Crackerjack security

The Lowdown

  • What is symmetric encryption? Symmetric encryption standards use the same key to encrypt and decrypt data. AES, DES and Triple DES are all symmetric encryption algorithms.



  • What is asymmetric encryption? Asymmetric encryption, also called public-key encryption, relies on two pairs of keys to encrypt and decrypt a message. Each pair consists of a private key known only to its user and a published public key. When a user encrypts a message, he uses his private key and the recipient's public key to encode the data. The recipient then uses his private key and the sender's public key to decode the message and verify the identity of the sender. RSA, RC3 and DSS use asymmetric encryption for digital signatures.



  • What is PKI? A public-key infrastructure is a system for issuing public and private keys, and disseminating public keys, usually in the form of digital certificates, for use in decrypting messages or certifying the identity of a sender.



    It usually consists of a certificate authority that generates the certificates and a directory system for distributing, managing and, if necessary, revoking digital certificates. RSA is one form of PKI.



  • What documents determine government encryption standards? Government encryption policies are described in the National Institute of Standards and Technology's FIPS-140-1, Security Requirements for Cryptographic Modules for general requirements; FIPS-46-3, Data Encryption Standard for DES and Triple DES; FIPS-185, Escrowed Encryption Standard for Skipjack; and FIPS-186-2, Digital Signature Standard for RSA, DSA and Elliptical Curve DSA. You can find them on NIST's Web site at csrc.nist.gov.



  • How much do encryption software systems cost? PKI systems, including a certificate authority server and other supporting software, can cost $100,000 or more to deploy, depending on a number of factors.



    The factors include whether the software is used within an organization or as part of a larger secure electronic commerce infrastructure, the number of users and the types of client applications supported. Additional software and toolkits might be required to integrate custom applications into a PKI. If encryption is used merely for data security, with symmetric encryption, the costs are much lower.

    With 128-bit AES on the horizon, encryption software gets tough

    Federal information technology managers' data encryption options are about to expand.

    There are three encryption standards approved for government use by the National Institute of Standards and Technology: the Digital Encryption Standard (DES), Triple DES and Skipjack.

    By the end of the summer, NIST is scheduled to release a new Federal Information Processing Standard for data encryption called the Advanced Encryption Standard. AES is designed to replace the aging DES and will coexist with other FIPS-approved cryptographic standards.

    AES, like DES and Triple DES, is a symmetric encryption algorithm, which means that the same key both encrypts and decrypts the data. AES is well-suited for securing data on disks and performing other tasks for which a single encryption key is practical.

    Skipjack, on the other hand, is an asymmetric encryption method. Asymmetric encryption, also known as public-key encryption, encrypts messages with two pairs of keys.

    Each user of a public-key system has a private, or secret, key known only to that user and a published, public key.

    To send an encrypted message to someone, you would encrypt the message with your private and his public key; the recipient would use his private and your public key to decrypt.

    Exchanging keys requires a public-key infrastructure for the dissemination of keys.

    Hey, I know you

    Asymmetric encryption standards such as the Digital Signature Algorithm and the public-domain RSA are approved for use by NIST as digital signature systems because they can establish the identity of a sender through his or her public key.

    AES will add some dearly needed encryption muscle to the government's data security arsenal in a form that will undoubtedly find favor among software developers.

    Part of its likely popularity will be because AES is theoretically exportable. AES differs from current encryption standards in that it is based on an algorithm developed overseas, called Rijndael (pronounced rain doll or rhine dahl, according to the FIPS document).

    The Bureau of Export Administration heavily regulates the export of U.S. encryption software, though it eased export restrictions on software last October with the most recent update to the bureau's policies.

    Sitting on the dock

    Export restrictions on encryption technology have been a barrier to commercial software developers for two decades. U.S. software companies using encryption in their products had to ship dumbed-down versions with weaker security capabilities for export.

    The PGP encryption standard, from Pretty Good Privacy Inc. of San Mateo, Calif., became a rallying point for "cypherpunks" protesting the laws as a restriction of free speech.

    In fact, the restrictions on U.S. cryptographic products led to the success of overseas encryption software companies, such as Baltimore Technologies of Ireland, which were free to sell their products inside and outside the United States.

    AES also offers stronger encryption than most current standards for encryption, as it supports encryption keys of 128, 192 and 256 bits in length, and encrypts data in blocks of 128 bits. The algorithm can be extended to encrypt in larger blocks and use larger keys in increments of 32 bits, but the current FIPS standard sets these three key lengths and the 128-bit block length.

    Longer key length means a larger number of possible encryption keys, which lowers the likelihood of someone decrypting data by guessing the key or by trying all possible keys. With 128-bit keys, there are 3.4 x 10^38 possible keys; there are 6.2 x 10^57 possible 192-bit keys and 1.1 x 10^77 possible 256-bit keys.

    Do the math

    DES, because of its 56-bit encryption, has about 7.2 x 10^16 possible keys, a relatively small number that makes it susceptible to the "brute force" method of modern computing. So-called DES cracker machines can discover the key for a DES-encrypted file in a matter of hours.

    By comparison, according to NIST, if a DES cracker succeeded in breaking DES in one second, it would take the same cracker software 149 trillion years to crack an AES-encrypted message. For practical purposes, AES is unbreakable through brute force attacks.
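The arithmetic behind the key counts and the 149-trillion-year figure above, as an added example that is not part of the original article. It assumes the comparison is an average-case search, so a cracker that breaks DES in one second tests 2^55 keys per second; the function names and the Julian-year constant are choices made for this example. It goes one step beyond the text by counting how many doublings of attacker speed would bring each search down to one year.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year (assumption of this example)

# Key lengths in bits, as stated in the article.
KEY_BITS = {"DES": 56, "AES-128": 128, "AES-192": 192, "AES-256": 256}

def keyspace(bits):
    """Number of distinct keys of the given length."""
    return 2 ** bits

def expected_trials(bits):
    """Average-case exhaustive search finds the key after half the key space."""
    return 2 ** (bits - 1)

def cracker_rate(broken_bits=56, seconds=1):
    """Keys/second of a hypothetical machine that breaks a key of
    `broken_bits` bits (average case) in `seconds` seconds."""
    return expected_trials(broken_bits) / seconds

def years_to_break(bits, rate):
    """Expected years for a machine testing `rate` keys/second."""
    return expected_trials(bits) / rate / SECONDS_PER_YEAR

def doublings_needed(bits, rate, budget_seconds):
    """How many times attacker speed must double before the expected
    search fits inside `budget_seconds` (0 if it already fits)."""
    ratio = expected_trials(bits) / (rate * budget_seconds)
    return max(0, math.ceil(math.log2(ratio)))

def report():
    rate = cracker_rate()  # DES in one second -> 2**55 keys/second
    return [(name, keyspace(bits), years_to_break(bits, rate),
             doublings_needed(bits, rate, SECONDS_PER_YEAR))
            for name, bits in KEY_BITS.items()]

if __name__ == "__main__":
    for name, keys, years, doublings in report():
        print(f"{name:8} {keys:.2e} keys  {years:.3e} years  "
              f"{doublings} speed doublings to reach one year")
```

Each added key bit doubles the expected work, so the 72-bit gap between DES and 128-bit AES is what turns one second into trillions of years.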

    So for the foreseeable future, AES will remain a potent encryption tool. It took more than 20 years for DES to become vulnerable, and AES is expected to remain secure for much longer, particularly as hardware makes it possible for AES to encrypt larger blocks with larger keys.

    But NIST will formally re-evaluate AES every five years and continue to monitor developments in code-breaking technology to determine if yet another encryption standard is required as a counter.

    Only a few software developers have released AES-based encryption software so far, and it's doubtful that AES will displace public-key encryption for most Web and e-mail transactions.

    For those applications, systems based on RSA encryption for sensitive data and Tessera or Clipper chip cards for more secure data are sure to remain as standards because they can encrypt data as well as verify identities.

    Kevin Jonah, a Maryland network manager, writes about computer technology.
