Encryption: Achy, Breaky Code

What every CSO needs to know about encryption

If you started paying attention to information security back in the 1990s, then you likely got an inaccurate view of this whole encryption business. Back then, practically every month saw another front-page story about some encryption system being "cracked" or "broken." Even a message encrypted with the vaunted RSA algorithm fell when enough programmers applied sufficient processing power.

But the truth about modern encryption systems is really quite different from the perception that all of this news coverage helped to create. Back in the 1990s, there was a huge fight taking place between U.S. businesses and the U.S. government. The businesses were selling to an increasingly global market, and their customers wanted to use encryption to protect communications and stored data. But groups within the federal government, including the NSA and the FBI, were themselves actively engaged in a worldwide program of eavesdropping and data monitoring: They didn't want the enemies of the United States to start using strong encryption systems that couldn't be broken.A 2-Bit LawUnder federal law and international treaty, encryption systems are considered "dual-use" technology; that is, they have both commercial and military purposes. In the early 1990s, U.S. industry cut a deal with the federal government to allow the export of encryption systems that were restricted to using symmetric keys that were 40 bits in length. Although 40 bits might have provided enough security for routine business communications when the compromise was struck, by the middle of the decade 40 bits was clearly insufficient. To demonstrate the inadequacy, groups of researchers set out to crack messages encrypted with 40-bit keys. Their success didn't prove that any encryption system could be overcomeit just proved the absurdity of the government's 40-bit restriction.

Because symmetric algorithms are faster than public key, most encryption systems today use a combination of the two. The SSL algorithm built into most Web browsers uses RSA to exchange a pair of keys, and RC2 or RC4 for bulk data encryption. The Secure Shell (SSH) remote access system is similar except it uses either Blowfish or 3DESa version of DES that uses 168-bit keys instead of 56-bit keysfor bulk encryption.

As both SSL and SSH demonstrate, the latest trend in encryption systems is to make the algorithms "pluggable." These days, the same basic software can use a variety of algorithms, usually determined when the program runs. The big benefit of pluggable systems is that they let end users change encryption algorithms without getting new applications. In other words, if a serious bug is found with the Blowfish cipher, it's a simple matter to tell SSH to use 3DES instead.