Data Encryption
Introduction
This article is an introduction to data encryption and to ITBMS's eCLIPse product. It explains some of the different encryption security strategies in place today. We start with SSL, which addresses data transmission.
Secure Socket Layer (SSL)
If your emails or transmissions to partners contain personal or corporate information, one way to protect the transmission is to use SSL. On the web, theft of confidential data is rampant; to counter the problem, telecommunication sessions can be negotiated with what is called SSL (Secure Socket Layer). SSL encrypts the data traffic (messages) so that snoopers looking at the network traffic see bizarre characters but cannot understand the contents. SSL protects the traffic between partners; however, as soon as the data is received, it is dynamically decrypted back into the clear. SSL encryption algorithms are site based, and each site has the use of several algorithms. Strong transmission encryption is the norm for protecting data in transit between sites; however, this security feature can be overcome. How SSL can be intercepted is described later.
The reasons for eCLIPse Data Encryption
Encryption is the process of changing the characters in a field such that the contents of the field are visible but not understandable. If the algorithm is applied to every successive block of 8 characters in the file, the entire file can be encrypted. In use, an encryption algorithm takes a block of text of 8 or 16 characters, tears apart the block, shuffles the parts that were torn apart, flips a few bits and substitutes parts of other characters before re-assembling the block as encrypted text. These actions are the role of the encryption algorithm; they are controlled by the encryption key(s) and are reversible. Two different encryption key(s) do not and cannot produce the same encrypted output. For eCLIPse® with 3DES, using the same keys and passing the encrypted file as input results in recreating the original unencrypted text.
While it is important to transmit encrypted data, it is equally important to encrypt files stored on a laptop, a desktop, or a database server. If the laptop is stolen and the files on it are not encrypted, confidential information can be lost. Another way this can happen is with a key logger virus, designed to capture keystrokes and to monitor website access. If a server is compromised, confidentiality is lost. In a Business to Business (BB) environment, the consequences are costly enough to force bankruptcy. What are the cost consequences of data loss if you have stored business partner names, addresses, social security numbers, credit card information, bank account numbers, manufacturing formulas, competitor information, etc.?
There are many algorithms for encryption. The most popular three are AES, 3DES and PKI. I will briefly describe each.
PKI
PKI uses two keys for each partner. One is called the private key which you own, and the other is called the public key which you distribute. To use PKI, you send each partner your public key. Using your public key, he encrypts the file destined to you. When you receive the encrypted file, you use your private key to decrypt it. To send an encrypted message to a partner, you use his public key. The PKI process is called non-symmetric key encryption. If you encrypt a file with your partner's public key, you need his private key to decrypt it. It often happens that the only file you have is the encrypted one destined for the partner. You may have information therein that should not be divulged. Worse, without your partner's help, you cannot decrypt that file.
AES Encryption
Around the year 2000, AES was presented to the world as a strong encryption algorithm. AES operates on a fixed block size of 128 bits (16 characters) using a key size selected from one of 16, 24 or 32 characters. With AES, the smallest field size that can be encrypted is 16 characters. Until May 2009, it was thought to be un-crackable, but since then several articles have been produced to show that it can be done. The USA government, which promoted AES in 2000, announced in May 2009 that AES may continue to be used, but cannot be used for critical government information.
Triple DES (3DES)
Triple DES (3DES) is a very strong encryption algorithm in use in the banks since 1971. It is free of patents. Moreover, breaking the encryption of 3DES can take many hundreds of years. 3DES has the advantage of encrypting a fixed block size of 8 characters, and uses either two or three keys, each of 8 characters. 3DES is the application of the DES algorithm three times in succession. The USA government has not refused 3DES encryption, and has indicated that it can be used for the next twenty years, until 2030, when its use will be reviewed. 3DES uses the first key to encrypt the block, the second, different key to run the decryption algorithm against the block (which results in a second encryption), and a third key to re-encrypt the block again. Using 3DES, also known as TDEA, effectively encrypts an 8 character block of text using an effective key-length of 24 characters (actually 21 characters plus 3 parity bytes).
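The encrypt-decrypt-encrypt key sequence and the block-by-block file processing described above, as an added example that is not eCLIPse code. A small hash-based Feistel cipher stands in for DES (which the Python standard library does not provide), so the output is not real 3DES; every name, key and record below is constructed for illustration. It goes one step beyond the text by comparing independent block encryption with chaining, where equal 8-character fields no longer produce equal ciphertext.

```python
import hashlib

BLOCK = 8  # 3DES block size in bytes, as stated in the article
KEYS = (b"key-one!", b"key-two!", b"key-3333")   # constructed 8-character keys
RECORDS = b"ACCT0001" * 3 + b"ACCT0002"          # constructed 8-character fields

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # round function of the stand-in cipher (NOT DES)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def enc(key, block):  # one 8-byte block through the stand-in 4-round Feistel cipher
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def dec(key, block):  # inverse of enc(): the rounds undone in reverse order
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def ede_encrypt(k1, k2, k3, block):
    # Encrypt with key 1, run decryption with key 2, encrypt again with key 3.
    return enc(k3, dec(k2, enc(k1, block)))

def ede_decrypt(k1, k2, k3, block):
    return dec(k1, enc(k2, dec(k3, block)))

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of 8-byte blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt_fixed_blocks(keys, data):
    """Each 8-byte block is encrypted independently of its neighbours."""
    return b"".join(ede_encrypt(*keys, b) for b in blocks(data))

def encrypt_cbc(keys, iv, data):
    """Each block is XORed with the previous ciphertext block before encryption."""
    out = [iv]
    for b in blocks(data):
        out.append(ede_encrypt(*keys, _xor(out[-1], b)))
    return b"".join(out[1:])

def repeated_blocks(ct):  # number of ciphertext blocks that duplicate another
    return len(blocks(ct)) - len(set(blocks(ct)))
```

With three identical keys the sequence collapses to a single encryption, and with independent block encryption the three equal account fields in `RECORDS` are visible as three equal ciphertext blocks.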
eCLIPse® Offering
In the business world, where data fields are as small as 8 characters (for example, account numbers or dollar amounts), it is essential that these smaller fields be encrypted. Because 8 characters is a good size for encryption (bank machines, that is, automated teller machines or ATMs, use 3DES), eCLIPse® uses 3DES as the algorithm of choice. A file encrypted with eCLIPse® and attacked with today's technology using a divide-and-conquer approach (hundreds of PCs) will still require in excess of many hundreds of years to determine the encryption keys.
eCLIPse® is more than a file encryption product. It is a security product with many functions rolled up into one.
These are some of the features:
a) Stand alone operation using a secure smart-card USB Rosetta token as the data store for the encryption keys or the fetching of encryption keys from a secure Key server.
b) A Key server application to replace or complement the USB Rosetta token allowing secure online encryption key retrieval for offline encryption/decryption of data. VPN support integrated.
c) An administrator application to manage the key server and USB tokens.
d) First level access to the encryption keys is via a PIN. Keys are referred to by their key number. No operations personnel or end-users know the actual encryption key contents.
e) No keys are ever stored on the client's disk. They are fetched from the USB token or in encrypted form from the Key server and are stored in the memory of the eCLIPse user interface.
f) Standard software provided for 3DES file encryption uses fixed size record encryption or cipher-block chaining (CBC). One hundred encryption keys are stored in memory (400 bytes).
g) An eCLIPse explorer module with an email interface that allows the user to work with encrypted files or to encrypt files, and to email an encrypted file using the POP or IMAP protocols. It can also receive and decode an encrypted email attachment.
h) Using Explorer, a file can be decrypted for update, re-encrypted, and the clear version deleted with one mouse click operation.
i) A utility program to allow individual or batch operation against multiple files.
j) An application programming interface DLL (API), allowing the user to incorporate eCLIPse's 3DES encryption into his application.
k) A secure remote functionality is provided to restore a locked out PIN through an exchange of coded messages. To do this, user validation is done via voice with the administrator. There is an exchange of request / response codes to permit unlocking the user device PIN and forcing a new PIN password.
l) eCLIPse has been reliably executing since 1989. Works with XP, VISTA, Windows 7, MS Servers.
A later article will present some of the features of the eCLIPse® package.
Man in the Middle Security Attacks
As mentioned, SSL is the software that is invoked when a TCP/IP request is made for a secure connection. Here is one way a man-in-the-middle attack can conceivably happen, using XXXXX as an example.
a) The user asks to contact his secure site by submitting the URL (www.xxxxx.com). The request is sent to a DNS server.
b) A DNS server is the equivalent of an electronic phone book. Because of the billions of IP addresses, a hierarchy system exists to manage local DNS servers. For example, my request for a www.gmail.com lookup returned 173.194.33.83. Your Internet Service Provider may have a DNS server which may cache the URL information or, if the address is not found in its cache, may pass the request onwards to an upstream DNS server. The problem arises because some DNS servers are not fully secured. Internet service providers (ISPs) usually have more than one DNS server, as one of them may be offline or not responding quickly enough.
c) Suppose a hacker sets up a DNS server configured to serve your ISP or the ISP of your partner, or the hacker breaks into a valid DNS server. This DNS server now replaces the www.xxxxx.com address with one belonging to a hacker site. When you request a secure connection to www.xxxxx.com, it does the lookup and returns the address of the hacker site. The hacker site interposes itself between you and the target URL. The hacker site is now deemed to be the man in the middle. Since the hacker site is both your partner and the www.xxxxx.com partner, it takes copies of all traffic seen in the clear. Even though every effort has been made to secure a DNS server, hackers have occasionally found ways to enter and modify ones which have not been maintained with up-to-date security patches. Hackers can also gain access to your site via other means such as faulty webpage designs, key loggers and a slew of other virus attacks.
d) What are the consequences of a circumvention of the SSL intent? Once the hacker has analyzed the protocol and the traffic, the hacking program can start probing the website's backend database; there are many techniques for probing database contents. Suffice it to say that since most backend databases store contents in the clear, all the contents are open to copying. The hacker may also do such things as mass injection, mass deletion, mass renaming of contents; in short, destruction. eCLIPse® allows you to encrypt key database contents.
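One way to spot the substituted DNS answer from step c) on the defender's side, as an added example that is not part of the original article or of eCLIPse. The log format, resolver names, baseline network and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each monitored name is expected to resolve into.
EXPECTED = {"www.xxxxx.com": [ipaddress.ip_network("192.0.2.0/24")]}

# Constructed resolver log, one answer per line: <time> <resolver> <name> A <address>
SAMPLE_LOG = """\
2010-03-01T09:00:01Z isp-dns-1 www.xxxxx.com A 192.0.2.10
2010-03-01T09:00:02Z isp-dns-2 www.xxxxx.com A 192.0.2.10
2010-03-01T09:05:40Z isp-dns-2 www.xxxxx.com A 203.0.113.66
2010-03-01T09:05:41Z isp-dns-1 www.xxxxx.com A 192.0.2.10
2010-03-01T09:06:00Z isp-dns-1 www.example.org A 198.51.100.7
"""

def parse(log):
    """Yield (time, resolver, name, address) for each well-formed A-record line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "A":
            ts, resolver, name, _, addr = parts
            yield ts, resolver, name.lower().rstrip("."), ipaddress.ip_address(addr)

def analyse(log, expected=EXPECTED):
    """Return (answers outside the baseline, names on which resolvers disagree)."""
    alerts, latest = [], defaultdict(dict)      # latest[name][resolver] = address
    for ts, resolver, name, addr in parse(log):
        if name not in expected:
            continue                            # name is not monitored
        latest[name][resolver] = addr
        if not any(addr in net for net in expected[name]):
            alerts.append((ts, resolver, name, str(addr)))
    split = sorted(n for n, seen in latest.items() if len(set(seen.values())) > 1)
    return alerts, split
```

On the sample log, `analyse(SAMPLE_LOG)` reports the single answer from `isp-dns-2` that falls outside the baseline and lists `www.xxxxx.com` as a name on which the two resolvers disagree.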
Summary
Security is more than just protecting the transmission of data. It is the protection of confidential information, beginning with the laptop, and all the intervening points, including the encryption of database contents. In forthcoming articles we will describe the security components offered by eCLIPse®.
(2) One of the largest bank frauds occurred in Sweden http://www.pctools.com/news/view/id/159/, another with TJ Maxx http://www.msnbc.msn.com/id/21454847, where for months at a time, bank account and credit card information was copied. After several months of copying, massive credit card frauds were done simultaneously, resulting in the immediate loss of in excess of 94 million accounts. Other frauds included the creation of fictitious payment transactions (small amounts from many accounts to a half dozen hacker accounts). Because of the volume of frauds, corrective action took months to achieve. The lifetime cost per individual loss is estimated today at US$49,500.
eCLIPse® offers your enterprise extreme security protection from hackers and theft of information, corporate espionage, collusion, internal / employee fraud, misuse of information, accidental sharing of sensitive information, unintended data loss and over-expenditures on equipment and software licenses…and we have been doing so since 1989.
eCLIPse® 2010. All rights reserved. eCLIPse and the eCLIPse logo are registered trademarks of itBMS. All other trademarks are the property of their respective owners.