ENCRYPTION What is it? Does it work?

ENCRYPTION: you see the word every day. It’s offered for flash drives, laptops, file storage and email. It’s made to sound like it is invincible. Is it? Do we need it? Is it everything we imagine it to be?

The use of encryption is increasing as more and more sensitive data is being stored and moved over the www. Everything from bank accounts to credit cards needs protection from a growing number of savvy and sophisticated thieves. The simple online purchase of a tweed kilt can transmit enough personal information to make your pits sweat.

We all know the extent to which phishing and basic rotten thievery has grown. Whole industries have been stripped of thousands of identities, your identity. How do we protect ourselves? Well, we use a SECRET CODE of course. Just like in the old Military movies and Spy dramas.

WHAT IS ENCRYPTION?

Encryption is the process of changing information into unreadable gibberish. The information is transformed by an algorithm, cipher or key. Ciphertext is the code and the algorithm is the decoder ring. Yes, this is an oversimplification but basically it’s correct.
Types of encryption include Symmetric-key encryption and Public-key encryption.

Symmetric Key Encryption

In the beginning, users were given Symmetric-key Encryption. It is the one most like a secret code, as each computer needs the secret key to use the encryption. The very first Symmetric-key encryption was called Data Encryption Standard or DES. It uses a 56-bit key. This allows more than 70 quadrillion possible combinations. That sounds like a lot, but computers get faster every day. It didn’t take long before a new Symmetric standard was put in place. It was called the Advanced Encryption Standard or AES and it uses 128-, 192-, or 256-bit keys. Don’t ask me to say it, but this standard allows for 300,000,000,000,000,000,000,000,000,000,000,000 key combinations. That must be enough, right?

No, even symmetric-key encryption is vulnerable, unless users are communicating through a secure connection. Without that, the data and key can easily be discovered by attackers. What was the solution? Public Key Encryption.

Public Key Encryption

In November of 1976, Public-key Encryption was offered up as a better solution. It uses two keys, one public and one private, to keep the information safe. The private key is for your computer only, and the public key is for computers you are communicating with. To decode a message, each computer must use the public key and its own private key. The structure of Asymmetric-key encryption allows for an infinite number of key possibilities.

Using Asymmetric-key encryption on a large scale requires the addition of even more code in the form of a digital certificate. This unique piece of code gives a “trusted” designation to particular entities such as Web servers. This “trusted” designation is bestowed by an independent source and confirms that the public keys are going to only “trusted” computers. It is one more layer of protection between you and the bad guys. Check your digital certificates by going to the Internet Explorer/Tools/Options/Advanced/Encryption area of your browser.

SSL, or Secure Sockets Layer, is an additional layer. SSL was originally developed by Netscape as an Internet Security Protocol. It has become an integral part of the web and today’s Transport Layer Security, TLS. When you view the https in your browser or the little padlock throughout your system, you know that TLS is checking that the certificate is valid, from a trusted site, and is from the site sending it.

The description above is by no means complete, but it should at least give the beginnings of an understanding and a feel for how it’s progressing. The important question remains. Does it work?

DOES IT WORK?

In a word, yes. Today’s encryption techniques, especially at the file level, are extremely effective. So effective, that law enforcement hasn’t always been able to crack suspect encryption. Should I and the hooded Klebold Look-alike down the street have access to encryption methods that authorities can’t crack? This, of course, is the endless debate our brave governmental protectors grapple with. Should government keep all the good toys for themselves? I don’t think so. Maybe a better debate would be whether encryption should be required by any entity holding or transferring sensitive third party information.

Not being up-to-speed on encryption and the law, I realize I have no idea whether my bank is required to encrypt my personal data. I cringed when reading an article that says Nevada recently put into effect the nation’s first data encryption law prohibiting “businesses from electronically transferring customers’ personal data outside their organization unless it is encrypted.” Is that right? My bank isn’t “required” to encrypt my data? They’re only encrypting to avoid a fine after it’s stolen?

Does all this uncrackable encryption mean you’re perfectly safe? No, not any more than the perfect steak guarantees the perfect meal. How the technology is put together and how it is employed by YOU, that’s the determining factor in security. YOU are the Achilles Heel.

In a perfect “security world” the user has no input on security implementation. That’s great for the perfect world, but that’s not my world. I want my data and I want it now, without a hassle. That’s my attitude for everyday computing. Trying to satisfy me (and you) has led to increasingly complicated security technologies. Giving us what we want and maintaining strong security is a tough game, maybe an impossible game? When you add to that the increased theft risk of mobile devices, it’s easy to see that problems are only increasing as technology continues to permeate our lives.

What was once a matter of securing user data has now become a matter of securely managing encryption keys. Maintaining access to data after keys are lost and coping with security software, passwords, patches, and updates is becoming expensive. Is the “Cloud Computing” we keep hearing about the answer?

Cloud Computing

How does cloud computing figure into this mix? Control of encryption methods and easier-to-manage encryption protocols are two things that can be improved by cloud computing, but they can also be abused by cloud computing. The idea of keeping information in a central location, away from the individual or device accessing the information, is growing. Companies are offering this as a safer, more convenient form of computing. They are benefiting by providing consumers with a “Safe Shelter” for performing their daily tasks. Is it really safer? What happens to the data in the event of a bankruptcy? What happens when a cloud computing entity is sold? Who is checking on your cloud partner?

Because I know that it’s the individual that is most likely to cause system vulnerability, my bet is that statistically, Cloud Computing is the safer alternative. It’s more likely that my data will be kept safer if someone else is managing it. That’s a hard pill to swallow but no harder than when banks came on the scene. What’s safer, a bank or a hole in your yard? Now that I type it out, I’m not sure. Where is my money safer? Where is my personal information safer?

Whether it’s file storage or system maintenance, cloud computing is gaining in popularity as users better understand that they are the “fly in the ointment”, but are we positioned to loosen our grasp? Is it time to let someone else take care of me? These are tough questions.

______________________________________________

Discounting sleep, what is the longest you go without touching a cell phone, computer, iPod, game console, or heart monitor? Face it, you’re immersed in technology. You are drowning in it. Does your house have a Command Center?

Your State’s “Security Breach Disclosure Laws”.


8 thoughts on “ENCRYPTION What is it? Does it work?”

  1. Encryption is a very useful tool in today’s ever-growing e-scam world. Are any of us safe? In two words… Absolutely NOT! The few protocols that are in widespread use are available to any programmer to find and abuse. It’s insanely ironic that for anyone who is smart enough to create an encryption, there are 500+ people learning how to break it. Therein lies the problem; good guys and bad guys will not go away. Nor will the desire to help protect or try to exploit the majority of the population that doesn’t know how to use a computer. The Baby Boomers make up almost 1/3 of the population (North America) and MAYBE 20% of them can use a computer without assistance. That’s a huge figure: North America (minus Mexico) is roughly 350 million people, making about 117 million born between 1947-1966 (the baby boom). Using 20% as a generous estimate of savvy computer users, that leaves about 94 million people to pay the “geeks”. I’m all for stopping this identity theft BS and starting the “let’s help the uninformed/incapable”; we’ll all get rich just the same as long as we can code programs that teenagers can’t crack!

  2. A lot of discussion but no hard & fast answers. Beyond the tools some of the more PC savvy of us are familiar with, this article space could have been better used on a tutorial on protection in the real world…..

  3. Hmmm, I really don’t like the look of that cloud computing. Give someone else complete control over my system and what I can and can’t do etc…no thanks, I’d rather be my own Admin 🙂

  4. Um, the “what is encryption” part of this article is not correct at all. The problem with symmetric encryption isn’t the finite number of keys. Asymmetric encryption doesn’t even give you an infinite number of keys (at least, not any more than symmetric encryption – you can increase the number of bits in both, but they both are vulnerable to brute-force attacks).

    The actual problem is that symmetric encryption requires both of you to be using the same key (thus “symmetric”). So you somehow need to *give* the symmetric key to the other person. How do you do this securely without having an existing secure connection? It’s a chicken-and-egg problem.

    Asymmetric key crypto actually works by doing a mathematical trick. You generate two numbers (using some complex math) where anything one number encrypts the other can decrypt, and vice versa. You make one of the numbers “public” and one “private”. When you give out the public key, you can say, “encrypt everything you send to me using this public key. I (and only I) will be able to decrypt it using my private key.” Similarly, to sign something, you encrypt your message using your own private key and can say, “You can decrypt this message using my public key. This means it was encrypted using my private key, which only I have access to.” (There is some further sophistication to make sure you don’t accidentally reveal your private key, don’t send a message so short that the *message* can be guessed, and such.)
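The two-number relationship described in comment 4, as an added example that is not part of the original post or its comments: textbook RSA used once to hand over a symmetric key (the chicken-and-egg problem) and once to sign. The function names, the two Mersenne primes and the sample messages are assumptions made for this illustration; it hashes before signing and omits the padding the commenter alludes to, so it is not usable as real cryptography.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)); d undoes e because e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # ValueError if e shares a factor with phi
    return (e, n), (d, n)

def apply_key(key, value):
    """One operation for both halves: what one key transforms, the other reverses."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)

def digest_as_int(message, n):
    """Hash the message and reduce it so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    return apply_key(private_key, digest_as_int(message, private_key[1]))

def verify(public_key, message, signature):
    return apply_key(public_key, signature) == digest_as_int(message, public_key[1])

# Constructed sample key: two well-known Mersenne primes, picked only because
# they are easy to recognise as prime. Real keys use random 1024-bit+ primes.
PUBLIC, PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)

def demo():
    # Key transport: anyone can wrap a symmetric key with PUBLIC,
    # but only the holder of PRIVATE can unwrap it.
    session_key = 0x5EC2E7  # constructed stand-in for a symmetric key
    wrapped = apply_key(PUBLIC, session_key)
    recovered = apply_key(PRIVATE, wrapped)
    # Signature: produced with PRIVATE, checkable by anyone holding PUBLIC.
    sig = sign(PRIVATE, b"pay 10 to alice")
    return {
        "wrapped_differs": wrapped != session_key,
        "recovered": recovered == session_key,
        "good_sig": verify(PUBLIC, b"pay 10 to alice", sig),
        "tampered_sig": verify(PUBLIC, b"pay 99 to alice", sig),
    }

if __name__ == "__main__":
    print(demo())
```
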

  5. A good reminder that the individual determines much of the safety of the internet. It is so easy to open the door to vulnerability.

  6. In the UK, by far the worst culprit for losing personal data is the government.

    On one occasion it lost personal data relating to 23 million people on unencrypted CDs. In other words, personal data belonging to over a third of the entire UK population was lost in one hit.
