Why use encryption

Why use encryption?

Encryption is the scrambling of data in computer files to ensure that it remains confidential to it's owner and only to those who he decides should have the right to read it. It is achieved by altering the binary representation of that data on the computer through the application of mathematical formulae (algorithms) specially designed for this purpose.

GROWING THREATS TO SECURITY

With the growth of Internet usage and it's applications, has come increasing awareness about security, a rise in the number of security breaches and fears about engaging in the electronic commerce facilities which the Internet offers.

A survey by Barclays Bank found that two thirds of their respondents were unwilling to trust the Internet with their credit card details; another survey by Fletcher Research found that half would not use cards on line. A Wall Street Journal/ NBC poll conducted in the US last October found that fears for personal security and privacy in an era of e-everything topped both war and famine as the biggest threat of the emerging new century. Similar fears, though less intensively held, were found in a survey by the Marketing Society in Ireland last year.

The Internet is primarily used, not for web-browsing, but for email, the insecurities of which are perhaps just beginning to be realized by the general user. (It is often assumed that email travels from sender to recipient directly. This is absolutely not the case. Because of the decentralized nature of the Internet, the messages you send go through multiple mail servers. It is at these points that your email can be intercepted, copied, and stored for later retrieval. It may not even be stored deliberately. Most systems do regular backups, so a considerable portion of your email correspondence probably still remains on your mailserver's backup tapes. Weeks, months, even years after you've sent a message, someone with a modicum of computer expertise can retrieve your mail by using key word search strings.)

The complete openess and insecurity of the Internet has spawned some new protective technologies, such as encrypted VPNs, which we will discuss in more detail later. These are designed to ensure the encrypted transport of data across the Net, or, in the case of firewalls, to keep out unwelcome intruders. But, still today, the main threat to corporate security arises from inside the firewall, i.e. from the corporation's own personnel, either through malice or carelessness.

In the UK, Information Security magazine conducted a survey last April and May among it's (professional) readers, and found that, as is confirmed in all such studies " companies suffer employee access abuses more than any other type of security breach. The 1999 survey shows that, by a large margin, such breaches continue to affect more companies-some 52 percent of reporting companies-than any other type of access breach. However, as global organizations continue to migrate their businesses to the 'Net, breaches involving unauthorized access abuses (read: penetration attacks) are increasing at an alarming rate. According to the survey, the number of companies experiencing such a breach over the last year nearly doubled, from about 12 percent of all respondents in 1998 to 23 percent in 1999. "The internal threat has been the highest threat for so many years that it's almost a knee-jerk reaction at this stage," says Harry DeMaio, president of Deloitte & Touche Security Services. "But as more and more remote users gain increased access to the system, the origin of the threat is changing."

The reality is that, while acknowledging that data in transport, across the Net, is certainly insecure, the greater risk is to data in storage, on the disk- from insider theft, or (laptop) loss, or, while on-line, through intruding virus-type programmes which can simply copy stored data and take it away while the user is busy protecting his probably unimportant email messages!.

(The most effective way to protect stored data while on the Internet, is to have it encrypted on a closed Disk Cryprite disk partition- where it remains completely inaccessible)

TECHNOLOGY SOLUTIONS

Encryption is a very necessary part of the solution to these problems, though, of course, not the complete answer in itself. But-there is no practical solution which does not include encryption. Access passwords and firewalls (on their own) are not good defensive technologies, because their failure to provide real protection has been demonstrated repeatedly. Intrusion scanners and anti-virus programmes- which are only as good as yesterday's virus- have a role to play and are experiencing increasing sales, but cannot, for example, protect against insider attack or loss of data through laptop theft.

So, all experts agree- eCommerce depends on encryption.

But, the question is - what type of encryption? There are various implementations of cryptographic algorithms available on the market or proposed as solutions. (Many of them use weak algorithms and are therefore inherently insecure). Encryption can be applied, in different ways, at different points of the communications chain. No system yet meets all circumstances. And no dominant suppliers have emerged. (In part because the industry and market is in it's infancy)

* Symmetric key systems

The fastest, simplest, least intensive in terms of usage of computing resources and most elegant encryption products are those based on secret key algorithms, where the key used to decrypt is the same as the one used to encrypt the document.

These are typically used for encrypting data in storage- for example in disk encryption- or for transporting data in a relatively small or closed environment such as a LAN. And also in other circumstances where the sender and the recipient of data know each other and/ or have a simple means of securely agreeing what password to use. (They are also typically used inside PKI structures- about which more later- for the actual data encryption function)

The problem- or alleged problem - with symmetric encryption is that the password has to be conveyed to the other correspondent, if the encryption is used for email purposes for example, and if this is conveyed over electronic media it is possible for it to be intercepted by a third party.

* Public Key systems (PKI)

The solution invented to solve this problem is the two-key Public Key system, where each user has connected "public" and private keys, one of which being able to exclusively decrypt data encrypted with the other. The idea is that each user will keep his private key private, never having to convey it elsewhere and will present his public key to all parties who will then use his public key to encrypt messages to be sent to him.

Also, if the user encrypts a message with his private key, then this may be regarded as a method of proving his identity, because only his well known public key can decrypt that message.

Public Key technology has taken off strongly - at least in the media, and on the stock markets, where the shares of leading Public Key Infrastructure (PKI) companies have reached astronomical heights. But, PKI technology also suffers disadvantages which make it less than the ideal solution for all- even for manycircumstances and may yet lead to it's replacement with a more simple alternative.:

Mathematicians and cryptographers argue that the mathematical basis of PKI systems does not provide unbreakability of the ciphers, in theory. Most cryptographers would accept that most PKI systems are weak, in crypto-resistance terms, compared to most symmetric key systems. Indeed, the leading PKI algorithm, RSA, has recently been cracked, in one of it's versions. (RSA and other private/public key systems are not strictly mathematically irreversible)
PKI systems are bewilderingly complex. This arises mainly from the need to prove identity in the faceless electronic media, where all public keys are publicly available and therefore can be used by imposters. To get over this, individuals and corpoprations use digital certificates, which must be certified by authorised Certificate Authorities (CAs). If a certificate should be revoked- as will happen regularly- for example when holders change jobs- or their private keys become compromised- then all previous holders of that individual's public keys must be informed. This becomes very complex and basically unmanageable when certificates are routinely issued to thousands of individuals and thousands of different corporations and authorised by perhaps hundreds of (-often noncompatible-) CAs. Only the largest organisations employing teams of specially trained Systems Administrators can seriously contemplate PKI systems. The following item from PC Week, Jan.25, 1999, is relevant:

"WANTED : SECURITY HELP; IT LABOUR SKILLS SHORTAGE EXTENDS TO ENCRYPTION, FIREWALL EXPERTS

Security vendors estimate that the IT industry will need 500,000 new computer security consultants over the next three years. But universities and other organizations are only producing about a third of that number.

Ultimately, vendors have the best chance of closing the skills gap by taking the arcane elements out of their software and making them easier to implement.

"We have to simplify the conceptual model," said Jeffrey Jaffe, general manager of IBM's Secure Way"

Some of the larger vendors of PKI sytems seem to have more or less admitted that these systems are currently too complex- and expensive- to be contemplated for the B2C (business-to-consumer) market. Indeed, one of the largest vendors has recently bought an applications hosting company, indicating that they may see the future as being in the management of PKI systems for customers, rather than in the supply of the technology.

From the Irish Times, 21st, January, 2000, reporting on a recent international conference on security, attended by one of the world's leading cryptographers, Bruce Schneier:

"For many security experts, such as author and chief technical officer of Counterpane Internet Security, Mr. Bruce Schneier, "Complexity is the worst enemy of security. Unfortunately, the future of the Internet, of our digital systems, is complexity," he said. As a result, computer experts can no longer test systems for all the possible ways in which they might be broken into, he said.

Throughout the conference, panels of some of the best known names in computer security expressed scepticism about software solutions to the problem. Many felt software designed to address the problem only added complexity and further opportunities for hackers. For example, one panelist noted that there were 100 "trusted certificates" in Windows 2000, Microsoft's business operating system due for release next month. The certificates, used to guarantee the identity of a computer user and attest to the reliability of data sent over a network, actually offer 100 new ways to crack into a system, said another panelist, a hacker known only as Mudge."
PKI systems are heavy users of computing resources - and are up to 100 times slower than symmetric systems- and when/ if they become widely adopted are likely to clog up internet lines, slowing down data transport speeds and reducing ISP's quality of service standards.

Our objective here is not to knock the PKI solution, but to point out that the main advantage which it offers- to securely communicate a secret/ symmetric key password to your correspondent over the internet- is somewhat limited by the complexity and other inefficiencies of PKI technology.

Cryprite products currently implement the SVC symmetric algorithm. However, the next versions of the products will be, in addition, PKI-enabled, for those of our customers who wish to sometimes use that option.. (It should also be noted that our main product, Disk Cryprite, is for encrypting stored data transparently on disk, and generally does not need a PKI wrap-around, because it's secret key rarely, if ever, needs to be communicated outside the system)

* VPN technology

Another major sector of the encryption industry- and a leading mechanism for the realisation of the B2B potential of the Internetis the virtual private network, based, not on leased lines or "pay-when-used" private lines, but on the open Internet. The prospect is for massive savings when using the local-call aspects of the Internet, compared to other VPN solutions of recent years. The problem is how to secure messages, files, documents and other data crossing the completely insecure Internet.

From "Computer Business Review", June 1998:

"VIRTUALLY THERE

Virtual private networks - a means of ring-fencing a secure section of a widely accessible network and using it like a private network - are springing up in their thousands. Network providers large and small are rushing to bring new VPN offerings to market.

From a standing start of $200 million this year, the worldwide VPN market will be worth $11.9 billion by 2001, according to market watcher Infonetics Research. That figure applies to VPNs, not intranets with which VPNs are often confused, says Larry Howard, vice president of Infonetics.

The elements of a VPN are simple: an underlying network - perhaps the Internet, perhaps another high speed service such as a mixed satellite and cable network - on which data can be sent. Then data encryption is needed to keep packets secure; user authentication, to ascertain the users are who they say they are; and network access control, to manage who is allowed to do and see what.

Once established, outgoing packets of data are encrypted at source by standard algorithms using 40-bit or longer codes. These very private packets - typically passing between client PCs and central office servers - are sent through a 'virtual tunnel', which is a route across the network, often set out in advance by the routers to ensure security and speed.

Primarily, the use of a public network (such as the Internet) for private communications provides inexpensive and flexible remote user access to corporate systems, as well as office-to-office communications.

Many of these remote users will be mobile workers - salesforce 'road warriors', consultants working at client locations, telecommuters and so on. Today, remote employees commonly dial into a central point through the telephone network. But dial-up is expensive and it can be insecure and slow.

A virtual network is usually cheaper than dial-up and much cheaper than leased lines...

THREE KEYS

Despite the potential savings, VPNs have some serious and interrelated problems. These fall into three categories: security, performance and standards.

The security concerns are multifaceted. Authentication, encryption, and security key management, for example, have to be addressed.

Performance can also be a problem on VPNs. Degradation occurs in two areas. The first is the network. The Internet, which treats all packets the same, frequently gets congested. The problem may be simple overload or router failure. The ability to avoid this is a selling point for private networks.

A second performance issue arises because of encryption. Encoding makes messages safe but at a computational cost. And this extra burden can show up in a number of areas. For instance, a router generally only processes packet headers, but encryption operates on each byte in the packet. So an encrypting router needs much more computing power than one that does not encrypt. The stronger the encryption, the more computing power is needed - and this penalty is felt when messages are encoded and decoded. The degradation varies but it can reduce performance by a third to a half.

STANDARDS BATTLE

A further issue is standards. There are currently three VPN protocols battling it out: Microsoft's Point-to- Point Tunneling Protocol (PPTP), Cisco's Layer Two Forwarding (L2F), and the Internet Engineering Task Force's IPSec. These provide a secure method for sending packets over the Internet.

In spite of this, the standards tussle will probably end soon, with IPSec the victor. First, it has the backing of one of the largest users of private and virtual private networks - the US automotive industry. Second, it is the only one of the three standards that provides for the key management necessary for security. And third, PPTP and L2F are merging into Layer Two Tunneling Protocol (L2TP). L2TP specifies that IPSec should be used for packet encryption in IP environments."

As the article points out, the three major problems to be resolved before VPN's true- and enormous- potential is to be realised are Security (meaning, basically, encryption); Performance (-divided into congestion =encryption and encryption=computational cost-); and Standards (also = which encryption standard, with IPSec winning that one). The encryption problems would be substantially resolved if a way was found to avoid the heavy computational aspects of today's PKI systems and speed up the encryption process. For this we, naturally, propose SVC, the fastest algorithm.

But, VPNs have a not-mentioned in-built inefficiency: ALL data travelling through the VPN's firewall is encrypted automatically (-occupying gateway computational resources and slowing traffic-), including that data which is not sensitive and doesn't need encryption. This inefficiency becomes a more unacceptable economic cost as traffic/ usage of the VPN rises. Ultimately, it is far more efficient to distribute the encryption/ decryption task- away from the bottle-necked gateway and down to individual networked PCs, for example. And, another problem with VPNs - data is decrypted at the firewall and freely roams in plain text form inside the local network- where, today, most security breaches happen!.

So, a return to the original concept of desktop encryption, even when operating in networks and over VPNs, might well be on the cards.

It is therefore perhaps appropriate to advise the reader that HST/Cryprite has "Network Conductor" under development - with important aspects being patent-pending - and this is an extension of our File Cryprite technology. Currently, our technology permits the transport of files, securely, from one user's password system to another's, within a LAN. Our system is very user friendly and very low on usage of computational resources. In a near-future version, we expect to provide a method of transporting files safely across the open Internet, to all correspondents, without the requirement of VPN technology being in place.