Crackerjack security

 


Federal information technology managers' data encryption options are about to expand.

There are three encryption standards approved for government use by the National Institute of Standards and Technology: the Digital Encryption Standard (DES), Triple DES and Skipjack.

By the end of the summer, NIST is scheduled to release a new Federal Information Processing Standard for data encryption called the Advanced Encryption Standard. AES is designed to replace the aging DES and will coexist with other FIPS-approved cryptographic standards.

AES, like DES and Triple DES, is a symmetric encryption algorithm, which means that the same key both encrypts and decrypts the data. AES is well-suited for securing data on disks and performing other tasks for which a single encryption key is practical.

Skipjack, on the other hand, is an asymmetric encryption method. Asymmetric encryption, also known as public-key encryption, encrypts messages with two pairs of keys. Each user of a public-key system has a private, or secret, key known only to that user and a published, public key.

To send an encrypted message to someone, you would encrypt the message with your private and his public key; the recipient would use his private and your public key to decrypt. Exchanging keys requires a public-key infrastructure for the dissemination of keys.

Asymmetric encryption standards such as the Digital Signature Algorithm and the public-domain RSA are approved for use by NIST as digital signature systems because they can establish the identity of a sender through his or her public key.

AES will add some dearly needed encryption muscle to the government's data security arsenal in a form that will undoubtedly find favor among software developers.

Part of its likely popularity will be because AES is theoretically exportable. AES differs from current encryption standards in that it is based on an algorithm developed overseas, called Rijndael (pronounced rain doll or rhine dahl, according to the FIPS document).

The Bureau of Export Administration heavily regulates the export of U.S. encryption software, though it eased export restrictions on software last October with the most recent update to the bureau's policies.

Export restrictions on encryption technology have been a barrier to commercial software developers for two decades. U.S. software companies using encryption in their products had to ship dumbed-down versions with weaker security capabilities for export. The PGP encryption standard, from Pretty Good Privacy Inc. of San Mateo, Calif., became a rallying point for 'cypherpunks' protesting the laws as a restriction of free speech.

In fact, the restrictions on U.S. cryptographic products led to the success of overseas encryption software companies, such as Baltimore Technologies of Ireland, which were free to sell their products inside and outside the United States.

AES also offers stronger encryption than most current standards for encryption, as it supports encryption keys of 128, 192 and 256 bits in length, and encrypts data in blocks of 128 bits. The algorithm can be extended to encrypt in larger blocks and use larger keys in increments of 32 bits, but the current FIPS standard sets these three key lengths and the 128-bit block length.

Longer key length means a larger number of possible encryption keys, which lowers the likelihood of someone decrypting data by guessing the key or by trying all possible keys. With 128-bit keys, there are 3.4 x 10^38 possible keys; there are 6.2 x 10^57 possible 192-bit keys and 1.1 x 10^77 possible 256-bit keys.

DES, because of its 56-bit encryption, has about 7.2 x 10^16 possible keys, a relatively small number that makes it susceptible to the 'brute force' method of modern computing. So-called DES cracker machines can discover the key for a DES-encrypted file in a matter of hours.

By comparison, according to NIST, if a DES cracker succeeded in breaking DES in one second, it would take the same cracker software 149 trillion years to crack an AES-encrypted message. For practical purposes, AES is unbreakable through brute force attacks.

So for the foreseeable future, AES will remain a potent encryption tool. It took more than 20 years for DES to become vulnerable, and AES is expected to remain secure for much longer, particularly as hardware makes it possible for AES to encrypt larger blocks with larger keys.

But NIST will formally re-evaluate AES every five years and continue to monitor developments in code-breaking technology to determine if yet another encryption standard is required as a counter.

Only a few software developers have released AES-based encryption software so far, and it's doubtful that AES will displace public-key encryption for most Web and e-mail transactions.

For those applications, systems based on RSA encryption for sensitive data and Tessera or Clipper chip cards for more secure data are sure to remain as standards because they can encrypt data as well as verify identities.
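The key-space figures and the NIST comparison quoted above follow from the key lengths alone. This Python sketch is an added example, not part of the original article; the function names and the 365.25-day year are assumptions of the example.

```python
# Added example (not from the original article): reproduce the key-space
# figures and NIST's DES-vs-AES comparison from the key lengths alone.

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year

KEY_BITS = {"DES": 56, "AES-128": 128, "AES-192": 192, "AES-256": 256}


def keyspace(bits):
    """Exact number of distinct keys of the given length."""
    return 2 ** bits


def sci(n):
    """Format a big integer as 'm.d x 10^e', truncating the mantissa
    (the article's figures are truncated, not rounded)."""
    digits = str(n)
    return f"{digits[0]}.{digits[1]} x 10^{len(digits) - 1}"


def years_to_search(bits, baseline_bits=56, baseline_seconds=1.0, average=False):
    """Years for a machine that exhausts a `baseline_bits` key space in
    `baseline_seconds` to search a `bits` key space.

    Every extra key bit doubles the work, so the ratio is 2^(bits - baseline).
    With average=True, return the expected time (half the space searched).
    """
    seconds = 2 ** (bits - baseline_bits) * baseline_seconds
    if average:
        seconds /= 2
    return seconds / SECONDS_PER_YEAR


def report():
    """One row per algorithm: name, key bits, key count, worst-case years."""
    rows = []
    for name, bits in KEY_BITS.items():
        rows.append((name, bits, sci(keyspace(bits)), years_to_search(bits)))
    return rows


if __name__ == "__main__":
    for name, bits, keys, years in report():
        print(f"{name:8} {bits:3d} bits  {keys:>14} keys  {years:.3g} years worst case")
```

The 72-bit gap between DES and 128-bit AES is what turns one second into roughly 149 trillion years; searching half the key space on average only halves that figure.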

The Lowdown

  • What is symmetric encryption? Symmetric encryption standards use the same key to encrypt and decrypt data. AES, DES and Triple DES are all symmetric encryption algorithms.

  • What is asymmetric encryption? Asymmetric encryption, also called public-key encryption, relies on two pairs of keys to encrypt and decrypt a message. Each pair consists of a private key known only to its user and a published public key. When a user encrypts a message, he uses his private key and the recipient's public key to encode the data. The recipient then uses his private key and the sender's public key to decode the message and verify the identity of the sender. RSA, RC3 and DSS use asymmetric encryption for digital signatures.

  • What is PKI? A public-key infrastructure is a system for issuing public and private keys, and disseminating public keys, usually in the form of digital certificates, for use in decrypting messages or certifying the identity of a sender.

    It usually consists of a certificate authority that generates the certificates and a directory system for distributing, managing and, if necessary, revoking digital certificates. RSA is one form of PKI.



  • What documents determine government encryption standards? Government encryption policies are described in the National Institute of Standards and Technology's FIPS-140-1, Security Requirements for Cryptographic Modules for general requirements; FIPS-46-3, Data Encryption Standard for DES and Triple DES; FIPS-185, Escrowed Encryption Standard for Skipjack; and FIPS-186-2, Digital Signature Standard for RSA, DSA and Elliptical Curve DSA. You can find them on NIST's Web site at csrc.nist.gov.

  • How much do encryption software systems cost? PKI systems, including a certificate authority server and other supporting software, can cost $100,000 or more to deploy, depending on a number of factors.

    The factors include whether the software is used within an organization or as part of a larger secure electronic commerce infrastructure, the number of users and the types of client applications supported. Additional software and toolkits might be required to integrate custom applications into a PKI. If encryption is used merely for data security, with symmetric encryption, the costs are much lower.

    Kevin Jonah, a Maryland network manager, writes about computer technology.