Encryption is the Key

Jan 1, 2006 12:00 PM, By Sandra Kay Miller



Encryption has a history spanning more than 4,000 years and even today it continues to play an increasing role in modern security practices. No longer limited to government and diplomatic circles, encryption is increasingly gaining traction in nearly every facet of the networked world.

As Ethernet is integrated into numerous access control and security systems — especially for access control panels, fire alarms, time-and-attendance systems, electronic badge readers and surveillance equipment — so grows the requirement to securely communicate with systems through Web-based consoles and across public networks. Increasingly, encryption is the technology of choice to meet this demand.

Symmetric vs. Asymmetric

Encryption is an umbrella term for converting data into a form, called ciphertext, that cannot be read by an unauthorized recipient. Decryption is the process of converting encrypted data back into its original form so it can be read. Both rely on “keys” created by mathematical algorithms: once information has been encrypted using a secret “key,” a key must later be used to decrypt the information so it is again readable.

There are two basic types of encryption algorithms — symmetric and asymmetric. Conventional, also known as single-key, algorithms are symmetric — meaning the exact same secret key is used to encrypt and decrypt. Examples of symmetric algorithms include RC2, RC4, the Data Encryption Standard (DES) and Triple DES. This type of encryption is recommended for both securely transmitting and storing information.

Alternatively, asymmetric algorithms involve two different keys — a public key used to encrypt and a secret private key to decrypt. Public keys are often widely distributed so anyone can encrypt data for the recipient holding the private key. Diffie-Hellman, RSA and elliptic curve cryptography (ECC) are commonly used public-key encryption algorithms.

Although both methods of encryption are considered secure, the Achilles' heel of symmetric encryption lies in transmitting the single secret key needed for decryption, especially when encrypted information is sent to numerous recipients. Distributing secret keys means each key must be sent separately, by a secure method, to each recipient of the encrypted information. If any recipient compromises or loses the symmetric key, everyone's key is compromised, and a new one must be distributed. The upside of symmetric encryption is speed.

Despite being considered the more secure of the two due to the lack of key exchange, asymmetric encryption has a considerable downside — speed. Essentially using two algorithms, the encryption and decryption process can be up to 1,000 times slower than symmetric key encryption.

This dichotomy has led to the creation of hybrid key encryption. Because asymmetric algorithms are best suited to encrypting small amounts of data, the data itself is encrypted with a symmetric key, and that symmetric key is in turn encrypted with the recipient's public key so it can be exchanged securely.

Another major factor in encryption strength is the length of the key itself. Key length is expressed in bits; the longer the key, the more possible combinations an attacker must try. For example, a 56-bit key offers 70 quadrillion combinations. Although this may sound strong, 56-bit keys are no longer considered sufficient, since they can be easily compromised through computerized brute-force attacks. The Advanced Encryption Standard (AES), the standard adopted by the U.S. Government, comes in 128-, 192- and 256-bit lengths. The latter lengths are strong enough to secure information classified as top secret.

Encryption can be accomplished through either software or hardware. Hardware encryption uses a specialized chip, while software encryption is an application running on a device. Hardware encryption is faster and resistant to tampering or accidental change, but the flexibility of the device can be limited. Software encryption is more flexible, allows different algorithms to be used and is less expensive.

Practical application

Information can be encrypted at rest or in transmission, meaning either the data itself is encrypted on the storage media (hard disk, USB drive and tape drive), or the actual transport method, such as a VPN tunnel, SSL connection or wireless channel, is encrypted. Organizations often make the mistake of encrypting both the data and the channel through which it flows. This is unnecessary, slow and, ultimately, expensive.

With the ubiquity of the Internet replacing dedicated lines as a carrier for data, security is becoming a critical factor where it was previously a moot issue. Vendors integrating TCP/IP into products such as environmental sensors, digital monitoring equipment and access control devices have responded by incorporating encryption technologies to meet stringent security requirements, including those for government installations and regulatory compliance mandates such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley.

Secured control and monitoring

More and more, distributed organizations are managing remote locations from a single console to increase efficiency and save money. Physical security, monitoring and power systems gain real-time control, monitoring and alerts regardless of location through hardware, such as Uptime Devices' SensorHubs, NetBotz or Lantronix.

Although these network-enabled products eliminate expensive dedicated wiring and telephone lines for systems such as environmental monitoring and controls that do not necessarily require encryption, other features such as digital surveillance, access control panels and biometric readers would be left vulnerable without secured data or transmission capabilities. In addition to simple monitoring and alerting, control of remote devices — especially those requiring authentication for access — should employ some type of encryption in order to prevent tampering.

Chris Blask, one of the founders of Protego Networks (acquired by Cisco), a member of the PIX Firewall team and designer of the BorderWare Firewall Server, suggests that anywhere passwords are entered over the Internet, encryption should be used.

Another area where Blask sees the use of encryption growing is voice-over-IP (VoIP). Hackers have already begun freely distributing software for eavesdropping on VoIP conversations — Voice Over Misconfigured Internet Telephones (VOMIT).

“Control channels should always be encrypted,” Blask says. “While it is a challenge, we must ensure that eventually all VoIP data traffic is encrypted, as well.”

Bruce Schneier, chief technology officer of Counterpane Internet Security and author of the Crypto-Gram newsletter, agrees that encryption for VoIP is a must for anyone concerned about the security of Internet telephony, but he does not see VoIP encryption as challenging — just a matter of writing the code.

That is exactly what Phil Zimmermann, creator of Pretty Good Privacy, a widely used e-mail encryption program, has been working on. At the 2005 Black Hat Security Conference in Las Vegas, Zimmermann debuted his prototype program for encrypting VoIP. Currently, VoIP companies are hesitant to implement encryption due to the overhead of key management; however, Zimmermann's program uses a unique three-digit identifier that callers exchange to encrypt the call once it has been initiated.

David Endler, director of security research at intrusion prevention vendor TippingPoint and chairman of the VoIP Security Alliance, points out that the protocol for encrypting VoIP already exists but has not been widely used, since few VoIP attacks have been seen. Similar to the rise in the use of encryption for e-mail, encryption for VoIP is expected to increase in proportion to the growth of Internet telephony.

The wireless world

While the majority of encryption applications in the wireless realm focus on the protection of information, encryption is also used to protect the resource itself. The 802.11 standard is nothing more than radio with encryption added for security.

Unfortunately, wireless users who believe the content of their WiFi transmissions is not important enough to warrant encryption often fall victim to the theft of their WLAN resources when they fail to engage the encryption, now standard on all wireless networking equipment.

For instance, take the maintenance contractor of a large university who deployed wireless sensors to monitor HVAC readings throughout the campus while choosing not to turn on any type of encryption. After all, who would be interested in the temperature of the science building or whether or not there was flooding in the building next to the stream that meandered across the campus? At first, the monitoring system worked flawlessly, but as the weeks rolled on the WLAN's performance greatly deteriorated to the point of barely functioning.

After a cursory examination of the network traffic, the contractor found an enormous amount of peer-to-peer networks streaming music through the wireless access points installed for HVAC monitoring and alarms. Without encryption, anyone in proximity with a wireless network adapter was able to authenticate to the maintenance contractor's access points, which had been attached to the university's network backbone. Once the access points' encryption was turned on, the HVAC monitoring system returned to normal.

The applications for encryption in today's networked environment continue to grow, as do encryption technologies themselves. The real key to encryption is using it effectively in an organization.

© 2008 Penton Media Inc.