download issue 24 here - Help Net Security
download issue 24 here - Help Net Security
download issue 24 here - Help Net Security
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
acronyms without researching their underpinnings.<br />
Since all IT decisions come down to<br />
dollars and sense versus functionality, this<br />
scenario turned into a “risk analysis” exercise<br />
centered on how likely it was that a hypothetical<br />
attacker had the means to “crack” 3DES<br />
and yet not be capable of getting through<br />
AES. Then, comparing that difference in<br />
probability to the implied “loss” that would be<br />
realized in the event of a breach, in an effort<br />
to justify the additional cost.<br />
The result of this exercise was that 3DES was<br />
more than sufficient since we had calculated it<br />
was more likely (from a probabilistic standpoint)<br />
that the equipment would be stolen,<br />
physical security compromised, and the information<br />
easily removed from the internal<br />
systems without needing to crack one encryption<br />
key. This result was disliked greatly by the<br />
IT staff, but liked immensely by the accounting<br />
department who now felt they saved quite a<br />
bit of money.<br />
Since this will not be an overview on how to<br />
develop risk scenario calculations, weʼll focus<br />
on trying to educate our fellow IT professionals<br />
on why BOTH algorithms are great, but if<br />
one costs more money, either can be used so<br />
one can save money. In the process, we will<br />
hopefully clear up some misunderstandings<br />
about their in<strong>here</strong>nt differences and advantages<br />
in different situations.<br />
In an effort to bridge the gap between the<br />
“newbie” IT professional and the seasoned<br />
expert, we will offer some definitions w<strong>here</strong><br />
appropriate. Our goal is simply this – to come<br />
away with a better understanding of the differences<br />
amongst encryption algorithms and<br />
w<strong>here</strong> they fit in todayʼs business computing<br />
environment.<br />
Data Encryption Standard, 3DES, and<br />
Advanced Encryption Standard<br />
To begin, let us quickly come up to speed on<br />
some points: “Cryptology” is essentially defined<br />
as the making and breaking of secret<br />
codes. It consists of two parts: cryptography,<br />
which is the development and use of codes;<br />
and, cryptanalysis, which is the breaking of<br />
the codes. These two aspects go hand in<br />
hand as the cryptanalysis confirms (or negates)<br />
the strength of the algorithms them-<br />
selves. Once shown to have vulnerabilities,<br />
the algorithms tend to get stronger via improved<br />
cryptographic mathematics (usually).<br />
Please keep in mind that this “cat and mouse”<br />
game between code creators and code<br />
breakers is not new, by ANY means. Cryptography<br />
was very popular even during the time<br />
of Julius Caesar since the security of a message<br />
delivered by a human could NOT be secured<br />
simply by trusting the human. In fact,<br />
recall the Hundred Years War between France<br />
and England. At that time, the cryptanalysts<br />
were ahead of the cryptographers. France believed<br />
the Vigenère cipher to be unbreakable.<br />
The British, of course, cracked that code. No<br />
algorithm is truly unbreakable. Hence, the security<br />
of entire nations sometimes rests on the<br />
strength of encryption codes! But, let us return<br />
from our digression.<br />
Put simply, a “cipher” is an algorithm for performing<br />
encryption and decryption. With a<br />
substitution cipher, one letter is substituted for<br />
another to encrypt a message. In simplest<br />
form, the number of letters in the output<br />
equals that of the input. One of the shortcomings<br />
of this simple cipher is its vulnerability to<br />
frequency analysis.<br />
If a message has 15 B's, for example, and B<br />
is replaced by L, the ciphertext would still contain<br />
15 Ls. As the message lengthens, it becomes<br />
more and more vulnerable to frequency<br />
analysis because the message would<br />
retain the frequency patters found in the language,<br />
even though the characters are different.<br />
Polyalphabetic ciphers were invented to make<br />
up for the shortcomings of the substitution cipher.<br />
The Vigenère cipher is an example. It<br />
encrypts using a series of different Caesar ciphers<br />
based on the letters of a keyword. This<br />
makes it invulnerable to frequency analysis.<br />
National security dictated the need to create<br />
DES, which was adopted by the National Institute<br />
of Standards and Technology in 1977,<br />
and later approved by the American National<br />
Standards Institute in 1981 (ANSI X3.92). It is<br />
defined as a “Block Cipher” because it handles<br />
data in 64 bit “blocks.” This means eight<br />
bytes, since one byte [historically] equals<br />
eight bits. Within this 64-bit block, 56 bits are<br />
www.insecuremag.com 52