Database Encryption

To understand DB encryption, it’s necessary to have a basic understanding of encryption principles.

Encryption

What is Encryption?

An encryption algorithm transforms information into apparently meaningless characters through a mathematical process, so that only authorized users, who hold the key, can read it. Compared to other security tools, which concentrate on protecting the system, encryption is a more fundamental and original method because it protects the data itself.


Ciphers

Classical Ciphers

A cipher is an algorithm for encrypting and decrypting; it keeps others from learning the content of a message or the algorithm used. Ciphers have two characteristics, confusion and diffusion:

Confusion makes it difficult to know the content of a message text.

Diffusion makes it difficult to know the pattern of the encryption algorithm.

An effective cipher contains both confusion and diffusion.

Classical ciphers are often divided into transposition ciphers and substitution ciphers.

Substitution Ciphers replace the letters throughout the message with other letters.


A transposition cipher keeps the letters themselves unchanged, but scrambles their order within the message according to a well-defined scheme.


The substitution cipher satisfies the confusion characteristics that make inference of the message difficult. The transposition cipher satisfies the diffusion characteristics that make inference of the encryption algorithm difficult.

Therefore, by applying substitution and transposition in tandem, both confusion and diffusion can be satisfied.

However, classical ciphers have a limitation: once the algorithm is discovered, the message is easily recovered. And since the invention of the computer, computing capability has improved so rapidly that classical ciphers are basically useless.
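The substitution-then-transposition combination described above, as an added Python example (not code from the original page): a shift cipher supplies the substitution step, a columnar transposition supplies the diffusion step, and the last function shows the limitation just mentioned, namely that once the algorithm is known, a shift cipher has only 26 possible keys and every candidate plaintext can simply be listed. The functions, the shift and the column count are this example's own assumptions.

```python
import string

ALPHABET = string.ascii_uppercase


def substitute(text, shift):
    """Substitution step (confusion): replace every letter with the one `shift`
    places further along the alphabet. Non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def transpose(text, columns):
    """Transposition step (diffusion): write the text row by row into `columns`
    columns, then read it out column by column (columnar transposition)."""
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows if c < len(row))


def untranspose(text, columns):
    """Inverse of transpose(): rebuild the columns, then read row by row."""
    full_rows, remainder = divmod(len(text), columns)
    cols, pos = [], 0
    for c in range(columns):
        length = full_rows + (1 if c < remainder else 0)  # leading columns are one longer
        cols.append(text[pos:pos + length])
        pos += length
    row_count = full_rows + (1 if remainder else 0)
    return "".join(cols[c][r] for r in range(row_count) for c in range(columns)
                   if r < len(cols[c]))


def encrypt(plaintext, shift, columns):
    """Substitution first, then transposition: both characteristics in tandem."""
    return transpose(substitute(plaintext, shift), columns)


def decrypt(ciphertext, shift, columns):
    """Undo the steps in reverse order."""
    return substitute(untranspose(ciphertext, columns), -shift)


def brute_force_substitution(ciphertext):
    """The limitation of classical ciphers: with the algorithm known, the shift
    cipher's whole key space is 26 values, so every plaintext candidate is listable."""
    return {shift: substitute(ciphertext, -shift) for shift in range(26)}


if __name__ == "__main__":
    ct = encrypt("HELLO WORLD", 3, 4)
    print(ct, "->", decrypt(ct, 3, 4))
```

The round trip works because each step has an exact inverse; the brute-force function is what makes the page's point concrete: the security of a classical cipher rests entirely on the secrecy of the algorithm, which is exactly what the encryption key replaces in the next section.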

Encryption Keys

The Encryption Key

Therefore, the core of current encryption technologies is the ‘encryption key,’ a parameter that specifies the transformation from plaintext (data given before encryption) to ciphertext (a cryptogram, or encrypted data), and vice versa.

The operation of a key is based on the ‘exclusive OR’ (XOR) operation of mathematical logic. Bitwise XOR adds each bit of two binary numbers modulo 2, without a carry (1 + 1 = 0), which for single bits is the same as subtraction. XORing a bit with 1 inverts it and XORing with 0 leaves it unchanged, so applying the same XOR a second time restores the original value. In other words, writing + for XOR:

If the plaintext P is operated with the key value K, a cryptogram P + K is created.

If this cryptogram is operated again with the key value K, then

(P + K) + K = P

… and it is decrypted back to the original P.

Although the concept is simple, keys are specified according to certain standards, and from the point of view of key management this results in different key types.

There are different types of encryption: one-way (also called “hashing”), symmetric, and asymmetric.


One Way (Hashing)

(Figure: hashing encryption diagram)

Passwords used for identification use a one-way encryption algorithm. Before a password is saved, it is encrypted: for example, the password ‘password’ is encrypted and saved as ‘WaBauZ2.Hnt2.’ There should be no similarity between the plaintext ‘password’ and the cryptogram ‘WaBauZ2.Hnt2.’

One-way encryption cannot be reversed: there is no way to convert the cryptogram back into the plaintext (strictly speaking, a one-way function is a hash rather than an encryption, since nothing is ever decrypted). To verify whether an entered password is valid, the system does not decrypt the stored value; it encrypts the entered password again and compares the result with the saved value.
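The store-and-compare procedure described above, as an added Python example using only the standard library (this is not code from the original page): the stored value is a salted, deliberately slow one-way digest, and verification re-hashes the candidate password instead of reversing anything. The storage format, the iteration count and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# Assumption: a work factor in the range currently recommended for PBKDF2-SHA256;
# tune it so one verification costs a noticeable fraction of a second on your hardware.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return the value to store. A fresh random salt means two users with the
    same password get different stored values, and the digest cannot be reversed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Never 'decrypt': re-hash the candidate with the stored salt and parameters
    and compare the two digests in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("password")
    print(record)
    print(verify_password("password", record), verify_password("Password", record))
```

Embedding the algorithm name and iteration count in the stored string is what lets the work factor be raised later for new records without breaking verification of old ones.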


Symmetric Key Encryption

For this method, the encryption and decryption keys are the same. Both sides must hold the same (symmetric) key for proper, secure communication.

(Figure: symmetric encryption process with keys)

A cryptogram is created by operating the plaintext with the encryption key value as a binary value. The recipient applies the identical key value in reverse to decrypt the cryptogram. Therefore, the sender and the recipient must both know the identical encryption key: when a person sends an encrypted message to another person, the recipient must also receive the key, and that key must itself be protected in transit.
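The key operation (P + K) + K = P from the Encryption Key section and the symmetric exchange just described, as an added Python example (not code from the original page): the same key encrypts and decrypts, and the last function shows why the key is the whole secret, since without it a ciphertext is consistent with every plaintext of the same length. The function names and the requirement that the key be as long as the data are this example's own assumptions.

```python
import os


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: the page's P + K."""
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def make_key(length: int) -> bytes:
    """Fresh random key; in a real system it comes from secure key management."""
    return os.urandom(length)


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)            # P + K


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)           # (P + K) + K = P


def key_that_decrypts_to(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """For ANY candidate plaintext of the right length there is a key that turns
    this ciphertext into it, so the ciphertext alone reveals nothing but its length.
    Only the real key yields the real P, which is why the key must stay secret."""
    return xor_bytes(ciphertext, claimed_plaintext)


if __name__ == "__main__":
    p = b"ATTACK AT DAWN"
    k = make_key(len(p))
    c = encrypt(p, k)
    print(c.hex(), "->", decrypt(c, k))
    print(decrypt(c, key_that_decrypts_to(c, b"DEFEND AT NOON")))
```

The sender and recipient must share k, which is exactly the key distribution problem the page raises when comparing the private key and public key methods.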


Asymmetric Key Encryption

Asymmetric, or public key, encryption differs from symmetric key encryption in that it uses two different keys: a private key and a public key. It encrypts with the public key and decrypts with the private key.

(Figure: asymmetric encryption with public key)

Just as its name implies, a public key is an open key, and anyone can encrypt plaintext. However, only the person who has a private key can decrypt the ciphertext.

When the roles of the private key and the public key are switched, so that the holder of the private key applies it first and anyone with the public key can check the result, the scheme becomes an ‘e-signature’ (digital signature).
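Public-key encryption and the switched-key e-signature described above, as an added Python example of textbook RSA (not code from the original page): anyone can encrypt with the public key, only the private key decrypts, and signing applies the private key first so that the public key verifies. The primes are toy values for illustration only and the signature hashes the message first; both are this example's own assumptions, and real deployments use 2048-bit or larger moduli with standard padding.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes (toy sizes here; NOT secure)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)               # (public key, private key)


def encrypt(m: int, public_key) -> int:
    """Anyone holding the public key can encrypt a message m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Only the holder of the private key can recover m."""
    d, n = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    """Sign a hash of the message rather than the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Keys switched: the private key is applied first."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key can check the signature; a changed message
    or a changed signature fails."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)
    c = encrypt(65, public)
    print(c, "->", decrypt(c, private))
    s = sign(b"transfer 100", private)
    print(verify(b"transfer 100", s, public), verify(b"transfer 900", s, public))
```

The same pair of operations serves both purposes; which key is applied first decides whether the result is confidentiality (encryption) or non-repudiation (signature), which is the distinction the page draws when recommending the public key method where non-repudiation is required.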


The encryption method is determined based on the environment.

According to different needs, methods and formats are selected, the encryption process is designed, and the system is implemented. Users can choose anything from a simple format to a complex one, according to an economic decision about how much security is worth. For example, the public key method is a more complex (and costly) method than the private key method, but the private key method cannot simply be replaced with the public key method: the two key methods are different approaches, each selected according to need.

For example,

  • Choose the private key method if there is no problem in key distribution and management, and if quick execution speed is required.
  • Choose the public key method if there is a problem in key distribution and management, and if transfer non-repudiation is required.

DB Encryption

Basic encryption, and the terminology used to explain it, aims to explain the logic through a perfectly logical and generalized propositional system. Technology and systems, however, are created according to the economic principle of obtaining the greatest benefit at the lowest cost: technology is created by transforming, processing, and converging those principles. Depending on business requirements, the location of encryption and the characteristics of the data may differ. Therefore, encryption technology requires an understanding of the overall system and of the business.

This is a recent example of a mobile messenger application encryption system that was designed and implemented.

The initial requirement was data encryption in the DBMS (Database Management System), which saves the conversation communicated through a messenger.


However, when reviewed against the typical pattern of security incidents, the above configuration could not offer sufficient security.

The requirements of web application encryption were as follows:


The configuration includes encryption of user authentication, section (transmission path) encryption, message encryption, and key management.

All kinds of security system configurations follow the secured IT system design principles. Therefore, to apply a perfect encryption technology, all layers and areas of a system needed to be considered.


For comprehensive encryption, proper encryption is applied to all three layers, application, system, and network, and secure key management, privilege management, and access control need to be applied as well.

Many companies or organizations are hesitant to apply the technology because of the belief that application of encryption technology affects the system performance. If they do apply the technology, many companies believe that the downgrade in performance level is simply the trade-off – a price that must be paid in order for their data to be secure.

However, an encryption-specialized company should be able to implement a system that provides the same level of security across various environments while minimizing the degradation of system performance, because in most cases the degradation is not caused by the technology itself but by insufficient understanding of the system and a poorly designed application. Most security incidents occur because of careless users who rely solely on the performance of tools. The only way to prevent incidents is to improve security consciousness across the user group, which depends on sufficient understanding of security and on security governance that educates and manages the group members.

You’ll find countless companies that tout the following:

“If you purchase this system, there will be no problems, and you don’t need to worry about security.”

But this is undoubtedly the wrong attitude: a specialized company first talks about the need for security governance and for improving security consciousness across the organization.

As the knowledge and information society advances, protecting various kinds of data, including personal information, becomes ever more important. Among the various technical methods for protecting data, encryption is the most important and fundamental one from the standpoint of technical stability.

The key ingredients to perfect encryption?

ENCRYPTION
Data encryption with proper algorithms

KEY MANAGEMENT
Secured management and operation of an encryption key

ACCESS CONTROL / AUDIT
Access control and audit for data reading

Data Environment and Layer Structure of an IT System

To analyze the data environment, the IT system layer structure should be understood according to the data processing method. A virtual layer structure of the IT system conceptually is as follows:


Network : data is transmitted or received between servers or between a server and a user device via the network

Operating System : physically stores the OS, which runs the servers or devices, and the files that contain data

DBMS Engine : a core feature of a DB system that stores or retrieves data within the DB

DBMS Package : provides interworking to process data in the DB server or to externally use the DB server

DBMS Procedure : configures applications that use the DB as data storage by interworking with the DB server

Web Application : provides information to users on the Web by interworking with the DB server

Business Application : a large information system built by bundling smaller applications into one large application system

Network Layer

Data Encryption at the Network Layer

At the Network Layer, the server and the client are interconnected for data transfer. This includes communication between an application server and a DB server, between a networked storage device and a server, and between a server and a user device. An attacker can collect and steal the transferred data by tapping the communication channel. To protect the data in transit, it is encrypted in one of the following ways:

Encrypt the communication channel between the sender and the recipient
By encrypting all data, the efficiency may be lowered; however, the transfer itself can be hidden, and the safety is very high.

Selectively encrypt only the specified data among the data transferred
It improves the performance by encrypting the required information only. It requires selective encryption technology.

Encryption at the network layer can physically and separately provide secured encryption between a sender and a recipient. For secure encryption, the encryption key must be created and managed in a secure manner between a sender and a recipient.

Operating System

Data Encryption at the Operating System Layer

All data are saved as a file format in the computer. Encryption at the OS layer means adding an encryption stage to the file-saving process of the OS.

Build the encryption feature in the storage device
A storage device such as an HDD encrypts and decrypts data by itself. All files saved on it are encrypted.

A file system encrypts and decrypts data
The OS file system encrypts and decrypts data. All files saved are encrypted.

Encrypt and save a specific file
A file is selectively encrypted and managed. Encryption in the unit of directory or folder is available.

When encryption is carried out at the OS layer, the DB and the applications do not need to consider encryption processing at all. Therefore, no complex modification or change to the existing system is required, which is a great benefit. However, most OS-level encryption products store the encryption key on the user device or the server itself, and it is difficult to control access and to set fine-grained security policies.

DBMS Engine

Data Encryption at the DBMS Engine Layer

The DBMS Engine is the core module that manages I/O and storage of data in the DB server. Most DBMS products offer a built-in encryption feature. From the application's point of view, storing or reading information in the DB is the same before and after encryption, so, as with OS-layer encryption, the existing application does not have to be modified. This is described as transparency to the application, and is called Transparent Data Encryption (TDE).

However, most TDE-type encryption products store the decrypted data in the memory, which creates the possibility of information leakage. From a key management aspect, as the encryption key and the data are stored in the identical repository, it is not a perfect security solution.

Therefore, before applying the DBMS Engine-level encryption product, key management and decrypted data processing in the memory should be considered.

DBMS Package Layer

Data Encryption at the DBMS Package Layer

At the DBMS Package Layer, requests received from outside are directed and managed so that the engine can process them. Encryption at this layer has the benefit that the application at the higher layer does not need to be modified. As the DBMS engine only ever receives and processes encrypted data, there are no memory security issues. It is also an excellent method in terms of performance, because the specific DB tables to encrypt can be selected.

In the past, because the data stored in the DB was encrypted, a drawback was that no search index could be used on it. Today, however, most encryption vendors provide index creation for encrypted data, which allows fast searching.

The DBMS Package Layer encryption product may place load on the DB server because encryption/decryption occurs whenever data is processed. Therefore, when the product is applied to the real environment, a proper method should be chosen and applied to reduce load on the server.

DBMS Procedure Layer

Data Encryption at the DBMS Procedure Layer

Software at the DBMS Procedure Layer externally uses the DBMS API.

To apply encryption to this layer, an additional API that supports encryption for transferring data with the DB server should be used. If the application and the DB server reside in different systems, network layer encryption may be additionally applied.

By calling the encryption API instead of the existing DBMS API, it has all the benefits of the DBMS Package layer encryption and does not place a load of processing encryption/decryption operation on the DB server. There is another benefit in that it can cope with security threats that occur at the network section in the network environment. However, it requires a certain level of application modification.
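DBMS Procedure layer encryption as described above, together with the "index for encrypted data" mentioned in the DBMS Package section, as an added Python example (not code from the original page or from any vendor): the application calls its own encryption routine before the DB API, so the DB server only ever stores ciphertext and does no cryptographic work, and a keyed blind index lets it still answer equality searches. To stay standard-library only, the example uses HMAC-SHA256 in counter mode as a stand-in stream cipher with an encrypt-then-MAC tag; a production system would use an AEAD such as AES-GCM, keep the master key in a key management system rather than beside the data, and the table layout, key labels and sample messages are all this example's own constructions.

```python
import hashlib
import hmac
import os
import sqlite3

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (stdlib only).
    A production system would use an AEAD such as AES-GCM instead."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a modified blob or a wrong key is rejected, never decrypted."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(idx_key: bytes, value: str) -> str:
    """Keyed hash of the normalised value: the DB can index and match on equality
    without ever seeing the plaintext (an 'index for encrypted data')."""
    return hmac.new(idx_key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def derive_keys(master_key: bytes) -> dict:
    """One sub-key per purpose, derived from a master key held in the key management system."""
    return {label: hmac.new(master_key, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "idx")}


class EncryptedMessageStore:
    """Application-side (DBMS Procedure layer) encryption over a plain SQL table:
    the DB stores only ciphertext and blind indexes; the DB server does no crypto work."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.db = sqlite3.connect(":memory:")          # constructed stand-in for the DB server
        self.db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, "
                        "recipient_idx TEXT, recipient_ct BLOB, body_ct BLOB)")
        self.db.execute("CREATE INDEX messages_recipient ON messages (recipient_idx)")

    def insert(self, recipient: str, body: str) -> None:
        k = self.keys
        self.db.execute("INSERT INTO messages (recipient_idx, recipient_ct, body_ct) VALUES (?, ?, ?)",
                        (blind_index(k["idx"], recipient),
                         seal(k["enc"], k["mac"], recipient.encode()),
                         seal(k["enc"], k["mac"], body.encode())))

    def find_by_recipient(self, recipient: str) -> list:
        """Equality search runs on the blind index; rows are decrypted only in the application."""
        k = self.keys
        rows = self.db.execute("SELECT recipient_ct, body_ct FROM messages WHERE recipient_idx = ?",
                               (blind_index(k["idx"], recipient),)).fetchall()
        return [(unseal(k["enc"], k["mac"], r).decode(), unseal(k["enc"], k["mac"], b).decode())
                for r, b in rows]

    def raw_blobs(self) -> list:
        """What a DBA, a backup, or a stolen DB file would reveal: ciphertext only."""
        return [bytes(b) for (b,) in self.db.execute("SELECT body_ct FROM messages")]


if __name__ == "__main__":
    store = EncryptedMessageStore(derive_keys(os.urandom(32)))
    store.insert("alice@example.com", "meet at noon")      # constructed sample rows
    store.insert("bob@example.com", "budget draft attached")
    print(store.find_by_recipient("Alice@Example.com"))
    print(store.raw_blobs()[0].hex())
```

Because the blind index is keyed, the DB server cannot compute it for a guessed value, which is the difference between this and simply hashing the column; and because the tag is checked before decryption, a DB-side modification surfaces as an error in the application rather than as silently corrupted plaintext.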

Web Application

Data Encryption at the Web Application Layer

Today, the system configuration of many online information services has become complex.

It is configured as multi-tier with a web server, a web application server, and a DB server. The web application links the web server and the DB server and controls data flow.

The side connected to the DB server provides the same features as an application at the DBMS Procedure layer. Therefore, only the location where encryption is processed is different; the encryption process and the pros and cons of this layer are identical to those of DBMS Procedure layer encryption.

Business Application

Data Encryption at the Business Application Layer

In most cases, a business application is a large system integrated with applications.

Even when a DBMS is deployed for internal data management, it is included as a separate system that manages the repository. Therefore, it is impossible for developers of the business application to call or use the DBMS directly. To encrypt this layer, a subsystem for repository management should be modified, or a subsystem should be added.

As the business application is implemented based on the independent design and implementation principles, it takes a lot of effort and cost to add and modify new subsystems.

As the method is the same as that of the DBMS Procedure layer and the Web Application layer, the pros and cons are the same as well.

Comparison of Encryption Methods

To determine deployment of an encryption technology plan for data protection, refer to the following table.

Encryption Method              | Encryption Operation     | Key Confidentiality /    | Access  | Administrative       | Modification of
                               |                          | Key Management Security  | Control | Privilege Separation | Existing System
-------------------------------+--------------------------+--------------------------+---------+----------------------+----------------
Network Encryption             | End to End               | High                     | Medium  | High                 | X
Storage Device Encryption      | DB Server                | Low *                    | Low     | Low                  | X
File System/Volume Encryption  | DB Server                | Low *                    | Medium  | Low                  | X
File Encryption                | DB Server                | Low *                    | Medium  | Low                  | X
TDE Encryption                 | DB Server                | Medium *                 | Medium  | Low                  | X
DBMS Engine Encryption         | DB Server                | High                     | High    | High                 | X
DBMS Package Encryption        | DB Server                | High                     | High    | High                 | X
DBMS Procedure Encryption      | DB Server                | High                     | High    | High                 | O
Web App. Encryption            | Application Server       | High                     | High    | High                 | O
Biz App. Encryption            | Application or DB Server | High                     | High    | High                 | O

The three middle columns are the Security ratings (Key Confidentiality / Key Management Security, Access Control, Administrative Privilege Separation).
* Requires a separate key management server.
Modification of Existing System: X = not required, O = required.

As an encryption-specialized company, Penta Security provides all the encryption technologies required for data protection: technology that satisfies both security and performance, based on a thorough understanding of the entire ICT system and the business environment.