Security and Encryption



The point of security is to protect your sensitive data from those that should not have it. Encryption is a powerful tool to achieve this goal

Overview

Encryption protects your data by converting it to a form that is scrambled so that it is meaningless without being translated back to plain text. An algorithm (process or series of steps) called a cipher uses a number of methods to convert the data to an unreadable form. The cipher does different things depending on a key (number, password or passphrase) provided to it so that there is no easy way to decipher the data even by powerful computers trying different decoding techniques without having access to the key.

Encryption can be done using symmetric or asymmetric keys. Symmetric keys means that the same key is used to encrypt and decrypt the data.

Asymmetric key encryption means that a public key is used to encrypt data and a private key is used to unscramble the data. People that want to exchange encrypted data using asymmetric keys provide each other with the public encryption key so that the other person can encrypt the data and then use the private key to make it usable.

When to encrypt

Data should be encrypted whenever there is a possibility of access to it by someone that should not see it. This would apply to sensitive financial data in ones own house if there are young children or other users who may not use it responsibly. It would also be an issue if a computer is not adequately protected against internet hackers. Encryption and file protection used together safeguard this data.

Data that is portable such as backup disks or DVDs are especially vulnerable. Laptop users are especially at risk if they transport the laptop from place to place and might possibly forget it somewhere.

Sensitive emails that are publicly transmitted or data carried over a wireless network can also benefit so that even if someone could intercept the data, it would be meaningless to them. By encrypting a file and providing the decryption key to the recipient separate from the data, the data can be sent by ordinary email and only opened by the recipient with the key. Encrypted wireless data is similarly made available to authorized users by providing them with a key.

What to Encrypt

Some may be tempted to encrypt everything including programs since in this way nothing that could be compromised is left out. However, the process of decryption takes system resources and time and this would have a big impact on system performance. Additionally, if the key is lost, the entire system becomes unavailable. It also makes installation of new software difficult if not impossible.

The best method is to only encrypt the data that is sensitive and to keep the keys off the system either by using a password or by keeping them on an external device such as a USB flash drive.

For an insightful treatment of this issue see here.

Security Encryption Software

Windows XP and Vista have encryption built in. Microsoft encryption is known as EFS or Encrypting File System. EFS works closely with the operating system and therefore is fast and well integrated. They are meant to protect against access to files by users other than the owner either through the network or by finding a laptop.

However, the key and management system for EFS is complex and if you don't know what to do, the default will be that the key resides on the system and anyone that can login will have access to encrypted content. The Syskey utility can provide some options for this but using it properly requires expert knowledge and if you remove the key from the system and lose it, you may find yourself with no way to get your encrypted data back.

There is no supported way to use EFS with keys on removable media or smartcards on any released version of Windows. You can import and export keys but it is a cumbersome procedure.

Vista Ultimate has a new encryption scheme called Bitlocker which encrypts the entire drive but it is even more complex to use than EFS.

Various experts have recommended the following programs;

Axcrypt

Axcrypt is an easy to use file based system that provides file protection and encryption facilities. The user specifies a passphrase (a sequence of words or other text used to control access to a computer system, program or data according to Wikipedia) when encrypting the data. The same passphrase is used to decrypt the file. While the user is on, the passphrase will remain active in the system so that for convenience sake he/she will not have to reenter it. However, if there is fear of access by some other party during a working session the user can specify that the passphrase should not be cached (kept active) by checking a check box for the file. This setting is remembered from session to session.

Axcrypt uses AES with 128-bit keys for encryption, and SHA-1 for hashes. The encryption is greatly enhanced by a complex and diverse passphrase.

Email can be easily sent in a secret form. The sender encrypts the file with a passphrase and sends the file to the recipient without sending the passphrase. The user, who does not need to have Axcrypt, is told or sent the passphrase through some other means. When the email is received it can be opened by providing the passphrase and a response can be entered into the file which is automatically encrypted when closed again. This can now be sent back to the original sender.

Axcrpt also allows for masking the file name with some other name to hide the sensitive nature of the file. The .axx extension of Axcrypt encrypted files can also be hidden.

Truecrypt

Free open-source disk encryption software for Windows Vista/XP/2000 and Linux

It creates a virtual encrypted disk within a file and mounts it as a real disk. It is not file based. It can encrypt an entire hard disk partition or a storage device such as USB flash drive. Encryption is automatic, real-time (on-the-fly) and transparent. The TrueCrypt volume can not be identified (volumes cannot be distinguished from random data).

It uses the following Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: LRW.

A password is only required at mount time.

Crytptainer LE

Crytptainer LE is volume based encryption

The Cryptainer site indicates;

Cryptainer is a simple, easy to use encryption software that creates an encrypted virtual drive. It provides password protection and hides any file or folder ensuring file encryption, automatically. Cryptainer creates a volume (vault) that can only be accessed with a password. This vault stores files in an encrypted form. Once mounted/loaded, the Cryptainer drive is like any other drive you normally work with.

Cryptainer Mobile edition encrypts any data on any media (USB Drives, CD ROMs, Flash Disks etc).

Cryptainer indicates that secure email can be sent in the following manner;

1. Standalone files (self executables, .exe ).

These can be decrypted and viewed at the recipient's end on any Windows machine without any software. The recipient does of course needs to

know the password/phrase. 2. .SIT Files

Given that most virus scanners delete most executable files almost automatically, Cryptainer also allows for the creation of .sit encrypted

files. These can be e-mailed to the recipient, We recommend that you use this method.

The recipient needs to download our free utility, DecypherIT to decrypt them. DecypherIT can be downloaded from here.

A detailed technical review of security encryption software is provided by Wikipedia: security encryption software



Return from Security and Encryption to Computer Security

Return from Security and Encryption to Ask the Computer Doc home

5/21/2009



footer for Consumer Electronics and Computers page