In the early days of cryptography we heard of the old saying, "don't kill the messenger".
This was related to the fact that a message was tattooed on the scalp of the messenger, the hair was then allowed to grow over before he was sent off to his destination. Now clearly the value of said individual, once he had served his purpose, was very little in the hands of the recipient, while still of value to any interceptor. It is based on this legend that the folk saying has grown.
Within a similar, more modern context we need to realise that once we have received the information/data, we need to deal with it in an appropriate way, ie destroy it or place it back into protected storage.
It is these actions that we as the users of the data perform that are governed by policy and procedure, and once again we see the usability versus security of the data becomes an interesting talking point.
The data has to be dealt with appropriately, especially because it is governed by trust. Users often do not care for the improved security that a security control may strive to implement as it can be obtrusive or just a pain in the neck, much like having one's head shaved!
It's a con
Over time the example of a one-time user secret has evolved, thankfully. We now have myriad cryptographic systems and interact with them on a daily basis without real knowledge of how these systems work.
One such example will be an Internet banking application where the pages are secured via Secure Sockets Layer or Transport Layer Security. Suffice to say this provides a secure connection between the computer browser and the banking application, preventing snooping of the information by external parties and offering confidentiality in financial matters.
However, such systems do have an Achilles heel, as was demonstrated in 2002 when an interceptor was able to glean the user account details of a few people with losses of just over R500 000 reported in the media.
Clearly, when accessing those bank accounts, the culprit also used the very same transport security, but because the user credentials were compromised, we cannot say the crypto process failed.
Alas, the act of "stealing" account credentials is a much lower level of attack, akin to what a con artist will achieve in a shell game.
Talking gibberish
We now have myriad cryptographic systems and interact with them on a daily basis without real knowledge of how these systems work.
Karel Rode is solutions strategist at CA.
The example above is related to data in motion. We also use cryptography for static data. When policy dictates that classified or sensitive data needs to be encrypted, we see companies making use of various solutions to comply to these policies.
A common example is on user notebooks where policy will dictate the whole hard drive or specific sections of the file storage be encrypted.
This is so that once the device falls into the wrong hands, we do not see these bits of information appearing in the hands of competitors or on Web blogs on the Internet.
These solutions all work by making use of cryptographic algorithms that transpose the raw data into gibberish; that is gibberish to the average man.
Once the data has been encoded, the user will need a passkey that will work with the cryptographic process to translate the encrypted data back into usable information.
Keeping secrets
The key recovery capability is an important component of all disk encryption solutions. Imagine you have many gigabytes of a major work process encrypted on your machine. You succumb to a major illness and your employer needs to access these files. Most enterprise file and disk encryption systems have a built-in capability for a super user to gain access to those encrypted stores.
A last word on crypto. Many people think that a secret algorithm is stronger than one that is open and available for peer review. Some examples of these open algorithms are DES/3DES, AES, RSA, IDEA and Rijndael, which replaces 3DES as the Advanced Encryption Standard.
They all, and most notable Rijndael, went through strong peer review processes so that the user can be assured of the cryptographic process strength when combined with a strong passkey.
Yes, indeed, the strength of encryption still resides in that something that hopefully only you know, namely the password. Making up a good password or pass phrases will remain with us for a long time to come (so now you all know why I grow my hair).
* Karel Rode is solutions strategist at CA.
Share