Data encryption refers to the process of transforming electronic information into a scrambled form that can only be read by someone who knows how to translate the code. Encryption was already used by Julius Caesar in the days of the Roman Empire to scramble letters and messages. It played a major role in many wars and in military circles generally. Encryption has turned electronic in modern times. It is today very important in the business world as well. It is the easiest and most practical method of protecting data stored, processed, or transmitted electronically. It makes electronic commerce possible by protecting credit card and personal information. It is also commonly used to scramble the contents of contracts, sensitive documents, and personal messages sent over the Internet. More and more institutions, including small businesses with data to protect, also use encryption to protect data on their computer in-house.
Encryption comes from the science of cryptography, which involves the coding and decoding of messages in order to protect their contents. One of the most ancient forms of it is letter substitution—thus, for instance, sending the next letter in the alphabet instead of the actual letter in the text. Ifmmp xpsme/ thus spells out Hello world. In the electronic environment, every symbol has a numerical value expressible in binary notation. Thus the letter A is 01000001 and the letter a is 01100001. Humans cannot make out a vast stream of zeroes and ones, but it is child's play for a computer. Patterns of letters are therefore transformed before transmission by using an arbitrary key; the key may be used in arithmetic, logical, or other ways to make the underlying meaning inaccessible to anyone who does not know the key. The more binary digit the key has, the more difficult the code is to crack—meaning that the longer it takes a computer system, attempting to break the code, to find the key by trial and error. Very safe encryption methods in the mid-2000s made use of 128-bit keys; such keys were used in financial transactions; but newer systems were being fielded using 168 and 256 bits.
TYPES OF ENCRYPTION PROGRAMS
There are two main types of data encryption systems. In the first—which is variously known as private key, single key, secret key, or symmetric encryption—the sender and the recipient of the data both hold the same key for translation. This single key is used both to code and to decode information exchanged between two parties. Since the same key is used to encrypt and decrypt messages, the parties involved must exchange the key secretly and keep it secure from outsiders. Private key encryption systems are usually faster than other types; they can be cumbersome when more than two parties need to exchange information.
The second, and more commonly used, type of data encryption system is known as a public key system. This approach involves two separate keys: a public key for encoding information; and a private key for decoding information. The public key can be held and used by any number of individuals and businesses, whereas only one party holds the private key. The system is particularly useful in electronic commerce: the merchant holds the private key and all customers have access to the public key. The public key can be posted on a Web page or stored in an easily accessible key repository. Public key encryption systems are widely available on the Internet and heavily used by large companies.
The best-known data encryption program is called RSA. It was developed in the late 1970s by three graduates of the Massachusetts Institute of Technology—Ronald Rivest, Adi Shamir, and Leonard Adleman. As of the mid-2000, there were more than a billion installations of RSA encryption programs on computer systems worldwide. RSA scrambles data based on the product of two prime numbers, each of which is 100 digits long. RSA is known as a public key encryption system, meaning that many people can use it to encode information, but only the person who holds the key (or knows the value of the two prime numbers) can decode it again. RSA is embedded in hundreds of popular software products, including Windows, Netscape Navigator, Quicken, and Lotus Notes. It is also available as a free download from the World Wide Web.
A number of other data encryption programs enjoy wide use as well. Examples include Pretty Good Privacy (PGP), which is considered easy to use; Secure Sockets Layer (SSL), which is used by many companies that accept online credit card orders; Secure Electronic Transactions (SET), another popular method of handling credit card purchases that is backed by Visa, Mastercard, Microsoft, IBM, and other major players in electronic commerce; and Data Encryption Standard (DES), which was invented by IBM in the mid-1970s and became the U.S. government standard.
DES is a good example of the life-cycle of encryption systems. Unlike diamonds, they are not forever. More powerful and faster computers are able to tackle and break the best the older codes. Thus in 1998, as reported by James Swann in Community Banker, the Electronic Frontier Foundation cracked a DES code in less than three days; the year after, another network comprised of 100,000 computers cracked the key in 22 hours and 15 minutes. For this reason The National Institute of Standards and Technology proposed in 2005 that DES be decertified for government work. It will most likely be replaced by Triple DES, also an IBM product. 3DES, as it is known, makes the code much harder to crack by using a 168-bit key.
MOTIVATION FOR ENCRYPTION
Encryption systems cost money in the form of software and greater computer capacity. Processing of encrypted data in and out also adds time to all procedures. But the money is well spent. Betsy Spethmann, writing in 2005 for Promo magazine, reports that security breaches of systems holding customer data cost their owners on average $14 million per incident. In addition, once such breaches become known, the database owner typically loses at least 20 percent of its customers. Shedding troubled customers in large numbers is likely to accelerate. At present, Spethmann reports, 21 states "have laws requiring marketers to notify customers or employees when security of personal data has been breached. The federal legislature is considering at least five bills on data security and notification."
TRENDS IN ENCRYPTION PRACTICES
In the early 2000s, many corporations materially strengthened their defenses against the interception of transmitted data by encryption; they also fortified their information systems with ever better firewalls against intruders. Trends in the mid-2000s have been to focus on internal security. More and more companies, as reported elsewhere in this volume (see "Computer Crime"), have begun to focus on the enemy within. As one article in Information Week put it in its title, "You Know These Security Threats—You Hired Them."
In many companies data are routinely encrypted before transmission to another site—but remain in clear, unencrypted language on the computer itself, protected only by a system of passwords. When these machines are backed up at night on tape, vital proprietary data are simply hanging on a rack, stored on magnetic tape—tapes small enough to fit comfortably into a generously sized canvas shopping bag. These data are all too frequently simply stolen.
More and more companies in consequence are extending encryption to storage tapes used for backup. They are also exploring off-site storage of back-up data on distant computers where they reside in encrypted form. Even such methods are not sufficient to protect data from individuals who, by the very nature of their jobs, have access to the sensitive data. Thus, at the boundaries of encryption other techniques of supervision and control must be devised to protect information where scrambling, however effective and however well protected by keys of ever increasing digits, still do not provide protection.
SEE ALSO Biometrics; Internet Security
Angwin, Julia. "Internet Encryption's Password is 'Slow.'" Wall Street Journal. 28 March 2000.
Britt, Phillip. "Encryption Key to Data Security." Information Today. November 2005.
"Internet Security Gateway Targets Small Network Environments." Product News Network. 16 December 2005.
Komiega, Kevin. "Tape Encryption Not a Security Cure-All." InfoStor. January 2006.
Korper, Steffano, and Juanita Ellis. The E-Commerce Book: Building the E-Empire. Academic Press, 2000.
MacVittie, Don. "Don't Be The Next Data Debacle—Implement tape encryption now, before you find yourself in the white-hot spotlight for all the wrong reasons." Network Computing. 24 November 2005.
"No One-Stop Shopping to Stop Database Pilferages." eWeek. 21 December 2005.
Spethmann, Betsy. "Data Security Mistakes Cost an Average $14 Million." Promo. 23 November 2005.
Swann, James. "Preparing for Triple DES security." Community Banker. December 2005.
"You Know These Security Threats—You Hired Them: New products are designed to stop threats that come from the inside." Information Week. 31 October 2005.
Hillstrom, Northern Lights
updated by Magee, ECDI