Secret Codes Meet Security Pros
“Secret codes” were once the stuff of military lore. With the rise of computerization, however, new kinds of code have cropped up and are being put to work by anyone who uses a PC, whether they realize it or not. Known collectively as “encryption,” these codes consist of software-based mathematical formulas, or “algorithms,” that “scramble” information to hide it from unauthorized individuals.
By now, there are so many cryptography systems in use that they constitute a virtual alphabet soup. Triple-DES (Data Encryption System), AES (Advanced Encryption System), and PKI (Public Key Infrastructure) are just a few examples. To a physical security professional, even in the government sector, the names alone might seem mystifying, let alone the distinctions among the various approaches.
The process of hiding information was not always as complicated. During the Revolutionary War, for instance, George Washington and a group of other American sympathizers known as the “Culper spies” used a secret code system developed by Major Benjamin Tallmadge to bury military plans in handwritten letters, a form of communication always in danger of falling into enemy hands. Tallmadge took hundreds of words from a commonly used dictionary, and keyed them to numbers that were then used in the letters instead of the dictionary words.
While Washington and his compatriots lived more than 200 years ago, there are obviously still many contemporary purposes for encryption.
Some users of cryptographic systems are criminals — possibly terrorists. It has been rumored that terrorists used e-mails encrypted with PGP (Pretty Good Privacy) to help plot the Sept. 11 attacks.
On the other side of the law, some encryption vendors, such as Memory Experts Intl., Los Angeles, count the FBI, CIA and Department of Justice among their customers.
Many other users of encryption products are private companies. Their motives range from securing e-commerce transactions on the Internet to protecting health records and other sensitive customer data in e-mail.
In fact, emerging regulations such as HIPAA and the Sarbanes-Oxley Act are serving as huge drivers behind encryption, according to Michael B. Rothman, vice president of CipherTrust, Alpharetta, Ga.
“If you work in the medical field, for example, you can no longer just pick up the paper version of a medical record and take it along with you,” agrees Joe Kieran, a director at Memory Experts.
But many of the pertinent regulations are still emerging, and many customers are still unsure which information needs to be encrypted, Rothman says. “The cost of encrypting all e-mail would probably be prohibitive,” he adds.
CipherTrust makes a piece of network hardware known as IronMail, designed to protect e-mail systems by enforcing the customer’s information security policies about encryption and other aspects of e-mail security. In March, IronMail gained new features to help customers comply with government regulations.
As another force behind encryption, experts point to an increasing movement toward “remote computing” — a term that refers to accessing private internal networks over the public Internet from remote locations, such as home offices and wireless hotspots.
Still, however, many remain leery about encryption. “The biggest fear is that, once something is encrypted, you will not be able to ‘get it back’ by decrypting it,” Kieran says.
Why are there so many different encryption methods out there today? For one thing, various sorts of encryption are best suited to different purposes. S/MIME (Secure/Multipurpose Internet Mail Extensions), for example, is specifically designed for encrypting e-mail, although other techniques can be used for e-mail, too.
SSH (Secure Shell) and IpSEC (Internet Protocol Security), on the other hand, are generally used by information security specialists to protect VPNs (virtual private networks). VPNs constitute a sort of “software tunnel” that runs over the Internet and connects remote users to private corporate networks.
During World War II, before the advent of computer cryptography, the Germans sent secret military plans to one another through an earlier encryption system dubbed “Enigma” — a hardware gadget that used a set of rotating disks, each about the size of a hockey puck. An Enigma machine was required to either encrypt or decipher German battle plans. Unfortunately for the Germans, however, the Allies eventually managed to break the Enigma code, thanks partly to captured documents.
Similarly, today’s software-based encryption systems can also be cracked — especially when adversaries keep chipping away at them over a period of time.
Yet whenever a new replacement comes along, it tends to co-exist with older encryption systems until everyone can catch up to the new technology.
Essentially, there are two types of cryptographic systems — or cryptosystems — in use today. In “secret-key cryptography,” also known as “symmetric cryptography,” the same software “key” is typically used for encrypting and decrypting the data.
In public-key cryptography, on the other hand, each person on the network has access to both a “public key,” which is openly accessible, and a “private key,” which remains secret. The public key is used for encryption, and the private key for decryption.
Making sense of alphabet soup
Here is a short guide to common encryption technologies:
Triple-DES (Data Encryption Standard). DES is probably the most popular secret-key system in use on wired networks today. The much trickier Triple DES is a special mode of DES that comes into play mostly for highly sensitive information. Triple DES uses three software keys. Data is encrypted with the first key, decrypted with the second key, and then encrypted again by the third key.
WEP (Wireless Encryption Protocol) is now the most widely used cryptography system on wireless LANs (local area networks), according to Sumit Deshpande, vice president of Computer Associates’ Wireless Solutions Group. WEP, however, has been widely criticized for “weak” encryption keys that are also “static,” or unchanging.
AES (Advanced Encryption Standard) is starting to replace both Triple DES on wired networks and WEP on wireless LANs. “If you are looking for enterprise-grade, government approved encryption today, AES is where you want to be,” says Kieran, whose company is now working with Microsoft to build AES into the next edition of Windows, codenamed “Longhorn.”
WEP’s security vulnerabilities were first widely publicized in 2001 by researchers at the University of California at Berkeley. A group called the Electronic Frontier Foundation cracked Triple-DES even earlier, back in 1999.
In comparison to the 56-bit keys of DES and Triple-DES, AES uses much stronger 128-bit keys, and even larger 192- and 256-bit keys, when necessary. AES also offers much faster performance, experts say.
However, government agencies and other enterprises moving to AES need to upgrade all supporting hardware. Upgrading the system through a software download over the Internet is not enough. “AES brings a change in the chipset itself,” Deshpande says.
For wireless networks, AES is being built into equipment complying with the new 802.11i protocol.
PKI (Public Key Infrastructure). In contrast to the “secret key” techniques, PKI is one of the best-known methods of public key encryption. Like other public encryption systems, PKI uses pieces of software known as “digital certificates” to validate the authenticity of the public key.
In theory, at least, PKI also calls for the use of a company or government agency known as a “certificate authority” (CA) to issue the digital certificate — as well as for a “registration authority” (RA). The RA is supposed to verify the CA.
Yet although PKI is already rather widely in use, the related CA/RA infrastructure is not yet well developed, experts say.
PGP (Pretty Good Privacy), another public key encryption mechanism, works somewhat differently, making it easier for people to take cryptography into their own hands, instead of relying on information security professionals.
PGP users access a directory — or listing — of public keys known as a “key ring.” Using the PGP product, someone can encrypt a message to anyone who has a public key on the key ring. The sender encrypts the message with their public key, and then decrypts it with their private key.
Alternatively, a sender can use their own “private key” to “sign” the note with a digital signature. The recipient of the e-mail can then get the sender’s public key from the key ring to make sure it was actually the person who sent the message.
H.323 is a new standard in information security that uses a software tunneling system specifically created for multimedia computer content. One area where H.323 comes into play is VoIP (voice over Internet Protocol), a technology used for transmitting voice calls over the Internet instead of over standard phone lines.
Cryptography systems such as IPsec are also used in VoIP. “These other systems treat voice as simply another data source,” says Joe Tomasello, department manager at the Avalanche Group.
Gaining a truly in-depth understanding of all the cryptography systems available today would be a daunting task, but taking a little time to learn the simplest ABCs of encryption will give security professionals insight into one of the most complex technologies in all of information security.