Any data that travels across wires or through the air is vulnerable. Depending on the value of the data and the need to protect it, network managers often elect to encrypt transmissions. Just how does this technology work, and what are the various solutions you can deploy?
Each CrossNodes Briefing is designed to act as a reference on an individual technology, providing a knowledge base and guide to networkers in purchasing and deployment decisions.
Protecting The Data Stream
Any data that travels across wires or through the air is vulnerable. Depending on the value of the data and the need to protect it, network managers often elect to encrypt transmissions. Encryption essentially applies an algorithm, driven by a secret value called a key, that scrambles the data before it is sent. The receiving station then uses the key to restore the data to its original content.
Although encryption is an effective privacy safeguard, its strength varies with the type and size of the key. Smaller keys are easier to break than larger keys. However, longer keys require more computation, and this can slow transmissions.
In addition, companies must ensure that the keys they use remain protected. In response to the vulnerability of the keys, some vendors use asymmetric encryption, which relies on two keys. The sending station creates a unique private key and encrypts that key using a public key. The receiving system recognizes the public key, decrypts the private key and uses it to decipher the actual message.
Keys can be any size, but most range from 40 bits to 256 bits. Popular types of encryption include:
- WEP (Wired Equivalent Privacy) -- specification for wireless connections; the current standards call for 40-bit encryption, but a 128-bit specification is planned.
- SSL (Secure Sockets Layer) Encryption -- uses public and private encryption keys to secure transmissions.
- DES (Data Encryption Standard) -- implements a 56-bit key for encryption.
- 3DES (Triple Data Encryption Standard) -- uses multiple keys and multiple encryption/decryption passes to enhance the security provided by simple DES.
- IPSec (IP Security) -- provides encryption for the IP protocol. Network managers can choose to encrypt the entire packet or only the data. The workstation uses a public key that triggers a proprietary key from the server that exists for the session.
- PKCS (Public Key Cryptography Standard) -- provides encryption keys for workstations outside of the corporation. The most popular version in use is number 11.
- Blowfish, also known as Pretty Good Privacy (PGP) -- allows systems to negotiate a complex number for each session. The number serves as the key for scrambling and restoring data during transmission.
Looking for a Corporate Answer
Even if normal transmissions do not warrant encryption, network managers still need to worry about e-mail messages, which frequently carry sensitive corporate data and require protection. An emerging standard, S/MIME, uses a 40-bit symmetric key for all messages. Each message also carries a digital signature, and the receiving station must receive this signature before it decrypts the message. The system is being adopted by several e-mail providers.
International companies also must beware of national laws. Some large keys cannot be exported to foreign offices, so the network manager must implement the best possible encryption that falls within the legal guidelines.
Networks that do not require high throughput will find that software-based encryption adequately protects transmissions. Networks that require more throughput, however, need a different approach. Vendors market individual cards that reside in each workstation as well as network appliances. Both kinds of device can help alleviate the bottleneck that complex encryption creates.
Individual cards install in the workstation. These can help balance transmission loads across the network, but they still use server time. Appliances run alongside the server. Although they also require some server processing, they offload many of the encrypting and decrypting tasks.
Some products enhance the integrity of the encryption by changing keys at regular intervals during a transmission session. By substituting keys on an ongoing basis, they make it hard for anyone to intercept the number of packets needed to decipher an unknown key. This, combined with large keys, represents one of the more secure methods available.
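As an added illustration of the per-session rekeying just described (example code written for this edit, not any vendor's product), the sketch below derives a fresh key from a shared master secret every REKEY_INTERVAL packets, carries the epoch and sequence number in each packet header so the peer derives the same key, and authenticates each packet before decrypting it. The HMAC-SHA256 keystream, the interval value and the packet layout are assumptions made for the example.

```python
import hmac
import hashlib

REKEY_INTERVAL = 4  # packets sent under one key; an assumed value for this example

def derive_epoch_key(master_secret: bytes, epoch: int) -> bytes:
    """Derive the key for one rekey epoch from the shared master secret.
    Both endpoints run the same KDF, so no fresh key ever crosses the wire."""
    label = b"session-epoch|" + epoch.to_bytes(4, "big")
    return hmac.new(master_secret, label, hashlib.sha256).digest()

def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a PRF standing in for a real
    cipher such as AES-CTR; the per-packet sequence number prevents reuse."""
    out, counter = b"", 0
    while len(out) < length:
        block_input = seq.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]

class RekeyingEndpoint:
    """One side of a session whose key rotates every `interval` packets.
    The 4-byte epoch and 8-byte sequence number travel in the packet header,
    so the peer derives the matching key even when packets arrive out of order."""
    def __init__(self, master_secret: bytes, interval: int = REKEY_INTERVAL):
        self.master_secret = master_secret
        self.interval = interval
        self.seq = 0

    def seal(self, plaintext: bytes) -> bytes:
        epoch = self.seq // self.interval  # key changes at every multiple of interval
        key = derive_epoch_key(self.master_secret, epoch)
        header = epoch.to_bytes(4, "big") + self.seq.to_bytes(8, "big")
        ks = keystream(key, self.seq, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(key, header + body, hashlib.sha256).digest()[:16]
        self.seq += 1
        return header + body + tag

    def open(self, packet: bytes) -> bytes:
        header, body, tag = packet[:12], packet[12:-16], packet[-16:]
        epoch = int.from_bytes(header[:4], "big")
        seq = int.from_bytes(header[4:], "big")
        key = derive_epoch_key(self.master_secret, epoch)
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):  # authenticate before decrypting
            raise ValueError("packet rejected: authentication tag mismatch")
        return bytes(c ^ k for c, k in zip(body, keystream(key, seq, len(body))))
```

Because the epoch is derived rather than transmitted as a key, an eavesdropper who collects packets sees only four packets under any one key before the next epoch begins.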
Companies sending large amounts of data generally recognize the need for encryption, but the process can slow communications. Each packet must be encrypted and decrypted, and that takes processor cycles. As a result, companies need to assess their risk. If a company sends financial data or sensitive information, encryption becomes a requirement. However, a company that sends generic information may elect to forgo encryption.
Gerald Williams serves as director of quality assurance for Dolphin Inc., a software development company. Williams has an extensive background in technology and testing, previously serving as editorial director with National Software Testing Labs (NSTL), executive editor with Datapro Research, and managing editor of Datapro's PC Communications Reference Service.
Next week, as a companion to this article, our CrossNodes Product Briefing will specify vendors who provide encryption solutions.