Fri Apr 8 06:49:41 PDT 2016

Content control: Data in motion: When should I transmit content encrypted?


Options are split into three dimensions.
Dimension 1:
    Option 1: When feasible
    Option 2: When convenient and available.
    Option 3: When required by others.
    Option 4: Never use encryption.
Dimension 2:
    Option A: Sensitive information.
    Option B: All information.
Dimension 3:
    Option i: Within internal infrastructure.
    Option ii: When transiting untrusted networks.


IF Encryption in motion is required, THEN Always encrypt data in motion.
OTHERWISE Follow the table below:

Sensitivity  Location  Low Risk    Medium Risk  High Risk
all          internal  convenient  convenient   convenient
all          external  convenient  convenient   feasible
sensitive    internal  convenient  feasible     feasible
sensitive    external  feasible    feasible     feasible

Table: What to encrypt (content in motion)

ALSO IF Surveillance of traffic is required AND encryption is used, THEN either:

  • Surveil at the endpoint(s), or
  • Decrypt and re-encrypt in transit, or
  • Duplicate relevant traffic encrypted to the surveillance system.


Required: When encryption is required by others, whether by contract, government mandate, or customer demand, it should be used.

Feasible: Encryption is not always feasible. For example, real-time control data sent at rates, or with delay requirements, beyond the technical capability to encrypt cannot feasibly be encrypted. Infeasibility may also stem from economic concerns, operational complexity, political sensitivities, or any number of other factors.

Convenient: Encryption is often convenient and readily available. For example, SSL to Web servers, WPA for wireless systems, and ssh for remote terminal access are almost always as easy, or nearly as easy, to use as operating unencrypted. When the use of encryption is as easy, reliable, fast, and allowable as non-use, encryption should be used.

Alternatives: There are, of course, alternatives to encryption (and other modes of coding) in transit. For example, physical separation of infrastructure and local wiring may be used in some cases. Signals may be sent via multiple paths or protocols to make it harder to intercept complete information, etc. But without physical containment and a great deal of additional control, access will be attainable.

Sensitive information:
Information that must be protected from observation, either because it is confidential or because it reveals operational information that could be used for intelligence purposes, should be encrypted in transit to prevent exploitation.

All (other) information:
Not all information is sensitive, and the rest of the information may be treated differently. A good example is the content of public Web servers, which often has integrity requirements but usually has no confidentiality requirements.

Within internal infrastructure, encryption may be harder to do on a uniform basis, and it may be more expensive. If physical or other protective mechanisms are adequate to the need, there is no need to encrypt internally, but this does not apply to remote connections to "internal" resources at another location.

Transiting untrusted networks includes traversing the Internet and any other connections that pass through areas of lesser trust.

In some cases, it is necessary to observe traffic to meet external mandates (e.g., laws requiring law enforcement and government access to transmissions), while in other cases, protection may be enhanced by surveillance (e.g., leakage prevention, intrusion detection, etc.). In these cases, there are three basic options:

  • Surveil at the endpoint(s): This is normally done by logging and/or other technical mechanisms. Depending on control over endpoints, this may be more or less feasible.
  • Decrypt and re-encrypt in transit: This approach typically requires an extensive and complex key management system or sacrificing protective utility. An example approach is the use of a proxy server, with traffic from internal systems to the proxy server unencrypted, surveillance feeds taken before or at the proxy server, and encryption from the proxy server to the other endpoint (or its proxy server). Another approach is encryption to the proxy and separate encryption from the proxy. In any case, these are effectively man-in-the-middle attacks on end-to-end protection and become ready points of attack.
  • Duplicate relevant traffic encrypted to the surveillance system: A less often tried approach is to duplicate the traffic at the endpoint so that an encrypted copy is sent to the surveillance system independently of the traffic between endpoints. This reduces vulnerabilities in the middle of the traffic flows, but requires endpoints to cooperate in the process.

Note also that surveillance of this sort tends to be ineffective against steganography or other covert channel methods.

The use of encryption for information in transit, as opposed to other techniques, is specifically and solely for the purpose of preventing unauthorized revelation of content or information about the systems exchanging the content. It is expensive to do well and prevents internal surveillance that may be important to intrusion detection, network debugging, and other similar uses. Therefore, the only justification for encryption in transit comes from external requirements or risks. However, it is very inexpensive in most cases today to encrypt less well, so unless there is a need to surveil the communications, encryption is sensible at some level or quality in most cases.

Low risk: In low risk situations, encrypting all content traveling through internal networks may be too hard or expensive, is often unnecessary, and may be difficult to manage. If required for some contractual or other reason, external traffic should be encrypted. Sensitive information should be internally encrypted if it is convenient because, while the risk is low, the cost is also low in this situation. External sensitive information should be encrypted if required for regulatory, public perception, or contractual reasons.

Medium risk: In medium risk situations, all internal network traffic should only be encrypted if convenient. Most information is not likely to be important if leaked, and this keeps unnecessary costs down without sacrificing anything critical. All external and internal sensitive information should be encrypted if it is convenient because, in the case of external information, it increases the difficulty of understanding which information is important, and for internal information, it doesn't hurt to encrypt if it is convenient. Sensitive information with value this high and identified threats should always be encrypted in transit, even internally.

High risk: In high risk situations, loss of life or similar high consequences may be the result of sensitive information leaks. As a result, all sensitive information should be encrypted in transit. Non-sensitive information should be encrypted internally if convenient and externally if feasible, for the same reasons as the medium risk situation.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved