
Top Secret

By Shawn P McCarthy -- Logistics Management, 6/1/1998

If you're moving business data over your Internet connection, you already may have investigated encryption technologies to ensure confidentiality.

Many businesses use one of two popular encryption methods: DES (various products that follow the Data Encryption Standard outlined by the National Bureau of Standards), or RSA Data Security Inc.'s suite of products for protecting transactions, data, and e-mail. Another encryption system, the National Security Agency's Capstone technologies, often is used by logistics operations that deal with the military.

But less well-known encryption methods are gaining popularity, especially among systems engineers building specialized servers. Smart cards, handheld computing devices, and electronic commerce solutions are driving the newest encryption techniques because they must interact with transaction servers, but they have limited memory and processing power.

RSA offers very tight security. But it uses 512-bit and 1,024-bit keys. This long bit length takes extra processing time on a transaction server. Smart cards that use RSA have to devote more space for encryption, and, as secure transactions gain popularity, commerce servers spend more time dealing with encryption processing and less time doing business.

Certicom Corp.'s Elliptic Curve cryptography is gaining popularity because it offers strong protection with 84-, 56-, and 96-bit cryptography keys. That means less work for transaction servers. It also means more keys and more flexibility for smart cards.

Elliptic Curve is available in a postal meter that attaches to a PC and allows users to buy postage electronically and print postal stamps. It's also showing up in handheld devices and in smart cellular telephones.

The push is on to offer a wider variety of encryption. As you work with different logistics partners, you may be asked to support different types of encryption. The Pointers box below outlines some of the most popular encryption products that you may encounter.

If you want to read up on security and encryption solutions, the Center for Information Technology at the National Institutes of Health in Bethesda, Md., maintains a useful page with pointers to security advisories, frequently asked questions, lists, and software. Visit www.alw.nih.gov/Security/security.html.

Tip of the Month

What if you need to protect the data you trade with overseas partners? How can you avoid U.S. laws prohibiting export of high-end encryption products? MIT professor Ron Rivest, a co-inventor of the RSA technologies, has a process known as chaffing and winnowing. Messages are sent with a combination of good packets and bad packets. An authentication code known only by the sending and receiving parties strips out the bad packets, leaving a readable file. Rivest says this isn't encryption, and accordingly, it isn't affected by encryption export laws. Details are available at http://theory.lcs.mit.edu/~rivest/chaffing.txt.
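The good-packet/bad-packet exchange described above, as an added example that is not part of the original article or Rivest's own code. It assumes one message bit per packet, an 8-byte serial number, and HMAC-SHA256 as the authentication code; the function names and the sample key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, serial, bit):
    # The MAC covers serial number and bit, so a packet cannot be moved or flipped.
    return hmac.new(key, serial.to_bytes(8, "big") + bytes([bit]), hashlib.sha256).digest()

def chaff(key, message):
    """Sender: for every message bit emit one wheat and one chaff packet."""
    packets = []
    for serial in range(len(message) * 8):
        bit = (message[serial // 8] >> (7 - serial % 8)) & 1
        pair = [
            (serial, bit, _mac(key, serial, bit)),       # wheat: real bit, valid MAC
            (serial, bit ^ 1, secrets.token_bytes(32)),  # chaff: opposite bit, random MAC
        ]
        if secrets.randbits(1):  # hide which of the two comes first
            pair.reverse()
        packets.extend(pair)
    return packets

def winnow(key, packets):
    """Receiver: keep packets whose MAC verifies and rebuild the message."""
    bits = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, _mac(key, serial, bit)):
            bits[serial] = bit
    if not bits:
        return b""  # nothing authenticated, e.g. wrong key
    count = max(bits) + 1
    if len(bits) != count or count % 8:
        raise ValueError("wheat packets missing: message was tampered with or truncated")
    out = bytearray(count // 8)
    for serial, bit in bits.items():
        out[serial // 8] |= bit << (7 - serial % 8)
    return bytes(out)

if __name__ == "__main__":
    shared_key = b"constructed-demo-key"  # sample value, not from the article
    stream = chaff(shared_key, b"PO 4471 shipped")
    print(len(stream), "packets sent")
    print(winnow(shared_key, stream))       # holder of the key recovers the message
    print(winnow(b"some-other-key", stream))  # without the key nothing verifies
```

Without the key an observer sees both bit values for every serial number and cannot tell which one is wheat, so the confidentiality rests entirely on the secrecy of the MAC key.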

Pointers

+ Visit www.rsa.com to see RSA's public-key cryptosystems. Products include secure payment, e-mail, instant messaging, certificate management, secure Java applications, and a crypto development toolkit.

+ Canada's Certicom Corp., www.certicom.com, offers Elliptic Curve technology. Products include software-development kits, embedded systems for cell phones and handhelds, cryptographic plug-in modules, and integrated circuits with cryptographic functions.

+ Cylink Corp., www.cylink.com, specializes in network security, including specialized products for frame-relay, Asynchronous Transfer Mode (ATM), and other high-end networks. It supports Certicom standards.

+ Pretty Good Privacy (PGP), www.pgp.com. Originally available for free, PGP now is available from Network Associates Inc. It is used for digital signing of e-mail or encrypting all files and correspondence. An outline of how it is integrated is available at www.pgp.com/products/pgp-personal-55-faq.cgi.

+ C2Net Software Inc., www.c2.net, offers the StrongHold Web server, which attaches a crypto element to The Apache Project's popular Apache HTTP Server. A secure browser plug-in and a TCP tunnel product for the client side also are available.

+ A good glossary of security terms is available at www.securityinfo.com/glossary.html.

© 2008 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.