The Cryptography Conundrum

By Greg McNevin

Is encryption the final plug for mobile data security and digital communications? To encrypt or not to encrypt, Greg McNevin investigates…

You only have to glance at the papers to see that instances of data security breaches are on the rise.

If it’s not a careless employee leaving their laptop full of highly-sensitive company data in their car at the footy, it’s a backup tape going missing in the mail. If someone isn’t sneaking sensitive documents out the door on a flash drive, they could be losing their keys down at the local, USB key and all. And let’s not forget improper deleting and cleansing methods used for old hard drives and outdated hardware. Around US$50 in Africa these days will buy you some poor soul’s bank account details undeleted from a PC that was recycled from Europe or America.

If these kinds of nightmarish data security breaches are keeping you awake at night, then perhaps it’s time to think about incorporating some kind of encryption into your business processes.

Encryption has been used by governments and the military for centuries to protect communications, and now in the information age, it is becoming more important than ever. Encryption as we know it emerged in the 1970s, when it was mostly used by secretive government agencies. It is now, however, used to protect widely-used systems where privacy is paramount. These typically include those of finance companies and mobile phone networks, although this list is rapidly expanding as businesses and individuals embrace the benefits it offers for data protection.

If you’re using a modern PC, then you will already be using some form of encryption. Whether it be for email, online shopping or internet banking, as our home and work lives move further and further into the digital world, security for our identities, our communications and our privacy means more than just an access password.

Password Precipice

In the spirit of Talking Heads’ David Byrne, you may ask yourself, “I have a firewall, network logon, email password and this snazzy new laptop with fingerprint identification... What more security do I need?” Well, a logon password can be cracked in a number of ways if a hacker is determined and resourceful, or on the flip side it can be completely circumvented with some hardware tinkering.

Data on lost or stolen PCs can be viewed by simply installing a new operating system, or shifting the hard disk into a new machine altogether. There are also many different ways that offline attacks can circumvent BIOS and software security measures and strip a machine’s data.

When data is encrypted it cannot be read without the right decryption key, and modern techniques simply cannot be broken by the brute force technique of computing every possible combination. Even with a bank of the most powerful computers on the planet it could potentially take thousands of years to break a modern cryptographic code.

For example, a 128-bit number has a possible 2 to the power of 128 different combinations. To give you a visual, that’s 3,402,823,669,209,384,634,633,746,074,300,000,000,000,000,000,000,000,000,000,000,000,000 combinations. While it may resemble Bill Gates’ bank balance in Lira, this kind of number would intimidate any number cruncher Cray or IBM could put together. To make matters worse for crackers, algorithms like Blowfish support up to 448 bit encryption these days.

Whether you have confidential records you would like to stay just that (such as medical records), suspect that an employee or associate may not be as honourable as once thought, or wish to transmit sensitive data over distance, encryption can provide peace of mind for company directors, and stay the hands of government regulators and lawyers, particularly when securing mobile data on laptops.

Scrambled Storage

Cryptography has traditionally been widely used in industries such as banking & finance, telecommunications and insurance, where information security and privacy are what keep them in business. These days, however, with greater computing resources at the ready, all businesses that have sensitive data should be protecting themselves with some form of encryption.

But what form will a typical encryption solution take? Storage vendors in particular, and quite aptly, are leading the charge somewhat by bundling easy to use encryption software with many of their products.

A number of USB keys that have appeared in IDM’s Tools and Tech section over the last several issues alone have included some form of encryption. Verbatim’s Store N’ Go Pro and SanDisk’s Cruzer Profile both come standard with some form of PIN-driven security. The Cruzer actually comes with a fingerprint scanner – a biometric key that is becoming more widely used in security with every passing day.

With its upcoming Vista operating system release, Microsoft is also playing its part in bringing the security of data encryption into the mainstream. Microsoft says that one of its top requests from customers for Vista is protection against data theft or exposure. With its new BitLocker Drive Encryption hardware feature, it claims that Vista machines can be protected from data breaches both on and offline by encrypting the entire Windows volume.

Encryption stops data from being compromised if a hard disk is removed and plugged into another system, and if system files are tampered with, Vista will not boot. The key for Vista’s encryption comes in the form of a PIN code or, as in the T3 Security Suite IDM looked at earlier this year, a USB flash drive that holds the decryption keys. If the PIN is missing or the USB key absent, the system is rendered useless.

Open Source Security

There are quite a few different products and companies on the market these days, so if you want to move up to the next level of security there are naturally a number of ways you can go. More often than not these days, there is also an open source alternative. The security potential of a strong cryptosystem is actually quite similar to a piece of open source software. The system needs to assume that everyone has the source code (in this case the algorithm) and be defended accordingly. In cryptography, the key should be the part that is most secret, not the underlying algorithm.

With that in mind, if it’s communications you need to protect, then the quirkily named Pretty Good Privacy (PGP) is a well known example of this kind of encryption, and one that is already widely used for email encryption, digital signatures and internet faxing. A combined symmetric and asymmetric system, a PGP implementation is achieved by installing a plugin in one of many popular email clients. Some of these include Microsoft Office Outlook and Outlook Express, Eudora, Mozilla Thunderbird and Apple Mail. Plugins are actually separate from the PGP package, so it is recommended that any plugin is thoroughly tested with the entire PGP system to ensure security is on the level.

PGP also has an open source equivalent called GNU Privacy Guard (GPG), which many consider extremely formidable due to it being open source in the first place.

If your important data encompasses more than just fax and email, however, another popular form of encryption is available for Virtual Private Networks (VPNs). An effective way of linking remote branches, VPNs encrypt all traffic between end points. This is typically done by using a secure sockets layer (SSL), another symmetric and asymmetric combination that you will commonly see when browsing secure areas with your web browser. A URL beginning with “https://” for example, indicates an SSL connection, one that supports both client and server side authentication for secure, encrypted communication.

VPNs using standards such as SSL to encrypt information enable the secure transmission of data over any internet connection, provided of course you are using a supported browser such as Internet Explorer, Firefox, Opera or Safari to name but a few. This is a secure and extremely cost effective way to enable secure data communications over a disparate network.

Finally, if you are worried about your laptop suddenly disappearing or unfortunately work with a potentially unscrupulous character, then you should probably encrypt your data as a precaution. The popular open source encryption tool TrueCrypt is a formidable tool that enables you to encrypt data on-the-fly without any complicated or time-consuming procedures.

With the ability to encrypt data in mass storage and decrypt it on demand, TrueCrypt is perfectly suited to mobile devices such as laptops and flash drives. It enables the creation of a virtual encrypted disk within a file that will be mounted as a physical drive in Windows or Linux. The disk behaves exactly like a normal drive, even allowing checkdisk to run. If viewed without verification however, the volume appears as nothing more than random data. TrueCrypt supports well known algorithms (such as AES, Blowfish, CAST5, Serpent, Triple DES, and Twofish) and even allows several to be used in conjunction with one another in a cascade to create a virtually un-crackable volume.

It’s all well and good to protect your digital world, however, the spectacular maths required still has to be done somewhere. The thicker your digital ramparts, the more waiting you’re going to have to do for each block of data.

Times vary between algorithms, and especially so if you are cascading several of them. To give you an idea, in TrueCrypt if you are encrypting data stored in RAM, then using AES or Blowfish will give you an encryption rate of around 60MB/s. Cascading AES and Twofish cuts this to around 19MB/s, and if you have a file containing the key to Penelope Cruz’s heart or a map to the Holy Grail and feel the need to cascade three algorithms, then you can expect around 10MB/s. You will most likely never have to use two or three algorithms in a cascade, so 60MB/s is an inconsequential wait for the protection encryption provides. Perfect for keeping your company documents and spreadsheets safe when you are on the move.

The Legal Situation in Australia

Because of its military origins and the threat encryption poses to government control, many countries have imposed laws governing the import, export and use of cryptography and encryption technology in line with the framework set down by the Wassenaar Arrangement (See our brief history of Encryption). In the US for example, there are many restrictions on the importing and exporting of cryptographic products and services, plus uncomfortable laws such as California law SB 1386, which mandates that companies must publicly disclose when sensitive customer data is compromised. In Australia however, things are a little different.

For example, there are no direct controls limiting the import of cryptographic software or hardware. There are also no restrictions placed on the domestic use of cryptography within Australia. Exports are banned in accordance with the Wassenaar Arrangement.

Australian law also requires that carriage service providers (CSPs, such as Telstra) allow the government access to customer communications if required, and if these communications have been encrypted by the CSP then it must also decrypt them. They do not, however, have to decrypt any information that their customers have encrypted themselves.

This means that any telephone and fax calls that are normally encrypted by carriers can be decrypted at the Government’s request, something some may be uncomfortable with. However, this situation is changing once again with Voice over IP (VoIP). Because the analogue voice signal is converted into digital form before being sent, the resulting data can easily be encrypted with one of the many free software packages available on the internet.

Overall, encryption technology can be used freely in Australia. To balance this apparent freedom, however, the Cybercrime Act 2001 included powers for police officers to procure encryption keys, passwords and anything else necessary to decrypt protected evidence.

Chances are, you are already using encryption in one form or another in your day to day business dealings. That said, something that is implemented broadly and for the lowest common denominator is not always the best solution to fill all the gaps in the solution for your business.

Encryption can help you secure your communications, both voice and data. It can provide that extra level of security to your filed-and-forgotten archives and it can protect your sensitive data from accidental loss, malicious damage and unintended exposure. And these days, it can do it all without necessarily making a negative impact on productivity and your bottom line.

A small investment in protection can add up to a lot when you’ve prevented the loss of your intellectual property, or worse, reputation. Greater mobility combined with greater emphasis on digital document delivery, archiving and communications mean greater precautions must be taken to ensure security beyond human error and human nature. What price can you put on peace of mind?

A Brief History of Data Encryption

With instances appearing as far back as ancient Greece, encryption has been around for as long as the need for secure communications.

War is most often the engine behind advances in cryptographic technology, so it is not surprising that some of the first references to encryption appear in Plutarch’s writings on Greek history. He tells of Spartan generals who used thin cylinders called “skytales” to scramble their penned communications. Wrapping parchment around the cylinders enabled one to pen a message that would only be readable again if wrapped around a set of skytales of the same size.

Years later during the fifth century BC, messages were sent between Persia and Greece tattooed onto the skulls of slaves, the message hidden until their heads were shaved once more. These are two examples of ciphers (methods of encoding information so it is unreadable without special tools or information). Others include numerical substitution, where numbers on a grid correspond to letters of the alphabet (the first recorded occurrence of which also resides with the Greeks) and, while not strictly a cipher, the use of obscure languages such as Navajo (used by the US in WWII) has also been employed as a form of communication encryption.

Encryption has evolved over the years from simple substitution codes, to mechanical methods such as the German Enigma machine (notorious for its part in Germany’s WWII defeat), to modern software packages that use complex mathematical algorithms to encrypt digital information.

The early 70’s saw the rise of the Data Encryption Standard algorithm (DES). Featuring a 56-bit key for encrypting and decrypting data, the DES was established in the U.S. and was at the time considered secure. The rapid evolution of processing power has forced its retirement however, as it can now be cracked quite rapidly by simply trying every possible code combination. It has been replaced by the Advanced Encryption Standard (AES) which uses a 128, 192 or 256 bit key, levels of encryption considered to be beyond the capabilities of any computer to break in the foreseeable future.

Because of its military applications, countries such as the U.S. and Britain have put strict controls in place to restrict the export of cryptography. Called The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, the agreement aims to encourage greater transparency and responsibility between countries trading encryption technologies. It does not dictate policy, however; it just provides a framework that can be adhered to.

Any encryption product with a key of over 64 bits should be subject to certain controls according to the arrangement. This includes products where intellectual property is protected with encryption, such as DVDs, and new forms of digital rights management (DRM) that we are starting to see within the digital music industry, although consumer products are far less regulated than communications equipment.

Types of Encryption

Most forms of computer encryption fall into two categories:
- Symmetric-key encryption
- Asymmetric-key (otherwise known as public-key) encryption

In symmetric encryption, each computer has a key (or code) that is used to scramble a packet of information before it is transmitted. It requires the key to be installed on each machine and is similar to having a secret language that only the key-keepers speak.

Asymmetric encryption on the other hand, uses both a private key and a public key. The private key is known only by your PC, while your PC gives the public key to any computer that wants to communicate securely with it. Data is encrypted using the public key, but can only be decrypted with the private key.

Symmetric encryption is fast and light on system resources. However, as it requires both parties to hold the key to encryption/decryption it is not suitable for wide use on its own. Giving every possible contact you are likely to email the right key isn’t exactly an efficient way of protecting communications.

Asymmetric encryption on the other hand is much more suitable for wide scale use due to its use of a public key that can safely be used to encrypt the data. Once a connection is established, the computers exchange public keys and verify each other’s identities before proceeding with any data exchange. This solves the security issue; however, asymmetric encryption is rather slow and resource intensive, particularly when working with larger files, so on its own it is also not perfectly suited to many situations.

Because of these two factors, most systems use a combination of symmetric and asymmetric encryption. For example, when two computers create a secure session (such as your laptop connecting to an email server, or a web browser connecting to an internet banking website), asymmetric encryption will be used to encrypt a symmetric key and send it to the other computer. This will allow both to communicate securely for the duration of the connection, with the symmetric key discarded once the session is terminated. This allows the benefits of both to be used harmoniously.

There are many kinds of symmetric algorithms, with some of the most common being the Data Encryption Algorithm, DEA (otherwise known as the Data Encryption Standard, DES), its recent replacement the Advanced Encryption Standard (AES), Twofish, Serpent, SKIPJACK and Blowfish. Well-regarded asymmetric algorithms include Digital Signature Standard (DSS), Diffie-Hellman, Paillier cryptosystem and RSA.

Anything less than 64 bit is considered to be weak, particularly the old standard of 40 bits which can be broken by an average home computer in a matter of weeks (a custom built cracking system can do it in seconds, while banks of “drones” collected by hackers can also rapidly break it with a brute force attack). A larger bit count doesn’t necessarily mean more security. Blowfish has 448 Bit encryption, however, 128 Bit encryption (as found in the Advanced Encryption Standard) is considered to be secure for the foreseeable future.

It should be noted that there is a big difference between symmetric and asymmetric key sizes. While 128 Bit is considered secure for symmetric, 1024 is considered to be the minimum for asymmetric while 3072 Bit asymmetric is as secure as 128 Bit symmetric.
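
The session set-up described in this section, as an added example that is not part of the original article: the client wraps a fresh 128 Bit AES key with the server's 3072 Bit RSA public key (the two key sizes the article treats as equally strong), and both sides then use the symmetric key for the traffic. It assumes the third-party Python "cryptography" package; the function names and the sample message are constructed for illustration.

```python
# Added example: hybrid session set-up (RSA-3072 key transport + AES-128-GCM).
# Assumes the third-party "cryptography" package; all names are illustrative.
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def server_keypair(bits=3072):
    """Long-lived asymmetric key pair; only the public half leaves the server."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()

def client_start_session(server_public_key):
    """Client picks a fresh 128-bit session key and wraps it for the server."""
    session_key = AESGCM.generate_key(bit_length=128)
    wrapped = server_public_key.encrypt(session_key, OAEP)
    return session_key, wrapped

def server_accept_session(server_private_key, wrapped):
    """Server recovers the session key; only the private key can unwrap it."""
    return server_private_key.decrypt(wrapped, OAEP)

def seal(session_key, plaintext, context=b"demo-session"):
    """Encrypt and authenticate one message; a nonce must never repeat per key."""
    nonce = os.urandom(12)
    return nonce + AESGCM(session_key).encrypt(nonce, plaintext, context)

def unseal(session_key, blob, context=b"demo-session"):
    """Decrypt one message, rejecting anything modified in transit."""
    try:
        return AESGCM(session_key).decrypt(blob[:12], blob[12:], context)
    except InvalidTag:
        raise ValueError("message failed authentication") from None

def demo():
    priv, pub = server_keypair()
    client_key, wrapped = client_start_session(pub)
    server_key = server_accept_session(priv, wrapped)
    blob = seal(client_key, b"constructed sample: Q3 payroll figures")
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])   # flip one bit in transit
    try:
        unseal(server_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "keys_match": client_key == server_key,
        "wrapped_bytes": len(wrapped),             # one RSA block: 3072 / 8
        "plaintext": unseal(server_key, blob),
        "tamper_detected": tamper_detected,
    }

if __name__ == "__main__":
    print(demo())
```

Current TLS versions agree the session key with ephemeral Diffie-Hellman rather than RSA key transport, but the split between a slow asymmetric step and fast symmetric bulk encryption is the same.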
