Republished with permission from WatchGuard Technologies, Inc.

WatchGuard LiveSecurity

Deploying Crypto, What Are You Waiting For?

Fredrick M. Avolio
Avolio Consulting

Ever since we started using the Internet, we have known that communications over a public network are vulnerable to eavesdropping. Even before the Internet Password Capture Attack of Winter, 1994, we knew we were vulnerable. We knew that when sending e-mail, transferring a file, or logging into a terminal session across a network, others on that network could, if they chose to, read that information.

We also know about cryptography. If we didn't before, the news around the US National Security Agency's attempt to get the world using NSA-created encryption hardware made sure everyone who read a newspaper knew about it. And the controversies regarding the export of strong cryptography go on today.

This note isn't about export issues. Strong cryptography is commercially available all over the world. The title says what this is about: after all this time, considering the threat, the risk, and the available products, why aren't you using crypto products?

When to Use Cryptography
We can use crypto products to provide confidentiality for transmissions or data files, strong user authentication, authentication of a document's creator, data integrity, and non-repudiation (protection against someone denying that they originated a communication or a piece of data).

Crypto Doesn't Have to be Difficult
Some of you think that using cryptographic products requires a big step, a major commitment from your organization. Won't you need a Public Key Infrastructure (PKI)? Doesn't that take a lot of money and work?

Yes, you need a PKI, but you can get away with a very lightweight one to start. And starting to use, then deploying, encryption products takes only a few first steps. In what follows I suggest those first steps for an organization, or an individual, that wants to begin using encryption products.

Step 1: Start Encrypting Sensitive Files on Your PC
Free, licensed products are available for Windows platforms, Macs, and UNIX systems. There are, of course, commercial products as well. Some software requires you to decrypt -- to unlock -- a file to read or edit it, and to encrypt it again to store it safely. Others let you store files in an electronic "safe". The beauty of starting with these is that you do not need anyone else to play with in order to use them.

Start routinely encrypting sensitive files. Now, if someone steals your notebook PC, or breaks into your file server and accesses your files, the attacker will find only unintelligible data. Show others when the opportunity arises. Oh, and do not forget your passphrase (something you can get away from if you use biometrics -- but that's a subject for another month).
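As an added illustration (not from the article, and not the code of any product it mentions), this is what the Step 1 tools do underneath: a passphrase is stretched into a key and the file's bytes are sealed with an authenticated cipher, so a wrong passphrase or a tampered file is rejected rather than yielding garbage. The algorithm choices and iteration count are my assumptions.

```ruby
require "openssl"
require "securerandom"

# Added illustration of Step 1 (not a product the article names): a passphrase
# protects file data with AES-256-GCM, the key derived by PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16   # random per file, so the same passphrase yields different keys
IV_LEN = 12     # GCM standard nonce length
TAG_LEN = 16    # GCM authentication tag length

# Stretch the passphrase into a 256-bit key; the salt is stored with the data.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, PBKDF2_ITERATIONS, 32,
                             OpenSSL::Digest.new("SHA256"))
end

# Returns salt || iv || tag || ciphertext as one binary string.
def encrypt_data(plaintext, passphrase)
  salt = SecureRandom.random_bytes(SALT_LEN)
  iv = SecureRandom.random_bytes(IV_LEN)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv = iv
  body = plaintext.empty? ? "".b : cipher.update(plaintext)  # update rejects ""
  ciphertext = body + cipher.final
  salt + iv + cipher.auth_tag + ciphertext   # tag is only valid after final
end

# Returns the plaintext, or nil if the passphrase is wrong or the data was
# altered: GCM's tag check fails either way, so garbage is never returned.
def decrypt_data(blob, passphrase)
  return nil if blob.bytesize < SALT_LEN + IV_LEN + TAG_LEN
  salt = blob.byteslice(0, SALT_LEN)
  iv = blob.byteslice(SALT_LEN, IV_LEN)
  tag = blob.byteslice(SALT_LEN + IV_LEN, TAG_LEN)
  ciphertext = blob.byteslice(SALT_LEN + IV_LEN + TAG_LEN..-1)
  decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  decipher.key = derive_key(passphrase, salt)
  decipher.iv = iv
  decipher.auth_tag = tag
  body = ciphertext.empty? ? "".b : decipher.update(ciphertext)
  body + decipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

Wrapping a file is then `File.binwrite(path + ".enc", encrypt_data(File.binread(path), passphrase))` and the reverse; the salt and nonce travel with the ciphertext, so only the passphrase has to be remembered.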

Step 2. E-mail Encryption
This is second because it takes at least two to dance this tango. There are two emerging standards for encrypted Internet mail: PGP/MIME and S/MIME. Freely available programs supporting both standards work as stand-alone programs for encrypting and decrypting, and they also integrate into popular mail programs such as Eudora, Netscape, and Outlook. These programs are simple to install and set up, and you can be using them in a matter of minutes. Start signing your e-mail messages with your digital certificate (the software gets you started on this). Test it with others in the organization. Use it when confidentiality is important (which is a good deal of the time, is it not?). You will start asking people for their digital certificates so you can send them confidential e-mail. You will be starting something.

Step 3. Remote Connection Encryption
If you go to conferences and use public "terminal" rooms to access e-mail, you need remote connection encryption. You need this if you are in a multi-billion dollar business. It is a bit harder to start using remote connection encryption (we will call it remote VPN, for Virtual Private Network), but only a bit. Remote user VPN software is available from nearly every firewall vendor and router vendor, as well as from companies that specialize in VPN products (and many firewall and router vendors resell these products).

You will need something on the server side to support the other end of the encrypted connection. WatchGuard includes remote user VPN options with its LiveSecurity system that allow any Windows client to connect to the home network through the Firebox. Select either PPTP (included with version 4.0) or the new IPSec versions. A no-cost alternative is an application called Secure Shell (SSH), available for Windows, Macs, and UNIX systems. While SSH was created as an encrypted replacement for Remote Shell (RSH) on UNIX, it also has a facility for tunneling other services over it.

That's It?
Is this all there is to it? Well, no, but it is a good start. It requires little or no money. And it works. Encryption products -- products that safeguard our data on networks and on disks from prying eyes -- are available, usable, and necessary. It is foolishness not to use them, especially when it is so easy to get started.