IT/NETWORKING--Encryption 101

Primer on encryption of security data and communications


Government leads the way

“The government has what is arguably the most robust encryption. The private sector is taking solutions from the government sector,” said Joe Gittens, director of Standards for the Security Industry Association (SIA). “A lot of private-sector firms are now asking for federal-quality asymmetric encryption at the door.”

Currently, U.S. federal mandates and standards have been enacted to require encryption and identification-and-authentication (IA) controls to be embedded in physical security devices, which are referred to as Non-Person Entities (NPEs), Washington said. These NPE devices require a unique cryptographic key to ensure they maintain a consistent security state.

Encryption systems, also known as cryptosystems, must be validated and approved under Federal Information Processing Standard (FIPS) 140, which sets the requirements for cryptographic modules, both hardware and software components, used by departments and agencies of the U.S. government.


Put encryption to work for your clients

In order to communicate with externally hosted systems in the future, security firms can integrate standards-based, certificate-based authentication and encryption into their systems to improve assurance and stay ahead of threats.

Axis, for example, uses a number of technologies including secure sockets layer (SSL) to create secure connections and interfaces with external sources, basically enabling its network cameras to function as their own web servers. It currently can provide a secure encrypted tunnel with most standard browsers, which prevents others from intercepting video feeds or other communications.

HTTPS (Hypertext Transfer Protocol Secure) is identical to HTTP with one key difference: the data transferred is encrypted using SSL or Transport Layer Security (TLS). This security method applies encryption to the data itself. Many network video products have built-in support for HTTPS, which makes it possible for video to be securely viewed using a web browser.

Many network video products support IEEE 802.1X, which provides authentication to devices attached to a LAN port. IEEE 802.1X establishes a point-to-point connection or prevents access from the LAN port if authentication fails. IEEE 802.1X prevents what is called “port hijacking”—when an unauthorized computer gets access to a network by connecting to a network jack inside or outside a building. The standard is useful in network video applications since network cameras are often located in public spaces where an openly accessible network jack can pose a security risk. In today’s enterprise networks, 802.1X is becoming a basic requirement for anything that is connected to a network.

Wireless products from Axis and other vendors also support wireless encryption using Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP has since been deprecated because of known cryptographic weaknesses.

“Encryption can be a blessing or a curse if inappropriately applied,” Washington said. “It is important to ask what type of encryption is being used, and whether this encryption standard has been published and certified,” he said.
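As an added example, not code from the article or from Axis, the Python script below does for a camera's HTTPS interface what Washington recommends: it asks the device which TLS version and cipher suite it actually negotiates and whether its certificate is trusted by the client, then lists findings against a baseline. The weak-protocol and weak-cipher lists are an assumed policy for illustration, and the hostname on the command line is a placeholder.

```python
import socket
import ssl
import sys

# Protocol versions and cipher-suite markers treated as weak (assumed baseline; adjust to your own).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TAGS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def evaluate(session):
    """Turn the facts gathered about one TLS session into a list of findings."""
    findings = []
    if session["protocol"] in WEAK_PROTOCOLS:
        findings.append("weak protocol negotiated: " + session["protocol"])
    cipher = session["cipher"].upper()
    if any(tag in cipher for tag in WEAK_CIPHER_TAGS):
        findings.append("weak cipher suite negotiated: " + session["cipher"])
    if not session["trusted"]:
        findings.append("certificate not trusted by the client: "
                        + (session["verify_error"] or "unknown reason"))
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake twice: once without verification, to learn what the device will
    negotiate at all, and once with full verification against the system CA store."""
    session = {"host": host, "port": port, "trusted": True, "verify_error": None}
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.check_hostname = False      # must be cleared before verify_mode is relaxed
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=host) as tls:
            session["protocol"], session["cipher"] = tls.version(), tls.cipher()[0]
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                session["cert"] = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired or hostname-mismatched camera certificates end up here.
        session["trusted"], session["verify_error"] = False, exc.verify_message
    session["findings"] = evaluate(session)
    return session


if __name__ == "__main__":
    # Usage: python tls_probe.py camera.example.internal   (placeholder hostname)
    report = probe(sys.argv[1])
    print(f"negotiated {report['protocol']} / {report['cipher']}")
    for finding in report["findings"] or ["no findings against this baseline"]:
        print(" -", finding)
```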

Software-based encryption is often regarded as a weaker type of encryption because it is stored on media that can be extracted with less difficulty than with the stronger type known as hardware-based encryption, Washington explained. Hardware-based encryption uses a dedicated device, known as a Hardware Security Module (HSM) or Trusted Platform Module (TPM), containing a cryptographic co-processor that runs completely separately from the system's processor and operating system.

“When a dealer performs security installations in mission-critical, high-assurance environments, they should always determine whether a software-based encryption solution is insufficient to support the overall environmental risk of the deployment,” Surfaro said. “One of the biggest pitfalls a dealer should be aware of and avoid is a security system that does not support encryption at all.”