Data encryption refers to the process of transforming electronic information into a scrambled form that can only be read by someone who knows how to translate the code. Encryption was already used by Julius Caesar in the days of the Roman Empire to scramble letters and messages. It played a major role in many wars and in military circles generally. Encryption has turned electronic in modern times. It is today very important in the business world as well. It is the easiest and most practical method of protecting data stored, processed, or transmitted electronically. It makes electronic commerce possible by protecting credit card and personal information. It is also commonly used to scramble the contents of contracts, sensitive documents, and personal messages sent over the Internet. More and more institutions, including small businesses with data to protect, also use encryption to protect data on their computer in-house.
Encryption comes from the science of cryptography, which involves the coding and decoding of messages in order to protect their contents. One of the most ancient forms of it is letter substitution—thus, for instance, sending the next letter in the alphabet instead of the actual letter in the text. Ifmmp xpsme/ thus spells out Hello world. In the electronic environment, every symbol has a numerical value expressible in binary notation. Thus the letter A is 01000001 and the letter a is 01100001. Humans cannot make out a vast stream of zeroes and ones, but it is child's play for a computer. Patterns of letters are therefore transformed before transmission by using an arbitrary key; the key may be used in arithmetic, logical, or other ways to make the underlying meaning inaccessible to anyone who does not know the key. The more binary digit the key has, the more difficult the code is to crack—meaning that the longer it takes a computer system, attempting to break the code, to find the key by trial and error. Very safe encryption methods in the mid-2000s made use of 128-bit keys; such keys were used in financial transactions; but newer systems were being fielded using 168 and 256 bits.
TYPES OF ENCRYPTION PROGRAMS
There are two main types of data encryption systems. In the first—which is variously known as private key, single key, secret key, or symmetric encryption—the sender and the recipient of the data both hold the same key for translation. This single key is used both to code and to decode information exchanged between two parties. Since the same key is used to encrypt and decrypt messages, the parties involved must exchange the key secretly and keep it secure from outsiders. Private key encryption systems are usually faster than other types; they can be cumbersome when more than two parties need to exchange information.
The second, and more commonly used, type of data encryption system is known as a public key system. This approach involves two separate keys: a public key for encoding information; and a private key for decoding information. The public key can be held and used by any number of individuals and businesses, whereas only one party holds the private key. The system is particularly useful in electronic commerce: the merchant holds the private key and all customers have access to the public key. The public key can be posted on a Web page or stored in an easily accessible key repository. Public key encryption systems are widely available on the Internet and heavily used by large companies.
The best-known data encryption program is called RSA. It was developed in the late 1970s by three graduates of the Massachusetts Institute of Technology—Ronald Rivest, Adi Shamir, and Leonard Adleman. As of the mid-2000, there were more than a billion installations of RSA encryption programs on computer systems worldwide. RSA scrambles data based on the product of two prime numbers, each of which is 100 digits long. RSA is known as a public key encryption system, meaning that many people can use it to encode information, but only the person who holds the key (or knows the value of the two prime numbers) can decode it again. RSA is embedded in hundreds of popular software products, including Windows, Netscape Navigator, Quicken, and Lotus Notes. It is also available as a free download from the World Wide Web.
A number of other data encryption programs enjoy wide use as well. Examples include Pretty Good Privacy (PGP), which is considered easy to use; Secure Sockets Layer (SSL), which is used by many companies that accept online credit card orders; Secure Electronic Transactions (SET), another popular method of handling credit card purchases that is backed by Visa, Mastercard, Microsoft, IBM, and other major players in electronic commerce; and Data Encryption Standard (DES), which was invented by IBM in the mid-1970s and became the U.S. government standard.
DES is a good example of the life-cycle of encryption systems. Unlike diamonds, they are not forever. More powerful and faster computers are able to tackle and break the best the older codes. Thus in 1998, as reported by James Swann in Community Banker, the Electronic Frontier Foundation cracked a DES code in less than three days; the year after, another network comprised of 100,000 computers cracked the key in 22 hours and 15 minutes. For this reason The National Institute of Standards and Technology proposed in 2005 that DES be decertified for government work. It will most likely be replaced by Triple DES, also an IBM product. 3DES, as it is known, makes the code much harder to crack by using a 168-bit key.
MOTIVATION FOR ENCRYPTION
Encryption systems cost money in the form of software and greater computer capacity. Processing of encrypted data in and out also adds time to all procedures. But the money is well spent. Betsy Spethmann, writing in 2005 for Promo magazine, reports that security breaches of systems holding customer data cost their owners on average $14 million per incident. In addition, once such breaches become known, the database owner typically loses at least 20 percent of its customers. Shedding troubled customers in large numbers is likely to accelerate. At present, Spethmann reports, 21 states "have laws requiring marketers to notify customers or employees when security of personal data has been breached. The federal legislature is considering at least five bills on data security and notification."
TRENDS IN ENCRYPTION PRACTICES
In the early 2000s, many corporations materially strengthened their defenses against the interception of transmitted data by encryption; they also fortified their information systems with ever better firewalls against intruders. Trends in the mid-2000s have been to focus on internal security. More and more companies, as reported elsewhere in this volume (see "Computer Crime"), have begun to focus on the enemy within. As one article in Information Week put it in its title, "You Know These Security Threats—You Hired Them."
In many companies data are routinely encrypted before transmission to another site—but remain in clear, unencrypted language on the computer itself, protected only by a system of passwords. When these machines are backed up at night on tape, vital proprietary data are simply hanging on a rack, stored on magnetic tape—tapes small enough to fit comfortably into a generously sized canvas shopping bag. These data are all too frequently simply stolen.
More and more companies in consequence are extending encryption to storage tapes used for backup. They are also exploring off-site storage of back-up data on distant computers where they reside in encrypted form. Even such methods are not sufficient to protect data from individuals who, by the very nature of their jobs, have access to the sensitive data. Thus, at the boundaries of encryption other techniques of supervision and control must be devised to protect information where scrambling, however effective and however well protected by keys of ever increasing digits, still do not provide protection.
see also Biometrics; Internet Security
Angwin, Julia. "Internet Encryption's Password is 'Slow.'" Wall Street Journal. 28 March 2000.
Britt, Phillip. "Encryption Key to Data Security." Information Today. November 2005.
"Internet Security Gateway Targets Small Network Environments." Product News Network. 16 December 2005.
Komiega, Kevin. "Tape Encryption Not a Security Cure-All." InfoStor. January 2006.
Korper, Steffano, and Juanita Ellis. The E-Commerce Book: Building the E-Empire. Academic Press, 2000.
MacVittie, Don. "Don't Be The Next Data Debacle—Implement tape encryption now, before you find yourself in the white-hot spotlight for all the wrong reasons." Network Computing. 24 November 2005.
"No One-Stop Shopping to Stop Database Pilferages." eWeek. 21 December 2005.
Spethmann, Betsy. "Data Security Mistakes Cost an Average $14 Million." Promo. 23 November 2005.
Swann, James. "Preparing for Triple DES security." Community Banker. December 2005.
"You Know These Security Threats—You Hired Them: New products are designed to stop threats that come from the inside." Information Week. 31 October 2005.
Hillstrom, Northern Lights
updated by Magee, ECDI
Data Encryption Standard (DES)
DATA ENCRYPTION STANDARD (DES)
Highly sensitive digital information is often the target of computer hackers, international spies, and criminals. In order to protect such information, in 1977 the National Security Agency (NSA) and the National Bureau of Standards (NBS) adopted the Data Encryption Standard (DES) to protect sensitive, unclassified, non-military digital information from unauthorized access. Encryption is the intentional scrambling or masking of digital data to protect it from compromise.
DES utilized symmetric-key (or private-key) encryption, in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message. The key is a string of digits that has been generated by a complex mathematical algorithm, or formula. Private-key encryption differs from public-key encryption, which utilizes two keys—a public key to encrypt messages and a private key to decrypt them. Private-key systems are simpler and faster, but their main drawback is that both parties must somehow exchange the key in a secure manner. Public-key encryption avoids this problem because the public key can be distributed in a non-secure way, and the private key is never transmitted. In the former case, secrecy is shared between only two users, whereas in the latter, the public key is a more or less an "open secret." Thus, public-key encryption requires many more bits to rival private-key systems' level of protection.
Though the NSA usually supervises development of governmental encryption systems, its hesitation over creating such a system for public use led to an open call for the system's design. Ultimately IBM produced a 56-bit key algorithm that became DES. Controversy arose over the extent to which DES-encrypted products could be exported outside the United States, since federal regulations govern export of encrypted items. Security considerations led the U.S. government to limit the export of encryption systems to those of 40 bits or less. Since DES employed 56 bits, most products incorporating DES could not be exported, despite a report on national encryption policy issued by the National Research Council in 1996 that called for a relaxation of export regulations.
DES underwent its most serious challenge in 1998, and failed. The Electronic Frontier Foundation constructed a custom-designed machine, which broke open a DES-encrypted code in 56 hours. Subsequent tests, conducted on 100,000 PCs networked with the EFF machine, reduced the time required to 22 hours. This procedure resulted in the lifting of the U.S. restrictions on exporting DES-encrypted products.
DES's efficacy under continuous surveillance and was reassessed every five years after its inception. The 1998 EFF crack-through concluded that DES' Achilles heel was its short key length. It was recommended that DES should be replaced by Triple DES, a modified version employing 112- or 168-bit keys. DES's versatility also was limited because it worked only in hardware, and the explosion of the Internet and e-commerce led to much greater use and versatility of software than could have been anticipated by DES's designers.
As DES's vulnerabilities became apparent, the National Institute of Standards and Technology (NIST) opened an international competition in 1997 to find a permanent replacement for DES. To be christened the Advanced Encryption Standard (AES), the replacement would be operable into the 21st century. NIST recommended a minimum key length of 128 bits, and sought to guarantee that encrypted files would continue to be secure even after AES was eventually phased out. In addition, the algorithm had to implement public-key cryptography and work with key sizes of 128, 192, and 256 bits. Flexibility also was a premium concern of AES' designers. AES had to function with eight-bit processors, smart cards, ATM networks, high-definition TVs, voice-recognition systems, and satellite communications. Finally, it had to be available internationally on a non-exclusive, royalty-free basis.
Ultimately, DES was testament to the pace of technological change in the late 20th century. It was considered to be adequately powerful and impenetrable in its day. However, the cracks in DES widened into gaping holes as cryptographic and computer technology developed, and as the Internet and other networked systems heightened the need for flexible and durable encryption.
Anthes, Gary H., and Patrick Thibodeau. "IT & the Feds: The Five Years." Computerworld. June 14, 1999, 52.
Harrison, Ann. "Advanced Encryption Standard." Computerworld. May 29, 2000, 57.
——. "Cryptographers Urge Review of Standard." Computerworld. August 23, 1999, 4.
——. "Encryption Standard Finals." Computerworld. August 16, 1999, 6.
——. "Feds Propose New Encryption Standard." Computerworld. October 9, 2000, 14.
Hulme, Geroge V. "Commerce Department Picks Rijndael Encryption Formula." InformationWeek. October 16, 2000.
Landau, Susan. "Designing Cryptography for the New Century." Communications of the ACM. May 2000.
Loshin, Pete. "Cryptographic Turning Points." Computerworld. August 28, 2000.
Messmer, Ellen. "Crypto Proposal Faces Long Journey." Network World. October 16, 2000.
Yasin, Rutrell. "U.S. Picks AES Encryption Spec: Belgian Formula Seen Overcoming DES's Vulnerability to Hackers and Hardware Requirements." Internetweek. October 9, 2000.
SEE ALSO: Advanced Encryption Standard; Cryptography, Public and Private Key; Digital Certificate; Digital Signature; Encryption; Hacking
Data Encryption Standard
DES can be used simply as a block cipher, in which case its “mode of operation” is called Electronic Codebook (ECB). The three other NBS-recommended modes of operation are Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback (OFB). These increase the security of the system by using DES as a building block in a stream cipher, and differ regarding recovery from possible errors of transmission.
The US National Security Agency announced in 1986 that it would no longer certify the algorithm, so it lapsed as an official standard. It should now properly be called the Data Encryption Algorithm (DEA), although DES remains its most usual name, and it continues to be used throughout the world despite being regarded as insecure for many purposes since brute-force exhaustive key searches have become feasible in some contexts.