What's Up With Encryption?
Encryption is hot. Perhaps that's because it's been around so long it's no longer seen as a black art. Or perhaps security issues have grown so prevalent that everyone wants some sort of encryption as a truly secure way of stopping the pain of those problems. Whatever the reason, encryption technologies seem to be behind a series of important security happenings of late. Here's a look at some of the more interesting happenings shaping encryption today:
The backdoor question: The Obama administration wants e-mail service providers using encryption technology to leave in a backdoor so that the government can peer in if it needs to. According to a New York Times article this week, the Obama administration plans to submit legislation to lawmakers next year that requires e-mail transmitters like BlackBerry, social networking Web sites like Facebook and direct "peer to peer" messaging like Skype to be technically capable of complying if served with a federal wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.
Ubiquitous encryption?: A group of researchers recently presented a paper on a technology they said could make end-to-end encryption of TCP traffic the default, not the exception. The group, presenting at the recent Usenix symposium, talked up a TCP extension known as tcpcrypt. Implemented in the transport layer, tcpcrypt protects legacy applications and provides backwards compatibility with legacy TCP stacks and middleboxes, the group says. The technology also provides a hook for integration with application-layer authentication, largely obviating the need for applications to encrypt their own network traffic and minimizing the need for duplication of features. Finally, tcpcrypt minimizes the cost of key negotiation on servers; a server using tcpcrypt can accept connections at 36 times the rate achieved using SSL, the researchers stated in their paper.
Cryptography and the Internet: In July the 13 globally distributed server clusters, known within Internet engineering circles as the Root Zone, started cryptographically signing DNS look-ups. The Root Zone got an added layer of protection from hackers through the deployment of DNS Security Extensions (DNSSEC). This emerging Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Proponents of DNSSEC hope that having the Root Zone cryptographically signed will create a domino effect, prompting operators of top-level domains and individual Web sites to deploy the security standard. That at least in part seems to be happening, because in August Afilias, which operates .info and more than a dozen other Web site extensions, said it would deploy DNSSEC.
Heartland goes with end-to-end encryption: The victim last year of a massive data breach of sensitive card data, Heartland Payment Systems vowed to develop new security gear based on end-to-end encryption between itself and its merchants to prevent such a breach from occurring again. In June the company said such an encryption system, known as E3, is slowly taking shape. The E3 terminals, built by Voltage Security and Uniform Industrial Corp., were custom ordered by Heartland, which isn't requiring its merchants to use them but is strongly recommending them. One incentive for using E3 is a guarantee from Heartland that if merchants using E3 are breached, Heartland will cover fines and forensic costs related to any breach tied to the stand-alone terminals. Heartland is also offering free help to smaller merchants in filling out PCI standard conformance forms, something that can be technically bewildering to them.
Military wants Holy Grail of secure encryption technology: It's a data encryption technology that protects sensitive data but at the same time lets computations be performed on it, all without the data being decrypted. Called fully homomorphic encryption, it is known as the Holy Grail of encryption systems by some security experts, and it is one of the key technologies scientists at the Defense Advanced Research Projects Agency want for future projects. DARPA wants the new cryptosystem as part of an overarching project known as Programming Computation on Encrypted Data (PROCEED), which seeks to develop all manner of programs that can "develop practical methods for computation on encrypted data without decrypting the data and to develop modern programming languages to describe these computations." PROCEED has some mighty lofty goals, including the development of new algorithms and programming languages.
Battle over BlackBerry: Seems the encryption support on the BlackBerry is troubling to those countries that would like to monitor people's transmissions. Saudi Arabia, India, the United Arab Emirates and other countries are looking to ban the wildly popular devices over their encryption features. Banning such strong encryption-based information and communications services would severely limit the effectiveness and productivity of India's corporations, RIM said in an IDG News Service story. RIM also said it does not possess a "master key," nor does any "back door" exist in the system that would allow RIM or any third party, under any circumstances, to gain access to encrypted corporate information. The BlackBerry security architecture for enterprise customers was purposely designed to exclude the capability for RIM or any third party to read encrypted information, it said. RIM would simply be unable to accommodate any request for a copy of a customer's encryption key since at no time does RIM ever possess a copy of the key, it added.
Encryption would seem to be the answer here but: The Payment Card Industry Data Security Standard 2.0 that governs how businesses must guard sensitive cardholder information on their networks will be out in September, according to the organization in charge of it. Most prominent will be new recommendations related to the process in PCI assessment known as "scoping" to determine where sensitive cardholder data exists so that specific portions of the network are subjected to the PCI data-security standards. The problem today is that too often businesses handling cardholder data don't really know where it's going. But the group won't include recommendations for end-to-end encryption for PCI cardholder data. Proponents say industry-wide adoption will ward off further cyberattacks aimed at stealing massive amounts of payment-card data.
Encryption as a service: IBM has rolled out its Tivoli Key Lifecycle Manager (TKLS) that in a nutshell makes encryption a service. From Network World blogger Jon Oltsik: "What is so special about [IBM's service]? First, key management is one of those IT security disciplines that will go from relatively esoteric to an enterprise requirement in the next year or so. Why? More and more data is being encrypted each day so key management is becoming increasingly important. Stolen encryption keys could compromise the confidentiality of sensitive data while lost encryption keys could transform critical data into meaningless 1s and 0s. Pretty soon, all large enterprises will have something resembling TKLS."
Lawsuit: According to an article from TechWorld, data security vendor Protegrity has added new names to a lengthening list of companies it wants to sue over alleged violation of its encryption patents. The original sued party, which Protegrity has only now admitted it launched an action against as far back as May 2008, was Ingrian Networks, to which in May of this year were added new parent company Safenet, plus nuBridges and Voltage Security. The companies are accused of infringing multiple patents relating to highly technical but critical aspects of applying, managing, and renewing elements of encryption when protecting databases.
Follow Michael Cooney on Twitter: nwwlayer8