In Depth
Encryption: Achy, Breaky Code
What every CSO needs to know about encryption
By Simson Garfinkel
July 01, 2003 — CSO — Cryptography is the fundamental technology used to protect information in today's information economy. Not coincidentally, it is also responsible for the commercialization of the Internet. Netscape was able to kick off the Internet revolution because of its SSL encryption technology, a scheme that lets consumers send encrypted credit card numbers over the Internet by just filling out a Web form and clicking a button. Say what you will about the dotcom excesses that followed, but much of what we take for granted on the Internet today simply wouldn't have happened without ubiquitous, easy-to-use cryptography.
Yet despite its importance, it is amazing how much disinformation there is out there regarding cryptography. For example, I recently gave a demonstration of a new e-mail encryption system at a conference sponsored by the National Science Foundation. A professor from a university (that will remain nameless) didn't understand the point of my project. "Isn't all e-mail encrypted?" he asked.
"Well, no, it isn't," I told him. While it's true that practically every e-mail client in use today supports either OpenPGP or Secure/MIME
Later, another attendee told me that he didn't bother encrypting e-mail because computers were so fast these days that anybody who wanted to could easily crack a message.
"Well, no, they can't," I said. Although many encryption systems have been "cracked" or "broken" in recent years, the so-called strong cryptography systems used today are generally regarded as unbreakable. Unfortunately, that simple fact hasn't stopped many journalists, academics and business leaders from asserting otherwise. Rest assured: They're wrong.
With so much confusion out there, it's worth devoting some attention to a brief synopsis on encryption and an exposition of its most common myths. (Next month I'll continue with an exploration of PKI or, more specifically, an attack on PKI excesses.) Cryptography is a set of mathematical techniques used to lock up information so that it can be unlocked only by a person who has the necessary key or password. Cryptography can also be used to digitally sign or certify information so that you can determine if it was modified without authorization. If there is no possibility that your data might be eavesdropped upon, stolen, modified or publicized without your permission, then there is no reason to protect your data with cryptography. I've tried hard, however, and I can't think of any information that doesn't fall into the "protect" category.
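The two jobs the paragraph above gives cryptography, locking data so that only a key holder can unlock it and certifying it so that unauthorized modification is detected, can be shown together in a few lines. The following is an added example and not code from the article or its author; it uses only the Python standard library, with HMAC-SHA256 serving both as a counter-mode keystream generator for confidentiality and as the authentication tag for integrity (a real deployment would use a standard authenticated cipher such as AES-GCM for the same purpose). The function names `seal` and `unseal` and the sample message are constructed for this illustration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key from the master key (HMAC used as a KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: keystream block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Lock up plaintext: encrypt under a fresh nonce, then tag nonce+ciphertext (encrypt-then-MAC)."""
    enc_key = _derive(master_key, b"enc")
    mac_key = _derive(master_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master_key: bytes, sealed: bytes):
    """Unlock sealed data; returns None if the key is wrong or any byte was modified."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        return None  # truncated: cannot even hold a nonce and a tag
    nonce = sealed[:NONCE_LEN]
    ciphertext = sealed[NONCE_LEN:-TAG_LEN]
    tag = sealed[-TAG_LEN:]
    mac_key = _derive(master_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    enc_key = _derive(master_key, b"enc")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def demo():
    """Exercise the three properties: correct key unlocks, wrong key fails, modification is detected."""
    key = os.urandom(32)
    message = b"cardholder: J. Doe, number: 0000 0000 0000 0000"  # constructed sample
    sealed = seal(key, message)
    unlocked_ok = unseal(key, sealed) == message
    wrong_key_rejected = unseal(os.urandom(32), sealed) is None
    tampered = bytearray(sealed)
    tampered[NONCE_LEN + 3] ^= 0x01  # flip one bit inside the ciphertext
    tamper_detected = unseal(key, bytes(tampered)) is None
    return unlocked_ok, wrong_key_rejected, tamper_detected


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```

The tag is computed over the nonce and ciphertext rather than the plaintext, so a forged or altered message is rejected before any decryption happens, and a wrong key fails in exactly the same way as a modified message, which is why `unseal` returns a single `None` for both cases.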