Everything you need to know about the stuff that keeps corporate secrets safe online.
It's no secret that not a
lot on the web is secret. In fact, most people with an Internet
connection and a bit of free time can find out plenty about
all kinds of people and subjects without a whole lot of effort.
With the Internet capable of transmitting everything from
pedestrian e-mail to highly sensitive proprietary company
information with equal speed and confidence, the danger of
information being intercepted and read by prying eyes is very
real. That is why the wise business executive needs to understand
the basics of encryption, the science of coding information
that travels electronically. After all, responsibility for
the security of your company and its assets ultimately rests
at the top. Encryption is a murky world, but a fascinating
one, inhabited by lines of code, denizens called cryptographers
and a healthy dose of acronyms. (And math. Lots and lots of
math.) But just what is the stuff? And what does its use mean
to you and your business? Let us venture into this surreal
world, where we will try to help answer these questions. Your
mission, should you choose to accept it: understand encryption.
The single biggest question
for the newly initiated to the information security world
is, what's the difference between security and encryption?
Security encompasses a whole bunch of different things, right
down to whether or not your extra computers are safely locked
in storage, your employees scribble their passwords on little
sticky notes and even how physically secure your building
is. Encryption, the act of scrambling electronic information
so that even if someone intercepts it he can't read it, is
only one piece (albeit a generous one) of the security pie.
Encryption's roots go back to the ancient Egyptians (think hieroglyphics
and the Rosetta Stone), and it played a starring role on the world stage
in the 20th century (think Enigma and the Allies breaking German codes
during World War II, and let us not forget the Russians and the Cold
War). But as business
technology has matured and security threats have become more
pronounced during the last decade, encryption has come into
its own as a mainstream business necessity.
How does an encrypted message
travel?
Rijndael. No, that is not a typo; it's the newest encryption
standard.
A piece of information is encrypted using two parts: an algorithm
and a key. The algorithm is a mathematical formula that uses
a key (a series of characters) to turn data into cipher text,
mixing and blending the data until it looks like a bunch of
gibberish. On the other end, another key unscrambles the data,
turning it back into plain text. The strength of an encryption
system depends not only on the strength of the algorithm that
governs it, but also on how carefully the keys used to encode
and decode the information are developed and cared for. With
most modern encryption systems there are so many possible key
combinations that a computer would have to spend hundreds of
thousands of years to try all the different combinations. The
more bits, or pieces, a key has, the harder it is to break it.
That means most properly encrypted pieces of information are
pretty safe.
But I always misplace my house keys. If I use encryption, do I have
to keep track of another set?
That depends on what sort of key you're using. There are two
different types of keys: public and private. A public key can
live anywhere, on a website, on a Post-it note, or it can travel
from one person to another through e-mail or another public
channel. If you use a private key, it lives on your hard drive
or in another secret place.
To communicate with encrypted messages, two people need to agree
on what key they're going to use to code and decode a message.
It's like saying to a friend, "OK, let's talk in pig latin for
the next five minutes." If this communication gets neglected,
the message recipient won't be able to make heads or tails of
the encrypted information. It's like asking someone to feed
your cat while you're away, but forgetting to give them the
house key.
There are two types of encryption, symmetric and asymmetric,
and they use different types of keys. Symmetric encryption uses
a private key for both encoding and decoding a message. Asymmetric
encryption uses a private key for the encoding and a public
key for the decoding, or vice versa.
Let's say Joe sends a message to Mary encrypted with his private
key. Because Joe's private key is related to his public key,
he tells Mary what his public key is, and she uses that to decode
his message. But Mary can't figure out what Joe's private key
is by his public one, so he can use that private key again and
again to communicate with other people.
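As an added illustration (not code from the original article), here is a toy RSA key pair in Python that walks through the Joe and Mary exchange above in both directions, and also shows the earlier point about key bits: with a tiny modulus the private key can be recovered from the public one in an instant, with a real 2048-bit modulus it cannot. The primes, the messages and the Joe/Mary roles are constructed for the demo.

```python
from math import gcd, isqrt


def mod_inverse(e, phi):
    """Extended Euclid: return d with (e * d) % phi == 1."""
    a, b, x0, x1 = phi, e, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
    return x0 % phi


def make_keypair(p, q, e=17):
    """Build (public, private) from two primes; both keys share n = p*q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (mod_inverse(e, phi), n)


def apply_key(key, values):
    """Raise every value to the key's exponent mod n. One function both
    scrambles and unscrambles: private then public, or public then
    private, returns the original. (Textbook RSA, one byte at a time and
    no padding: fine for a demo, never how real systems use it.)"""
    exp, n = key
    return [pow(v, exp, n) for v in values]


def factor_modulus(n):
    """Trial division. Instant for a toy n, hopeless for a 2048-bit one;
    that gap is the 'more bits, harder to break' point in the article."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


# Constructed demo. n = 61*53 = 3233 > 255, so single bytes fit under n.
joe_public, joe_private = make_keypair(61, 53)

# Article's scenario: Joe scrambles with his private key, Mary unscrambles
# with his public key. Only Joe could have produced this ciphertext.
message = b"meet at noon"
from_joe = apply_key(joe_private, message)
assert bytes(apply_key(joe_public, from_joe)) == message

# The "vice versa" direction: anyone can scramble with Joe's public key,
# and only Joe's private key unscrambles it.
to_joe = apply_key(joe_public, b"card 4111")
assert bytes(apply_key(joe_private, to_joe)) == b"card 4111"

# With a 12-bit n, Mary *can* rebuild Joe's private key from the public one;
# at real key sizes this loop would not finish in her lifetime.
p, q = factor_modulus(joe_public[1])
assert make_keypair(p, q)[1] == joe_private
```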
Is encryption just for sending
messages from one person to another?
Not at all. Many types of encryption
negotiations go on behind the scenes all the time and remain
invisible to users. Take Internet shopping. When Mick the
music fan types his credit card number into Ticketmaster's
website, the browser on Mick's computer, which has built-in encryption
technology, takes responsibility for the transaction. The
browser negotiates with Ticketmaster's server and keeps Mick's
credit card numbers away from prying eyes. A similar thing
happens when you enter your PIN into an ATM; encryption turns
that PIN into a key that unlocks your account information.
Does Uncle Sam have anything to do with encryption?
Funny you should ask. In October of 2000 the National
Institute of Standards and Technology (NIST) chose a new
encryption standard called Advanced
Encryption Standard, or AES for short, that government
organizations will be required to use. Like sheep, others
will migrate to the new standard. The banking industry has
historically used NIST standards, joining the government in
one big, happy standard algorithm party. But why use a standard?
Because the NIST, the arm of the Department of Commerce that
monitors standards, regularly tests encryption standards to
ensure that they are still valid. The more industries that
adopt the NIST's encryption standard, the closer the world
comes to having all systems speak the same encryption language,
the elusive "interoperability" that IT people are always going
on and on about.
How do I know what I need to encrypt?
Keep in mind that for the most part anything you send over
the Internet without encryption is fair game for interception.
So if you are sending sensitive company documents in an e-mail
(probably not a good idea, anyway), you should make sure you
and the recipient use encryption.
Password protection and a bit of luck are not enough to keep
the files on your hard drive safe. Software that breaks through
the weak password barriers most systems use is not only cheap
but readily available, so only encrypted information is truly
safe.
As a businessperson, how much do I need to know about
this?
While nobody expects a business executive to develop a personalized
algorithm for the company, or to try to create an uncrackable
key, you do have ultimate responsibility for the safety of
the corporate goodies. Take e-commerce, for example: its success
largely depends on a website's ability to conduct secure credit
card transactions and assure users that their information
is safe.
Fortunately, there are number-loving folks who are delighted
to do the nitty-gritty work; some theoretical cryptographers
spend their entire lives on a single math problem and wouldn't
be caught dead in a company boardroom. (If there isn't an
expert in your company, it's time to think about getting one
or shop for a hired gun.) But all executives should be aware
that anything truly valuable is better off encrypted. Don't
be blasé about the danger of information hijacking.
Final thought - Even with all the
great tools available at your disposal to defend yourself
from the would-be bad guy, nothing is 100% hack-proof. The
key is to make it difficult enough for him to move on to the
next target.