IT managers have to sort out the fact from the fiction and hype coming from over 300 vendors promising to solve vital pieces of the security jigsaw. Then, of course, there is the question of how seriously to take new developments that are always 'just around the corner'.The truth is that security developments move very slowly. Behind every usable innovation are years of testing and peer review. Cryptography, one of the technologies that underpins IT security, dates back to Egyptian times and the cryptographic algorithms in use today have been studied for over 20 years. Some cryptographers reckon that you simply can't trust anything that hasn't been studied for that long.Confidence in security comes from a thorough understanding of the science used to encrypt data, whether it is mathematics, physics or even biology. The better we understand it the stronger the security that can be built on top of it. So rather than advancing the underlying science and coming up with new algorithms, most of the important developments currently taking place are focused on the application and management of cryptography.For example, while the generation of cryptographic keys is well understood, and the use of these keys is understood, there are still problems in distributing keys that could well be solved better by newer technologies.Cryptography is best known today for protecting data in transit, particularly across the public Internet. We are all familiar with the padlock in the corner of the screen that provides the reassurance that SSL (Secure Socket Layer) encryption is being used to protect our personal details or ecommerce transaction. SSL is now a defacto standard to prevent eavesdropping and provide secure sessions between the browser and web server.If sensitive information such as a password and pin are unencrypted on a web server to check against data stored in a back-end database, the point of risk is simply shifted. The challenge therefore, is to extend the secururity provided by SSL deeper into the web site infrastructure in order to protect data behind the firewall from internal and external attacks. As the concept of a secure network boundary becomes outdated it becomes even more important to protect sensitive information wherever it flows, inside or outside a corporate network. SSL sessions can now be terminated inside a protected tamper-resistant environment and traffic passed securely on to other back-end applications.The idea of end-to-end encryption may still be a holy grail but cryptography is increasingly playing a vital role both externally and internally. For example, why crack individual credit card transactions over the Internet when entire repositories of private information stored in databases may be open for attack?To overcome this vulnerability, fine-grained data protection and key management technologies have now been developed that only encrypt those data objects or fields specified by the security policy. So instead of building 'walls' around servers or hard drives, a protective layer of encryption is created around individual data-items or objects. When it comes to Web services, the security challenges mirror those of standard Internet communications but the stakes are higher. Web Services involve scalable machine-to-machine interaction, which will often bridge the firewall, increasing vulnerability to malicious attack. Not only is it vital to deliver confidentiality and integrity though encryption and digital signatures, it is also important to manage user identities and verify who or what is on the other end of a network connection.
A Leap in the Dark
So encryption is finding its way into a wide range of new applications but what about future developments in cryptography? Probably the most heralded technology in this field is quantum encryption. From many reports, it would seem that this is a commercial proposition about to replace established security technologies to provide a panacea for all the unresolved security issues.Quantum encryption works by using the unique properties of fundamental particles to encrypt streams of data. If any attempt is made to intercept encrypted data the quantum properties are changed, showing that the data has been compromised. So far this technology has been confined to research laboratories, though each report suggests that researchers are closer to achieving a commercially useful implementation of this technology. Two main issues emerge. The first is practical. The type of security that quantum encryption proves to be good at, at least in initial implementations, is point-to-point security between parties that already know each other. As the quantum-secured streams of data can only pass down a single fibre-optic cable while remaining readable, this development is likely to be useful in some important security scenarios, such as securing telecommunications links. In its current form it is not applicable to most forms of Internet or corporate security where data must pass through many computers on its journey from start to endpoint. Unless every connected computer can have a direct connection with every other connected computer, this will limit the application of this development, though it promises to be very useful for particular security needs.The second is more theoretical. While we understand enough about quantum physics to see how it can be used to encrypt data and provide a novel security solution, the field is by no means fully mature. There remains a risk that further discoveries could change our understanding of the quantum world and that such discoveries might p provide a security hole or enable a form of attack that we can't envisage or protect against based on current understanding.Compare this with the well-understood mathematics behind the RSA public key algorithm. There remains an outside risk that a mathematician will discover something about factorisation, the basis of security in the RSA algorithm. This branch of mathematics is more mature than the study of quantum physics, so it is much less likely that there could be an undiscovered fault-line in the technology. With over 25 years' close scrutiny of this algorithm and the maths behind it, users can be reasonably confident that weaknesses have already been discovered and understood.The most likely risks to algorithms such as RSA are probably those we already know about. For example, as computers get more powerful, they can process the sums behind the security much more quickly and could therefore crack keys more quickly. So, because we understand this risk, we can protect against it by using longer keys which make the sums involved exponentially more difficult and therefore reduce the likelihood that an attacker can find a key in any reasonable period of time. The process of introduction for the symmetric algorithm AES (the US government's Advanced Encryption Standard) shows how the industry can work together, by subjecting it to an unprecedented level of scrutiny from experts all over the world. Even so, security curmudgeons still express some scepticism that this new standard is entirely safe to adopt after its brief but intense introduction.Quantum key distribution and encryption are technologies worth watching, although there is a great deal to be implemented and proven before the risks of using them become as low as the risks of using more familiar technologies such as RSA. The quality of the research undertaken in this field is undoubtedly high; look for more discussions of the topic at security conferences and peer-reviewed articles and papers to show how the technology is developing and its implementation progressing. While quantum encryption sounds like the stuff of science fiction, it is a serious development.
