Does Your Cloud Encryption Need Closer Inspection?

A day does not go by without a technology vendor waving banners about securing data in the cloud with strong encryption. File sync and cloud storage controller vendors are the new kids on the block that tout the benefits of using strong encryption algorithms such as AES-256 and RSA to secure data in the cloud. A strong encryption algorithm is one of the key mechanisms for securing data in the cloud. The encryption process can take place on the client side, on the gateway, or in the cloud itself. An encryption algorithm derives its strength from its sophisticated mathematical operations and from a strong random number generator, which is the foundation for producing strong cryptographic keys. A weak random number generator can produce keys that are predictable and thus easy to guess.

We know that a cryptographic algorithm can take any plain data and a key and run them through mathematical operations to create cipher data. However, these sophisticated mathematical operations can be rendered useless if one uses keys that can be easily guessed. Making keys longer is one way to make your keys stronger, but if those long keys are built from predictable bits, then the keys are of low quality and your data in the cloud is at risk.

The generation of bits (key material) for the keys is one of the most important factors in determining the strength of your encryption process. The generation of your key material is based on your system’s Pseudo-Random Number Generator (PRNG). Time and time again, security experts have highlighted the folly of generating your keys from a weak PRNG. One of the foundations of strong cryptography is a strong PRNG. A well-designed PRNG provides your cryptographic engine with truly random bits for your keys, where every new key that is generated is different from the previous ones and there is no consistent pattern in the key material.
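The following added example (not from the original article) shows why key length alone says little: a 256-bit key drawn from a non-cryptographic PRNG is only as strong as its seed. It assumes Python's `random` module (Mersenne Twister) seeded with a Unix timestamp as a stand-in for a weak PRNG; the function names and the timestamp are constructed for illustration.

```python
import random
import secrets

KEY_BYTES = 32  # 256-bit key, e.g. for AES-256


def weak_key(seed: int) -> bytes:
    """Key from a non-cryptographic PRNG (Mersenne Twister) with a guessable seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_key() -> bytes:
    """Key from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def seed_that_reproduces(key: bytes, earliest: int, latest: int):
    """Return the seed in [earliest, latest] that regenerates `key`, or None.

    The size of the seed window, not the key length, bounds the work needed.
    """
    for seed in range(earliest, latest + 1):
        if weak_key(seed) == key:
            return seed
    return None


# Constructed scenario: the key's creation time is known to within one hour.
CREATED_AT = 1_700_000_000  # constructed Unix timestamp (assumption)
WINDOW = (CREATED_AT - 1800, CREATED_AT + 1800)

if __name__ == "__main__":
    k_weak = weak_key(CREATED_AT)
    k_strong = strong_key()
    print("weak key   :", k_weak.hex())
    print("seed found :", seed_that_reproduces(k_weak, *WINDOW))
    print("strong key :", k_strong.hex())
    print("seed found :", seed_that_reproduces(k_strong, *WINDOW))
    print("candidates :", WINDOW[1] - WINDOW[0] + 1, "instead of 2**256")
```

Both keys are 256 bits long, but the time-seeded one has only as many possible values as there are seconds in the window, while the key from `secrets` matches no candidate.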

Unfortunately, there are some cases where a PRNG is intentionally weakened to make the encryption scheme vulnerable to intruders. Any user that is looking to move data to the cloud should ask its cloud solution provider to certify that it is using a strong PRNG to encrypt data. Since PRNGs are the weakest link in any encryption scheme, we encourage all users to ask their respective vendors to certify that their PRNGs indeed produce highly random data. If a cloud vendor dances around this topic or provides vague answers, then you know there is something wrong with their encryption scheme.