What Is Data Encryption?

Data encryption is a means of protecting data from unauthorized access or use. Commerce, government, and individual internet users rely on strong security guarantees to communicate. According to the Cybersecurity and Infrastructure Security Agency (CISA), the public safety community increasingly needs to protect critical information and sensitive data, particularly in land mobile radio (LMR) communications, and encryption is the best tool for achieving that security.

The original Data Encryption Standard (DES) was developed in the early 1970s. It emerged as a result of the US government recognizing a need to secure and protect data of a more sensitive nature, as developing nations were increasingly keen to get their hands on this type of information.

Data encryption is meant both to protect critical information in transit and to give the user or sender of the data confidence that, if bad actors steal or leak the information, there is little chance they will actually be able to read or interpret it.

As generative AI (GenAI) adoption becomes more widespread, and as it can be manipulated by bad actors, it will become imperative for those looking to protect proprietary data to become superior at leveraging GenAI. Those that do not adopt this technology to accelerate their encryption methodologies will inevitably become more attractive targets for data theft and encryption cracking.

How Does Data Encryption Work?

Data encryption works primarily by using a single, or symmetric, key to encrypt and decrypt messages, so that the sender and receiver both know and use the same private key. In more technical terms, "plaintext" is converted into "ciphertext."

According to the National Institute of Standards and Technology (NIST), plaintext, once converted into ciphertext, appears random and reveals nothing about the content of the original data. Once encrypted, no person (or machine) can discern anything about the content of the original data by reading its encrypted form.

Decryption is the process of reversing encryption so that the data is readable again. The symmetric key must be present during both encryption and decryption. Encryption isn't just for data moving in and out of different environments and clouds, however.

  • Data in transit: This can include data moving between two endpoints, entering and leaving a cloud environment, travelling between multiple destinations on an internal network, and more.
  • Data at rest: Examples of this data type include storage devices such as hard drives, flash memory, and other endpoints where sensitive data may be stored "at rest."

If data is encrypted and the threat actor does not possess the key, then that data, even if technically stolen, is considered useless. Data loss prevention (DLP) techniques and tools can actually search for unencrypted data on a network so that internal personnel can quickly encrypt it. That way, if the data is leaked, it is worthless to anyone who wants to exploit it.

Types of Data Encryption

As noted above, a symmetric key is only one way of ensuring that encrypted data can be decoded. Let's take a closer look at that method as well as another:

Symmetric Encryption

This type of encryption uses the same key during both the encryption phase and the decryption phase. In that way, this type of encryption has an inherent vulnerability: if a threat actor were to identify or steal the key, particularly if this was unbeknownst to the original user, then that key could be used to decrypt the information and could potentially be leveraged for other attacks.

Asymmetric Encryption

This type of encryption addresses the problem mentioned above by using two types of keys: a "public" key and a "private" key. The sender of the data must ensure that encryption is performed with the public key, while the receiver must hold the private key in order to perform decryption.

Asymmetric encryption is clearly a more complex scenario; however, it's critical to remember why encryption is being used in the first place: to maintain data security and confidentiality as information moves around, both inside and outside of a security organization or business. In today's environment, encryption is used frequently in many applications.

Data Encryption Standards

There are several formats or standards for data encryption. It's important to implement a standard that makes the most sense for a specific organization and its workflows.

  • Data Encryption Standard (DES): This standard specifies an encryption algorithm to be implemented in electronic hardware devices and used for the protection of computer data.
  • Triple Data Encryption Algorithm (3DES): This standard is an advancement of the DES standard and utilizes three unrelated 64-bit keys. By applying the algorithm three times in succession with three different keys, 3DES merely enlarges the effective key size of DES.
  • Advanced Encryption Standard (AES): This standard is a symmetric-key block cipher algorithm for the encryption and decryption of secure and classified information, and operates on a substitution-permutation network (SPN).
  • Rivest-Shamir-Adleman (RSA): This standard is named after the initials of its inventors' surnames. The algorithm consists of four steps: encryption, decryption, key distribution and key generation. It is widely regarded as the most famous cryptosystem in the world.
  • Twofish encryption: This standard uses a larger encryption bit size and a symmetric key of up to 256 bits. Because it uses a symmetric format, the same key encrypts and decrypts the data. Due to its large bit size, however, it is considered extremely secure and hard to break.
  • RC4 encryption: This standard is a "stream" cipher, meaning it operates on data one byte at a time. It is considered one of the weaker encryption standards, especially after significant vulnerabilities were discovered in the early 21st century.
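The asymmetric scheme described above and the four RSA steps listed here, as an added example that is not part of the original article: a textbook RSA implementation with deliberately small, deterministic 64-bit keys. The parameters are constructed for illustration only; real deployments generate 2048-bit or larger keys from a CSPRNG and use OAEP padding from a vetted library.

```python
import random
from math import gcd

def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin test; `rng` chooses the witnesses."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:            # write n - 1 = d * 2**s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # this witness proves n composite
    return True

def random_prime(bits: int, rng: random.Random) -> int:  # odd, top bit set
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits: int = 64, seed: int = 7):
    """Step 1, key generation; the seed only makes the example reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)          # private exponent (Python 3.8+); stays with receiver
    return (n, e), (n, d)        # step 2, distribution: publish (n, e) only

def encrypt(public_key, message: bytes) -> int:  # step 3: sender uses PUBLIC key
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:  # step 4: PRIVATE key only
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```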

In-Transit vs. At-Rest Encryption

We defined data at rest and data in transit above, but how do specific encryption protocols act on data in each of these states?

Encryption of Data in Transit

Once a connection is established and data can be transmitted, it's critical to keep the data away from prying eyes and as secure as possible while it is moving. According to Google Cloud documentation, encryption in transit defends data after a connection is established and authenticated by:

  • Removing the need to trust the lower layers of the network, which are commonly provided by third parties
  • Reducing the potential attack surface
  • Preventing attackers from accessing data if communications are intercepted

Encryption of Data at Rest

Data at rest is data stored on some medium, such as a laptop, cloud storage, USB drives, and so on. Any data sent to a cloud service should be encrypted while it is simply "sitting" in the cloud environment, as it is inherently at greater risk in an ephemeral environment that is theoretically open to the public internet.

Encrypting at-rest data as a best practice protects it from potential system compromise or exfiltration by ensuring it is unreadable while not in use. This can also apply to archived data that is no longer considered useful.

Challenges of Data Encryption

Encryption has come a long way since its inception in the 20th century, and much of the work can now be automated. But as Generative AI (GenAI) becomes a popular tool for threat actors, and as they gain ground in the ability to brute-force their way past encryption protocols, it becomes clear there are challenges both new and old to overcome.

According to CISA, vulnerabilities during key transmission are a major challenge. The agency stipulates that it's good practice to disable Wi-Fi capabilities while encryption-key transmission is taking place. It goes on to say that a transmission destination that "has its Wi-Fi capabilities disabled is referred to as hardened." Hardening ensures there is no inadvertent "leaking" of the encryption keys onto a wireless network where unauthorized personnel could access them.

Another challenge facing anyone looking to encrypt sensitive data could be a lack of WEP/WAP access-point encryption. A weak encryption mechanism can allow an attacker to brute-force their way into a network and begin man-in-the-middle attacks. The stronger the encryption implementation, the more secure it is.

Another major challenge of data encryption is the inherent trust placed in a cloud service provider (CSP). Typically, the CSP will retain control of the keys, so the organization never retains 100% control of the encryption process.

Trusting a CSP's employees, and most likely any partners they may be leveraging, who exert control over the encryption process will always carry some liability for the company using the CSP's services and trusting their data encryption processes. This is why the shared responsibility model is so important for protecting an organization's data.

Benefits of Data Encryption

The benefits of data encryption may seem obvious, but let's take a more in-depth look at the ways businesses might benefit from adopting a strong encryption strategy.

  • Ensures data is unreadable: As noted above, if stolen data has been strongly encrypted, there is a good chance it can never be read or maliciously exploited.
  • Maintains compliance: Adhering to local and national regulatory standards is essential, with encryption and key management (EKM) an important part of guidance from bodies like the Cloud Security Alliance.
  • Creates a proactive culture: Encrypting data is a proactive tool that can usually be automated on the front end as a layer of protection from bad actors. Doing it consistently helps to foster a culture of proactive security that will ultimately benefit everyone.
  • Enables a remote workforce: Encryption can greatly mitigate security concerns about large amounts of sensitive or proprietary data travelling to and from the cloud, which is exactly the kind of situation a remote worker relies on to do their job.
