Envaulting

From Wikipedia, the free encyclopedia

 This article or section is in the middle of an expansion or major revamping.
You are welcome to assist in its construction by editing it as well.
Please view the edit history should you wish to contact the person who placed this template. If this article has not been edited in several days please remove this template. Consider not tagging with a deletion tag unless the page hasn't been edited in several days.
This article is about envaulting, a novel cryptographic method for protecting the confidentiality and integrity of information. For an overview about traditional cryptographic technology in general, see Cryptography.

Envaulting is the process of transforming information (referred to as plaintext) using a diffusion algorithm (usually a standard cipher such as 256-bit Advanced Encryption Standard) and a bit removing algorithm, to make the information unreadable to anyone except those authorized to view it.

In the process, the plaintext is first diffused to form ciphertext. Then, a number of selected bits are removed from the ciphertext. The process outputs two results: ciphertext that is missing information (referred to as envaulted data) and a group of removed bits (referred to as data fragments).

To reverse the process, i.e. to de-vault information, the envaulted data must first be joined with the data fragments, using a join algorithm, so that the removed bits are inserted back to their original places, and then the ciphertext must be decrypted.

Contents

[edit] Typical uses for envaulting

A typical use case for envaulting is the protection of information on computer data systems, where one or several computers can act as the storage for data fragments, and other computers hold only the envaulted data. Dedicated software can automatically perform the envaulting and de-vaulting processes. By controlling access to the computers storing data fragments, the data owner can fully control the access to the original information. Envaulted data can reside also on any removable mass storage devices or removable media.

[edit] Strengths of envaulting compared to traditional encryption

Unlike traditional encryption, envaulting can protect both the data confidentiality and the data integrity of messages.

Confidentiality is protected because information is ciphered and the ciphertext is then made irrecoverable by removing bits from it. The ciphertext can be successfully decrypted only after inserting the removed bits back to their exact places.

Data integrity is protected because the data fragments form a unique fingerprint of the original information. If the envaulted data is altered in any way, joining it with the data fragments does not produce a valid ciphertext and decryption will fail.

[edit] Limitations of envaulting compared to traditional encryption

Because the envaulted data and data fragments must be stored in separate places, availability of the original information is more limited than in encryption. Whereas traditional encryption can be decrypted with a single password that a person can memorize, envaulting requires access to the data fragments at the time of accessing.

However, the limited availability of envaulting can be converted into a strength in cases where availability of certain data is wanted to depend on a user's current access to e.g. a network resource. For example, local data remaining unavailable until a controlled network access to a data fragment storage is established. The limited availability can therefore be used to remotely control and monitor different users’ or user groups’ access to the original information.

[edit] Background of envaulting

Envaulting was developed in cooperation by Envault Corporation and VTT, the Technical Research Centre of Finland. Primary design goal was to create a transparent and easy to use data protection technique that would address the known shortcomings of traditional encryption (difficult secret key management, lack of protection for data integrity, and vulnerability to cryptanalysis and side-channel attacks, such as the recent Princeton Cold boot attack). The developed method combines encryption with the concept of missing data, providing a new way for the owner of the protected information to remotely control and monitor access to it. Ideally, the envaulting and de-vaulting processes should be automated so that they require no passwords or any input from the user. This way envaulting helps to eliminate the human error from data security.

Envault Corporation has filed international patent applications protecting the envaulting method and several implementation level solutions.

[edit] References

  • Applied Cryptography, Second Edition, Bruce Schneier, John Wiley & Sons, 1996
  • M. Liskov, R. L. Rivest, and D. Wagner. Tweakable Block Ciphers. Crypto 2002.
  • J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. "Lest We Remember: Cold Boot Attacks on Encryption Keys". . Princeton University. February 2008.

[edit] See also

Cryptography Portal
  • Cryptography - term which encompasses encryption and other concepts used for hiding information