What Is In-Transit Cryptography?

Data encryption is a crucial part of cybersecurity. The standard data states (at rest, in transit, and use) all present unique and challenging vulnerabilities that can expose that data to unauthorized parties. No vulnerability is more apparent than having that data stolen and viewed by people who shouldn’t be looking. 

That’s where in-transit encryption comes into play. With in-transit encryption, you can meet your compliance requirements and ensure that your data, and the data of your patients and customers, remain confidential.

 

How Does In-Transit Cryptography Work?

While we’ve previously covered the concept of protecting stored data, the actual information used professionally and by consumers rarely stays in a server. At any given moment, petabytes of data move through networks from one point to the next–-and this data is vulnerable. That’s why every security framework in the world includes a specification that dictates that compliant organizations must encrypt data as it rests in storage and during transit from one place to another. 

However, there are a few challenges to this practice:

  • Obfuscation: As with any form of encryption, in-transit cryptography must ensure that a hacker cannot read data if it is intercepted and viewed.
  • Integrity: Because data in transit includes the risk of interception, it’s also essential to have checks in place to ensure the integrity of that data so that outside users cannot modify it.
  • Coordination: Network communication protocols typically use mechanisms like a “handshake” to set up data exchange. Encrypted data is no different; this portion of the interaction often includes the exchange of encryption/keys.

With that in mind, several approaches to encrypting data transmissions address these issues:

  • Symmetrical Key Encryption: A single key handles encryption and decryption with symmetrical key cryptography. These keys are shared with parties authorized to access the encrypted data. The most common and established form of symmetrical-key encryption is the Advanced Encryption Standard (AES), supported by the National Institute of Standards and Technology. AES is often used for in-transit cryptography but typically as part of a more robust approach like Transport Layer Security (TLS).
  • Asymmetrical Key Encryption: With asymmetrical cryptography, users create two keys–a public and a private key. Any data encrypted with a public key can only be decrypted with the private key, so anyone sending a message can count on their messages remaining secure so long as the recipient’s private key has not been compromised. Asymmetric keys are used in several applications as standalone end-to-end solutions or as parts of other protocols.
  • Cryptographic Tunneling: Tunnelling creates secure connections between machines or networks by encapsulating data in obfuscating data. This means private network data will travel over public networks like the Internet as if it were a private network. This ensures that this data is secured via encryption and end users can communicate with private network resources as if they were locally connected. This approach is often used for file-sharing protocols like SFTP and Virtual Private Networks (VPNs).
  • Certificates: A form of asymmetric-key encryption, certificates are maintained by “certificate authorities” containing public and private keys for certified users. These certificates can be used to generate unique and fast symmetric “session” keys that allow sixers to connect and verify through the authority that your system resources are legitimately you. Certificates are most often used with TLS/HTTPS applications.

 

What Are Some Examples of In-Transit Cryptography?

in transit cryptography

As we’ve mentioned previously, there are a few different approaches to encryption, and many of these approaches complement each other in one way or another. Engineers and cryptographic scientists will strategically use different approaches to protect data, ensure user authenticity and protect encryption keys from compromise. 

Furthermore, the type of encryption application will invariably determine the kind of encryption to use. These also tend to overlap, so different encryption approaches will often contain several layers.

Broadly, many of these examples will operate using a foundational encryption algorithm. Some standard algorithms include:

  • Advanced Encryption Standard (AES): AES is a symmetric block cipher that takes 128-bit blocks of data and encrypts them using a 128-, 192-, or 256-bit key (with each increasing the complexity of the last). This is the algorithm supported by NIST.
  • Twofish: A symmetrical block cipher using 128-bit block sizes and keys up to 256 bits. This algorithm is competitive with AES and serves as the evolution of the older (and limited) Blowfish algorithm.
  • Rivest-Shamir-Adleman (RSA) Encryption: RSA is an asymmetric encryption method that allows for both public-key encryption and digitally signed content. Strong RSA often uses rather large keys of 2048 bits. Some rumors circulated in 2021 that RSA has been cracked, but these are unfounded–although now many security experts argue that this is a sign to move on from the standard as quantum computers become a reality.

Some of the most familiar in-transit encryption methods include:

 

Transport Layer Security (TLS)

TLS provides end-to-end security for network transmissions using a combination of symmetric and asymmetric encryption approaches. The successor to Secure Socket Layers (SSL), TLS involves an asymmetric “handshake” between machines that relies on a certificate authority to facilitate the encryption and authentication of the server, resulting in the secure exchange of symmetric keys to maintain a protected and fast connection.

The strength of TLS is its flexibility–that is, it supports the encryption of traffic from various applications. Using TLS, you can encrypt traffic between email servers, Voice over IP (VoIP) applications, or requests from browsers to web servers. 

On the downside, TLS is for in-transit only and does not protect data once it reaches its destination.

 

Secure HyperText Transfer Protocol (HTTPS)

HTTPS is an extension of HTTP, the original protocol handling data exchange for websites. 

Remember when we said that TLS supports other applications? HTTPS adds TLS security to the foundational HTTP process to protect certificate-based asymmetric and symmetric encryption.

 

Secure/Multipurpose Internet Mail Extensions (S/MIME)

S/MIME is another certificate-based form of asymmetric encryption used primarily in email clients, where the encryption happens directly to the email message in question. Unlike TLS, which can create a secure channel between machines to support different applications, S/MIME is specifically designed to encrypt emails and email metadata. 

 

Secure File Transfer Protocol (SFTP)

File Transfer Protocol (FTP) is an interesting protocol in that, while it facilitates the exchange of messages, it does so with the express purpose of allowing a user to access a system to execute specific commands remotely. For example, an FTP user connecting to a server may be able to download files or have permission to upload files, create files and directories, or manipulate existing files and directories.

FTP, however, is inherently insecure, using plaintext authentication without encryption at any step of the process. SFTP, the adaption of SSH cryptographic tunneling to utilize FTP commands, allows admins and users to securely use large, scalable file transfers with encryption at all transit points. 

 

End-to-End (E2E) Encryption

E2E encryption is unique in the world of in-transit cryptography. The previous examples we’ve provided all work with the notion that they only protect the data through direct obfuscation or creating cryptographic channels as it moves over a network. Once the data reaches its endpoint, administrators must employ additional security measures like at-rest encryption. 

This is a trust issue… if you send what you think is a secure email to someone via TLS, there’s no telling who may access that information on the other end. This is why many security regulations like HIPAA don’t consider TLS or S/MIME as end-to-end solutions that can justify sharing personal information via email. 

E2E encryption methods, like Pretty Good Privacy (PGP), allow users to directly encrypt and decrypt content with public/private key pairs. The difference is that the actual message is encrypted from the moment it’s sent to the moment that the reader decrypts it. That is, it remains secure until read by the intended recipient. 

End-to-end solutions are available and highly secure with the correct key management. However, it’s also slow and requires that all users employ the same protocol and algorithm built into their applications. Finally, it’s not seriously used in many different areas of use, like file sharing, and finds more reasonable use in places where users want to protect specific messages, like emails.

 

Maintain the Right Encryption with Continuum GRC 

Any and every security regulation and framework includes some requirement for in-transit encryption. It’s up to you to make sure you’re using the right one and that all of your applications are secured in the right ways. 

However, it can become easy to lose the thread when it comes time to adopt new technologies, upgrade security measures, and consider new approaches to in-transit cryptography. That’s why our clients rely on our Continuum GRC cloud platform to help them understand how their encryption algorithms and modules are implemented in their system and how they compare to compliance and risk standards. 

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • DFARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • HIPAA
  • PCI DSS 4.0
  • IRS 1075
  • COSO SOX
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

[wpforms id=”43885″]