Everyday Encryption

Feb 1, 2007 12:00 PM, By SANDRA KAY MILLER

Encryption is being implemented in many places besides the office. Most people associate encryption with protecting information as it travels across a network or as a means to secure data storage; however, it actually touches just about every facet of our everyday life. The word encryption once conjured up images of covert diplomatic communication and secret codes to which only a select few were allowed access. But the rise of the Internet age and increasing theft of private digital information have thrust encryption technologies into the public spotlight.

While the average user might not know an algorithm from a protocol, they do understand that the online banking Web site they visit has been secured. For the truly paranoid, Web browsers now offer single-click access to view the certificate issued by a trusted third party Certificate Authority, which certifies that the Web site is official — not a “look-alike” page designed to steal logon and password information.

Viewing the certificate is as simple as clicking on the lock icon, for example, that usually appears to the right of an active URL box on a PC's Web browser. This opens a certificate viewer that will provide ample information about the certificate, such as who issued the certificate and to whom, how long it will be valid, information about the algorithms used and the type of encryption. These implementations of encryption are obvious, but there are more subtle ways in which encryption enters our daily lives.

An average day

Your day starts out with watching a few minutes of news and weather on satellite television prior to heading out for a morning job, which is now more pleasant thanks to your iPod. A little while later, you head out to work, arming your house alarm as you walk out the door. You open the door to your car with a keyless lock numeric pad and start your morning commute. After a quick stop for fuel, paid for at the pump with a credit card, you hop on the toll road in the fast lane using a SpeedPass that automatically deducts the toll from your pre-paid account. At the office, you turn on the computer, finally becoming cognizant of encryption, when logging on to the network using either a password or some type of physical token. However, you remain oblivious to the half dozen instances of encryption that have already touched your life so far today.

“I really see encryption as glue. You have a lot of things that are held together by glue but you don't really see it. It's important that it works well, otherwise everything falls apart,” explains Nate Lawson, senior researcher at Cryptography Research (www.cryptography.com), a security consulting and technology-licensing firm located in San Francisco.

Cryptography Research is unique in that it does not necessarily sell a product, but helps manufacturers integrate encryption technologies into their electronics. “For example, we would work with a company making SD [Secure Digital] cards and help them to integrate security into their product,” Lawson says.

Purchasing and using electronics is not the only way encryption creeps into our daily lives. As of August 2006, anyone obtaining a U.S. Passport will have their photograph digitized and stored along with their personal information on a contactless computer chip embedded in the cover. Readers in close proximity can only read the e-passports, and they also possess an integrated encryption engine much stronger than the one used in the inexpensive RFID tags for supply chain management.

To put e-passport security in perspective, Jim Handy, an analyst at Semico Research (www.semico.com), a semiconductor research company based in Phoenix, says “Getting into these chips is going to take more than your average bear. There will be MIT students who do it, but it probably won't be widespread. You'll have to know how the chip is encrypted and how it is programmed.”

By the end of last year, 16 countries, including the United States, started issuing e-passports. Another 43 countries will be compliant by the end of this year and, by 2010, citizens from nearly 200 countries will be carrying passports containing an encrypted computer chip storing their image and personal information.

Digital rights and anti-tampering

Regulatory compliance has brought the question of whether or not organizations employ encryption to a new level of awareness, but there is another side to the growing use of encryption — anti-piracy and product tampering.

There has been a sharp rise in the number of companies who are integrating encryption into their core components, especially when it comes to tamper-resistance. According to Lawson, encryption is becoming increasingly common in consumer devices. “Typically, you think of servers, network links and hard drives, but now, even the smallest of devices, including microcontrollers, are getting crypto support for doing things like secure boot so manufacturers know what software is being loaded into the processor.”

Historically, everything was stored on a single chip, which could be reverse-engineered by disassembling the chip to find out how it works. Now, the stakes are higher with the dependence on software. “Software is becoming so valuable because it is easy to copy, patch and update,” Lawson explains, “The problem is people are hacking their iPods to run Linux.”

To alleviate the problem, companies want to essentially lock out access to the devices, prevent modifications to the software or stop users from taking the software from one device and using it in another.

Lawson cites the satellite cable industry as an example. “You are basically broadcasting a signal, and once you decrypt it, you can watch their stuff free forever.” It is estimated that satellite companies and the channels, movie studios and sports franchises that supply programming lose well over $1 billion a year in uncollected revenue from piracy. To help combat the loss, Cryptography Research has been involved in helping satellite television companies by developing an application-specific integrated circuit (ASIC).

The entertainment industry has embraced cryptographic technologies in recent years, even showing up on the agenda at the RSA convention in 2005 to reach out to IT companies for developing better anti-piracy technologies. Better known as Digital Rights Management (DRM), it is now routinely found on music CDs and movie DVDs. Apple constructed FairPlay, the DRM that digitally encrypts audio files so they can only be played using iTunes or an iPod. Rarely does anyone consider the fact that their iPod contains its own encrypted key repository.

The latest frontier for encryption in the entertainment industry has been for high-definition (HD) movies. Disney, Intel, Microsoft, Panasonic, Warner Brothers, IBM, Toshiba and Sony have worked together to develop the Advanced Access Content System (AACS) — encryption for protecting HD formats such as Toshiba's HD DVD and Sony's Blu-ray Disc. Less than six months after AACS was put into production, a hacker had already posted the crack online. That is why many who work in the field of cryptography refer to it as a “race” rather than a solution.

Encryption schemes based upon renewability are what Lawson sees as the next step. “Once someone compromises the system, a new update can be issued and the system becomes secure again,” he says. “Such encryption is gaining use in familiar electronics such as cell phones, home office routers, digital video recorders and many other consumer electronics.

“I think we've seen large increases in the use of encryption,” points out Gartner vice president and research fellow, John Pescatore. “But how much of it people realize they are using remains transparent.”

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue