Encryption (2003)

Encryption is becoming an essential tool in modern business, partly due to the increasing use of mobile computing, says Geoff Marshall.

Accidental loss or theft of notebook computers and palmtops is costing companies that do not invest in encryption technology a great deal of money indirectly in lost data, because that data may be irreplaceable or confidential.

But how does one choose from the many encryption products on the market? Are the products as secure as they say they are? Are they easy to use? In this Group Test, we are going to answer these questions by examining products that are on the market today.

Encryption products fall into various categories:

  • File encryption involves converting a file's contents to code and storing this new data in another file. Often this process can work like WinZip, in that a number of files may be combined into one encrypted archive, and this can sometimes include subfolders and a whole directory structure.
  • Email encryption can be achieved by the simple expedient of using file encryption to code attachments before attaching them to an email message. However, some encryption programs integrate fully with an email client, or act at the email gateway, to automate this process and therefore can also encrypt the body of the message as well as any attachment.

Different ways of disk encryption

Disk encryption involves coding data in place on disks, which can often include removable media. Different products implement this in different ways. Some may require setting up folders to contain the encrypted data. Others encrypt everything in a given disk partition, or encrypt the entire drive.

When this last approach is used, temporary files, swap files, deleted files, and hidden files are also encrypted - protecting against all forms of data scavenging. There are pros and cons to encrypting an entire drive that contains the operating system (OS).

If something goes wrong when the OS is encrypted (for example, disk corruption, in which case it is very unlikely that data will be recoverable), the machine will probably have to be reformatted and the OS reinstalled. On the other hand, if the operating system can be started without any decryption password being given (because the OS is not encrypted), then hackers have a better chance of subverting the encryption system by attacking the OS.

Pre-boot authentication

Pre-boot authentication (PBA) takes disk encryption one step further by placing an authentication step before any OS is loaded, and usually involves encrypting the operating system itself. PBA means that nobody can even use the computer (as opposed to accessing the confidential data) without appropriate authentication credentials. But this means that IT support staff must be given authentication credentials to do routine software maintenance, such as OS patches and upgrades, and users might not want your IT staff to be able to access their confidential files.

Encryption should not be implemented without careful consideration of its consequences. Modern encryption techniques are so good that, if a key or password is lost, chances are the data will never be seen again unless an unencrypted backup exists. But, for confidentiality reasons, most people probably don't want to keep an unencrypted backup, unless of course they are happy keeping such a backup in a physical vault.

So make sure a reliable encryption system is chosen that provides key recovery. Key recovery is necessary in case a user or administrator leaves the company or dies - taking their password and any token with them - and to prevent employees from maliciously encrypting vital company data.

Most products offer tried-and-tested algorithms that are non-proprietary and therefore subject to peer review.

Public key systems

Asymmetric public-key algorithms (such as RSA, Diffie-Hellman, etc.) are not necessary for bulk data encryption unless you need their particular benefits, which are integrity assurance, non-repudiation, authentication by digital signatures and the ability to solve the 'key distribution problem' - because there is no need to keep the public key secret.

Public key systems are therefore better suited to messaging (where you have a key distribution problem and also need to have authentication of who you are messaging) than to encrypting data in storage. However, most secure messaging products still use symmetric secret-key systems for bulk data encryption, reserving the more computationally intensive public-key technology for exchanging session keys, checksums, and authentication.
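The hybrid arrangement described above, combined with the key-recovery requirement raised earlier, can be sketched as follows. This is an added Go example, not code from the article or from any reviewed product; the names Seal, Open and NewKey, the holder labels, and the choice of AES-256-GCM with RSA-OAEP are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // throwaway demo key

// Seal encrypts msg under a fresh AES-256-GCM data key, then wraps that key once per holder.
func Seal(msg []byte, holders map[string]*rsa.PublicKey) (box []byte, wrapped map[string][]byte, err error) {
	buf := make([]byte, 44) // 32-byte data key + 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail: key length is fixed at 32
	gcm, _ := cipher.NewGCM(block)
	wrapped = map[string][]byte{}
	for name, pub := range holders {
		if wrapped[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
			return nil, nil, err
		}
	}
	return gcm.Seal(nonce, nonce, msg, nil), wrapped, nil // box = nonce || ciphertext
}

// Open unwraps one holder's copy of the data key and decrypts box with it.
func Open(box, wrappedKey []byte, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil || len(key) != 32 || len(box) < 12 {
		return nil, fmt.Errorf("cannot unwrap data key or box is malformed: %v", err)
	}
	block, _ := aes.NewCipher(key) // cannot fail: length checked above
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, box[:12], box[12:], nil)
}

func main() {
	user, _ := NewKey()
	agent, _ := NewKey() // constructed recovery-agent key pair
	pubs := map[string]*rsa.PublicKey{"user": &user.PublicKey, "recovery": &agent.PublicKey}
	box, wrapped, _ := Seal([]byte("constructed sample record"), pubs)
	out, err := Open(box, wrapped["recovery"], agent) // user's key is lost: the agent recovers
	fmt.Printf("%s %v\n", out, err)
}
```

The bulk data is encrypted only once; adding or removing a recovery holder means rewrapping the 32-byte data key, not re-encrypting the data.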

In assessing products, and marking them out of five, we have taken 'performance' to mean not just speed of operation but also how secure they are. This is based on knowledge of the algorithms used, key lengths, methods of storing keys, and any obvious design weaknesses.

