ENCRYPTION: you see the word every day. It’s offered for flash drives, laptops, file storage and email. It’s made to sound like it is invincible. Is it? Do we need it? Is it everything we imagine it to be?
The use of encryption is increasing as more and more sensitive data is being stored and moved over the www. Everything from bank accounts to credit cards needs protection from a growing number of savvy and sophisticated thieves. The simple online purchase of a tweed kilt can transmit enough personal information to make your pits sweat.
We all know the extent to which phishing and basic rotten thievery have grown. Whole industries have been stripped of thousands of identities, your identity. How do we protect ourselves? Well, we use a SECRET CODE of course. Just like in the old military movies and spy dramas.
WHAT IS ENCRYPTION?
Encryption is the process of changing information into unreadable gibberish. The information is transformed by an algorithm, cipher or key. Ciphertext is the code and the algorithm is the decoder ring. Yes, this is an oversimplification, but basically it’s correct.
Types of encryption include Symmetric-key encryption and Public-key encryption.
Symmetric Key Encryption
In the beginning, users were given Symmetric-key Encryption. It is the one most like a secret code, as each computer needs the secret key to use the encryption. The very first Symmetric-key encryption was called Data Encryption Standard or DES. It uses a 56-bit key. This allows more than 70 quadrillion possible combinations. That sounds like a lot, but computers get faster every day. It didn’t take long before a new Symmetric standard was put in place. It was called the Advanced Encryption Standard or AES and it uses 128-, 192-, or 256-bit keys. Don’t ask me to say it, but this standard allows for 300,000,000,000,000,000,000,000,000,000,000,000 key combinations. That must be enough, right?
No, even symmetric-key encryption is vulnerable, unless users are communicating through a secure connection. Without that, the data and key can easily be discovered by attackers. What was the solution? Public Key Encryption.
Public Key Encryption
In November of 1976, Public-key Encryption was offered up as a better solution. It uses two keys, one public and one private, to keep the information safe. The private key is for your computer only, and the public key is for computers you are communicating with. To decode a message, each computer must use the public key and its own private key. The structure of Asymmetric-key encryption allows for an infinite number of key possibilities.
Using Asymmetric-key encryption on a large scale requires the addition of even more code in the form of a digital certificate. This unique piece of code gives a “trusted” designation to particular entities such as Web servers. This “trusted” designation is bestowed by an independent source and confirms that the public keys are going to only “trusted” computers. It is one more layer of protection between you and the bad guys. Check your digital certificates by going to the Internet Explorer/Tools/Options/Advanced/Encryption area of your browser.
SSL or Secure Sockets is an additional layer. SSL was originally developed by Netscape as an Internet Security Protocol. It has become an integral part of the web and today’s Transport Layer Security, TLS. When you view the https in your browser or the little padlock throughout your system, you know that TLS is checking that the certificate is valid, from a trusted site, and is from the site sending it.
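An added example, not part of the original article: a toy Python sketch of the two ideas above, a public/private key pair and a certificate signed by an independent authority, which the client checks before trusting a public key. The primes, host names and helper names are assumptions made up for illustration, and textbook RSA without padding, as used here, is for teaching only.

```python
import hashlib

# Toy textbook RSA built from Mersenne primes, no padding. Illustration only.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # (public key, private key)

def encrypt(public, m):                      # anyone holding the public key can lock
    n, e = public
    return pow(m, e, n)

def decrypt(private, c):                     # only the private-key holder can unlock
    n, d = private
    return pow(c, d, n)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data, n)

def _body(host, public):
    return f"{host}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, host, server_public):
    # The "independent source" vouches for the pairing of a name and a public key.
    return {"host": host, "public": server_public,
            "sig": sign(ca_private, _body(host, server_public))}

def check_certificate(ca_public, cert, expected_host):
    # The name must be the site we asked for, and the authority's
    # signature must cover exactly this name and this public key.
    return (cert["host"] == expected_host and
            verify(ca_public, _body(cert["host"], cert["public"]), cert["sig"]))

# Constructed sample data (hypothetical authority and shop).
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
CERT = issue_certificate(CA_PRIV, "shop.example", SRV_PUB)

if __name__ == "__main__":
    m = int.from_bytes(b"tweed kilt order", "big")
    c = encrypt(CERT["public"], m)
    print(check_certificate(CA_PUB, CERT, "shop.example"), decrypt(SRV_PRIV, c) == m)
```

A certificate whose host name or public key has been altered after signing fails `check_certificate`, which is the condition a browser reports as a certificate error.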
The description above is by no means complete, but it should at least give the beginnings of an understanding and a feel for how it’s progressing. The important question remains. Does it work?
DOES IT WORK?
In a word, yes. Today’s encryption techniques, especially at the file level, are extremely effective. So effective that law enforcement hasn’t always been able to crack suspect encryption. Should I and the hooded Klebold look-alike down the street have access to encryption methods that authorities can’t crack? This, of course, is the endless debate our brave governmental protectors grapple with. Should government keep all the good toys for themselves? I don’t think so. Maybe a better debate would be whether encryption should be required by any entity holding or transferring sensitive third-party information.
Not being up-to-speed on encryption and the law, I realize I have no idea whether my bank is required to encrypt my personal data. I cringed when reading an article that says Nevada recently put into effect the nation’s first data encryption law prohibiting “businesses from electronically transferring customers’ personal data outside their organization unless it is encrypted.” Is that right? My bank isn’t “required” to encrypt my data? They’re only encrypting to avoid a fine after it’s stolen?
Does all this uncrackable encryption mean you’re perfectly safe? No, not any more than the perfect steak guarantees the perfect meal. How the technology is put together and how it is employed by YOU, that’s the determining factor in security. YOU are the Achilles Heel.
In a perfect “security world” the user has no input on security implementation. That’s great for the perfect world, but that’s not my world. I want my data and I want it now, without a hassle. That’s my attitude for everyday computing. Trying to satisfy me (and you) has led to increasingly complicated security technologies. Giving us what we want and maintaining strong security is a tough game, maybe an impossible game? When you add to that the increased theft risk of mobile devices, it’s easy to see that problems are only increasing as technology continues to permeate our lives.
What was once a matter of securing user data has now become a matter of securely managing encryption keys. Maintaining access to data after keys are lost and coping with security software, passwords, patches, and updates is becoming expensive. Is the “Cloud Computing” we keep hearing about the answer?
How does cloud computing figure into this mix? Control of encryption methods and easier-to-manage encryption protocols are two things that can be improved by cloud computing, but they can also be abused by cloud computing. The idea of keeping information in a central location, away from the individual or device accessing the information, is growing. Companies are offering this as a safer, more convenient form of computing. They are benefiting by providing consumers with a “Safe Shelter” for performing their daily tasks. Is it really safer? What happens to the data in the event of a bankruptcy? What happens when a cloud computing entity is sold? Who is checking on your cloud partner?
Because I know that it’s the individual that is most likely to cause system vulnerability, my bet is that statistically, Cloud Computing is the safer alternative. It’s more likely that my data will be kept safer if someone else is managing it. That’s a hard pill to swallow but no harder than when banks came on the scene. What’s safer, a bank or a hole in your yard? Now that I type it out, I’m not sure. Where is my money safer? Where is my personal information safer?
Whether it’s file storage or system maintenance, cloud computing is gaining in popularity as users better understand that they are the “fly in the ointment”, but are we positioned to loosen our grasp? Is it time to let someone else take care of me? These are tough questions.
Discounting sleep, what is the longest you go without touching a cell phone, computer, ipod, game console, or heart monitor? Face it, you’re immersed in technology. You are drowning in it. Does your house have a Command Center?
Your State’s “Security Breach Disclosure Laws”.