The State of Encryption, Part 1: Where Are We Now?

NSA revelations have placed an increased emphasis on encryption, with MIT Tech Review labelling 2014 “The Year of Encryption”. In a two-part special, IDG Connect speaks to seven industry experts, including an academic and a CEO, about the various technical and social aspects of this security technique.

On October 22nd 1975, Martin Hellman of Stanford University sent a letter to the then National Bureau of Standards expressing concern about the new Data Encryption Standard (DES) which had been agreed with NSA. “Whit Diffie and I,” he wrote, “have become concerned that the proposed data encryption standard, while probably secure against commercial assault, may be extremely vulnerable to attack by an intelligence organisation.” A year later, the pair introduced a radically new method of cryptographic key distribution.

“Encryption itself has not fundamentally changed since Diffie and Hellman's seminal 1976 paper, New Directions in Cryptography, which introduced asymmetric encryption to the world,” says Adrian Culley, Global Technical Consultant at Damballa. “What has changed however is the amount of embedded Cryptography in everyday activities, such as online shopping, and the availability of free encryption systems such as TrueCrypt allowing non-Cryptographers to encrypt their data with some confidence.”

“[However] there are two sides to the encryption industry,” explains Professor Simon Shepherd, a former naval intelligence officer specialising in cryptography who now works at the Interdisciplinary Cyber Security Research Centre at the University of Bradford. “There is the government side, controlled in the US by NSA and in the UK by CESG (a branch of GCHQ). Then there is the academic side.”

“Most of the useful advances in encryption technology have been made in academia and made freely available via publication,” he continues. “These have then been rapidly turned into encryption software by expert programmers and made available on the internet. There is a plethora of superb encryption software available completely free of charge, that no government agency could break, if used correctly.”

“It remains easy for a non-skilled Cryptographer to implement crypto incorrectly at the code level,” says Culley, “[but it is also] easy for an individual using any encryption manually to make fundamental mistakes that would render it insecure. The challenge is rarely, if ever, with the integrity of an algorithm per se, but rather with the practical use and application of encryption systems and such issues as key management, secure handling of plaintext, and general computer security and housekeeping.”

“Encryption is probably the most underrated tool across the globe when you take into account the scale of its adoption and its importance,” suggests Alex Balan, security expert at BullGuard. “[But] while, in terms of technology, new ciphers are always being developed, the key thing to remember is that while the algorithm or the size of the encryption key is highly important, what’s more important is how it is used.”

“Everyone is free to use encryption,” continues Culley, “however to do so securely is non-trivial. In the mid 1990s a confidential Australian Government report, referred to as the Walsh report, was accidentally released in un-redacted form. It claimed then that increasing use of encryption would put Police and Intelligence Agencies out of business. Encryption use has increased, both lawfully and unlawfully. However one cannot but notice that Police and Intelligence agencies are still very much in business.”

“Innovation in cryptography and encryption technology continues to make leaps and bounds, enabling data-centric protection,” concludes Carole Murphy, Director of Product Marketing at Voltage Security. “This is underpinned through the research and development of several technologies by leading academics and cryptography visionaries which enable encryption to be pervasive at tremendous scale, and above all, simple to use even for consumers.”

Paco Hope, Principal Consultant at Cigital feels things are changing within the industry. “We are now accounting for Moore’s law more explicitly in crypto design. Cryptographic agility is increasingly important: being able to swap in algorithms, or change how things are done without radically altering the fundamental design. Algorithms like PBKDF2 include explicit features like ‘work factor’ that can be cranked up as adversaries get faster and faster computers.”
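As an added example (not code from the article or from any of the experts quoted), here is what the “work factor” agility Hope describes looks like in practice: a password record that carries its own PBKDF2 iteration count, so the count can be raised later and stale records upgraded at the next successful login. The record format, function names and calibration routine are my own assumptions, not any product's.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed, self-describing record format (an assumption for this example):
#   pbkdf2_sha256$<iterations>$<salt_hex>$<derived_key_hex>
# Storing the iteration count beside the hash is what makes the work factor tunable.
ALGO = "pbkdf2_sha256"
DKLEN = 32


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Derive a key with PBKDF2-HMAC-SHA256 and return a record that embeds its parameters."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive using the parameters stored in the record; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != ALGO:
        return False  # unknown scheme: refuse rather than guess
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters), dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, current_iterations: int) -> bool:
    """True when the record was made with a lower work factor than policy now requires."""
    return int(record.split("$")[1]) < current_iterations


def upgrade_on_login(password: str, record: str, current_iterations: int) -> Tuple[bool, str]:
    """Verify the password; if correct and the work factor is stale, return a fresh record to store."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, current_iterations):
        return True, hash_password(password, current_iterations)
    return True, record


def calibrate_iterations(target_seconds: float = 0.1, start: int = 100_000, cap: int = 2**24) -> int:
    """Double the iteration count until one derivation takes about target_seconds on this host."""
    iterations = start
    while iterations < cap:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16, iterations, dklen=DKLEN)
        if time.perf_counter() - t0 >= target_seconds:
            break
        iterations *= 2
    return iterations
```

Re-running calibrate_iterations periodically and raising the policy value is the operational half of "cranking up" the work factor; upgrade_on_login then migrates records without ever needing the plaintext password outside a login.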

A. N. Ananth, CEO of EventTracker adds: “Many large vendors (e.g., Google, Yahoo and Microsoft) are changing their default to encryption enabled. Previously, it had to be enabled as a conscious decision by the user. This is comparable to the default use of ‘https’ rather than ‘http’ for many websites. This is a good thing but will deter only the garden variety hacker. A nation state cannot be deterred by such a move. Notwithstanding, it’s a good move – with a mind that the perfect is the enemy of the good.”

“Most organizations will use the default selection,” he continues. “The SANS Institute is on record arguing vehemently that vendors need to ship secure default choices and I would agree that this is the best way to encourage adoption of encryption industry wide. The smaller organization does not have to think about it, as secure would be on by default.”

The challenge with encryption seems to be not so much the technology itself, but like most technological solutions, applying it in a simple, useful way that really makes a difference. Do you agree with our experts?

Read part two of our special tomorrow, when we will look at how things are changing across the industry.

Kathryn Cave is Editor at IDG Connect
