Code warriors battle on
Hardware still plays major role in encryption
- By Doug Beizer
- May 26, 2006
Tens of thousands of tactical messages were encrypted during World War II by Nazis using the German Enigma machine. Years later, it came to light that Allied Forces cryptologists had "broken" the cipher machine, and the Allies had read most of those tactical messages.
Today more than ever before, government agencies need to protect important data from those who would try to steal it.
To keep pace with adversaries, the Defense Department and the National Security Agency's Information Assurance Directorate have an ongoing effort called the Cryptographic Modernization Initiative. The initiative's goal is to transform and modernize information assurance capabilities for the 21st century.
"In the encryption world, probably on a timeframe of every seven to 10 years, there's a need for new encryption algorithms," said Anthony Caputo, chairman and CEO of SafeNet Inc. of Belcamp, Md. "Because every year, the enemy or hackers' tools are getting better, periodically you have to increase the strength of the encryption algorithms. That's what the Cryptographic Modernization [Initiative] does."What is encryption?
Data encryption algorithms are computational formulae that use a string of bits to create a key, which is used to encrypt or decrypt text.
Encryption is used for three main purposes: keeping data confidential, authenticating who sends data, and ensuring data hasn't been tampered with, said Alan Sherman, associate professor of computer science in the computer science and electrical engineering department at the University of Maryland, Baltimore County.
"For encryption, one of the major changes was the adoption of the Advanced Encryption Standard in 2002 by the National Institute of Standards and Technology," Sherman said. "The old system was based on 56-bit technology, which had become insecure. I think improving encryption is a continuing process."
Today's AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits.
The Defense Department and intelligence agencies often use encryption on standalone hardware units to encrypt data from a sender, and translate data for the recipient.
SafeNet's SafeEnterprise Synchronous Optical Network Encryptor, an appliance designed to secure Sonet and Synchronous Digital Hierarchy networks, uses 256-bit AES at speeds up to 10 Gbps.
The National Security Agency approved SafeNet's development of a classified version of the 10-Gigabit SafeEnterprise Sonet Encryptor. Under NSA's Commercial Communications Security Evaluation Program, SafeNet has been approved to develop the encryptor for deployment in the federal intelligence communities, defense and civilian agencies.
The special-purpose computers sit at the endpoints of communications links, where they encrypt and decrypt traffic entering or exiting the Sonet WAN.
"These are small encryption appliances, about the size of a paperback book, that plug into computer networks and secure the communication on that network," SafeNet's Caputo said. "They end up in vehicles, airplanes, ships and buildings, and support all government top secret communications."
Software-based encryption is common and adequate for much of IP communications. But according to cryptography experts, hardware encryption is much stronger than software-based encryption. Hardware solutions allow for protection of both the algorithm and the encryption key, a task much more difficult to do in software.
"Our devices in the field today have encryption algorithms much stronger than commercial encryption algorithms, but you still need to periodically strengthen encryption algorithms to make sure the communications links continue to have good security," Caputo said.
Federal agencies also are using encryption to protect data such as health information and tax records.
One emerging area for encryption is in electronic voting, UMBC's Sherman said.
"Electronic voting systems are a very interesting application of cryptology, one that affects the critical national infrastructure of voting," he said. "There are emerging technologies called cryptographic receipt-based voting systems, which offer tremendous potential for significantly enhanced security over other systems that are in use today."
Maryland is among states using direct-recording system voting, in which trust in vote tabulation accuracy is based on properly implemented computer security.
With a receipt-based system, such as a punch scan, voters would get receipts that are an encryption of their ballot. Using that receipt, they can verify that their vote has been correctly included in the official data. The receipt could be embodied in different forms, although the most straightforward way would be paper.
"This is a receipt they can take home that does not reveal how they voted," Sherman said.Just add cryptology
One goal of NSA's modernization initiative is to encourage companies to offer commercial software that incorporates a form of cryptography called elliptical curve, which is based on the algebraic structure of elliptic curves, said Kathy Kriese, senior product manager for RSA Security Inc., Bedford, Mass. The company's BSAFE Encryption, Signature and Privacy solutions incorporate NSA's cryptography specifications.
"We don't develop hardware. We are strictly focused on software," Kriese said. "Our software can be used by a developer as the software incorporated in a special-purpose hardware device."
For example, a federal agency is using RSA's digital certificate product as part of a solution to identify roles and responsibilities assigned to individual employees to determine the access each should have to view satellite photos.
"People with the right combination of their security clearance and other information on their digital certificate would see different types of information when looking up the same satellite image," Kriese said.
One area in which RSA officials see a lot of growth is mobile and embedded applications. As handhelds grow more powerful and more widely used, the need for security also is growing.
But wider use inevitably leads to a need for stronger algorithms, which require larger numbers of battery-draining processes, and new challenges for IT companies and integrators. The task, Kriese said, will be to design systems that run strong algorithms fast while using less battery power.Staff Writer Doug Beizer can be reached at firstname.lastname@example.org.
Doug Beizer is a staff writer for Washington Technology.