Internet.com ISP-Planet

 


 

Managed Security Services

Encryption: An Overview

This article provides an overview of the various types of encryption that are available for your ISP's data.

by Gerald Williams
of CrossNodes, an EarthWeb site
[October 2, 2001]

Any data that travels across wires or through the air is vulnerable. Depending on the value of the data and the need to protect it, network managers often elect to encrypt transmissions. Encryption essentially uses an algorithm, together with a value called a key, to change the data before it is sent. The receiving station then uses the key to restore the data to its original content.

Although encryption is an effective privacy safeguard, its strength can vary based on the type and size of the key. Smaller keys are easier to break than larger keys. However, longer keys require more computation, and this can slow transmissions.

In addition, companies must ensure that the keys they use remain protected. In response to the vulnerability of the keys, some vendors use asymmetric encryption, which uses two keys. Anyone who wants to receive an encrypted message (the receiving station) creates a unique key, which it keeps secret (a private key), and another key, which can be distributed (a public key). The receiving station holds the private key, and only the receiving station can decrypt messages sent using its public key.

Keys can be any size, but most range from 40 bits to 256 bits. Any encryption neophyte needs to know about types of encryption (methods of turning data into code) and also about protocols (methods of transmitting data over the Internet) that use encryption.

Popular types of both include (this list contains a mishmash of items):

  • WEP (Wired Equivalent Privacy)—a protocol for wireless connections; the current standards call for 40-bit encryption, but a 128-bit specification is planned.
  • 3DES (Triple Data Encryption Standard)—uses multiple keys and multiple encryption/decryption passes to enhance the security provided by simple DES.
  • IPSec (IP Security)—a protocol that provides encryption for the IP protocol. Network managers can choose to encrypt the entire packet or only the data.
  • PKCS (Public Key Cryptography Standard)—distributes encryption keys for workstations outside of the corporation. The most popular version in use is number 11.
  • Pretty Good Privacy (PGP), often conflated with Blowfish, its encryption algorithm—allows systems to negotiate a complex number for each session. The number serves as the key for scrambling and restoring e-mail.

Looking for a business solution
Even if normal transmissions do not warrant encryption, network managers need to worry about e-mail messages. These frequently carry sensitive corporate and personal data and require protection. An emerging standard, S/MIME, uses 40-bit symmetrical encryption for all messages. The message also carries a digital signature, and the receiving station must receive this signature before it decrypts the message. The system, which is being adopted by several e-mail providers, uses a 40-bit key.

International companies also must beware of national laws. Some encryption algorithms that use large keys cannot be exported to foreign countries, so the network manager must implement the best possible encryption that falls within the legal guidelines.

Maintaining Throughput
Networks that do not require high throughput will find that software-based encryption adequately protects transmissions. Networks that require more throughput, however, will require a different approach.

Vendors market individual cards that reside in each workstation as well as network appliances. Both devices can help alleviate the bottleneck that complex encryption can create.

Individual cards install in the workstation. These can help balance transmission loads across the network, but they still use server time. Appliances run alongside the server. Although they also require some server processing, they offload many of the encrypting and decrypting tasks.

Some products enhance the integrity of the encryption by changing keys at regular intervals during a transmission session. Substituting keys on an ongoing basis makes it hard for anyone to intercept the number of packets needed to decipher an unknown key. This, combined with large keys, represents one of the more secure methods available.
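
The in-session key change described above, sketched as an added example (not from the original article or any vendor's product): both ends step a one-way ratchet every `interval` packets, so no single key ever covers more than that many packets. The `Endpoint` class, the `interval` and `MAX_SKIP` values, and the HMAC-based keystream standing in for a real cipher are all assumptions made for illustration.

```python
import hmac, struct
from hashlib import sha256

MAX_SKIP = 64  # assumed cap on ratchet steps a single packet may trigger
def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, sha256).digest()

def keystream_xor(key, seq, data):
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a real cipher (illustration only).
    stream = b"".join(prf(key, struct.pack(">QI", seq, i))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Endpoint:
    def __init__(self, shared_key, interval=4):
        self.key, self.epoch, self.seq, self.interval = shared_key, 0, 0, interval

    def _epoch_key(self, seq):
        # Walk the one-way ratchet forward to the key that covers this sequence number.
        skip, key = seq // self.interval - self.epoch, self.key
        if not 0 <= skip <= MAX_SKIP:
            raise ValueError("packet outside the acceptable key window")
        for _ in range(skip):
            key = prf(key, b"rekey")
        return self.epoch + skip, key

    def seal(self, plaintext):
        seq, self.seq = self.seq, self.seq + 1
        self.epoch, self.key = self._epoch_key(seq)
        header = struct.pack(">Q", seq)
        body = keystream_xor(prf(self.key, b"enc"), seq, plaintext)
        return header + body + prf(prf(self.key, b"mac"), header + body)

    def open(self, packet):
        if len(packet) < 40:
            raise ValueError("truncated packet")
        header, body, tag = packet[:8], packet[8:-32], packet[-32:]
        seq = struct.unpack(">Q", header)[0]
        epoch, key = self._epoch_key(seq)
        if not hmac.compare_digest(tag, prf(prf(key, b"mac"), header + body)):
            raise ValueError("authentication failed")
        self.epoch, self.key = epoch, key  # commit only after the tag verifies
        return keystream_xor(prf(key, b"enc"), seq, body)

def demo():
    # Constructed sample: 10 packets, a new key every 4 packets, packet 5 lost in transit.
    sender, receiver = (Endpoint(sha256(b"constructed demo key").digest()) for _ in range(2))
    wire = [sender.seal(b"payload %d" % i) for i in range(10)]
    return wire, receiver, [receiver.open(p) for i, p in enumerate(wire) if i != 5]
```

Because the receiver derives the key from the packet's sequence number, a lost packet does not desynchronize the two ends, and once it has moved to a later key it can no longer open packets sealed under an earlier one.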

Business clients sending large amounts of data generally recognize the need for encryption, but the process can slow communications. Each packet must be encrypted and decrypted, and that takes processor cycles.

As a result, ISPs need to assess their risk. If an ISP sends financial data or sensitive information, encryption becomes a requirement.

—End
