
   [Special Report]

  Who needs cryptography?

Author:
Staff Reporter
Issued:
26 Apr 2007

Q&A with Dino Covotsos

Q: How secure are SA's enterprises really?


A: Data encryption is not a widely practised standard among most businesses, with the exception of those financial institutions that are legally bound to do so. Even then, it seems the bare minimum is done. We have yet to see a private key structure implemented by banks that use e-mail notification to alert clients, if for no other reason than to verify the transmission's source and eliminate phishing scams.

Q: Why isn't standard security enough without cryptography?

A: That depends on one's own definition of "standard security". Certainly, online banking transactions take place over a secure channel and utilise cryptographically strong algorithms; however, a question to ask is where the clients making use of these services are storing their soft-copy banking details.

Clear text e-mail transmission remains a staple throughout the Internet. The vast majority of commonly used network file sharing protocols are in clear text. If you or your company stands to lose from others obtaining your confidential data then standard security should never be enough.

Q: Who needs cryptographic software?

A: Any individual or organisation who makes use of potentially unsafe electronic channels to store or transfer confidential data. An unsafe channel can be considered any electronic data transfer or storage medium that is accessible to those other than intended recipients or authorised users.

That said, you can consider data passing through or being stored on the Internet, internal LANs, inter-organisational WANs and a variety of other network architectures that are accessible to multiple people as being generally unsafe.

These days, clear text protocols are being replaced with cryptographically strong equivalents. Noting the vast array of free and even open source cryptographic software available online, making use of cryptographic software to protect one's informational assets should make sense to just about everyone.

Q: How impenetrable is it?

A: That is fully dependent on the algorithm being used and the skill of the software developer who has implemented the algorithm.

Public key and key exchange algorithms such as RSA, DSA, Diffie-Hellman and ElGamal rely on strong randomisation and the usage of large, strong prime numbers in order to be fully secure.

Symmetric ciphers such as Blowfish, Twofish and the Advanced Encryption Standard winner Rijndael are fully reliant on the assumption that the key being used for encryption and decryption is kept a secret between both parties involved.

When time-tested algorithms are properly implemented to encrypt data, it can be assumed that no individual, organisation or government will be able to intercept and decrypt the data in any reasonable time frame - and by reasonable we mean billions of years.

Dino Covotsos is MD of Telspace Systems and will be one of the speakers at the ITWeb Security Summit 2007.
