RealTime IT News

Heightened Security Concerns to Accelerate New Encryption's Deployment

The destructive nature of the Code Red and Nimda worms coupled with the heightened awareness for added security in cyberspace as well as the physical realm will likely accelerate the deployment of the Advanced Encryption Standard (AES) data encryption technique, network security experts said.

AES -- a 128-bit block cipher based on a mathematical formula developed by two Belgian cryptographers -- was selected by the U.S. government in October 2000 as a new encryption technique to be used to protect computerized information. The selection was made by the National Institute of Standards and Technology (NIST), an agency of the Commerce Department's Technology Administration, after a four-year competition to find the winning formula. The encryption formula is known as "Rijndael" (pronounced Rhine-dahl), named after its creators, Joan Daemen and Vincent Rijmen.

Now, nearly one year later, there is evidence that AES is being deployed in the private sector even faster than the federal government can mandate it. Biodata Information Technology, a Lichtenfels, Germany-based provider of cryptographic devices as well as network and communications products, this week introduced Biodata VPN, which incorporates the new AES algorithm and supports IP Security Standard (IPsec) technology. The move is widely believed to be the first implementation of AES in a virtual private network.

"Since its development, we've always kept a close eye on incorporating the new algorithms," said Eric Goldberg, East Coast regional manager at Biodata's New York offices. "We're really trying to give our clients the most choice with encryption. That's really the challenge of meeting global needs is to have that open architecture."

Consultants and solutions providers believe Biodata's latest product represents only the tip of the iceberg for a new generation of VPN boxes from vendors around the globe that will safeguard data using more efficient yet more complex encryption techniques.

"Whether it's going to be deployment of VPN or other things, we're seeing an acceleration in deployment of security," said Ed Skoudis, VP of Ethical Hacking at Predictive Systems. "And that's clearly going to mean deploying VPNs and using the best crypto that can be provided. So everyone is going through security with a fine-tooth comb and that's the right thing to do."

While not yet an official standard, AES is designed to replace the existing Data Encryption Standard (DES), which hasn't been updated since the 1970s. (DES is sometimes referred to as the "Defense Encryption Standard," since the Defense Department enforced its implementation after the 1977 adoption.)

DES is a 56-bit encryption technique that stood firm for nearly 20 years before scientists were able to crack it using massive parallel network computer attacks and special-purpose "DES-cracking" hardware. By 1993, other ciphers had come along, such as Blowfish, a 64-bit block algorithm. So, to strengthen encryption further over the years, cryptographers developed a way to encrypt data three times over -- a variant known as "Triple-DES."

But Triple-DES was a considerable drain on a CPU's resources because encryption and decryption were performed not once but three times over. By comparison, AES works with data in 128-bit blocks and can encrypt using larger 192-bit and 256-bit keys, if needed. The technique clearly allows programmers to protect critical data while putting less of a strain on the CPU.
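As an added example (not from the article, Biodata, or any vendor named here), the following Go program uses the standard library's crypto/des and crypto/aes packages to build the ciphers the article compares, report the block size each one works on, and show that Triple-DES really is three DES passes (encrypt, decrypt, encrypt) per 8-byte block. The key bytes and plaintext are constructed, non-secret sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

var sampleKey = []byte("0123456789abcdefghijklmnopqrstuv") // constructed, non-secret; each cipher takes the prefix it needs

func must(b cipher.Block, err error) cipher.Block {
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	return b
}

// tripleDESByHand: encrypt with K1, decrypt with K2, encrypt with K3, i.e. three DES passes per block.
func tripleDESByHand(block []byte) []byte {
	out := append([]byte(nil), block...)
	must(des.NewCipher(sampleKey[0:8])).Encrypt(out, out)
	must(des.NewCipher(sampleKey[8:16])).Decrypt(out, out)
	must(des.NewCipher(sampleKey[16:24])).Encrypt(out, out)
	return out
}

// roundTrip returns each cipher's block size and whether every decryption and the 3DES-vs-hand-built check passed.
func roundTrip() (map[string]int, bool) {
	table := map[string]cipher.Block{
		"DES":     must(des.NewCipher(sampleKey[:8])),   // 56-bit key, 8-byte block
		"3DES":    must(des.NewTripleDESCipher(sampleKey[:24])),
		"AES-128": must(aes.NewCipher(sampleKey[:16])), // 16-byte block
		"AES-256": must(aes.NewCipher(sampleKey[:32])), // same block, longer key
	}
	sizes, ok := map[string]int{}, true
	for name, blk := range table {
		pt := []byte("AAAAAAAAAAAAAAAA")[:blk.BlockSize()] // constructed plaintext
		buf := append([]byte(nil), pt...)
		blk.Encrypt(buf, buf)
		ok = ok && (name != "3DES" || string(buf) == string(tripleDESByHand(pt)))
		blk.Decrypt(buf, buf)
		ok = ok && string(buf) == string(pt)
		sizes[name] = blk.BlockSize()
	}
	return sizes, ok
}

func main() {
	fmt.Println(roundTrip())
}
```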

Still, security specialists like RSA Security Inc. of Bedford, Mass., and Baltimore Technologies Ltd. are hesitant to deploy AES until the proposed standard receives formal approval from the federal government. The proposal has already cleared NIST but needs to clear the Office of Management and Budget (where it currently sits) before returning to the Commerce Department for final approval.

"People are not required to use it yet," said Philip Bulman, NIST spokesman.

However, companies like Biodata aren't waiting around for the federal government to act, warning that IT managers should be more realistic when weighing the costs and benefits of network security.

"I think people need to be more security-minded. People really need to take a look at their physical security as well as their network security and really assess it. There really is no way to measure how much damage a network hack would do," Biodata's Goldberg said.

Analysts certainly lend credence to that assessment. IDC expects the worldwide market for information security services to grow from approximately $6.7 billion in 2000 to $21 billion by the end of 2005, a compound annual growth rate of approximately 25.5 percent.

Data encryption techniques such as AES can be applied at multiple layers of the network, as opposed to, say, IPsec, which works only at the packet layer. For example, one can run it at the application layer as part of a Windows-based application (if you buy, find or write one that does AES) and then send the file to someone, or even use AES to encrypt data on your disk for privacy. However, like most other security components, encryption is only effective when implemented as part of a comprehensive, well-designed strategy that also includes authentication schemes and key distribution techniques.

That's because, as Predictive's Skoudis points out, it is often easier to get around encryption devices than to get through them. He should know. As head of ethical hacking, Skoudis directs his staff of 25 professionals to hack into systems at the request of a client. (Remember Robert Redford in the movie "Sneakers"?)

"You can't leave sensitive information on the web server. The web server is too weak, you need to encrypt it and get it off the servers," Skoudis said.