This story was printed from ZDNet Australia.
Encryption packages: Beyond the code


September 23, 2002
URL: http://www.zdnet.com.au/reviews/software/security/soa/Encryption-packages-Beyond-the-code/0,139023452,120268444,00.htm




Trying to keep corporate secrets away from prying eyes? We evaluate five encryption software packages.

I guess in a perfect world we would not even have the term “encryption” in our dictionary; the same would go for car alarm, PIN, and theft. Alas, we are a bit more than a tad off living in a perfect world and so security is a very important issue. Many people use the terms “encrypt” and “encode” interchangeably, but the two are not strictly the same. To encode something simply means to change it to a form that renders it easier to transmit or store. For example, in the days before voice could be transmitted over wire or radio we had Morse Code, which—far from being a secret—was a code that enabled bursts of electricity or radio noise in short and long durations, dots and dashes, to be universally understood by anybody listening with a receiver.

Encryption: Introduction
ComSec Enterprises PrivateCrypto
Elantra EncryptNT
Janteknology Encryption Plus Enterprise Edition
McAfee E-Business Server
Network Associates PGP
More encryption options
Glossary

Encryption on the other hand is a completely different kettle of fish. Rather than encoding, an encryption algorithm converts the data into ciphertext—which can’t easily be understood without decrypting it first. The actual algorithm used to do so is called a cipher. The sole purpose of encryption is to prevent unauthorised access to the data; ideally only those authorised have the ability—and the necessary decryption key—to convert the data back to its original form.

It’s probably true to say that encryption came into existence around the same time as communication. When our ancestors were still running around on their knuckles they probably had a series of secret grunts that the neighbours didn’t understand.

Ciphers range from the very simple, such as substituting numbers for letters, right up to very complex algorithms that require a reasonable degree of computing power just to encrypt and decrypt, and of course enormous (and hopefully prohibitive) amounts of computing power to break without the correct algorithm or decryption key.

With the move away from dedicated leased lines between secure sites to transferring sensitive data using VPNs over the internet, and even worse via wireless communication, it has become far easier for someone to tap into your communication and view your data. And security is important even if you do not use your credit card over the Internet; you still swipe your card at the local supermarket or milk bar and send sensitive financial data over regular phone lines.

You are certainly going to want that data to be encrypted so it cannot be snooped.

The stronger the cipher, the more computing power and time it will require to break, which brings us to the so-called “strong encryption”. Strong encryption ciphers are unbreakable—or at least by the time they are broken, the information is no longer useful—unless the decryption key finds its way into the wrong hands. While these powerful ciphers are great for legally protecting sensitive data, they can also be used to encrypt the data of criminals and terrorists, for instance.

Because of this, many governments want to set up a secure database of encryption keys, so that authorities could decrypt communications that might be used to conceal illegal or threatening activities. Among the many potential problems with this idea is the possibility that this database itself could be hacked, providing the keys to secure communications of all sorts to people less scrupulous than the government. And, of course this is not going to help much if the cipher itself is based on a unique password key provided by the user.

A great article on attacking ciphers can be found at http://axion.physics.ubc.ca/pgp-attack.html—some of the present cipher schemes require truly mind boggling brute force processing to crack.

Business uses

The main business uses for encryption technology are encrypting communications such as e-mail, instant messages, Web site sessions, and Internet connections, and encrypting files on a disk, so that even if the system is compromised, the files are not readable.

Despite your best security efforts, at some point one of your corporate desktops or laptops will be lost or stolen. If the machine belongs to someone in customer service, you may only need to worry about the loss of the equipment. If the machine belongs to the CEO, CFO, or the head of human resources, important company data could be compromised. Encryption software can often prevent a loss of sensitive data, but is it right for all desktops or is that security overkill? It depends.

When determining whether your desktops and/or laptops need encryption software, consider file location, file type, and file sensitivity.

File location

If your organisation stores highly sensitive data only on network servers, neither your desktops nor laptops likely need encryption software.

However, if your organisation must store sensitive data on desktops and/or laptops, you should take a second look at encryption software. It’s always appropriate to encrypt sensitive data stored on a laptop. Laptops generally travel out of the office, so unless the data is encrypted, it could be easily compromised if the laptop were lost or stolen.

Depending on the encryption software used, encrypted data can be difficult if not impossible to recover if the PC’s operating system crashes. To avoid catastrophe in the event of such a failure, you should completely back up encrypted PCs on a regular schedule. This effort can be quite time-consuming if you’re dealing with a large number of encrypted desktops and/or laptops.

File type

Not all files can or should be encrypted. For example, you usually can’t encrypt an operating system, nor can you perform partition-level encryption on a partition that contains operating system files. This is because during the early phases of the boot process, the operating system is unaware of any encryption software (even if the encryption software is part of the operating system, as in the case of Windows 2000). Encrypted operating system files would therefore be unreadable, making the system unbootable.

File sensitivity

Consider the files’ sensitivity and only encrypt those files that could cause significant damage to your organisation if exposed to a competitor or made public. A few examples include human resource records, financial statements, legal department documents, and sales figures. When deciding which files to encrypt, we recommend enlisting the aid of senior management and your organisation’s legal department.

PC encryption options


If you decide that your organisation needs to encrypt data on its desktops and/or laptops, you have several options. Both Windows 2000 and XP offer file encryption capabilities via the encrypting file system (EFS). While EFS is fairly good, plenty of third-party products are available for encrypting PC files.

In this feature we look at five packages with a variety of file and communication encryption capabilities.

ComSec Enterprises PrivateCrypto

Want a no-nonsense encryption program that is simple to install and use with very little in the way of bells and whistles? That pretty much sums up PrivateCrypto. The software was delivered to the Lab on a credit card-sized CD, from which the installation is swift with little operator intervention.

The software integrates seamlessly with Windows Explorer, and it’s fair to say if you can use Explorer and products like Winzip, then this is no stretch at all.

Want to encrypt a file? Right-click on the file and one of the menu options will be PrivateCrypto. The utility then requests the user supply a password; you can have different passwords for different recipients. There is an option to create self-extracting files, which is great if the recipient does not have a copy of PrivateCrypto. In addition, the utility can compress the file prior to encryption and if required, delete the unencrypted original. However, the utility will only encrypt a single file at a time, which is a bit limiting; if you select multiple files at once the PrivateCrypto option is not available. On the other hand, you could turn a group of files into a single Zip file and encrypt that. The encryption scheme is 128-bit AES, so it’s quite secure although not as fast as some of the other programs tested. It took 10.8 seconds to encrypt and compress a 5.98MB spreadsheet down to 1.18MB, which is not too shabby.

Product: PrivateCrypto

Price: Free for personal use (limited time) or AU$279.95 for 5-license pack.

Vendor: ComSec Enterprises

Phone: (07) 3222 6845

Web: www.comsecent.com.au

Interoperability: ½
Windows-based only.

Futureproofing:
A relatively simple utility based on the AES algorithm.

ROI:
Very good value for money for the 5 user pack, excellent value for money given its current free for personal use status.

Service:
E-mail and phone support during standard business hours.

Rating:

Elantra EncryptNT

EncryptNT is an Australian disk encryption tool. As the name suggests, the product runs under Windows NT4.0 SP5 and above, and can be used on a single workstation or by multiple users across a network.

The product can encrypt CDs, floppy disks, and backup tapes in addition to disk partitions. We should note that the product can’t encrypt the C: drive, since this is the system partition and must remain unencrypted to allow Windows to boot; the software complements Windows security rather than replacing it. The vendor suggests some hardening of the operating system such as relocating the paging file and SAM (Security Accounts Manager) to an encrypted partition. The vendor also claims categorically that there is no “back door”; if you lose or forget the password, you can kiss your data goodbye.

OK, it’s not quite that bad. During installation you create a set of master keys, so should you lose the key or perhaps a disgruntled employee changes the encryption key, you can still restore the data with the master key (which you have obviously kept out of circulation and locked away in the company vault).

The installation procedure, while not difficult, is nevertheless long-winded when compared to some of the other packages. It’s a two-step procedure: first install the software and then reboot, log in using your new password, and then configure. And while we are on the subject of login, you’ll get stuck at this point until you read the manual and find out the default user name is “encryptnt”. One strange aspect of the setup process is that you must create a temporary password, which you must then replace a couple of minutes later with a permanent encryption account password.

Two keys are used to generate the master encryption keys; you can choose to generate the keys using the software’s own random phrase, random text generators, or use your own.

The software effectively integrates into Windows: if you need to encrypt a partition, right click on it, select Properties, and you will find an EncryptNT tab. From here, providing you have the rights of course, you can encrypt the partition in DES, IDEA, or Triple DES formats. The initial encryption is not blindingly fast, and even if you only have a small amount of data on the partition it still takes time, as the entire partition must be encrypted. For example, we had a 10GB partition with just 456MB used, and it took our 1.7GHz Dell around 47 minutes to complete the task. Of course once completed, on the test system at least, the saving and retrieving of files from the partition was very fast; the encryption and decryption were quite transparent.

Initially, only the default user has access to the encrypted partitions. Other Windows users can be added and configured from the EncryptNT Settings control panel. Each user can be assigned various levels of rights on different partitions and removable media, and you can grant or deny the ability to change system settings and other users’ settings. The user can be disallowed encryption on a particular device, allowed standard encryption, or interchange encryption mode. For each of the three modes, the user can be assigned various read and write access combinations.

Product: EncryptNT

Price: AU$247.50 workstation, AU$1098.90 server (discount for volumes)

Vendor: Elantra

Phone: (02) 9994 8044

Web: www.elantra.com.au

Interoperability: ½
As the name suggests, the program runs under Windows NT, 2000, and XP only.

Futureproofing:
Good value considering the ease of use and functionality.

ROI: ½
Encrypts regular and RAID partitions and removable media.

Service:
Phone and e-mail support. 18 percent maintenance fee includes e-mail, phone support, and updates.

Rating: ½

Janteknology Encryption Plus Enterprise Edition

Under the Encryption Plus banner falls a suite of programs each with their own dedicated function—Hard Disk, Folders, CD-ROM, E-mail, and Secure Export. They all use the Blowfish encryption algorithm; the commercial version of the package utilises 192-bit encryption, while the freeware version is only 64-bit. We’re pretty sure you can guess what Hard Disk, Folders, CD-ROM, and E-mail do, while Secure Export will encrypt files for secure distribution using media such as floppy drives, tapes, CD-ROMs, and e-mail.

Initial software installation was very simple: all of the software was downloaded from Janteknology’s FTP site, and the downloaded files can only be unlocked with a registration key provided by the vendor. Once it’s installed, you need to provide a master password. Keep this safe, because if you lose it, your encrypted data will not be recoverable. A setup wizard then guides you through the remainder of the process and includes user password management settings, where password lengths and special character restrictions can be enforced.

The administrator has the option to define the export file extension; you can give them EPE or NEX extensions rather than EXE, because many firewalls and e-mail programs will not pass self-extracting EXE files.

Once installed, using the software is quite painless. The export window clearly lays out the destination file name, source file/s, and the encryption password.

The recipient simply runs the EXE file and puts in the password for the file/s to be correctly decrypted.

Encryption Plus Folders is also simple to install, although it requires a reboot to complete the configuration. Interestingly, the software included an “Authenti-Check” setup step. This allows the user to input three questions to which the user will be the only one to know all three answers. If the password is lost, the user can run Authenti-Check, give the three answers, and put in a new password. Using the software is also a doddle. Running the Folders applet presents the user with a simple button interface that includes changing passwords, adding users, mounting devices, and of course protecting folders. The interface is clean and simple to use, and once the folder has been protected, future access from other applications is as seamless as unprotected folders, providing of course you are a user who has access rights. Each time Windows starts up, the user is asked for a user name and password to identify their access level to the various protected folders.

While the installation of the Encryption Plus Hard Disk software is quick and easy, the configuration process is more complex than the other Encryption Plus applications.

Setting up the initial user defaults is a multi-step process, but to be fair, it takes this number of steps because the list of configuration settings is extensive and very useful. There is a very flexible list of settings for user passwords, ranging from required special characters and expiry dates through to lockout counts. Users can be configured to log in to Windows and Encryption Plus as a single-step or two-step process. The final step in the configuration process is arguably the most important and includes the setting of the initial encryption speed. Why? Well the default setting is “fast” but of course this will consume more system resources than “slow”. If your PC isn’t that powerful, you may wish to select “slow” so that your foreground work does not overly suffer while background encryption is occurring.

The software can be configured to encrypt the entire disk, or just the sections with data on them. You can also speed up performance by disabling the software’s power loss recovery feature, but this means you may lose data if there is a power loss.

On completion of the user setup, the administration utility creates a setup directory that can be run locally or remotely for each user. This installs the user portion of Encryption Plus Hard Disk. The interface is simple and very easy to navigate; however, we found that encrypting our 10GB partition was very slow when compared to EncryptNT. Admittedly the configuration selected was encrypting the entire disk space, as was EncryptNT. While the encryption speed was set to “fast”, the fact that we had “Recovery after Power Loss” enabled would not have helped improve on the almost five hours required to encrypt the partition.

Product: Encryption Plus Enterprise Edition

Price: CD-ROM from AU$998, E-mail and Secure Export from AU$139.90 per user, Folders and Hard Disk from AU$199.90 per user, including annual maintenance

Vendor: Janteknology

Phone: (02) 9659 1888

Web: www.janteknology.com.au

Interoperability: ½
Windows 98, NT, 2000, and XP.

Futureproofing:
Lots of uses, and strong encryption.

ROI:
Decent value, but a bit slower than the alternatives.

Service:
Extensive support available with maintenance contracts.

Rating:

McAfee E-Business Server

The name of this product may lead many to believe it’s a fully featured e-business package; it isn’t. E-Business Server is in fact a tool that integrates into your business processes to provide secure transactions.

In essence, the product has four primary functions: encrypting data, decrypting data, digitally signing data, and verifying digitally signed data.

The vendor supplies some example scenarios that are quite illustrative of the use of the product. As an example, a hardware developer may share large design files of confidential data with a chipset manufacturer. Each night the company’s server may automatically send the files to the manufacturer’s server via FTP.

Admittedly each company will have its own firewall security in place, but while the data is being transmitted over the Internet, it’s fair game. E-Business Server encrypts the data with the business partner’s public key, thus protecting it from interception. An added benefit of the product is that before it encrypts the data, which may be large CAD files for example, it compresses the files, thus saving on data transfer costs as well.

The product has a wide range of uses. For instance, it could protect real-time transfer of credit card or point-of-sale data, healthcare provider information such as billing and patient records, in fact any transaction that involves the transfer of sensitive data over the Internet.

Installing the product is relatively straightforward; however, to actually use it in a meaningful way, you must access its functions from your existing applications either via the command line interface, Unix Shell scripts, C/C++, CGI scripts, ASP pages, or an optional set of APIs allowing the command set to be added to programming languages such as Visual Basic/COM, Perl, and Java. Platform requirements are quite modest, although we tested the product on a 1.8GHz Pentium 4 with 256MB of memory and so cannot confirm that the minimum requirements are actually usable. However, we can say it was very quick on the test system.

Operating system support is quite good covering Windows NT/2000, some flavours of Linux, Solaris, HP-UX, and AIX.

E-Business Server supports all PGP and x.509 certificates and a very solid collection of encryption algorithms, both symmetrical and public key, in addition to several common hash algorithms.

Product: McAfee E-Business Server

Price: AU$13,221.15 (2-year license, 1 year of e-mail-based support)

Vendor: Network Associates

Phone: 1800 644 646

Web: www.networkassociates.com

Interoperability:
Supports quite a wide variety of operating systems.

Futureproofing: ½
Very flexible and given the wide platform support, is a safe bet.

ROI: ½
Relatively expensive but a powerful tool.

Service:
Four levels of support available up to 24x7 telephone support.

Rating: ½

Network Associates PGP

PGP is an acronym for “Pretty Good Privacy” which to some may sound a bit too slap dash; a bit of an inconvenience rather than a deterrent. This is certainly not the case; PGP utilises a PKI structure that uses either Diffie-Hellman/DSS encryption, or RSA based on the IDEA algorithm. In the latter case PGP must pay a licence fee to RSA, but the former is free.

Installation of the freeware is relatively simple, and any moderately capable computer user should have no problems. There are a couple of steps that involve selecting which e-mail plug-ins you wish to install, and setting up the key parameters.

To generate an encryption key, the program uses your full name and e-mail address, or any other items you may wish to input at this point. At this stage the user can select the algorithm used, whether or not the key has an expiry date, and the key size, which is configurable between 1024 and 4096 bits.

PGP is actually a small collection of security tools and includes PGPkey, PGPnet, PGPtools, and PGPtray to allow access to the functionality from the system tray. PGPkey is—as the name suggests—a key management tool, with which you can browse key and certificate properties, and send and retrieve keys from a server.

PGPnet is a basic VPN client. With the commercial version, it also includes a personal firewall and intrusion detection software.

The PGPtools interface is a small floating button bar that provides a convenient interface to launch PGPkey as well as encrypt, sign, or encrypt and sign single or multiple files. In addition, the tool bar also provides a useful “wipe” function that will delete a file and wipe the space it occupied to ensure it cannot be retrieved by disk tools. There’s also the “freespace wipe” button that will clean all the free space on your hard drive ensuring no recoverable deleted files are lurking.

We found the encryption engine very fast with 6MB files encrypted in just 1.5 seconds and reduced in size to 1.59MB.

The freeware PGP distributed by Network Associates only supports Windows or Mac but there are countless versions of PGP, with various levels of bells and whistles available for just about every platform under the sun. We should note that to use the product commercially, a commercial licence must be obtained from Network Associates.

Product: PGP

Price: Free, commercial versions available

Vendor: Network Associates

Phone: 1800 644 646

Web: www.pgp.com/products/freeware/default.asp

Interoperability: ½
Available for Windows and Mac OS.

Futureproofing: ½
Strong feature set and acceptance in the community.

ROI:
This is a powerful tool, and what’s more, it’s free.

Service: N/A
No support from the distributor; interest groups provide quite good support.

Rating: ½

More encryption options

Still not satisfied? Here are a few more encryption options you could try out.

Virtual Matrix Encryption

Meganet Corporation claims its Virtual Matrix Encryption (VME) products are unbreakable forms of desktop encryption. In fact, the company claims that the encryption is so secure that it is giving a Ferrari 360 to the first person to break into an encrypted file. The VME software uses 1,048,576-bit symmetric key encryption in conjunction with a series of virtual matrices. The large encryption key makes this type of encryption much more resistant to brute force attacks than similar products, such as EFS, which relies on a mere 128-bit key.

Virtual Matrix Encryption comes in several flavors, but the version most suitable for enterprise laptops and desktops is VME 2000. Its base price is US$100 per copy for individual licenses. Corporate packages are available if you contact Meganet Corporation directly.

CHAOS
Another encryption product is CHAOS. Unlike Virtual Matrix Encryption, which costs a hundred bucks US, the entry-level version of CHAOS (ABC CHAOS) is free. There are also versions of CHAOS that encrypt e-mail and compress and then encrypt files. These alternative versions are available from the CHAOS Web site for around US$40 to US$60 each. Although CHAOS is based on a public key infrastructure (PKI), we were unable to find any information available on CHAOS key strength on the Web site.

CipherPack
Although CipherPack from VIO Systems Limited is geared toward secure file transmission, it can also be used for desktop file security. CipherPack is a symmetric, multikey encryption product with a maximum key size of 120 bits. There’s also a Pro version of the software based on the SHA-1 and AES encryption algorithms.

Rather than simply applying encryption to a folder as other products do, CipherPack creates an archive file containing all of the encrypted files. Because of this, CipherPack is an ideal solution for securely distributing software over the Internet. The recipient doesn’t even need a copy of CipherPack because the compressed file also contains decryption software. The recipient must simply enter the encryption key to launch the decryption process. CipherPack costs about US$40 for the standard version and about US$60 for the professional version.

ImageX
ImageX is an innovative product from TopLang Software Studio. Any file you want to encrypt is encrypted and embedded into a JPEG file. That way, whether you need to send the file to someone or you just want to hide a file on your PC, the file appears to be a JPEG. If someone tries to open the file without using the ImageX software, they will see only a picture. The only hint that there’s more to the picture than meets the eye is the file size. TopLang’s Web site offers a freeware version of ImageX and a full version is available for US$18. The full version requires users to enter some credentials before the JPEG’s underlying data file is revealed and allowed to be decrypted.

Glossary

Block Cipher: Rather than encrypt data a bit at a time, often termed a stream cipher, the algorithm is applied to the data a block at a time. To ensure that identical blocks of data are not encrypted in precisely the same way, often the ciphertext from the previous block is used by the algorithm to further alter the encrypted output. Often in encrypted data streams, the same message may appear several times in a relatively short time period, so steps are taken to ensure this does not produce identical ciphertext that will be more susceptible to attack. For example, at the start of each message an initialisation number derived from a random number generator may be fed to the encryption algorithm to ensure identical messages do not produce the same ciphertext.

Key: A key is a variable value in cryptography that is taken by the algorithm and applied to the unencrypted message to produce an encrypted message or ciphertext. Logically, a key is also required for the algorithm to decrypt ciphertext and retrieve the original message. The longer the key, the more difficult it will be to break the code.

A private key, often known as a secret key, is a key that is only known to the trusted parties involved in the communication. The risk with this system is that if either party loses the key or it is stolen, the security is compromised.

PKI (Public Key Infrastructure) is an example of asymmetric cryptography and uses a combination of private and public keys. The public key can be used to encrypt text, but the ciphertext can only be decrypted using the private key. The private key is never shared or sent across the Internet, but you can freely distribute your public key, so that people can send you encrypted email. Public keys can also be stored in directories that are accessible over the Internet. A number of companies supply and maintain the PKI infrastructure; the leaders are RSA, Verisign, GTE CyberTrust, Xcert, and Netscape.

PGP: Pretty Good Privacy (PGP) is a popular program used to encrypt and decrypt e-mail over the Internet and send digital signatures. PGP is available as both freeware and as commercial packages. PGP was developed by Philip R Zimmermann in 1991 and is an asymmetrical algorithm that uses a private and a public encryption key. There are two public key versions of PGP and they are Diffie-Hellman, which can be distributed freely, and RSA/IDEA, which requires a licence fee. When sending digital signatures, PGP uses a hash algorithm whose output is based on the user's name and other specific information. The RSA version uses the MD5 algorithm while the Diffie-Hellman version uses the SHA-1 algorithm.

DES (and triple DES or 3DES): The Data Encryption Standard (DES) was developed by an IBM team around 1974 and adopted as a US national standard in 1977. Triple DES is a minor variation of this standard. It is three times slower than regular DES, but can be billions of times more secure if used properly. Triple DES enjoys much wider use than DES because DES is so easy to break with today's rapidly advancing technology.

Triple DES was the answer to many of the shortcomings of DES. Since it is based on the DES algorithm, it is very easy to modify existing software to use triple DES. It also has the advantage of proven reliability and a longer key length that eliminates many of the shortcut attacks that can be used to reduce the amount of time it takes to break DES.

Triple DES takes three 64-bit keys, for an overall key length of 192 bits. The procedure for encryption is exactly the same as regular DES, but it is repeated three times, hence the name triple DES. The data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key.

IDEA: IDEA (International Data Encryption Algorithm) was developed in Switzerland and uses a block cipher with a 128-bit key. It is one of the best of the public encryption algorithms and is considered very secure.

MD5: MD5 is a digital signature algorithm that is based on the attached message with a 128-bit fingerprint unique to the message data. There are two earlier algorithms, MD2 and MD4; the former was optimised for 8-bit processors while the latter and MD5 were optimised for 32-bit processors. While MD4 was considered quite fast there was some criticism of its security, so MD5 was developed as a more secure extension, although it is slower than MD4.

AES: Advanced Encryption Standard (AES) is a symmetrical encryption algorithm developed at the request of the National Institute of Standards to replace DES to secure unclassified material for US Government agencies. It is growing in popularity in the commercial sector. The algorithm uses block encryption, with the blocks 128 bits in size and encryption key sizes of 128, 192, and 256 bits as a minimum.

Blowfish: Blowfish is an encryption algorithm that is unpatented and available free for all uses. It can be used as a DES replacement and uses a variable length key from 32 bits to 448 bits. Its main advantage over DES is that it's optimised for 32-bit processors and is significantly faster.
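The chaining and initialisation-number behaviour from the Block Cipher entry and the encrypt-decrypt-encrypt sequence from the triple DES entry, as an added Python example that is not part of the original article. The 8-round Feistel cipher, the keys and the message are constructed stand-ins (assumptions, not DES and not a cipher to rely on); going slightly beyond the glossary, it also checks that the three-key sequence with three equal keys collapses to single encryption.

```python
import hashlib
import os

BLOCK = 8  # bytes: 64-bit blocks, the same block size as DES
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy cipher (an assumption of this example, not DES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel cipher standing in for a real block cipher."""
    left, right = block[:HALF], block[HALF:]
    for i in range(8):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(8)):
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext, enc=encrypt_block):
    # No chaining: every block is encrypted on its own.
    return b"".join(enc(key, b) for b in blocks(pad(plaintext)))


def cbc_encrypt(key, iv, plaintext, enc=encrypt_block):
    # Chaining: the previous ciphertext block (the IV for the first block)
    # is mixed into each plaintext block before it is encrypted.
    prev, out = iv, []
    for b in blocks(pad(plaintext)):
        prev = enc(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext, dec=decrypt_block):
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(dec(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def ede_encrypt(keys, block):
    # Triple-DES style sequence: encrypt with key 1, decrypt with key 2,
    # encrypt with key 3 (applied here to the toy cipher).
    k1, k2, k3 = keys
    return encrypt_block(k3, decrypt_block(k2, encrypt_block(k1, block)))


def ede_decrypt(keys, block):
    k1, k2, k3 = keys
    return decrypt_block(k1, encrypt_block(k2, decrypt_block(k3, block)))


def repeated_blocks(ciphertext: bytes) -> int:
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


# Constructed sample data: four identical 8-byte plaintext blocks.
KEY = b"demo-key"
KEYS = (b"key-one!", b"key-two!", b"key-3333")
MESSAGE = b"PAY 100 " * 4


def demo() -> dict:
    iv1, iv2 = os.urandom(BLOCK), os.urandom(BLOCK)  # fresh random IV per message
    c1 = cbc_encrypt(KEY, iv1, MESSAGE)
    c2 = cbc_encrypt(KEY, iv2, MESSAGE)
    return {
        "unchained_repeated_blocks": repeated_blocks(ecb_encrypt(KEY, MESSAGE)),
        "chained_repeated_blocks": repeated_blocks(c1),
        "same_message_same_ciphertext": c1 == c2,
        "chained_round_trip": cbc_decrypt(KEY, iv1, c1) == MESSAGE,
        "ede_equal_keys_is_single": ede_encrypt((KEY,) * 3, MESSAGE[:BLOCK])
        == encrypt_block(KEY, MESSAGE[:BLOCK]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
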


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.