Initially, information security was tightly bound to physical security. The introduction of networked systems created a need for a new kind of security system. Not only must information be protected from improper physical access, it must also be protected from outside attackers using the very tools that make distributed computing so powerful. Cryptography is the use of codes and ciphers to prevent the corruption or loss of information to would-be attackers.
Before diving into the various encryption methods in use today, it is worthwhile to discuss a method of information security that is not cryptography. Steganography is often confused with cryptography, but the two only have similar goals, not methods. Cryptography alters the information such that it can only be retrieved through the use of the proper key. Steganography is an attempt to hide information in plain sight. Modern steganographic techniques hide bits of information in digital images or within CDs. Once the method for hiding the information becomes discovered, it becomes useless (Stallings, 1998).
Symmetric encryption works through the use of a shared, private key. This private key must be held by anyone wishing to decrypt the encrypted information. Symmetric encryption algorithms are designed to be very secure, but also very fast. This speed can be necessary in communication protocols that can be hampered by the added latency of encryption and decryption in slow algorithms. The weakness of this encryption method is the private key that must be used by all parties. Keeping the key secure and maintaining the key as the parties change adds overhead to the technique. Algorithms that fall into this encryption method include the Data Encryption Standard (DES), Triple DES (3DES), and the Advanced Encryption Standard (AES). AES is currently the recommended encryption standard for most modern applications (Whitman & Mattord, 2009).
Like symmetric encryption, asymmetric encryption also relies on the use of keys. In asymmetric encryption, two keys are used. One key is used to encrypt the information and the other is used to decrypt. The most common application of this is for the receiving part to keep the decryption key private while the sending party uses a publicly available key to encrypt the message. Since the public key can only be used to encrypt the message, it is safe to share this key with anyone. The private key must still remain secure, but the overhead of maintaining a single private key is much lower in an asymmetric encryption scheme. The main drawback of this scheme is the distribution and management of public keys (Whitman & Mattord, 2009).
Any of the previously mentioned methods can be used to encrypt data stored on hard drives. The encryption method used depends on the nature of the information and how it will be accessed. For example, Microsoft SQL Server supports both symmetric and asymmetric encryption. If the data to be encrypted will only be accessed infrequently, a database administrator (DBA) may choose to use a larger key length and asymmetric encryption. Both of these methods provide stronger encryption but require more processing power to decrypt. Frequently accessed information may be encrypted using symmetric keys to speed up database performance. A DBA may choose to encrypt an entire database or only a portion. This decision depends on the sensitivity of the data (Microsoft, 2009).
The most commonly secured communication protocols are web transactions, email exchanges, wireless networks, and Virtual Private Networks (VPNs). Secure web transactions use standard Hypertext Transfer Protocol (HTTP) exchanges inside Secure Sockets Layer (SSL) encrypted sessions. SSL uses asymmetric encryption to create a secure channel between the client web browser and the web server. Email communication can be secured via Secure Multipurpose Internet Mail Extensions (S/MIME), Privacy Enhanced Mail (PEM), or Pretty Good Privacy (PGP). S/MIME uses asymmetric encryption. Both PEM and PGP use a combination of symmetric and asymmetric encryption to protect email exchanges (Whitman & Mattord, 2009).
While HTTP over SSL and the various email schemes focus on encrypting data transmitted between applications, there are times when all communications between hosts should be encrypted. Wireless networks are inherently insecure due to their nature of broadcast. Wired Equivalent Privacy (WEP) was originally used to protect transmissions on 802.11 networks. WEP only employs a 64-bit key, making it virtually useless by modern encryption standards. Wi-Fi Protected Access (WPA) was created to address the shortcomings of WEP and uses frequently changing keys of 128 bits. When communicating across a wide-area network (WAN), VPNs are used to secure communication between the remote host and home network. Internet Protocol Security (IPSec) has become the standard for VPNs. IPSec combines various cryptosystems to create a framework that can be deployed in many situations and support different host systems (Whitman & Mattord, 2009).
Microsoft Corporation. (2009). SQL Server encryption. Retrieved September 2, 2009.
Stallings, W. (1998). Cryptography and network security: Principles and practice (2nd ed.). Upper Saddle River, NJ: Prentice Hall.
Whitman, M. E. & Mattord, H. J. (2009). Principles of information security (3rd ed.). Boston: Thomson Course Technology.