By Dayna Delmonico
One area of security confusing to users is encryption. The good news is there is encryption software that's both effective and easy to use.
If you stay away from techno-terms, encryption is fairly simple: It's the process of scrambling information and unscrambling it with a key or password. Encryption can be used on digital transmissions or to secure storage at a local level, but the technique is basically the same.
Users can encrypt one or more critical files, or they can protect directories and folders. Some schemes lock the disk unless the proper password is provided, while other applications lock the screen.
With private key encryption, the information sender and the receiver are the only ones to hold and use the same key (algorithm) to secure or unsecure information. With public key encryption, senders and receivers hold a commonly used public key with an additional private key held only by specific individuals.
Both systems work as long as the keys are protected. If an unauthorized user has a copy of the key, however, the transmissions can be deciphered. With encryption beyond the single user, say for a corporate intranet, a Certificate Authority (CA) is required. A CA stores public and private key information on separate systems, thus avoiding potential disasters.
Numerous encryption schemes have emerged. One of the best known is the Data Encryption Standard. DES allows the sender and receiver to use the same key for encryption and decryption.
To protect systems from key loss, many vendors offer asymmetric encryption. This uses two keys. A unique key, or private key, is created by the sender and is encrypted using a public key. The receiver recognizes the public key, decrypts the private key and uses it to decipher the actual message.
RSA Data Security has created extensions to DES, the RC-4 and RC-5 schemes, that improve security. These implement multiple keys as well as digital signatures, a unique identifier sent with a transmission. If the signature is not recognized as valid, then the system will not decrypt the key.
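The two-key exchange described above, as an added example that is not part of the original article: the sender creates a one-time key, encrypts the message with it, and encrypts that key under the receiver's public key. The key pair, function names and sample message are constructed for illustration, and a toy HMAC-based stream cipher with unpadded RSA stands in for a real symmetric cipher and RSA-OAEP, so this shows the message flow only.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair for the receiver (illustration only): both
# primes are well-known Mersenne primes, so this modulus is trivial to factor.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # receiver's public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # receiver's private exponent

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _prf(key, b"enc", nonce + (i // 32).to_bytes(8, "big"))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def send(message: bytes, n: int = N, e: int = E) -> dict:
    """Sender: make a one-time key, encrypt the message, wrap the key."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    body = _stream_xor(session_key, nonce, message)
    tag = _prf(session_key, b"mac", nonce + body)
    # Textbook RSA without padding keeps this short; real systems use OAEP.
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}

def receive(env: dict, d: int = D, n: int = N) -> bytes:
    """Receiver: unwrap the one-time key with the private key, then decrypt."""
    # Reduce to 256 bits so a wrong private key yields wrong bytes, not an error.
    session_key = (pow(env["wrapped_key"], d, n) % 2**256).to_bytes(32, "big")
    expected = _prf(session_key, b"mac", env["nonce"] + env["body"])
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("wrong key or modified message")
    return _stream_xor(session_key, env["nonce"], env["body"])

if __name__ == "__main__":
    envelope = send(b"quarterly figures attached")   # constructed sample message
    print(receive(envelope))
```

Only the holder of the private exponent recovers the one-time key; a different exponent or an altered message body fails the integrity check instead of returning plaintext.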
A third approach, known as Blowfish, originally distributed free across the Internet as Pretty Good Privacy (PGP), lets the sending and receiving computers negotiate a complex number. That number is used to scramble and unscramble the data. Blowfish is difficult to break and has been used on voice as well as data.
E-mail is another security-sensitive area, and it's being addressed by a standard called S/MIME. This technology uses a symmetrical cipher to condense messages and encrypt them.
A digital signature travels with the message, and is required to decrypt it.
Copyright (c) 1997 CMP Media Inc.