
Digital Phenomena - Your first stop for internet consultancy 
Data Encryption Tutorial — Lesson 1

by Julie Meloni

Page 1 — Encryption Options

The basic idea of key-based cryptography is that you take a chunk of data (the plaintext) and scramble it (producing ciphertext) so that the original information is hidden. Only a party holding the right key can decrypt (unscramble) it. The scrambling algorithm itself, the cipher, is normally public; what keeps the data secret is the key, a secret value (or a passphrase from which one is derived) that the person or machine doing the scrambling and the recipient of the ciphertext have agreed upon in advance.
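The shared-key scheme just described, as a runnable example added here (not code from the original tutorial): the cipher is public code anyone can read, a single secret key is all that separates the recipient from an eavesdropper, and a recipient with the wrong key is refused rather than handed garbage. It uses only the Python standard library, building the keystream from HMAC-SHA256 in counter mode and authenticating the ciphertext with a second HMAC; the key derivation labels ("encryption", "authentication") and the message layout are this example's own choices.

```python
"""Shared-key (symmetric) encryption: anyone with the key can decrypt,
nobody without it can, and the cipher itself is not a secret.

Added example, not code from the original tutorial. Standard library only:
the keystream is HMAC-SHA256 used as a PRF in counter mode, and the
ciphertext is authenticated with a second HMAC before decryption.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and authentication keys from the shared key,
    so the keystream PRF and the MAC never operate under the same key."""
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = HMAC-SHA256(enc_key, nonce || i). Without enc_key
    the blocks are unpredictable, so XORing them into the plaintext hides it."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce per message
    keeps the keystream from ever repeating under the same key."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Check the tag first (constant-time compare), then unscramble.
    A wrong key or a modified ciphertext fails here instead of yielding garbage."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def try_decrypt(key: bytes, message: bytes) -> Optional[bytes]:
    """Convenience wrapper: None instead of an exception when the check fails."""
    try:
        return decrypt(key, message)
    except ValueError:
        return None


if __name__ == "__main__":
    shared_key = os.urandom(32)            # agreed upon out of band by both parties
    sealed = encrypt(shared_key, b"the plaintext is hidden beneath this")
    print(decrypt(shared_key, sealed))     # the recipient with the key recovers it
    print(try_decrypt(os.urandom(32), sealed))  # anyone without the key gets None
```

The point to notice is that nothing in the code is secret: an attacker may read every line of it and still learns nothing from the ciphertext without the 32-byte key. Deriving two subkeys from the one shared key is what lets the same key safely drive both the keystream and the authentication tag.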

Key-based cryptography of this kind is common; the key in question is known only to the persons or machines doing the encrypting and decrypting. Think of it like a car key. The owner of the car has the key, obviously. When the owner walks away from the car, she locks it and keeps the key safely secured. No one can get into or use the car without some sort of "brute force."

The responsibility of protecting the key rests solely with the owner of the car. If the owner puts a set of keys in one of those magnetized key holders underneath the car, that's a very loose method of security. If the owner keeps the key with her at all times, even showering with it on a chain around her neck, that's a pretty good level of key security.

But say the owner's friend needs to borrow the car, so the owner passes along an extra set of keys for the friend to use. Both people can now drive the car, but the security of the key itself is compromised because someone else has it. If the friend makes copies of the key (for other people to use when the owner is out of town, say), the level of security becomes even more diluted. Eventually, the original lock-and-key security will be lost entirely, and in order to recover it, the owner will have to have new locks put on the car and new keys made.

Keys used in encrypted communications have the same problems as conventional keys: They can be lost, stolen, even bought and sold. And some can be discovered by crackers through a method called "social engineering."

Crackers don't necessarily use a serious amount of CPU cycles to crack a cipher. Most of the time, they just ask for the password from an unsuspecting technician. Or maybe they call up your receptionist "just to chat" and glean a tidbit or two of crucial information. You'd be surprised at how often this occurs.

Crackers also count on the fact that most people choose passwords that are easy to guess, such as any word found in a dictionary. Words like "hopscotch," "meteor," or "porcupine" may seem like nice, hard-to-guess, easy-to-remember non sequiturs, but they are all bad passwords, because password-cracking software does not guess at random: it runs through a dictionary (plus common variations such as capitalising the first letter or tacking a digit onto the end) and tries each entry against the stolen password hash. If your password is anywhere in that dictionary, say bye-bye to your sensitive data. Better passwords are nonsensical mixes of letters, digits, and symbols, such as "1Am*Sh$b" or "BA8Hw2Lq," and longer is better: eight characters, even random ones, are within reach of an offline brute-force attack on modern hardware, so prefer twelve or more, or a long passphrase built from several randomly chosen words.
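A worked illustration of the attack just described, added here and not part of the original tutorial: a salted, iterated password hash of the kind a login database stores, a dictionary attack that runs a wordlist with a few mangling rules against it, and a rough count of the guessing work each kind of password forces on the attacker. The six-word wordlist is a constructed stand-in for a real cracking dictionary, and the iteration count is kept low so the demo runs quickly.

```python
"""Why dictionary words make bad passwords: a cracker does not guess at random,
it runs a wordlist (plus common mangling rules) against the stolen hash.

Added example, not code from the original tutorial. The wordlist is a
constructed six-word stand-in for a real cracking dictionary.
"""
import hashlib
import hmac
import math
import secrets
import string
from typing import Iterable, Iterator, Optional

# Constructed stand-in for a real wordlist (which holds hundreds of thousands
# of entries); the attack logic is the same either way.
WORDLIST = ["hopscotch", "meteor", "porcupine", "password", "letmein", "dragon"]

ITERATIONS = 10_000  # a real deployment uses far more; kept low for a fast demo


def mangle(word: str) -> Iterator[str]:
    """Variations crackers try for each word: as-is, Capitalised, and with a
    trailing digit or punctuation mark. Real rule sets are far larger."""
    yield word
    yield word.capitalize()
    for suffix in "1!":
        yield word + suffix
        yield word.capitalize() + suffix


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the kind a well-built login database stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def dictionary_attack(target_hash: bytes, salt: bytes,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Return the password if it is any mangled wordlist entry, else None.
    The salt sits next to the hash in the stolen database, so the attacker has it."""
    for word in wordlist:
        for candidate in mangle(word):
            if hmac.compare_digest(hash_password(candidate, salt), target_hash):
                return candidate
    return None


def entropy_bits(choices: int, length: int) -> float:
    """Bits of guessing work for `length` independent picks from `choices` options."""
    return length * math.log2(choices)


def random_password(length: int = 12) -> str:
    """Nonsensical letters-digits-symbols password drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    for pw in ["Porcupine1", "BA8Hw2Lq", random_password(16)]:
        found = dictionary_attack(hash_password(pw, salt), salt, WORDLIST)
        print(f"{pw!r:22} cracked: {found is not None}")
    # Guessing work: one dictionary word versus random characters.
    print(f"word from 100k-entry dictionary: {entropy_bits(100_000, 1):.1f} bits")
    print(f"8 random alphanumerics:          {entropy_bits(62, 8):.1f} bits")
    print(f"16 random printable characters:  {entropy_bits(94, 16):.1f} bits")
```

"Porcupine1" falls on the first pass because the mangling rule that capitalises and appends a digit is exactly what a cracker tries first; a single word from even a 100,000-entry dictionary is worth under 17 bits of guessing, while eight random alphanumerics are worth about 48 and sixteen random printable characters about 105. The salt does not slow the attacker down on one account, only on cracking many accounts at once; the iteration count is what makes each guess expensive.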

Some systems have leaned on keeping the mechanism itself secret, but that is a poor place to put your trust: if the decryption program is effectively the key, then the machine becomes one big, concrete representation of the key, and machines can be stolen or copied. Take the infamous Enigma machine, used by the German military in World War II to encrypt and decrypt secret messages. It looked like a typewriter on steroids, but it was not built to type plaintext. Each keypress sent a letter through a plugboard and a set of rotors that stepped after every character, so the substitution changed from letter to letter and the output was thoroughly scrambled. The key was the daily setting: which rotors were fitted, in what order, their ring and starting positions, and the plugboard wiring. The machine's design was no secret to the Allies (Polish cryptologists reconstructed it in the 1930s, and machines and key tables were later captured), and a captured machine without the current settings was not enough on its own; what broke Enigma was cryptanalysis of its structural and procedural weaknesses, such as the fact that no letter ever encrypted to itself, carried out at scale with the bombes at Bletchley Park. The lesson, known as Kerckhoffs's principle, is that a cipher must stay secure even when everything about it except the key is known to the enemy.

Taking all of this into consideration (social engineering, careless people holding keys, secrecy embedded in machines rather than in keys), you may wonder if your sensitive data is really safe. If you keep your systems locked down, keep your private keys private, don't rely on a secret algorithm, and don't give your root password to your receptionist, your data is probably pretty safe. The techniques outlined in this tutorial will help you reach a comfortable level of security, but be advised that these few Web-based tricks only scratch the surface of data encryption and security.

