Protect Your Windows Network: From Perimeter to Data

Law #7: Encrypted data is only as secure as the decryption key

Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn't really matter how strong the lock is, would it? The critical factor would be the poor way the key was protected, because if a burglar could find it, he'd have everything he needed to open the lock. Encrypted data works the same way: no matter how strong the crypto algorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience, since you don't have to handle the key, but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well hidden the key is, if it's on the computer it can be found. It has to be: after all, the software can find it, so a sufficiently motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations. (All of you administrators out there who are using Syskey in "local storage" mode: you're going to reconfigure your server right this minute, right?)
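An added illustration of the law, not from the book: a toy "obfuscated key on disk" scheme next to the memorized-passphrase alternative the text recommends. The XOR mask, the salt and the passphrase are constructed values; the point is that the stored blob plus the software's own load routine always yields the key, while the passphrase scheme leaves only a salt on disk.

```python
import hashlib
import os

# Constructed toy obfuscation: the key is XORed with a fixed mask before being
# written next to the data. Real products use cleverer disguises, but the
# property the text describes is identical: the undo step ships in the software.
MASK = bytes.fromhex("5a3c0f9e5a3c0f9e5a3c0f9e5a3c0f9e")  # constructed mask


def obfuscate(key: bytes) -> bytes:
    """Disguise a 16-byte key for local storage (XOR is its own inverse)."""
    return bytes(k ^ m for k, m in zip(key, MASK))


def stored_key_blob(key: bytes) -> bytes:
    """What a product that keeps the key 'on the computer' writes to disk."""
    return obfuscate(key)


def software_loads_key(blob: bytes) -> bytes:
    """The product's own key-loading routine: it must be able to undo the disguise,
    so anyone holding the same blob and the same binary can run the same step."""
    return obfuscate(blob)


def key_leaks_from_storage(key: bytes) -> bool:
    """True when the bytes written to disk are sufficient to get the key back."""
    return software_loads_key(stored_key_blob(key)) == key


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Memorized-secret alternative: only the salt is stored; the key exists
    only while the passphrase is supplied. PBKDF2-HMAC-SHA256, 200k iterations."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=16)


if __name__ == "__main__":
    key = os.urandom(16)
    print("stored key recoverable from disk:", key_leaks_from_storage(key))  # True
    salt = os.urandom(16)  # the only thing the passphrase scheme keeps on disk
    print("derived key (never stored):", derive_key("correct horse", salt).hex())
```

Swapping the XOR mask for any other reversible disguise changes nothing in `key_leaks_from_storage`, which is the law's point.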
