6

I'm studying for the CCSP and, at a high level, I keep hearing encryption described in three forms:

  • Protecting data at rest.
  • Protecting data in transit.
  • Protecting data in use.

The first two make sense to me, but then I'm struggling to think of a practical example for the third scenario. Can someone elaborate? Unfortunately, my study material doesn't elaborate.

One scenario I could think of would be (perhaps) masking some sensitive information (like only showing the last four digits of a credit card number to a customer service rep). That might be a stretch though... because technically wouldn't the data still be at rest?

Alex Probert
Mike B
  • https://security.stackexchange.com/questions/20322/why-encrypt-data-in-memory an example. – Monica Apologists Get Out Mar 27 '18 at 15:52
  • @Adonalsium so the distinction is "at rest" on disk, "in use" in memory? – multithr3at3d Mar 27 '18 at 15:55
  • @multithr3at3d Yes. At rest is on disk, in use is in memory, in transit is moving across the network. – Monica Apologists Get Out Mar 27 '18 at 17:54
  • In use means protecting data in memory; to achieve this, secure enclave processors have been designed where the segment of memory is isolated and encrypted. For more details please refer to the following links: https://patentimages.storage.googleapis.com/a9/7d/61/cdaf8124ebebdd/US8832465.pdf https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf – ifexploit Mar 27 '18 at 17:59
  • 1
    Not necessarily in memory. Encryption in use would also apply to encrypted swap partitions. – forest Mar 28 '18 at 02:06

2 Answers

3

Let's first define what encryption-in-use is. It's a capability that lets you run your computation on encrypted data or run an encrypted application.

There are two ways to do this. There are pros and cons to each, but they are complementary in most use cases.

  • Hardware-based trusted execution environment (TEE). Intel's SGX or ARM TrustZone are good examples.

  • Software-based. This is relatively new and not used much outside of the research currently. Multi-Party Computation (MPC) and Homomorphic Encryption are two popular choices.

schroeder
Dr. Mohan
2

Protecting data at rest

Data at rest is data on disk rather than in memory. This data is typically protected using disk encryption, file encryption, database encryption or encryption of the specific piece of data.

Protecting data in transit

Data in movement is protected within channels. Examples would be IPsec VPN and HTTPS (SSL, TLS).

Protecting data in use

Data in use could be handled in protected memory or the data can be transformed for use. An example would be the use of a hash of the original data for comparison purposes like when performing password verifications.

Example: password verification

  • The user password is protected at rest through hashing (usually with a salt)
  • The user's entered password is protected in use through hashing
  • The user's password hash is protected in transit between the authentication requesting system and the centralised authentication server over an encrypted channel (TLS, SSH)
AndyMac