In Depth

Achy, Breaky Code

By Simson Garfinkel

July 01, 2003, CSO — Cryptography is the fundamental technology used to protect information in today's information economy. Not coincidentally, it is also responsible for the commercialization of the Internet. Netscape was able to kick off the Internet revolution because of its SSL encryption technology, a scheme that lets consumers send encrypted credit card numbers over the Internet by just filling out a Web form and clicking a button. Say what you will about the dotcom excesses that followed, but much of what we take for granted on the Internet today simply wouldn't have happened without ubiquitous, easy-to-use cryptography.

Yet despite its importance, it is amazing how much disinformation there is out there regarding cryptography. For example, I recently gave a demonstration of a new e-mail encryption system at a conference sponsored by the National Science Foundation. A professor from a university (that will remain nameless) didn't understand the point of my project. "Isn't all e-mail encrypted?" he asked.

"Well, no, it isn't," I told him. While it's true that practically every e-mail client in use today supports either OpenPGP or Secure/MIME (the two competing standards for encrypting e-mail), it's also true that very few people encrypt their e-mail because doing so is tremendously difficult.

Later, another attendee told me that he didn't bother encrypting e-mail because computers were so fast these days that anybody who wanted to could easily crack a message.

"Well, no, they can't," I said. Although many encryption systems have been "cracked" or "broken" in recent years, the so-called strong cryptography systems used today are generally regarded as unbreakable. Unfortunately, that simple fact hasn't stopped many journalists, academics and business leaders from asserting otherwise. Rest assured: They're wrong.

With so much confusion out there, it's worth devoting some attention to a brief synopsis of encryption and an exposition of its most common myths. (Next month I'll continue with an exploration of PKI or, more specifically, an attack on PKI excesses.)

Cryptography is a set of mathematical techniques used to lock up information so that it can be unlocked only by a person who has the necessary key or password. Cryptography can also be used to digitally sign or certify information so that you can determine whether it was modified without authorization. If there is no possibility that your data might be eavesdropped upon, stolen, modified or publicized without your permission, then there is no reason to protect your data with cryptography. I've tried hard, however, and I can't think of any information that doesn't fall into the "protect" category.
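Two of the column's points can be made concrete with a few lines of code: that fast computers do not make strong keys crackable, and that a keyed tag lets you detect unauthorized modification. The block below is an added example, not code from the column; it assumes an attacker who can test a constructed one trillion keys per second, and it uses an HMAC (a keyed tag, standing in for the "certify" use described above, not a public-key signature) over a constructed sample message.

```python
import hashlib
import hmac
import secrets

# Constructed assumption: an attacker able to test one trillion keys per second.
KEYS_PER_SECOND = 10**12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(key_bits: int, keys_per_second: int = KEYS_PER_SECOND) -> float:
    """Years needed to try every key of the given length (the full 2**key_bits keyspace)."""
    return (2 ** key_bits) / keys_per_second / SECONDS_PER_YEAR


def make_tag(key: bytes, message: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA256) over the message; anyone without the key cannot forge it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so verification itself leaks nothing."""
    return hmac.compare_digest(make_tag(key, message), tag)


def tamper_demo() -> tuple:
    """Returns (original verifies, modified verifies) for a constructed message."""
    key = secrets.token_bytes(32)
    original = b"Pay $100 to account 1234"  # constructed sample message
    tag = make_tag(key, original)
    modified = b"Pay $900 to account 1234"  # a single character changed in transit
    return verify_tag(key, original, tag), verify_tag(key, modified, tag)


if __name__ == "__main__":
    # Each extra key bit doubles the search; 128 bits is out of reach by many orders of magnitude.
    for bits in (40, 56, 128):
        print(f"{bits}-bit key: about {brute_force_years(bits):.3g} years to exhaust")
    print("original verifies, modified verifies:", tamper_demo())
```

Note that the estimate is for exhaustive search only; the myth the column rebuts is precisely that raw speed makes such a search practical.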
