CRBJ, July 2008
Encryption conjures up images of spies, secret government agencies

By Monte Kendrick

When making a mail-order purchase, most people wouldn't dream of writing their credit card numbers, expiration dates, and validation codes on the back of a postcard.
Yet in the vast majority of businesses and households, people are doing just that: sending confidential or sensitive information through unsecured channels. Perhaps the most common of these channels is e-mail. E-mail, at least in its default configuration, was not designed with security in mind. The entire contents of a typical message are sent in cleartext, and anyone along the routing path can read them with ordinary network tools; a packet sniffer on any intermediate network is enough. Considering that the same message may be routed around the world and through dozens of networks, the chances are fairly high that someone somewhere could be intercepting your private communications. Fortunately, there are a variety of ways to protect yourself and your company's sensitive information, and most of them involve encryption.

What is encryption?

Encryption is a word that conjures up images of international spies, secret government agencies and clandestine operations. However, most people use some sort of encryption every day. Every time you visit a secure (HTTPS) Web site, you are using a form of encryption. Encryption is merely the process of making information, called "cleartext" or "plaintext," unreadable to others. The resulting "ciphertext" can be decrypted only by someone holding the appropriate cryptographic key. The encryption algorithm itself can be made public; it is the decryption key that must remain confidential. (This is a long-standing design principle: the security of a system should rest on the secrecy of the key, never on the secrecy of the algorithm.) Although there are many ways to classify encryption algorithms, in general there are two ways in which the cryptographic keys are handled: symmetric, where the same secret key both encrypts and decrypts, and asymmetric (public-key), where a freely published public key encrypts and a separate private key, known only to its owner, decrypts.
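The two approaches are complementary: symmetric ciphers are fast but require both parties to share a secret in advance, while public-key ciphers need no shared secret but are slow and limited to short inputs. OpenPGP and S/MIME therefore combine them, encrypting the message with a fresh random symmetric "session key" and encrypting only that session key with the recipient's public key, with a digital signature from the sender's private key on top. The following is an added example written for this page, not code from the article or from PGP, GnuPG or any mail client. It uses only Go's standard library; the Envelope type, the Seal and Open functions, the sample message and the names Alice and Bob are all my own choices for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all that crosses the untrusted channel (the e-mail system).
// Without the recipient's private key none of it reveals the plaintext.
type Envelope struct {
	WrappedKey []byte // session key encrypted to the recipient's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output with the authentication tag appended
	Signature  []byte // sender's RSA-PSS signature over the three fields above
}

// signedDigest binds the public fields together, so swapping any one of
// them for another message's is caught by the signature check.
func signedDigest(wrapped, nonce, ct []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{wrapped, nonce, ct} {
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext to the recipient and signs it as the sender.
func Seal(plaintext []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	// Symmetric part: a random 256-bit session key used for this message only.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Asymmetric part: only the short session key goes through RSA.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, signedDigest(wrapped, nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the sender's signature, unwraps the session key with the
// recipient's private key and decrypts. Any change in transit fails either
// the signature check or the GCM tag check.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := signedDigest(env.WrappedKey, env.Nonce, env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest, env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: message was not encrypted to this key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was altered or the session key is wrong")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample: Alice writes to Bob; each has a 2048-bit RSA key pair.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("Card 4111 1111 1111 1111, exp 12/09, code 123")
	env, err := Seal(msg, &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	fmt.Println("card number visible in transit:", bytes.Contains(env.Ciphertext, []byte("4111")))
	got, err := Open(env, bob, &alice.PublicKey)
	fmt.Println("Bob reads:", string(got), err)
	env.Ciphertext[0] ^= 1 // someone on the path flips one bit
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Two details carry over directly to the mail tools discussed below: the sender never needs Bob's private key, only the public key he has published, and a modified or mis-addressed envelope is rejected outright rather than decrypting to garbage.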
Often symmetric and asymmetric encryption algorithms are used in combination to draw upon the strengths of each. Because public keys can be made available to anyone, they are often uploaded to one of several public key servers. Bear in mind that anyone can upload a key under any name, so a key retrieved from a server should be checked against a fingerprint obtained from its owner through some other channel before it is trusted.

PGP and GnuPG (OpenPGP)

In 1991, Phil Zimmermann created a program he named "Pretty Good Privacy," or PGP. The name is actually a misnomer: the encryption it provided was so strong that it was classified as munitions under U.S. export-control law and barred from export. When the program made its way out of the country, as programs tend to do, Zimmermann became the target of a criminal investigation by federal agents. He was never formally charged, and the U.S. government eventually relaxed some of the export restrictions. The program evolved into a proprietary product (PGP Corporation) built on patent-encumbered algorithms such as RSA and IDEA, whose commercial license restrictions could have relegated the application to a limited niche. Fortunately, the company's engineers saw a need to broaden PGP's appeal by promoting an "unencumbered" version of the format, which was submitted to the IETF and became the OpenPGP standard (RFC 2440, since superseded by RFC 4880). A number of OpenPGP-compliant programs are now available, and all interoperate with the commercial versions of PGP. One of the more popular implementations sprang from the GNU Project. Known as GNU Privacy Guard (GnuPG or GPG, available from www.gnupg.org), it is available free of charge for Windows, Linux, and Mac systems.

Encrypted e-mail

E-mail can be encrypted in a number of ways, and most modern e-mail clients support some form of message encryption. If the functions aren't built into the client, there are a variety of plug-in modules that can provide encryption on the fly. PGP Corporation provides a suite of tools that allow encryption and decryption of e-mail, as well as digital signing of messages, in Outlook.
For users of Mozilla Thunderbird, the Enigmail plug-in provides similar functionality using any OpenPGP-compliant encryption program, such as GnuPG. Using these programs is as simple as composing a message, clicking an encryption button, and choosing a recipient. Of course, the recipient must also be using a compatible program, and you must have a copy of the recipient's public key before you can encrypt to them. Another option for e-mail encryption is S/MIME, or Secure Multipurpose Internet Mail Extensions. This option is built into most, if not all, graphical mail clients produced over the past few years. Like OpenPGP, S/MIME uses public-key cryptography, but unlike its counterpart it requires a personal X.509 certificate issued by a certificate authority that the recipient's mail client already trusts, whereas OpenPGP users generate their own key pairs and vouch for one another's keys. A certificate from a trusted certificate authority costs only a few dollars per year, and they are relatively easy to install. With either scheme, note that only the message body and attachments are encrypted; header fields such as the subject line, sender and recipient still travel in the clear.

Putting it all together

Some have said that 95 percent of security issues could be solved or mitigated through the use of encryption. This may be overstating the benefit. Encryption by itself addresses only the confidentiality of data; the digital signatures that the same tools provide are what protect its integrity and prove its origin, and neither does anything for availability. However, considering the growing problems resulting from credit card fraud, identity theft, and corporate espionage, the use of encryption should become routine for all users. Perhaps the reasons for slow adoption of this technology are that users believe the programs are too complicated or require too much specialized knowledge. These assumptions are not true. However, the ability to use two-way encrypted communication is limited by the number of correspondents who have not yet set it up. This can change, but change must begin at home.

Monte Kendrick is the president of and principal consultant for Pixelogiq Data Systems LLC, a Madison-based company that offers information security and technology consulting services. techtalk@pixelogiq.com

madison.com ©2009 Capital Newspapers. All rights reserved.