Information Security

Data Encryption: At Rest and In Transit

Heartland Payment Systems, 2008: 130 million credit cards stolen. The data was encrypted at rest. Attackers installed a network sniffer that captured card numbers in the memory gap between TLS termination and storage re-encryption. The lesson: encryption at rest is not the same as end-to-end encryption. Knowing which threat model each control addresses is what separates a real defense from a compliance checkbox.

  • **Heartland 2008**: 130M cards stolen despite at-rest encryption. Attackers targeted the plaintext gap between TLS termination and storage write - memory interception bypassed both controls.
  • **LastPass 2022**: attackers copied an unencrypted S3 backup excluded from the key rotation scope. Customer vaults were exposed because backup storage was outside the encryption policy.
  • **MongoDB without authentication 2017**: 27,000 exposed databases in 72 hours. No TLS, no auth - all data readable by anyone with network access. Encryption in transit is not optional.

Envelope Encryption: DEK and KEK

Envelope encryption splits key management into two layers: a Data Encryption Key (DEK) encrypts the actual data using AES-256-GCM, while a Key Encryption Key (KEK) stored in a KMS wraps the DEK. The encrypted DEK travels alongside the ciphertext; the KEK never leaves the HSM.

AWS S3 Server-Side Encryption with KMS (SSE-KMS) uses envelope encryption for every object. The DEK is generated per-object, encrypted with the customer CMK, and stored in S3 object metadata. Decryption requires both the ciphertext and KMS access.

The primary operational advantage: when rotating the master KEK, only the small wrapped DEKs (32-40 bytes each) need re-encryption - not petabytes of data. AWS KMS performs automatic annual key rotation without application changes.

Why does envelope encryption store the wrapped DEK alongside the ciphertext?

Key Rotation: Cryptoperiod and Automation

NIST SP 800-57 defines the cryptoperiod - the maximum time a key should remain active. For AES-256-GCM symmetric keys, NIST recommends annual rotation. The cryptoperiod limits the data volume encrypted under a single key and reduces the exposure window if the key is compromised.

LastPass 2022: attackers copied an unencrypted S3 backup of customer vault data. The backup had been outside the key rotation scope. Rotation policies must explicitly cover all backup and archive storage, not just primary databases.

Why does NIST SP 800-57 recommend rotating AES-GCM keys after roughly 2^32 encryptions?

TLS in Transit: Configuration and Verification

TLS 1.3 eliminated weak cipher suites (RC4, 3DES, MD5), mandates forward secrecy via ephemeral DH, and reduced the handshake to 1-RTT. TLS 1.2 remains acceptable with ECDHE cipher suites; TLS 1.0 and 1.1 are deprecated by RFC 8996 (2021).

Cloudflare's 2023 report shows 95% of traffic served over TLS 1.3. TLS 1.3 handshake latency is lower: one fewer round trip compared to TLS 1.2. Perfect Forward Secrecy is mandatory - every session uses ephemeral ECDHE keys discarded after the session ends.

Why does TLS 1.3 mandate Perfect Forward Secrecy while TLS 1.2 makes it optional?

Database Encryption: At-Rest vs Field-Level

Database encryption has two distinct threat models: encryption at rest protects against physical disk theft or unauthorized file system access; application-level field encryption protects against database administrator access and SQL injection exfiltration. Both serve different adversaries.

Heartland Payment Systems 2008: data was encrypted in storage, but attackers installed a network sniffer capturing card numbers in memory after TLS decryption and before storage re-encryption. 130 million cards were stolen. Encryption at rest alone does not protect data that passes through the application in plaintext.

An attacker gains read-only SQL access via injection. Which encryption approach limits the damage?

Summary

  • **Envelope encryption** (DEK+KEK) separates operational keys from master keys. Rotating the KEK never requires re-encrypting bulk data.
  • **Key rotation** limits the exposure window. NIST SP 800-57 recommends annual rotation for AES-256-GCM; birthday bound for 96-bit nonces is 2^32 encryptions.
  • **TLS 1.3** mandates PFS and eliminates static RSA. TLS 1.0/1.1 are deprecated by RFC 8996. sslyze/testssl.sh verify configuration in CI.
  • **At-rest vs field-level encryption** serve different adversaries. TDE protects disk theft; application-level encryption also protects against SQL injection and rogue DBAs.

Related Topics

Encryption in practice connects to cloud key management and transport security:

  • AWS/GCP/Azure Security — KMS and CMK configuration underpin envelope encryption in all major clouds.
  • Supply Chain Security — Sigstore signs artifacts in transit; TLS secures the artifact download channel.
  • Key Management — HKDF, PBKDF2, and AES Key Wrap algorithms provide the cryptographic primitives used in envelope encryption.

Вопросы для размышления

  • A DBA has full SELECT access to the users table. Which control stops them from reading SSNs: TDE, application-level encryption, or column-level access control?
  • If an attacker captures the wrapped DEK stored alongside a ciphertext, what else do they need to decrypt the data?
  • Why does TLS 1.3 disable the RSA key exchange that was optional in TLS 1.2?

Связанные уроки

  • sec-27
  • sec-04
  • sec-19
  • crypto-14-aes
  • crypto-32-tls
Data Encryption: At Rest and In Transit

0

1

Sign In