The destructive nature of the Code Red and Nimda worms, coupled with
heightened awareness of the need for added security in cyberspace as well
as the physical realm, will likely accelerate deployment of the Advanced
Encryption Standard (AES) data encryption technique, network security
experts said.
AES — a 128-bit block cipher algorithm based on a mathematical formula
developed by two Belgian cryptographers — was selected by the U.S.
government in October 2000 as a new encryption technique to be used to
protect computerized information. The selection was made by the National
Institute of Standards and Technology (NIST), an agency of the Commerce
Department’s Technology Administration, after a four-year competition to
find the winning formula. The encryption formula is known as “Rijndael”
(pronounced Rhine-dahl), named after its creators, Joan Daemen and Vincent
Rijmen.
Now, nearly one year later, there is evidence that AES is being deployed
in the private sector even faster than the federal government can mandate
it. Biodata Information Technology, a Lichtenfels, Germany-based provider of
cryptographic devices as well as network and communications products, this
week introduced Biodata VPN, which incorporates the new AES algorithm and
supports IP Security (IPsec) standard technology. The move is widely
believed to be the first implementation of AES in a virtual private network.
“Since its development, we’ve always kept a close eye on incorporating
the new algorithms,” said Eric Goldberg, East Coast regional manager at
Biodata’s New York offices. “We’re really trying to give our clients the
most choice with encryption. That’s really the challenge of meeting global
needs is to have that open architecture.”
Consultants and solutions providers believe Biodata’s latest product
represents only the tip of the iceberg for a new generation of VPN boxes
from vendors around the globe that will safeguard data using more efficient
yet more complex encryption techniques.
“Whether it’s going to be deployment of VPN or other things, we’re seeing
an acceleration in deployment of security,” said Ed Skoudis, VP of Ethical
Hacking at Predictive Systems. “And that’s clearly going to mean deploying
VPNs and using the best crypto that can be provided. So everyone is going
through security with a fine-tooth comb and that’s the right thing to do.”
While not yet an official standard, AES is designed to replace an
existing standard that hasn’t been updated since the 1970s, the Data Encryption
Standard (DES). (It’s sometimes referred to as the “Defense Encryption
Standard,” because the Defense Department enforced its implementation
after the 1977 adoption.)
DES is a 56-bit encryption technique that stood firm for nearly 20 years
before scientists were able to crack it using massively parallel networked
computer attacks and special-purpose “DES-cracking” hardware. By 1993, other
formulas had come along, such as Blowfish, a 64-bit block algorithm.
So, to strengthen encryption further over the years, cryptographers
developed a way to encrypt data three times over, a variant known as
“Triple-DES.”
But Triple-DES was a considerable drain on a CPU’s resources because the
encryption and decryption were performed not once but three times over.
By comparison, AES works on data in 128-bit blocks and can encrypt using
larger 192-bit and 256-bit keys if needed. The technique allows
programmers to protect critical data while putting less strain on the CPU.
Still, security specialists like RSA Security Inc. of Bedford, Mass., and
Baltimore Technologies Ltd. are hesitant to deploy AES until the proposed
standard receives formal approval from the federal government. The proposal
has already cleared the NIST but needs to clear the Office of Management and
Budget (where it currently sits) before returning to the Commerce Department
for final approval.
“People are not required to use it yet,” said Philip Bulman, NIST
spokesman.
However, companies like Biodata aren’t waiting around for the federal
government to act, warning that IT managers should be more realistic when
evaluating the cost-benefit of network security.
“I think people need to be more security-minded. People really need to
take a look at their physical security as well as their network security and
really assess it. There really is no way to measure how much damage a
network hack would do,” Biodata’s Goldberg said.
Analysts certainly give credence to that assessment. IDC expects the
worldwide market for information security services to grow from
approximately $6.7 billion in 2000 to $21 billion by the end of 2005, a
compound annual growth rate of approximately 25.5 percent.
Data encryption techniques such as AES can be applied at multiple layers
of the network, as opposed to, say, IPsec, which works only at the packet
layer. For example, one can run it at the application layer as part of a
Windows-based application (if you buy, find or write one that does AES)
and then send the encrypted file to someone, or even use AES to encrypt
data on your disk for privacy. However, like most other security
components, encryption is only effective when implemented as part of a
comprehensive, well-designed strategy that also includes
authentication schemes and key distribution techniques.
That’s because, as Predictive’s Skoudis points out, it is often easier to
get around encryption devices than to get through them. He should
know. As head of ethical hacking, Skoudis directs his staff of 25
professionals to hack into systems at the request of a client. (Remember
Robert Redford in the movie “Sneakers”?)
“You can’t leave sensitive information on the web server. The web server
is too weak; you need to encrypt it and get it off the servers,” Skoudis
said.