[iwar] [fc:Heightened.Security.Concerns.to.Accelerate.New.Encryption's.Deployment]

From: Fred Cohen (fc@all.net)
Date: 2001-09-21 19:23:35


Message-Id: <200109220223.TAA00322@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Date: Fri, 21 Sep 2001 19:23:35 -0700 (PDT)
Subject: [iwar] [fc:Heightened.Security.Concerns.to.Accelerate.New.Encryption's.Deployment]

Heightened Security Concerns to Accelerate New Encryption's Deployment
By Bob Liu 

The destructive nature of the Code Red and Nimda worms coupled with the
heightened awareness for added security in cyberspace as well as the
physical realm will likely accelerate the deployment of the Advanced
Encryption Standard (AES) data encryption technique, network security
experts said. 

AES -- a 128-bit block cipher algorithm based on a mathematical formula
developed by two Belgian cryptographers -- was selected by the U.S. 
government in October 2000 as a new encryption technique to be used to
protect computerized information.  The selection was made by the
National Institute of Standards and Technology (NIST), an agency of the
Commerce Department's Technology Administration, after a four-year
competition to find the winning formula.  The encryption formula is
known as "Rijndael" -- (pronounced Rhine-dahl) -- named after its
creators, Joan Daemen and Vincent Rijmen. 

Now, nearly one year later, there is evidence that AES is being deployed
in the private sector even faster than the federal government can
mandate it.  Biodata Information Technology, a Lichtenfels,
Germany-based provider of cryptographic devices as well as network and
communications products, this week introduced Biodata VPN, which
incorporates the new AES algorithm and supports IP Security Standard
(IPsec) technology.  The move is widely believed to be the first
implementation of AES in a virtual private network. 

"Since its development, we've always kept a close eye on incorporating
the new algorithms," said Eric Goldberg, East Coast regional manager at
Biodata's New York offices.  "We're really trying to give our clients
the most choice with encryption.  That's really the challenge of meeting
global needs is to have that open architecture."

Consultants and solutions providers believe Biodata's latest product
represents only the tip of the iceberg for a new generation of VPN boxes
from vendors around the globe that will safeguard data using more
efficient yet more complex encryption techniques. 

"Whether it's going to be deployment of VPN or other things, we're
seeing an acceleration in deployment of security," said Ed Skoudis, VP
of Ethical Hacking at Predictive Systems.  "And that's clearly going to
mean deploying VPNs and using the best crypto that can be provided.  So
everyone is going through security with a fine-tooth comb and that's the
right thing to do."

While not yet an official standard, AES is designed to replace an
existing standard that hasn't been updated since the 1970s known as Data
Encryption Standard (DES).  (It's sometimes referred to as the "Defense
Encryption Standard" seeing that the Defense Department enforced its
implementation after the 1977 adoption.)

DES is a 56-bit encryption technique that stood firm for nearly 20 years
before scientists were able to crack it using massive parallel network
computer attacks and special-purpose "DES-cracking" hardware.  By 1993,
other formulas had come along, such as Blowfish, a 64-bit block
algorithm.  So, to strengthen encryption further over the years,
cryptographers developed a way to encrypt data three times over -- a
variant known as "Triple-DES."

But Triple-DES was a considerable drain on a CPU's resources because the
encryption and decryption weren't performed once but three times
over.  By comparison, AES works with data in 128-bit blocks and can
encrypt using larger 192-bit and 256-bit keys, if needed.  The technique
clearly allows programmers to hide critical data while putting less of a
strain on the CPU. 
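To make the "128-bit block, 128/192/256-bit key" point concrete, here is an added example that is not part of the article or of any product it mentions: a minimal pure-Python AES block encryption following FIPS-197, checked against the standard's own Appendix C test vectors. It shows that the block is always 16 bytes while a longer key only adds rounds (10, 12 or 14). It is written for readability, not speed or side-channel resistance, and is not production code.

```python
"""Added example (not from the article): minimal FIPS-197 AES block encryption
for 128-, 192- and 256-bit keys, Python standard library only.  Not constant-time
and not for production use; it illustrates block size versus key size."""


def _xtime(a):
    """Multiply a field element by x (i.e. by 2) in GF(2^8), AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a = _xtime(a)
        b >>= 1
    return product


def _build_sbox():
    """Derive the S-box: multiplicative inverse, then the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0) if x else 0
        s = inv
        for shift in range(1, 5):           # s ^= rotl(inv, 1..4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def round_count(key_len):
    """Number of rounds: 10, 12 or 14 for 16-, 24- or 32-byte keys."""
    if key_len not in (16, 24, 32):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return key_len // 4 + 6


def _expand_key(key):
    """FIPS-197 key schedule; returns the initial round key plus one per round."""
    nk, nr = len(key) // 4, round_count(len(key))
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        temp = list(words[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]   # RotWord, SubWord
            temp[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                         # extra SubWord for AES-256
            temp = [SBOX[b] for b in temp]
        words.append([a ^ b for a, b in zip(words[i - nk], temp)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def _mix_columns(s):
    """MixColumns on a column-major 16-byte state."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            _gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
            _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2),
        ]
    return out


def aes_encrypt_block(key, block):
    """Encrypt exactly one 16-byte block; the block size never changes with key size."""
    if len(block) != 16:
        raise ValueError("AES block is always 128 bits")
    round_keys = _expand_key(bytes(key))
    state = [b ^ k for b, k in zip(block, round_keys[0])]       # initial AddRoundKey
    for rnd in range(1, len(round_keys)):
        state = [SBOX[b] for b in state]                        # SubBytes
        state = [state[(i % 4) + 4 * ((i // 4 + i % 4) % 4)]    # ShiftRows
                 for i in range(16)]
        if rnd != len(round_keys) - 1:                          # no MixColumns in last round
            state = _mix_columns(state)
        state = [b ^ k for b, k in zip(state, round_keys[rnd])]  # AddRoundKey
    return bytes(state)


def fips197_check():
    """Encrypt the FIPS-197 Appendix C plaintext under the three standard key lengths."""
    plaintext = bytes.fromhex("00112233445566778899aabbccddeeff")
    return {bits: aes_encrypt_block(bytes(range(bits // 8)), plaintext).hex()
            for bits in (128, 192, 256)}


if __name__ == "__main__":
    for bits, ct in fips197_check().items():
        print(f"AES-{bits}: {round_count(bits // 8)} rounds, ciphertext {ct}")
```

Running it prints the three Appendix C ciphertexts; the same 16-byte plaintext goes in under each key length, and only the number of rounds and the key schedule differ. Anything beyond a single block (a mode of operation, an IV, authentication) is the part of a deployment the article's later paragraphs say must be designed in as well.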

Still, security specialists like RSA Security Inc. of Bedford, Mass.,
and Baltimore Technologies Ltd. are hesitant to deploy AES until the
proposed standard receives formal approval from the federal government. 
The proposal has already cleared the NIST but needs to clear the Office
of Management and Budget (where it currently sits) before returning to
the Commerce Department for final approval. 

"People are not required to use it yet," said Philip Bulman, NIST
spokesman. 

However, companies like Biodata aren't waiting around for the federal
government to act, warning that IT managers should be more realistic
when evaluating the cost-benefit of network security. 

"I think people need to be more security-minded.  People really need to
take a look at their physical security as well as their network security
and really assess it.  There really is no way to measure how much damage
a network hack would do," Biodata's Goldberg said. 

Analysts certainly lend credence to that assessment.  By the end of
2005, IDC expects the worldwide market for information security services
to grow from approximately $6.7 billion in 2000 to $21 billion, a
compound annual growth rate of approximately 25.5 percent. 

Data encryption techniques such as AES work at multiple layers of the
network, as opposed to, say, IPsec, which works only at the packet
layer.  For example, one can run it at the application layer as part of
a Windows-based application (if you buy or find or write one that does
AES) and then send the file to someone (or even use AES as the means of
encrypting data on your disk for privacy).  However, like most other
security components, encryption is only effective when implemented as
part of a comprehensive, well-designed strategy that should also include
authentication schemes and key distribution techniques. 

That's because, as Predictive's Skoudis points out, it is often easier
to get around the encryption devices than it is to get through them.  He
should know.  As head of ethical hacking, Skoudis directs his staff of
25 professionals to hack into systems at the request of a client. 
(Remember Robert Redford in the movie "Sneakers"?)

"You can't leave sensitive information on the web server.  The web
server is too weak, you need to encrypt it and get it off the servers,"
Skoudis said. 


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:47 PDT