
Encryption, in its various forms, has become one of the hottest topics in IT. It's on the agenda of snoop-wary businesses and individuals alike. But are users taking advantage of it? Pia Heikkila weighs up the issues...
By Pia Heikkila
Published: 12 January 2001 12:00 GMT
As the amount of data exchanged on a daily basis grows exponentially, so does the need to protect these zeros and ones from prying eyes.
Mathematical algorithms - sometimes ancient ones - have been harnessed to keep information secret. Cryptography, the science of encryption or the ability to encode and decode messages, has entered mainstream communications. But how useful is it?
"Cryptography can be deployed for two different purposes: either when transporting a message from A to B or storing sensitive information," explained Graham Welch, UK VP at RSA Security. "Electronic messages, such as email, can be made secret by using encryption which works by encoding the information sent. As for storage - cryptography can be used to protect stationary files by limiting access to a selected group of people."
According to Ian Walker, CTO at security company Entrust, there are two cryptographic methods currently deployed by the industry. The traditional method uses a secret key, such as the DES (data encryption standard). DES allows both the sender and receiver to use the same key to encrypt and decrypt. "This is the fastest method, but transmitting the secret key to the recipient in the first place is not secure," said Walker.
One of the simplest DES applications currently used is SSL - secure sockets layer - a protocol developed by Netscape to provide secure communications on the internet. SSL encrypts data during its transfer from one point to another, but the data is secured only while in transit.
Pundits say that SSL is not necessarily the most secure option for transferring sensitive data. "SSL can be used as a basic protection against unwelcome snoopers," said Douglas Hurd, European business development manager at Network Associates. "But it is not as secure as point-to-point encryption as once the data arrives at its destination, it remains unprotected on the server until taken off."
The second method is public key (PK) cryptography, which uses both a private and a public key. Each recipient has a private key that is kept secret and a public key that is publicly available. The sender looks up the recipient's public key from the internet and uses it to encrypt the message. The recipient uses the private key to decrypt the message. "PK-based technologies are eagerly used by financial institutions who need maximum transmission security," said RSA's Welch.
The internet has created an illusion of anonymity because of its ability to connect people anywhere anytime. But surfers' actions can be easily monitored, emailers can be effortlessly traced back and cookies can be planted to follow clicktrails. So cryptography has come to the rescue of those who wish to hide behind the net curtain. SafeWeb, for instance, hides users' surfing by encrypting all site content and URL information. Hushmail is another facility which offers secret communication between agreed parties. It is based on a type of public/private key structure which allows users to exchange electronic keys automatically.
Simon Davies, director of Privacy International, said the use of services such as Hushmail and SafeWeb is growing fast: "Individual users will resort to using secret communication as spying and surveillance increases with more sophisticated devices. There will always be information people want to keep private."
Despite existing technologies, cryptography is still awaiting mass deployment. Most companies consider the use of advanced cryptography unnecessary in internal communication and rely on their current emailing software for safeguards. Neil Barrett, technical director at security consultancy IRM, said: "Encryption software is still seen as cumbersome and time-consuming as there are performance issues. It can slow down the whole system."
End user training is also seen as laborious, according to Barrett. "As long as encryption is made to look invisible or at least integrated with a plain user interface, such as SSL, it should work with end users," he said. Losing the encryption keys may also cause reluctance to adopt the technology. "Once an employee leaves, for instance, you may never recover the data, which is every IT director's worst nightmare," he concluded.
But even the most sophisticated cryptography used on its own will not protect corporate information, as master cryptographer Bruce Schneier reminds us in his latest book, Secrets and Lies: Digital Security in a Networked World.
He writes: "Computer networks are so dauntingly complex that loopholes will always remain. Security professionals can't head off every attack, no matter how pricey their toys. World-class cryptography is pretty useless, if the administrator's password is set to 'password'."
Despite human errors, cryptography can be a powerful weapon against unwanted snoopers. But in this battle, one strategy rises above the rest - silence. And in this case, this means not just communicating only when necessary, but also CIOs plotting their battle strategies behind closed doors.
What is encryption?
Even the simplest form of encryption is based on complex-sounding mathematics. The original text, or 'plaintext', is converted into a coded equivalent called 'ciphertext' with an encryption algorithm. The ciphertext is then decoded (decrypted) at the receiving end and turned back into plaintext. The encryption algorithm uses a key, which is a binary number that is typically from 40 to 128 bits in length. The greater the number of bits in the key, the longer it will take to break the code. The data is encrypted by combining the bits in the key mathematically with the data bits. At the receiving end, the key is used to 'unlock' the code.
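The sidebar's point about key length, as an added example that is not part of the original article: a toy XOR stream cipher built on SHA-256 (a construction chosen for illustration, not DES or any product named above) with an exhaustive key search that counts its trials. The function names, the sample message and the search rate of 1e9 keys per second are assumptions.

```python
import hashlib

def keystream(key: int, key_bits: int, n: int) -> bytes:
    """Expand an integer key into n bytes (toy construction, not a vetted cipher)."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key_bytes + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def crypt(data: bytes, key: int, key_bits: int) -> bytes:
    """Combine key-derived bits with the data bits by XOR; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, key_bits, len(data))))

def exhaustive_search(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every possible key in order; return (key, keys_tried)."""
    head = ciphertext[:len(known_prefix)]
    for tried, key in enumerate(range(2 ** key_bits), start=1):
        if crypt(head, key, key_bits) == known_prefix:
            return key, tried
    raise ValueError("no key in the keyspace produced the known prefix")

def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try all 2**key_bits keys at the given rate."""
    return 2 ** key_bits / keys_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    message = b"INVOICE 2001-01: pay 500 GBP"   # constructed sample plaintext
    for bits in (8, 12, 16):
        key = 2 ** bits - 1                      # worst case: last key tried
        ct = crypt(message, key, bits)
        found, tried = exhaustive_search(ct, message[:8], bits)
        print(f"{bits:>3}-bit key: recovered={found == key} after {tried} trials")
    for bits in (40, 56, 128):                   # 56 bits is the DES key size
        print(f"{bits:>3}-bit key: {years_to_exhaust(bits, 1e9):.3g} years at 1e9 keys/s (assumed rate)")
```

Each extra key bit doubles the worst-case number of trials, which is why the gap between a 40-bit and a 128-bit key is far larger than the ratio of the two numbers suggests.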
Copyright © 2008 CBS Interactive Limited. All rights reserved.