IT/NETWORKING--Encryption 101

Primer on encryption of security data and communications

Despite what you were taught in English class, there are times where simple, open communications simply do not cut it. Security—especially in areas like Wi-Fi and access control—demands confidentiality. And that typically means encryption.

Steve Surfaro, vice chair of the Physical Security Council and security industry liaison with Axis Communications, Chelmsford, Mass., explains that encryption is the conversion of data into a form called ciphertext that cannot be easily understood by unauthorized people. Decryption brings encrypted data back into its original form so it can be understood. “Protecting data at rest is of great significance today as cyber security is challenged by exploits exhibiting persistent, varied, complex and even ‘supernormal’ behavior,” Surfaro said. “If data at rest is encrypted, risk is better managed and information security compliance is maintained even in the event of unauthorized access.”


Why encrypt?

“Encryption is critical to securing information transmitted over wireless networks, especially from those in public areas known as hotspots,” said Darnell Washington, president and CEO of SecureXperts, Kennedy Space Center, Fla. The firm is currently doing a secure cloud-hosted video surveillance pilot at Federal Protective Services. “Attackers can use unsophisticated tools to sniff and decipher transmitted information (packets) and even emulate or spoof your activities by making other systems think that transactions are generated by your system or device,” he added.

Encryption is not the only method to secure content produced by non-person entities such as Voice over IP (VoIP) telephony devices, network video cameras, intrusion detection alarm transponders and electronic physical access control readers. Comprehensive endpoint security for these devices is achieved through authentication by a trusted credentialing authority that issues digital certificates both to the devices and to the consumers of the content they produce. “Practically nothing is sacred over unencrypted wireless,” Surfaro said.

These unencrypted transmissions are known as plaintext, or cleartext. Attackers can steal passwords and gain access to stored information and even escalate permissions to gain administrative control of security systems by hacking into them.


The flavors of crypto

The key standards used today to provide public-key cryptography conform to those of the American National Standards Institute (ANSI) and the International Organization for Standardization (ISO). The most prevalent and widely used set of cryptographic standards is published by RSA Laboratories as the Public Key Cryptography Standards (PKCS). The standards define cryptographic processes that perform public key distribution, cryptographic interfaces between systems, and conformance with signing and verifying the authenticity of private keys. Each standard is identified by a number, such as PKCS#1 or PKCS#2. Currently, there are 15 published standards.

• Symmetric Key Encryption is the most basic use of encryption for communication between devices. One device holds an embedded code that gives each character a numerical representation, or “expression” (such as the letter C=100), and then adds what is known as a “seed” number (e.g., 13) to form a new expression. The other device is configured (encoded) to understand this expression of C=113. Using multiple groups of expressions makes the result harder to decode (decipher).

Still, Surfaro said such a system is weak due to publicly available “cracking systems,” which can guess or use computational power to unlock expressions or groups of expressions.
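The seed scheme in the bullet above, and the guessing that Surfaro says public “cracking systems” rely on, as an added example that is not code from the article. It assumes Python's `ord()` as the embedded numeric code for a character (standing in for the article's C=100 table) and a seed of 13 as the secret shared by the two devices; the crib words and the sample message are constructed. The point for a defender is that the seed is the whole secret, and with at most a few hundred possible seeds an exhaustive guess succeeds immediately.

```python
"""Added example: the 'expression plus seed' cipher and why a tiny keyspace fails."""
from string import printable
from typing import List, Optional

# Assumption: a character's numeric "expression" is its code point (ord),
# and the seed added to every expression is the shared secret. Constructed value.
SEED = 13


def encrypt(plaintext: str, seed: int) -> List[int]:
    """Turn each character into its numeric expression plus the seed."""
    return [ord(ch) + seed for ch in plaintext]


def decrypt(expressions: List[int], seed: int) -> str:
    """Reverse the shift; readable text comes out only with the right seed."""
    return "".join(chr(code - seed) for code in expressions)


def crack(expressions: List[int],
          crib_words=("the", "door", "open", "alarm")) -> Optional[int]:
    """Exhaustively guess the seed. The keyspace is a few hundred values, so
    the first guess that yields printable text containing a crib word is
    found instantly; this is the weakness the article describes."""
    for guess in range(0, 256):
        try:
            candidate = decrypt(expressions, guess)
        except ValueError:          # negative code point: seed too large
            continue
        if all(ch in printable for ch in candidate) and \
                any(word in candidate.lower() for word in crib_words):
            return guess
    return None


if __name__ == "__main__":
    message = "open the door"                      # constructed sample
    wire = encrypt(message, SEED)
    print("on the wire:", wire)
    print("decrypted with seed:", decrypt(wire, SEED))
    print("seed recovered by guessing:", crack(wire))
```

The seed is recovered because the scheme's only secret is a small number; a real symmetric cipher such as AES uses a 128- or 256-bit key, which is what makes exhaustive guessing impractical.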

• Asymmetric Encryption is a more resilient form of encryption for internetworked systems that are installed in “untrusted” environments. Its technique uses a public key (which can be shared openly) and a private key to sign and to encrypt data. This type of encryption is known as Public Key cryptography. It is more secure and robust because the expression undergoes a series of steps to validate that the data has not been tampered with (message integrity), and that the transaction was completed by opening the data (non-repudiation).
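How the public/private key pair gives message integrity and non-repudiation, as an added example that is not code from the article or from any vendor named in it. It uses textbook RSA over a SHA-256 digest with constructed toy primes (104729 and 104723, and 1009 and 1013 for a second device) and no padding; those simplifications are assumptions made so the block runs with only the Python standard library. The constructed access-control event shows that a changed message or a different key fails verification, and that data encrypted to the public key is recovered only with the private key.

```python
"""Added example: toy public-key signing and encryption (textbook RSA)."""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Build (public, private) keys from two primes. The primes passed in
    below are tiny constructed values; real keys are far larger."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: modular inverse of e
    return (n, e), (n, d)            # public key, private key


def digest(message: bytes, n: int) -> int:
    """Hash the message so the signature covers every byte, then reduce the
    value below the modulus so it can be used as an RSA input."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Only the private-key holder can produce this value (non-repudiation)."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check the signature; any change to
    the message changes its digest and the check fails (message integrity)."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def encrypt_int(m: int, public_key) -> int:
    """Encrypt a small integer (for example a session key) to the key holder."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_int(c: int, private_key) -> int:
    """Recover the integer; requires the private exponent."""
    n, d = private_key
    return pow(c, d, n)


def demo() -> dict:
    """Walk through the three properties with a constructed reader event."""
    public, private = make_keypair(104729, 104723)    # constructed toy primes
    other_public, _ = make_keypair(1009, 1013)        # a different device's key
    event = b"reader-12 granted badge 4471 at 09:14"  # constructed sample
    sig = sign(event, private)
    tampered = event.replace(b"granted", b"denied")
    session_key = 123456
    return {
        "valid": verify(event, sig, public),
        "tampered_detected": not verify(tampered, sig, public),
        "wrong_key_detected": not verify(event, sig, other_public),
        "roundtrip": decrypt_int(encrypt_int(session_key, public), private)
                     == session_key,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The private key never leaves the signing device, which is why a valid signature ties the event to that device; the public key can be handed to every consumer of the content, which is the role the certificate-issuing authority mentioned earlier plays.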
