Mar 29 2011
Security 101: Encryption
Posted by chris.mark
Data Security, Technical Discussions
This is intended to be complementary to the post: Security 101: Authentication.
Encryption is explained in Wikipedia as: “…the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).”
At a high level, encryption requires three elements (yes, this is a very basic primer): 1) the plaintext, or input, 2) the algorithm and 3) the key(s). The security of encryption rests on the strength of the algorithm, the length of the key(s) and, in practice, on how correctly the algorithm is used and how well the keys are managed. All industry-accepted or government-approved algorithms are openly published; as an example, you can read about the 3DES algorithm here. As stated by Auguste Kerckhoffs in the 19th century: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” Understanding this point, it is fair to say that the key provides the proverbial “keys to the kingdom” in encryption, and as such the keys need to be protected.
With this in mind, there are two basic types of encryption, which rely upon different methods of key management. The first type, known as symmetric key (or secret key) encryption, relies upon a single key (or a pair of trivially related keys) to both encrypt and decrypt the data. Symmetric algorithms are the ones used every day for bulk data and include 3DES, AES and Twofish. The challenge with symmetric key encryption is that the same key must be delivered to both parties and kept secret by both. The other form of encryption is known as asymmetric or public key encryption. In public key encryption two mathematically related keys are employed: the public key is used to encrypt the data, while only the related private key can decrypt it. Public key cryptography is often used to secure email and to provide digital signatures for electronic documents. The value of public key encryption is that the encrypting key (the public key) can be freely distributed and does not need to be kept secret, as only the related private key can decrypt the data; it does, however, need to be authentic, since anyone who can substitute their own public key for the recipient's can read what is sent. Because public key operations are slow and limited in the size of data they can process, they are normally used to encrypt a symmetric key, and that symmetric key encrypts the actual data. A well known email encryption program called Pretty Good Privacy (PGP) uses public key cryptography in exactly this way to secure email.
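As an added example (not part of the original post, and using AES-256-GCM and RSA-OAEP from Go's standard library rather than the 3DES named above), the following shows the three elements from the earlier paragraph and both key models in one place: a single secret key that encrypts and decrypts, a wrong key that fails instead of producing garbage, and the hybrid pattern PGP uses, where the public key encrypts only a freshly generated symmetric key. The function names, key sizes and sample messages are my choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymEncrypt shows the three elements in one call: plaintext, algorithm
// (AES-256 in GCM mode, an authenticated cipher) and a 32-byte secret key.
// The random nonce is prepended to the output; it need not be secret, but it
// must never be reused under the same key.
func SymEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymDecrypt reverses SymEncrypt. With the wrong key the GCM authentication
// tag does not verify and an error is returned rather than random bytes.
func SymDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// Sealed is a hybrid message: the data is encrypted under a fresh symmetric
// key, and only that key is encrypted with the recipient's RSA public key.
type Sealed struct {
	WrappedKey []byte // RSA-OAEP encryption of the 32-byte AES key
	Ciphertext []byte // SymEncrypt output
}

// NewRecipient generates the recipient's RSA key pair (hypothetical helper).
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PubSeal needs only the public key, which can be distributed freely.
func PubSeal(pub *rsa.PublicKey, plaintext []byte) (*Sealed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ct, err := SymEncrypt(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// PrivOpen needs the matching private key; any other key fails at the unwrap.
func PrivOpen(priv *rsa.PrivateKey, msg *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymDecrypt(key, msg.Ciphertext)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg := []byte("cardholder data") // constructed sample input
	ct, _ := SymEncrypt(key, msg)
	pt, _ := SymDecrypt(key, ct)
	_, wrongErr := SymDecrypt(make([]byte, 32), ct)
	fmt.Printf("symmetric: %q, wrong key -> %v\n", pt, wrongErr)

	priv, _ := NewRecipient()
	sealed, _ := PubSeal(&priv.PublicKey, msg)
	opened, _ := PrivOpen(priv, sealed)
	fmt.Printf("hybrid: %q, intact=%v\n", opened, bytes.Equal(opened, msg))
}
```

The symmetric key is the only thing that separates the sender and recipient from everyone else, which is why the key, not the ciphertext, is what must be guarded. In the hybrid half, note that the public key is only ever asked to encrypt 32 bytes; the bulk data goes through the symmetric cipher.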
A key-management scheme in the symmetric family, patented by Visa, is known as Derived Unique Key Per Transaction (DUKPT). DUKPT does not use public key cryptography; it is built entirely on DES/3DES. A Base Derivation Key (BDK) held by the acquirer, and never loaded into a PIN pad, derives an initial key for each device, and the device then derives a fresh key for every single transaction from that initial key and a transaction counter carried in the Key Serial Number (KSN). Each derivation step is one-way, so if a single transaction key is compromised, the preceding and following transactions remain protected. DUKPT is specified in ANSI X9.24 part 1 and is used to encrypt PIN based transactions.
At a high level, encryption renders data unreadable to anyone without the proper key; with the proper key the data can be decrypted into its original form and read. As stated previously: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” If the algorithm is employed correctly and the keys are appropriately secured, the data is protected. It is this premise that provides the value of encryption.
Chris Mark
EVP, Data Security & Compliance