How much encryption is too much?

By Bxtvzwnv
01 Mar 2005 | SearchEnterpriseDesktop.com



An encryption-strength battle is being waged in the security market today. Companies are trying to thwart competitors by including stronger encryption in their products. But when is enough enough?

Adequate encryption is often defined as encryption that is strong enough to make brute-force cracks against Windows passwords impractical because they would take too long to complete. However, Moore's Law indicates that available computing power doubles every 18 months. So what is considered adequate encryption today probably won't be sufficient a few years from now simply because faster computers will be available, and encryption will be deciphered more quickly.

I'm not going to become a victim of Moore's Law, dear readers, and make a statement like "128-bit encryption is strong enough." Many years ago, Bill Gates stated that 640 KB of memory should be enough for anyone. The statement was fine in its day. By today's standards it is ridiculous.

Since I am not going to make a definitive statement about what I consider to be sufficient encryption, let me tell you a little story instead that explains my feelings on the subject.

A few years ago, I was preparing to write a product review comparing various antivirus products. To help me with the evaluation, a friend gave me a CD filled with viruses that I could use to test each product. Obviously that's not the sort of CD you want to accidentally put in your computer, so my friend placed all of the files in an encrypted archive as a safeguard against accidental infection.

I recently needed the CD again to assist me in writing a different article, but now I couldn't remember the password to open the archive. I attempted a brute-force crack against the archive, but the cracking software told me the encryption was so strong it could take up to five years to break the password. My article was due in three days -- and I didn't think my editors would appreciate a five-year wait, so I made copies of the CD and ran the cracking software simultaneously on 25 different Windows computers. I specified a different start and end point on each machine so no two machines would have overlapping efforts.

It took me longer to set up those machines than it did to crack the password. Once everything was up and running, I cracked the password in less than two hours -- even though the archive was using strong encryption.

I can always rely on that story to support my belief that strong encryption has its place, but strong encryption alone is an inadequate defense. Anyone with a little bit of knowledge and enough CPUs can crack a strong encryption key in a reasonable amount of time.

Encryption is also ineffective on its own because encryption and decryption processes consume a lot of CPU time. The more highly encrypted your data is, the more data access becomes CPU-intensive, which makes it harder for you to access your data. You can obtain network cards that offload the decryption process from your Windows system's CPU, but those cards are only designed to perform specific types of decryption (i.e., IPsec packet decryption). If you are encrypting the data itself, or using a proprietary means to encrypt a protocol responsible for transporting data, then you will have to rely on old-fashioned, CPU-based decryption.

To truly be effective, strong encryption must be combined with other security techniques. One of the best encryption practices involves changing the encryption key frequently. This technique may not work for file encryption, but it's great for transmitting data securely. The idea is that every packet is encrypted by a different key. If someone manages to determine one of the keys, it won't do them any good because the key expires immediately after the packet is sent.
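The per-packet key idea described above, as an added example that is not part of the original column: a hash ratchet derives a fresh single-use key for every packet from a shared session key. The names `PacketKeys`, `seal` and `unseal` are hypothetical, the HMAC-based keystream is a stand-in for a vetted AEAD cipher, and packets are assumed to arrive in order.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def derive(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()

class PacketKeys:
    """Hash ratchet (hypothetical helper): hands out one key per packet."""

    def __init__(self, session_key: bytes):
        self._chain = session_key

    def next(self) -> bytes:
        packet_key = derive(self._chain, b"packet")
        # Advance the chain and stop holding the old chain key. Derivation is
        # one-way, so a leaked packet key does not lead to any other key.
        self._chain = derive(self._chain, b"chain")
        return packet_key

def _keystream(key: bytes, length: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode. Use a vetted AEAD in production."""
    blocks = (derive(key, i.to_bytes(8, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(packet_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one packet under its own single-use key."""
    enc_key, mac_key = derive(packet_key, b"enc"), derive(packet_key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + derive(mac_key, ct)

def unseal(packet_key: bytes, packet: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError for a wrong or expired key."""
    enc_key, mac_key = derive(packet_key, b"enc"), derive(packet_key, b"mac")
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if len(packet) < TAG_LEN or not hmac.compare_digest(tag, derive(mac_key, ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))

if __name__ == "__main__":
    session_key = bytes(range(32))  # constructed sample key, not a secret
    sender, receiver = PacketKeys(session_key), PacketKeys(session_key)
    for msg in (b"first packet", b"second packet"):
        print(unseal(receiver.next(), seal(sender.next(), msg)))
```

How the two sides agree on the session key in the first place is outside the scope of this sketch.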

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com. Brien M. Posey is a regular contributor on SearchWindowsSecurity.com.

