


by Sean Madden, Project Manager, Galaxy Bright:

Encryption is a common term used in our age of the Internet, ecommerce, email and online transactions. What is encryption and how is it applicable to me? In this article, we will break down and give a brief overview of what encryption is, some types of encryption, where you may have come across it and if this level of protection is for you.

Encryption is the process of transforming data into an unintelligible form to prevent the unauthorized use of the data. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called "plain text" and is what a user generally sees on any random site. Actual encrypted data is called cipher text. A cipher is an encryption-decryption algorithm. Below are 3 types:

Data Encryption Standard (DES) is a cryptographic algorithm designed to encrypt and decrypt data using 8-byte blocks and a 64-bit key. It works by a combination of transposition and substitution, thoroughly scrambling the information. Originally developed by IBM and rigorously tested by the NSA, DES was eventually adopted by the U.S. National Bureau of Standards in 1977. This form of encryption created the basis for data protection and was used by the federal government, most banks and money-transfer systems at its inception.

Triple DES (DES3) is a variation of DES in which three 64-bit keys are used for a 192-bit key. Triple DES works by first encrypting the plain text using the first key, decrypting with the second key, and finally encrypting again with the third key. While DES3 was endorsed by the National Institute of Standards and Technology as a temporary standard until the Advanced Encryption Standard was completed, it is still supported by the NIST today as a safe and effective form of encryption.

Advanced Encryption Standard (AES) is a replacement algorithm that is used by U.S. government agencies to secure sensitive but unclassified materials. AES is a symmetric algorithm (same key for encryption and decryption) using block encryption. AES supports key sizes of 128, 192 and 256 bits. It is royalty-free for worldwide use and is expected to offer a sound level of security for the next 20 to 30 years.

Block mode is a method of encryption in which the message is broken into blocks and the encryption occurs on each block as a unit.

Stream mode, generally considered a weaker form of encryption, is another method in which the data is encrypted one byte at a time rather than in blocks.

Options for encryption fall under 3 types: password, data-transmission and column-level. Password encryption simply encrypts stored passwords. Data-transmission encryption protects data transmitted over the network, including data transmitted between the database server and client systems. Column-level encryption sets encryption passwords for columns containing sensitive data, such as credit card numbers. If you set column-level encryption passwords, data in those columns is stored in an encrypted format, and only users who can provide the secret password can view, copy, or modify it.

Password encryption is easy to see: sites where you have to log in and enter a password for verification. Online banking, dating forums, and web email are just a few. Data-transmission encryption is seen in the form of content management, where pages and information are pulled from an SQL, MySQL, Access, or other database. Column-level encryption, the third option, is most commonly found protecting financial information such as a credit card account. If a user frequently uses Amazon, eBay or NetFlix, their Account Payment Option would be protected by column-level encryption.

Public-key cryptography uses a pair of keys: a public key and a private key. The private key is kept secret; the public key is distributed to other users. The public and private keys of a particular user are related via complex mathematical structures in a way that inexorably links one key with the other. This relationship is crucial to making public/private key-based encryption work.

The public key is used as the basis for encrypting a message and can be published openly, while the private key is necessary for the recipient to decrypt the encrypted message. Only the bearer of the private key can decrypt the message. Even the person who did the encrypting cannot decrypt the message he just encrypted, because he does not hold the private key.
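The relationship described above, shown with textbook RSA (an added example, not from the original article): the public exponent encrypts, only the private exponent decrypts, and the encrypting party cannot reverse its own work. The primes here are constructed and far too small for real use; real deployments use 2048-bit or larger keys and padding schemes such as OAEP.

```python
# Added example (not from the article): textbook RSA with small, constructed
# primes to illustrate the public/private key relationship. Not for real use.
from math import gcd


def make_keypair(p, q, e=65537):
    """Build an RSA key pair from two distinct primes p and q.

    Returns ((n, e), (n, d)): the public key and the private key.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)                # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message_int):
    """c = m^e mod n; anyone holding the public key can do this."""
    n, e = public_key
    if not 0 <= message_int < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message_int, e, n)


def decrypt(private_key, ciphertext_int):
    """m = c^d mod n; only the holder of d can do this."""
    n, d = private_key
    return pow(ciphertext_int, d, n)


def demo():
    # Constructed primes just above one million (both are prime).
    public, private = make_keypair(p=1_000_003, q=1_000_033)
    m = 123456789                      # the "message", encoded as an integer
    c = encrypt(public, m)
    # The sender holds only the public key. Applying it again to the
    # ciphertext does not undo the encryption; d is required for that.
    with_public_only = pow(c, public[1], public[0])
    return {
        "ciphertext": c,
        "recovered": decrypt(private, c),
        "with_public_key_only": with_public_only,
    }


if __name__ == "__main__":
    print(demo())
```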

Keys used in encrypted communications have the same problems as conventional keys: they can be lost, stolen, even bought and sold. And some can be discovered by hackers through a method called "social engineering." Hackers don't necessarily use a serious amount of CPU cycles to crack a cipher. Most of the time, they just ask for the password from an unsuspecting technician. They may call up a receptionist "just to chat" and grab a piece or two of crucial information. You'd be surprised how often this occurs.

This does not negate the fact that applications and systems exist that work around the clock to crack encryption. In 1998, a specially developed computer called the DES Cracker managed to break DES in less than 3 days. This was done under a budget of $250,000. The cracker was able to process 88 billion keys per second. For about $1 million, a dedicated machine can be built that searches all possible DES keys in about 3.5 hours.

As technology advances to secure information, so will the development of software to crack it. It's all a matter of who is ahead of the pack. For now, the Advanced Encryption Standard offers the highest level of public encryption to date and has not been cracked.
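Why the key size matters, worked through with the figures above (an added illustration, not from the original article). DES has 56 bits of actual key material in its 64-bit key (the other 8 bits are parity), so the $1 million machine that exhausts the DES key space in 3.5 hours implies a key-testing rate of

$$
R = \frac{2^{56}}{3.5 \times 3600\ \text{s}} \approx \frac{7.2 \times 10^{16}}{1.26 \times 10^{4}\ \text{s}} \approx 5.7 \times 10^{12}\ \text{keys/s}.
$$

Applied to the smallest AES key, the same machine would need

$$
T_{\text{AES-128}} = \frac{2^{128}}{R} \approx \frac{3.4 \times 10^{38}}{5.7 \times 10^{12}\ \text{keys/s}} \approx 6.0 \times 10^{25}\ \text{s} \approx 1.9 \times 10^{18}\ \text{years},
$$

a factor of $2^{128-56} = 2^{72} \approx 4.7 \times 10^{21}$ longer than the DES search. Each additional key bit doubles the brute-force effort, which is why exhaustive search is not a practical attack on AES and why the weak points are elsewhere (lost keys, social engineering, weak passwords).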

Better passwords are alphanumeric and nonsensical, such as "1Am*Sh$b" or "BA8Hw2Lq." Most password-cracking software cycles through a dictionary. If you keep your systems locked down, keep your private keys private, and don't give your root password to your receptionist, your data is probably pretty safe.

Taking these commonsense approaches to protecting your data will help ensure your security for daily operations.

Review the questions below to determine if you need encryption. Does your site:
• need a login area requiring password verification?
• demand an excessive amount of page duplication and/or content editing on a daily/weekly basis?
• need to have ecommerce, where users can buy products online and store account information?
• require clients to access private information for review, approval or upload files?

If the answer to any of the above is "yes" then encryption may be a need for your company. Determining how private you need your information to be is the first step.

Sites that are purely HTML, with information that is accessible to the general public and not private, do not require encryption. Simple login sections for downloads, forums or page editing inside simple content management solutions do not require encryption unless the company deems it necessary.