IT Security Topic — Encryption

General information and definitions

While the concepts and processes of encryption greatly pre-date modern computing, the topic has become increasingly popular in computing over the past few years.  This has largely been fueled by the vast increase of information transfer over computer networks and the increased security concerns that accompany a massively interconnected “always online” computing environment. 

At its basic level, the process of encryption is the transformation of information into a form that is only readable by those with particular knowledge or technology to prevent others who might have access to the information from reading it.  It has long been used for messages in transit, whether carried by hand, transmitted via radio or sent over a computer network – if the message is intercepted, the interceptor would be unable to interpret the information.  It also serves an important role for stored information to protect it in case of loss or theft.

If we had a number we wished to keep secret (say the combination to a safe), one option to protect it is to encrypt the number, after all we can’t store the combination to the safe inside the safe.  Let’s say the combination is 12-28-11 which we shorten to just 122811.  Let’s use some simple math to make it into a scrambled number.

Here’s an equation that adds a secret number (n) to the combination and then multiplies the result by the same secret number:

secret number *(combination + secret number)=scrambled number

If we pick 5 as our secret number, then we get:

5*(122811+5)= 614080

Our scrambled number, 614080, is an encrypted version of our safe combination.  To get our combination number back, we need to know our secret number and the formula used to create the scrambled number.  Here’s the formula:

• secret number *(combination+ secret number)=scrambled number

We insert our secret number and our scrambled number:

• 5*(combination+5)=614080

And solve the equation to find our combination:

• Combination +5=122816
• Combination=122811

We have successfully developed our own encryption process for our safe combination.

• Encrypt – the process of transforming readable information into an unreadable form.  Making the safe combination into the scrambled number. 
• Decrypt – the process of transforming encrypted information back into its readable form.  Making the scrambled number back into the safe combination.
• Key – the item used, along with the algorithm, to encrypt and decrypt information. .  In the example above, the secret number, n, was our key.  The key could be a password, a special file or a hardware device often called a token  Strong encryption processes may use multiple keys like both a password and a token.
• Key length (often just referred to by the bit length e.g. 40-bit, 128-bit, 256-bit) – this is the size of the key used in the encryption process.  In general, the longer the key, the harder it is to break the encryption, but breaking encryption in this manner is unusual unless the key is very small (like 40-bit) or the attacker has significant resources. 
• Algorithm – the mathematical technique used, along with the key(s), to encrypt and decrypt information.  In the example above, the equation, n*(combination + n)=scrambled number, was our algorithm.  Popular encryption algorithms include: AES, DES, triple-DES, RSA, blowfish, IDEA
• “At rest” – information is considered “at rest” when it is saved to a computer or storage device (like a CD, tape or thumbdrive) which is usually in contrast to “in transit”.  Note that data can be considered “at rest” while physically moving like someone carrying a CD with information.
• “in transit” – information is “in transit” when it is being transferred over a network.  This could be copying a file from a file server, submitting a webpage order form or sending an e-mail.
• “stickiness” – the behavior of an encryption technology/product which keeps a file encrypted when it is moved between disks or computers.  Many forms of encryption only keep information encrypted when stored in a particular location.
• Symmetrical vs Asymmetrical – encryption/decryption processes are often referred to as being either symmetrical or asymmetrical, which relates to what keys are used to encrypt and decrypt information. 
• In symmetrical encryption, the same key is used to encrypt and decrypt the information.  The most common use of this technique is password encryption where the same password is used to encrypt and decrypt the information.  This method is simple and useful when sharing the key isn’t problematic (either the key isn’t shared or all parties are trusted with the information).  It requires that all parties who need to encrypt or decrypt the information safely obtain the key.
• In asymmetrical encryption, there are two different keys – one used to encrypt the information and one used to decrypt the information.  In this approach, the key used to encrypt the information cannot be used to decrypt it.  This technique is useful when sharing a key might be problematic.  These two keys are often referred to as public and private keys.  As the names imply, the public key is openly distributed as it can only be used to encrypt information and the private key that can decrypt the information is protected. 

General issues with encryption

Perhaps the most important aspect of encryption deployment is management of keys.  This includes what types of keys are used (passwords, files, tokens, certificates, etc), how they are given to users, how they are protected and how to deal with a lost key scenario.  Each technology and product handles this differently, but the lost key scenario is usually the most concerning since it could lead to either an unauthorized person decrypting information or the inability for authorized people to decrypt information.  Many encryption horror stories come in the form of not being able to decrypt the only copy of very important information.  Pay careful attention to key generation, distribution, use, recovery and security when looking into encryption options.

When files or disks are encrypted, an IT administrator might have to adapt some of their management processes or tools.  For example, what impact do encrypted hard drives have on system imaging?  What about the use of wake-on-LAN for management?  The answers to these questions vary with your management processes and the encryption product, so it’s important to understand how encryption products will impact your IT environment. 

Many forms of encryption only protect information while it is transferred over the network (like a website using SSL) or while it is stored in a particular place (like on an encrypted hard drive).  This means that once the file is moved out of the situation, it is no longer encrypted.  This often confuses users who think encryption “sticks” to files and they can e-mail a file stored on an encrypted disk and it will stay encrypted as an e-mail attachment, or copy a file from an encrypted disk to a thumb drive and the file will remain encrypted.  It’s important to understand the conditions under which a file will be encrypted and explain those conditions to those in your department.  Since encryption conditions vary by technology, product and implementation, there isn’t a general rule.

Learn More

• Types of Encryption
• Product Options
• Senarios
• What should department heads know?

Contact Information
Campus IT Security Office
(303) 735-4357 (or 5-HELP from a campus phone)
security@colorado.edu