Data Security: It's Not Just for Secret Agents Anymore

Published: November 01 2005, 1:00am EST

The secret agent quietly enters the generic-looking office complex. The agent's assault team has the building surrounded and is standing by in case the operation goes bad. The mission: to find a computer containing information that will save the country from an enemy attack.

The agent moves from the warehouse area to the offices in search of the target's computer. He finds it in the last office. The machine is on, and after gaining access to the computer, the agent starts scanning through files only to find them encrypted.

The agent calls the computer expert at base. The expert "remote controls" the machine and tries some generic passwords - they do not work. The expert runs a password-cracking program, and in seconds, the files are accessible.

The bad guys are caught, the country's security is maintained and the world is saved, all in the course of an hour - excluding commercials, of course!

Television and movies are becoming more and more high tech. It is fun to watch a show with a good plot, cool technology and an enjoyable ending; yet in real life, security concerns are at an all-time high. Employees are reminded to guard their company's proprietary information, laptop users are warned constantly about the threat of theft and home users are becoming more wary of identity theft. Modern-day pirates seek treasure in the form of electronic data.

When networked computing and peer-to-peer environments became the standard 20 years ago, data security meant simply entering a user logon and password. Nowadays, administrator password-breaking programs require that data security goes beyond machine access - security must be at the data level. Encryption is the most effective form of data security.

What is Data Encryption?

The idea behind concealing written information in a coded list of letters and transmitting it to the intended recipient without others being able to understand it has been around for centuries. Historically, cryptography has been used by empires, governments and the military to conceal or encode secret information.

A fascinating account of encryption is the German rotary encoding Enigma machine used during World War II. This machine was used to encode information such as directives and weather reports to units out in the field. When the Allies captured a Navy Enigma machine, they were able to decode sensitive Axis military messages. (See references for more information about the Enigma machine.)

Computer cryptography is based on mathematical algorithms that scramble unencrypted written information, known as plaintext, into an unintelligible mass of characters of encrypted data, known as ciphertext. A key is used to change the plaintext into ciphertext. The key is also used to translate - or decrypt - the ciphertext back into readable plaintext. Since the plaintext is in electronic form, the encryption is done at a bit level. (Recall that eight bits make one byte; one byte can represent an alphabetic, numeric or symbolic character.)

The length of the key determines the encryption level, so the larger the key in bits, the safer the plaintext will be. RSA Laboratories, the research center of RSA Security Inc., explains it this way: "A key of length N bits has 2^N possibilities. For example, an 80-bit key would provide 2^80 or more than one trillion possible keys." If encrypted information falls into the wrong hands and is subjected to a brute-force attack (also called exhaustive search), the adversary tries all possible keys until one is found that decrypts the data into a plaintext message. According to RSA Laboratories, "an implementation of [an 80-bit] key optimized for a single processor on the 8-processor Cray YMP performs about 89,000 encryptions per second. At that rate, it would take more than 400 billion years to try all keys. Assuming the use of all eight processors and aggressive vectorization, the time would be reduced to about a billion years."

Another important aspect of cryptography is the type of key used. There are two types of key encoders or ciphers - block ciphers and stream ciphers. Block ciphers take a group of bits from the plaintext and then mathematically apply the key. Stream ciphers convert the plaintext one bit at a time. Stream ciphers can be designed to be exceptionally fast - much faster than any block cipher.

Standards for data encryption vary between organization types (for example, banking, telecommunications or government) and are regulated by organizations such as the American National Standards Institute (ANSI) and the International Telecommunications Union (ITU-T). See Figure 1 for the encryption types that the U.S. National Institute of Standards and Technology has approved for government use.


Figure 1: Encryption Types

If you examine the references at the end of this article, you'll discover that there are many different encryption types, methods and standards. How you or your clients implement encryption can become its own project. Make sure you do your own research into the options available. Beware of choosing an encryption solution based solely on price - you may find that your data is not properly encrypted, thereby making it easy to crack.

Options for Data Encryption

What are the methods available to encrypt data? Now that you have a basic understanding of encryption, how can you use it? What choices do you or your client have for data protection?

The options available for data security begin at a hardware level. These include:

  • Real-time hardware-based encryption. This consists of a hard drive controller with a USB key. Password protection is also available. Using this method, a printed circuit board is attached "in-line" between your hard drive and the computer. Data to be saved is sent to the controller card, and after being encrypted, the data is written to the hard drive. Decrypting data follows this method in reverse. Encryption schemes are chosen from the controller card's setup screen.
  • Software-based encryption.
      • Hard drive encryption. Software is loaded at boot-up and decrypts the drive. Usually the partition and volume are encrypted.
      • Virtual drive encryption. The software creates a special file on the host system that is used as a virtual drive. Once the virtual drive is in place, it shows up as a drive letter.
      • Individual file encryption. Individual files can be encrypted using the encrypting file system (EFS) feature within Microsoft Windows 2000 or XP. Commercial programs are available for Mac and Linux. There are open source file encryption programs for Mac OS X and UNIX/Linux systems. However, because of the nature of open source programming, there is a risk of compromises to this encryption scheme. Always verify the source and programmer group for these types of programs - that is, let the buyer beware.

There are special systems for e-mail encryption, internal network encryption (where network traffic is encrypted) and also procedures for encrypting Web XML pages.

This leaves one final aspect of data encryption to consider: what if a hard drive with encrypted data fails or if the encrypted data itself becomes corrupted? What are the chances of recovering encrypted data?

Encrypted Data and Data Loss

Data security can be a challenging scheme to implement. It can also be tempting to think that securely encrypted data is invincible. But what if the data doesn't fall into enemy hands? Instead, what if the hard drive simply fails?

According to data recovery experts, the type and level of damage is what can affect the success of the recovery. If the hard drive has sustained physical media damage, such as in the case of a head crash, then a clean room data engineer can work around the physical damage to read the good areas of the drive. Whether data is encrypted or not, the goal is to retrieve all readable data that is on the drive.

When the entire drive is encrypted, a data recovery engineer works with the client in getting the password or key to decrypt the drive. On the other hand, if the keys have been lost or perhaps stolen by a disgruntled employee or a password has been forgotten, the options narrow. Given the probability that the data has been encrypted by means of one of the above advanced algorithms, having the client work directly with the company that designed the software is in the best interest of the client. However, results may be disappointing, as illustrated by the following example.

A user was implementing strong file encryption when the software stopped working during the encryption process. The file was encrypted, but because the operation did not complete, the file was unusable. When the user called the software company for help, they told him that nothing could be done. The user asked if there was a "back door" or a master password to get to the file, and the company responded that by providing such a mechanism they could not guarantee the security of the file and that would defeat the purpose of their software.

The lesson here is that it is imperative to keep the data encryption keys safe, perhaps stored in a different location. If something happens during the encryption process and the decryption key is not produced or is lost, the data that was encrypted may be completely unusable.

Corrupted data falls into a different category. This is where the hard drive is fine, but for some reason the encrypted data is not written correctly to the drive. This can happen with hardware or software encryption methods. The best way to ensure the validity of the data that you or your clients are encrypting is to have a regular backup scheme. As the old adage goes, "Garbage in, garbage out." If the original data has lost its integrity and is then encrypted, the corresponding unencrypted data will not be usable.
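
The two failure modes above (an encryption run that dies partway, and ciphertext that is written incorrectly) can both be guarded against in code. The following is an added example, not part of the original article or any product it mentions: the function names are hypothetical, the cipher is a demonstration stand-in, and a separate MAC key is assumed so that archived copies can be integrity-tested without the decryption key.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Demo stand-in cipher (SHA-256 in counter mode), NOT for production;
    # a real deployment would call a vetted AEAD such as AES-GCM here.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(enc_key, mac_key, plaintext):
    """Encrypt, then append an HMAC-SHA256 tag over nonce + ciphertext."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def is_intact(blob, mac_key):
    """Integrity test for an archived copy; needs only the MAC key."""
    if len(blob) < 48:          # 16-byte nonce + 32-byte tag at minimum
        return False
    expected = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(blob[-32:], expected)

def unseal(enc_key, mac_key, blob):
    if not is_intact(blob, mac_key):
        raise ValueError("ciphertext corrupted or truncated")
    return _xor_stream(enc_key, blob[:16], blob[16:-32])

def encrypt_file_safely(path, enc_key, mac_key):
    """Write path + '.enc'; remove the original only after a verified round trip."""
    with open(path, "rb") as f:
        plaintext = f.read()
    tmp = path + ".enc.tmp"
    with open(tmp, "wb") as f:
        f.write(seal(enc_key, mac_key, plaintext))
        f.flush()
        os.fsync(f.fileno())
    with open(tmp, "rb") as f:      # re-read what actually reached the disk
        if unseal(enc_key, mac_key, f.read()) != plaintext:
            raise ValueError("round trip mismatch; original left untouched")
    os.replace(tmp, path + ".enc")  # atomic rename, so no half-written .enc
    os.remove(path)
    return path + ".enc"

if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)   # constructed demo keys
    blob = seal(ek, mk, b"constructed sample record")
    print(is_intact(blob, mk), is_intact(blob[:-5], mk))
```

Running `is_intact` over backup copies on a schedule catches silent corruption while a good copy still exists to restore from.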

On the positive side, encrypted data from all types of storage media has successfully been recovered.

Keeping data from unauthorized access has become a challenge ever since the advent of electronic data; it seems that encryption has become a necessity instead of an option. You can make the right choices for your data by doing your homework on the best application for you. Don't get overwhelmed - there are many different types of encryption out there. Once you have settled on an encryption scheme, consistently back up your data and test your archived data for integrity.   


References:

  1. More about cryptography: http://www.rsasecurity.com/rsalabs/node.asp?id=2155.
  2. Topics in cryptography: http://en.wikipedia.org/wiki/Topics_in_cryptography.
  3. Rotary encoding Enigma machine: http://cnm.open.ac.uk/projects/stationx/enigma/.
  4. Enigma machine story: http://en.wikipedia.org/wiki/Enigma_cipher.
  5. NIST computer security home page: http://csrc.nist.gov/.
  6. NIST approved encryption schemes: http://csrc.nist.gov/cryptval/des.htm.
  7. PGP-encryption overview: http://www.pgp.com/library/whitepapers/index.html#cryptography.
  8. PGP-whole disk encryption: http://www.pgp.com/news/2004/wholedisk.html.
  9. PGP-backdoor: http://www.philzimmermann.com/EN/faq/index.html.
  10. Skipjack overview: http://www.cs.georgetown.edu/~denning/crypto/clipper/SKIPJACK.txt.
  11. Skipjack specification: http://jya.com/skipjack-spec.htm.
  12. Bitpipe data encryption - vendor white papers: http://www.bitpipe.com/rlist/term/Data-Encryption.html.
  13. Bitpipe data encryption - vendor product review: http://www.bitpipe.com/plist/term/Data-Encryption-Software.html.
