NuCypher’s revolutionary big data encryption layer enables organizations to use military-strength encryption to protect large, distributed data sets in the cloud or on-premise, without sacrificing functionality or performance. It’s the latest advance in the rich history of cryptography and encryption.

Proxy re-encryption is a breakthrough cryptosystem that provides secure access delegation to encrypted data, eliminating many of the performance and functionality constraints typically associated with encryption — just what is needed for protecting large-scale, distributed big data platforms.

David Núñez, Postdoctoral Researcher at NICS Lab

The Use of Cryptography Dates Back to Caesar

In Roman times, messengers carried encrypted communications as a way to send information. A second messenger traveled separately, carrying the decryption scheme. This separation of duties protected the underlying message in the event of capture or interception. While the transmission mechanism has changed, the core challenge remains.

In today’s enterprise, cryptography protects the secrecy and integrity of data. But traditional cryptographic schemes do not scale well. They aren’t suited for big data platforms where many users process massive amounts of data on distributed servers. Designed for structured relational databases, legacy encryption products lack the ability to scale in dynamic, petabyte-scale, distributed computing architectures. None are optimized for big data platforms and distributed file systems like HDFS. And certainly not for cloud environments.

When it comes to securing big data in the enterprise, existing encryption solutions are insufficient in yet more ways. Hadoop’s transparent data encryption (TDE) lacks basic key rotation capabilities, forcing manual, time-consuming workarounds. This makes it difficult to fit into existing enterprise security infrastructures and comply with standards requiring key rotation such as PCI. It also creates security risks when used in cloud environments, exposing secret keys to the cloud provider.

You Can’t Use Data You Can’t Unlock

In a single-user system, access control is straightforward. The user creates all the keys protecting content and there is no key distribution problem. But with multiple users, group members must communicate with the content owner to obtain decryption keys. This key exchange creates operational barriers and security risks. When sharing access to massive amounts of data among many users in big data environments, traditional approaches break down. At it’s core, the NuCypher cryptosystem is a new approach to key exchange. It provides temporary keys to decrypt the data and manages who has the rights to use these keys. To achieve this, NuCypher uses breakthrough re-encryption technology.

Delegated Access via Proxy Re-encryption Is the Secret Sauce

Secure Distribution of Encryption Keys
NuCypher supports on-premise key management so that keys never leave your control. Instead, it issues temporary access keys. Your master key is kept secure, and because the access control server never accesses the master secret, it cannot decrypt your data at-will. The content owner can store the master secret key offline, using it only to generate re-encryption keys for the access control server.

Elimination of Latency and Downtime
NuCypher is a cryptographically-enforced access control system based on proxy re-encryption. Data remains encrypted until needed for processing, at which time the owner delegates access rights to the compute cluster or user. By delegating decryption operations to the cluster, NuCypher eliminates latency and downtime.

Unimpaired Data Availability
One of the problems with storing encrypted data in the cloud is revoking access rights. A user with revoked permissions will still have access to the keys, and may maliciously decrypt data. As a result, the data must be re-encrypted. But re-encryption commands may not be received and executed by all of the cloud servers due to unreliable network communications. Because NuCyher delegates encryption operations to the cluster, these issues are mitigated. With NuCypher, processing encrypted data doesn’t require constant communication between compute nodes and the key management service (KMS). This means the KMS doesn’t have to stay online during a job, removing latency bottlenecks and slow requests over the network.

No More Tradeoffs Between Security, Performance, and Cost

With secure, scalable access delegation your administrators, developers, testers, researchers, and analysts will have always-on access to data. You can make data available for analytics across large and complex environments – on-premise and in private, public, or hybrid clouds.