Perhaps that’s because its been around so long it’s no longer seen as a black art. Or perhaps security issues have grown so prevalent, everyone wants some sort of encryption as a truly secure way of stopping the pain of those problems. Indeed whatever the reason, encryption technologies seem to be behind a series of important security happenings of late.
The backdoor question: In the U.S., the Obama administration wants e-mail service providers using encryption technology to leave in a backdoor so that the government can peer in if it needs to. According to a New York Times article this week, the administration plans to submit to lawmakers next year that requires e-mail transmitters like BlackBerry, social networking Web sites like Facebook and direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a federal wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.
Ubiquitous encryption?: A group of researchers recently presented a paper on a technology they said could make end-to-end encryption of TCP traffic the default, not the exception. The group presenting at the recent Usenix symposium talked up a TCP extension known as tcpcrypt. Implemented in the transport layer, tcpcrypt protects legacy applications and provides backwards compatibility with legacy TCP stacks and middleboxes, the groups says. The technology also provides a hook for integration with application-layer authentication, largely obviating the need for applications to encrypt their own network traffic and minimizing the need for duplication of features. Finally, tcpcrypt minimizes the cost of key negotiation on servers; a server using tcpcrypt can accept connections at 36 times the rate achieved using SSL, the researchers stated in their paper.
Cryptography and the Internet: In July the 13 globally distributed server clusters — known within Internet engineering circles as the Root Zone – started cryptographically signing DNS look-ups. The Root Zone got an added layer of protection from hackers through the deployment of DNS Security Extensions (DNSSEC). This emerging Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. Proponents of DNSSEC hope that having the Root Zone cryptographically signed will create a domino effect, prompting operators of top-level domains and individual Web sites to deploy the security standard. That at least in part seems to be happening because in August, Afilias, which operates .info and more than a dozen other Web site extensions, said it would deploy DNSSEC.
End-to-end encryption: The victim last year of a massive data breach of sensitive card data, Heartland Payment Systems vowed to develop new security gear based on end-to-end encryption between itself and its merchants to prevent such a breach from occurring again. In June the company said such an encryption system, known as E3, is slowly taking shape. The E3 terminals, built by Voltage Security and Uniform Industrial Corp., were custom ordered by Heartland, which isn’t requiring its merchants to use them, but strongly recommending them. One incentive for using E3 is a guarantee from Heartland that if merchants using E3 are breached, Heartland will cover fines and forensic costs related to any breach tied to the stand-alone terminals. Heartland is also offering free help to smaller merchants in filling out PCI standard conformance forms, something that can be technically bewildering to them.
Military wants Holy Grail of secure encryption technology: It’s a data encryption technology that protects sensitive data but at the same time lets computations be performed on it all without the data being decrypted. Called fully homomorphic encryption it is known as the Holy Grail of encryption systems by some security experts and it is one of the key technologies scientists at the Defense Advanced Research Projects Agency want for future projects. DARPA wants the new cryptosystem as part of an overarching project know as Programming Computation on Encrypted Data (PROCEED) which seeks to develop all manner of programs that can “develop practical methods for computation on encrypted data without decrypting the data and to develop modern programming languages to describe these computations.” PROCEED has some mighty lofty goals including the development of new algorithms and programming languages.
Battle over BlackBerry: Seems the encryption support on Research In Motion’s BlackBerry is troubling to those countries that would like to monitor people’s transmissions. Saudi Arabia, India, the United Arab Emirates and other countries are looking to ban the wildly popular devices over its encryption features. Banning such strong encryption-based information and communications services would severely limit the effectiveness and productivity of India’s corporations, RIM said in an IDG News Service story. RIM also said it does not possess a “master key,” nor does any “back door” exist in the system that would allow RIM or any third party, under any circumstances, to gain access to encrypted corporate information. The BlackBerry security architecture for enterprise customers was purposely designed to exclude the capability for RIM or any third party to read encrypted information, it said. RIM would simply be unable to accommodate any request for a copy of a customer’s encryption key since at no time does RIM ever possess a copy of the key, it added.
Encryption as a service: IBM Corp. has rolled out its Tivoli Key Lifecycle Manager (TKLS) that in a nutshell makes encryption a service. Network World blogger Jon Oltsik asks “What is so special about [IBM’s service]? First, key management is one of those IT security disciplines that will go from relatively esoteric to an enterprise requirement in the next year or so. Why? More and more data is being encrypted each day so key management is becoming increasingly important. Stolen encryption keys could compromise the confidentiality of sensitive data while lost encryption keys could transform critical data into meaningless 1s and 0s. Pretty soon, all large enterprises will have something resembling TKLS.”
