By Alison Diana E-Commerce Times
08/12/03 4:00 AM PT
Although the cost of encryption technology -- be it Triple DES, AES, Blowfish, RSA or one of many other alternatives on the market -- is negligible, implementing it can lead to higher storage and processing costs.
Although ciphers long have been a staple of spy thrillers and mysteries,
data encryption now has gained a real -- and critical -- foothold in the business world.
"Encryption and authentication are playing a very important role, in
particular with most businesses moving online and adding business processes online," said Ed Kim, product line manager for PKI and device authentication in VeriSign's (Nasdaq: VRSN) security services business unit.
Which Standards Lead?
As enterprises and government agencies increase their dependence on
intranets, extranets and the Internet, they are relying mainly on two standards to protect their data: Triple Data Encryption Standard (DES) and the more recently developed and approved Advanced Encryption Standard (AES). Without such encryption, data packets can be easily captured and viewed by unauthorized users.
In lieu of the above-mentioned encryption algorithms, IT organizations can opt for alternative open-source offerings, such as Blowfish and Twofish from Cupertino, California-based Counterpane Labs, the research division of Counterpane Internet Security, or Bedford, Massachusetts-based RSA Security's BSAFE.
Although proprietary encryption methods from other providers also exist,
a growing number of organizations are moving away from such algorithms.
"At one time, people had proprietary algorithms. The theory was if nobody
knew how it worked, nobody could break it," IDC research director of security
products Charles Kolodgy told the E-Commerce Times. "Now people want to know
what the algorithm is to make sure it's secure. The standard everyone uses
in the Americas is Triple Data Encryption. Standard DES, at 56 bits, isn't
strong enough today."
Triple Threat?
The strength of an encryption algorithm is based on its key length, expressed in bits. The longer the key length, the harder it is for an attacker to break the cipher. On the flip side, however, more processing power is needed for stronger algorithms, and messages coded with strong encryption require more storage space.
Triple DES repeats standard DES' fixed 56-bit encryption procedure three
times and relies on three 64-bit keys, according to the U.S. Department of
Commerce's National Institute of Standards and Technology, which oversaw
third-party development of both Triple DES and AES. However, AES was
designed to be even more secure and much faster: It supports key
lengths of 128, 192 and 256 bits.
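The gap between the three 64-bit keys described above and the 112-bit Triple DES figure quoted later in the article comes from parity bits and key reuse. The following check is an added example, not part of the original article: it classifies a Triple DES key bundle by its nominal key length, assuming the standard encrypt-decrypt-encrypt ordering; the function names and sample key bytes are constructed for illustration.

```python
# Added example. Key bytes are constructed sample values, not real keys.

def _ones(b: int) -> int:
    return bin(b).count("1")

def fix_parity(key8: bytes) -> bytes:
    """Set each byte's low bit so the byte has an odd number of 1 bits."""
    return bytes((b & 0xFE) | (1 if _ones(b & 0xFE) % 2 == 0 else 0) for b in key8)

def has_odd_parity(key8: bytes) -> bool:
    """A DES key stores 56 key bits in 64: bit 0 of every byte is parity."""
    return all(_ones(b) % 2 == 1 for b in key8)

def strip_parity(key8: bytes) -> bytes:
    """Zero the parity bits so keys compare on their 56 key bits only."""
    return bytes(b & 0xFE for b in key8)

def classify_bundle(bundle: bytes) -> dict:
    """Report stored size and nominal key length of a Triple DES key bundle."""
    if len(bundle) not in (16, 24):
        raise ValueError("expected a 16- or 24-byte Triple DES key bundle")
    k1, k2 = bundle[:8], bundle[8:16]
    k3 = bundle[16:24] if len(bundle) == 24 else k1  # 16-byte form reuses K1
    e1, e2, e3 = (strip_parity(k) for k in (k1, k2, k3))
    if e1 == e2 or e2 == e3:
        # Encrypt-decrypt-encrypt: equal neighbouring keys cancel each other.
        key_bits, kind = 56, "degenerates to single DES"
    elif e1 == e3:
        key_bits, kind = 112, "two-key Triple DES"
    else:
        key_bits, kind = 168, "three-key Triple DES"
    return {
        "stored_bits": len(bundle) * 8,
        "key_bits": key_bits,  # nominal key length, not an attack-cost estimate
        "kind": kind,
        "parity_ok": all(has_odd_parity(k) for k in (k1, k2, k3)),
    }

# Constructed sample keys.
K_A = fix_parity(bytes(range(1, 9)))
K_B = fix_parity(bytes(range(17, 25)))
K_C = fix_parity(bytes(range(33, 41)))

if __name__ == "__main__":
    for name, bundle in [("A|B|C", K_A + K_B + K_C), ("A|B|A", K_A + K_B + K_A),
                         ("A|B", K_A + K_B), ("A|A|C", K_A + K_A + K_C)]:
        print(name, classify_bundle(bundle))
```

A bundle that classifies as 56 bits offers no more protection than the single DES the article calls too weak, which makes this a useful audit check on stored key material.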
"One hundred twenty-eight bits has become the accepted number as very secure," Kolodgy said. "The size of the key is important."
Lillian Vernon Corp. is one firm that has adopted 128-bit encryption, according to David Hochberg, vice president of public affairs at the Rye, New York-based catalog and online retailer. "We certainly, first and foremost, want the latest
and greatest [security and encryption] technology," he told the E-Commerce Times.
"It's critical to us because you must always maintain your customers' trust. If
customers didn't think security and safeguarding their information was
important to us, we'd lose their loyalty."
Bits and Pieces
However, many companies do not require the additional bits, said Ray Wagner,
research director for information security strategies at Gartner (NYSE: IT). "I never
recommend that companies using symmetric encryption go above 128 bits," he
told the E-Commerce Times. "The likelihood of people attacking encryption
in data transfer is relatively low. Most organizations could probably
deploy 40-bit encryption and never have an attack against those types
of data transfers. That said, 40-bit encryption is not hard to break."
Because Triple DES has existed for about 25 years, it is well entrenched in
the corporate world -- and is unlikely to lose its stronghold soon,
according to industry observers. "We're likely to have AES and Triple DES with us
for the foreseeable future," Wagner said. "If someone's using 112-bit Triple
DES, the reason for them switching is because they're moving to a product
that doesn't support 112-bit Triple DES."
Today, most developers support Triple DES, although a growing number are
adding AES support to their SSL (secure sockets layer) and VPN (virtual private
network) products. One reason: "AES is more suited to software," Mark Kraynak,
strategic marketing manager at Check Point Software, told the E-Commerce Times. "People look to change encryption when there's some outside driver. Someone using DES for a VPN would probably want to move to Triple DES or AES. Computing power has gotten fast enough where you might not feel
secure using single DES."
The Right Balance
Judging by the headlines, it is not surprising that some IT departments tend
to over-encrypt data. "People say, 'If 128 is good, then 256 is better,'"
Wagner said. "That's true to some extent." However, he added, encrypting
data slows performance, even with today's high-powered processors, so security
executives should carefully weigh the need for strong encryption versus
speed deterioration.
"If you use any kind of encryption, it's going to impact the document,"
IDC's Kolodgy confirmed. "If you're passing a lot of e-mails [that are encrypted], your
messages are going to be much larger than they would be normally, and you'll
need more storage."
Indeed, although the cost of encryption technology -- be it Triple DES, AES,
Blowfish, RSA or one of many other alternatives on the market -- is negligible,
implementing it can lead to higher storage and processing costs.
Once IT executives have determined how much encryption they need and which
information must be safeguarded, they will find that much of the mystery of
this cryptic technology has been solved.