Data security and encryption

An increasing number of corporations and businesses are becoming concerned about data security. This is especially true with the rise of remote access work, where employees access corporate networks from home, hotels, or on the road through cellular services. IS managers have to consider protecting the data that is being sent back and forth over the Internet and telephone lines so that anyone who intercepts the data cannot read it. The only real way to do this is encryption.

For the next few columns we'll look at the issue of encryption, how you can install it on customers' networks and laptops, how much of an impact encryption has on daily use, and what your choices are when considering encryption technology.

Encryption has become a huge business. Companies dedicated to the issue are becoming important players, including the Nortel spin-off Entrust. Just a couple of years ago getting really good encryption was difficult, as intelligence agencies (notably in the US) tried to prevent encryption algorithms from being too strong, which would have prevented them from snooping. In the US it was illegal to export any encryption product that had anything better than 40-bit encryption until last year (encryption systems are considered a weapon). With the ease of access of free or shareware encryption products through the Internet, as well as pressure from application and operating system vendors, 128-bit encryption products can now be distributed to all but a few countries.

Without going into detail, encryption uses a key to scramble data, making it unreadable to someone who doesn't have the key to decode it. The longer the key, the more time necessary to crack the encryption code. Simple password encryption works well, as the password must be known explicitly. When you scramble a message or data with the password, only that same password can decrypt the message.
If you are curious about how easy password-based encryption tools are to use, check out CodedDrag (http://www.fim.uni-linz.ac.at/codeddrag/codedrag.htm). CodedDrag was developed at the University of Linz (Austria) and provides a very fast implementation of the Data Encryption Standard (DES) encryption tool. (In fact, CodedDrag offers DES, Triple-DES, and Blowfish encryption methods; the latter two are much more difficult to break than DES.) CodedDrag is embedded as part of the Windows 95/98 or Windows NT desktop, adding encrypt and decrypt menu options. After supplying a password to the system once, files are encrypted and decrypted so quickly you don't notice the action. This product is excellent for protecting files that can be captured by others, especially for laptop users. Corporate users really should put this kind of product on every laptop their employees take out of the office. An evaluation copy of CodedDrag is free, and registering the copy for unlimited use is a matter of a small donation to the site's server fund.

Public-private key encryption is much more popular with Internet users as it allows for decoding of messages without knowing a different password for each. The way a public-private key system works is simple: you have two keys or password strings, one which is freely available to anyone and the other, your private key, which only you know. For someone to send an encrypted message to you, they need your public key. The encryption software then jumbles the message based on your public key. After you receive the message, only the private key can unscramble it again, making you the only person who can read it. The public key cannot unscramble the message. When you want to send a message to someone else, you need their public key. To help spread this type of encryption, many users append their public keys to their e-mail.
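The public/private key flow described above, together with the earlier point that longer keys take longer to crack, as an added example that is not part of the original column. It uses textbook RSA on constructed toy keys in plain Python; the function names and sample primes are assumptions chosen for illustration, and real tools add padding and use far longer keys.

```python
# Textbook RSA on toy keys, showing the public/private split.
# Illustration only: no padding, tiny keys. Real tools use vetted libraries,
# padding such as OAEP, and keys of 2048 bits or more.

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(message: bytes, public_key) -> int:
    """Scramble a short message with the recipient's PUBLIC key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)

def decrypt(ciphertext: int, key) -> bytes:
    """Apply a key's exponent to the ciphertext and return the raw bytes."""
    exponent, n = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def rebuild_private_key(public_key):
    """Why key length matters: factor n by trial division, then redo keygen.
    This naive search needs about 2**(bits/2) steps, so it is instant for a
    37-bit modulus and hopeless for a modulus of realistic length."""
    e, n = public_key
    factor = 3
    while n % factor:
        factor += 2
    return make_keypair(factor, n // factor, e)[1]

# Constructed sample keys (well-known primes, chosen only for this demo).
PUBLIC, PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)        # ~150-bit modulus
WEAK_PUBLIC, WEAK_PRIVATE = make_keypair(104729, 1299709)   # ~37-bit modulus

if __name__ == "__main__":
    sealed = encrypt(b"meet at noon", PUBLIC)
    print(decrypt(sealed, PRIVATE))      # the private key restores the message
    print(decrypt(sealed, PUBLIC))       # the public key yields unrelated bytes
    # A too-short key protects nothing: the public half gives away the private half.
    print(rebuild_private_key(WEAK_PUBLIC) == WEAK_PRIVATE)
```
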
One of the earliest commercial products offering public-private key encryption tools was RSA Data Security (http://www.rsa.com), founded in 1977 by three MIT scientists. RSA is still in wide use, and is relatively inexpensive, very secure, and easy to use. The RSA software is available in several forms for different operating systems, but in its simplest form adds a few menu items to browsing tools like Windows Explorer. By selecting a file and using the Encrypt menu option, the document file is automatically encrypted after you enter a password. To decrypt, a menu option brings up a window asking for the password, and if correct the restored file is available. Passwords can be stored to simplify the process.

Many other encryption tools allow menu options like those in RSA to be added to applications such as word processors, saving a step or two in the encryption process. Most tools provide a desktop icon that you can drag and drop files over to encrypt. Some tools, such as Nortel's Entrust, can be embedded in e-mail packages such as Microsoft Outlook for automatic encryption and decryption of messages.

One of the most famous encryption tools is Phil Zimmermann's PGP (Pretty Good Privacy). Zimmermann was criminally charged by the US government because he made PGP freely available over the Internet. The case was eventually dropped but it practically assured the widespread use of PGP, especially in other countries. PGP is available from many Web sites.

Send mail to tparker@tpci.com with questions or comments about this web site.