IT/NETWORKING--Encryption 101

July 12, 2013
Primer on encryption of security data and communications

This article originally appeared in the July 2013 issue of SD&I magazine.

Despite what you were taught in English class, there are times where simple, open communications simply do not cut it. Security—especially in areas like Wi-Fi and access control—demands confidentiality. And that typically means encryption.

Steve Surfaro, vice chair of the Physical Security Council and security industry liaison with Axis Communications, Chelmsford, Mass., explains that encryption is the conversion of data into a form called a cipher text that cannot be easily understood by unauthorized people. Decryption brings encrypted data back into its original form so it can be understood. “Protecting data at rest is of great significance today as cyber security is challenged by exploits exhibiting persistent, varied, complex and even ‘supernormal’ behavior,” Surfaro said. “If data at rest is encrypted, risk is better managed and information security compliance is maintained even in the event of unauthorized access.”

Why encrypt?

“Encryption is critical to securing information transmitted over wireless networks, especially from those in public areas known as hotspots,” said Darnell Washington, president and CEO of SecureXperts, Kennedy Space Center, Fla. The firm is currently doing a secure cloud-hosted video surveillance pilot at Federal Protective Services. “Attackers can use unsophisticated tools to sniff and decipher transmitted information (packets) and even emulate or spoof your activities by making other systems think that transactions are generated by your system or device,” he added.

Encryption is not the only method to secure content produced by non-person entities like Voice over IP (VoIP) telephony devices, network video cameras, intrusion detection alarm transponders and electronic physical access control readers. Comprehensive endpoint security of these devices is achieved via authentication by a trusted, credentialing authority that issues digital certificates to the devices and the consumers of the content produced by these devices. “Practically nothing is sacred over unencrypted wireless,” Surfaro said.

These unencrypted transmissions are known as plaintext, or cleartext. Attackers can steal passwords and gain access to stored information and even escalate permissions to gain administrative control of security systems by hacking into them.

The flavors of crypto

The key standards used today to provide public-key cryptography conform to the American National Standards Institute (ANSI), and International Standards organization (ISO). The most prevalent and widely used set of cryptographic standards is published by RSA Laboratories (, a company that uses Public Key Cryptography Systems (PKCS). The standards define cryptographic processes which perform public key distribution, cryptographic interfaces between systems, and conformance with signing and verifying the authenticity of private keys. Each standard is defined with a number, such as PKCS#1, PKCS#2. Currently, there are 15 published standards.

* Symmetric Key Encryption is the most basic use of encryption for communication between devices. One device contains an embedded password consisting of an embedded code that makes a numerical representation or “expression” of a character, (such as the letter C=100), and then adds what is known as a “seed” number to form a new expression (e.g., the number 13). Another device will be configured (encoded) to understand this expression of C=113. Multiple groups of expressions make it more difficult to decode (decipher).

Still, Surfaro said such a system is weak due to publicly available “cracking systems,” which can guess or use computational power to unlock expressions or groups of expressions.

* Asymmetric Encryption is a more resilient encryption for internetworked systems that are installed in “untrusted” environments. Its technique uses a public key (which can be shared openly) and a private key to sign and to encrypt data. This type of encryption is known as Public Key cryptography. It is more secure and robust because the expression undergoes a series of steps to validate that the data has not been tampered with (message integrity), and that the transaction was completed by opening the data (non-repudiation).

Government leads the way

The government has what is arguably the most robust encryption. The private sector is taking solutions from the government sector,” said Joe Gittens, director of Standards for the Security Industry Association (SIA). “A lot of private-sector firms are now asking for federal-quality asymmetric encryption at the door.”

Currently, U.S. federal mandates and standards have been enacted to require encryption and identification-and-authentication (IA) controls to be embedded in physical security devices, which are referred to as Non-Person Entities (NPE’s), Washington said. These NPE devices require a unique cryptographic key to ensure they maintain a consistent security state.

Encryption systems, also known as cryptosystems, must be validated and approved under Federal Information Processing Standard 140, which identifies the requirements and standards for cryptographic modules including both hardware and software components for use by departments and agencies of the U.S. government.

Put encryption to work for your clients

In order to communicate with externally hosted systems in the future, security firms can integrate standards-based, certificate-based authentication and encryption into their systems to improve assurance and stay ahead of threats.

Axis, for example, uses a number of technologies including secure sockets layer (SSL) to create secure connections and interfaces with external sources, basically enabling its network cameras to function as their own web servers. It currently can provide a secure encrypted tunnel with most standard browsers, which prevents others from intercepting video feeds or other communications.

HTTPS (Hyper Text Transfer Protocol Secure) is identical to HTTP but with one key difference: the data transferred is encrypted using SSL or Transport Layer Security (TLS). This security method applies encryption to the data itself. Many network video products have built-in support for HTTPS, which makes it possible for video to be securely viewed using a web browser.

Many network video products support IEEE 802.1X, which provides authentication to devices attached to a LAN port. IEEE 802.1X establishes a point-to-point connection or prevents access from the LAN port if authentication fails. IEEE 802.1X prevents what is called “port hijacking”—when an unauthorized computer gets access to a network by connecting to a network jack inside or outside a building. The standard is useful in network video applications since network cameras are often located in public spaces where an openly accessible network jack can pose a security risk. In today’s enterprise networks, 802.1X is becoming a basic requirement for anything that is connected to a network.

Axis and other wireless products also support wireless encryption using Wireless Equivalency Protocol (WEP), and Wi-Fi Protected Access (WPA).

“Encryption can be a blessing or a curse if inappropriately applied,” Washington said. “It is important to ask what type of encryption is being used, and whether this encryption standard has been published and certified,” he said.

Software-based encryption is often known as a weaker type of encryption because it is stored on media that can be extracted with less difficulty than a stronger type of encryption known as hardware-based encryption, Washington explained. Hardware-based encryption uses a specific device which is known as a Hardware Security Module (HSM), or Trusted Platform Module (TPM), containing a cryptographic co-processor that runs completely separate from the systems processor and operating system.

“When a dealer performs security installations in mission-critical, high-assurance environments, they should always determine whether a software-based encryption solution is insufficient to support the overall environmental risk of the deployment,” Surfaro said. “One of the biggest pitfalls a dealer should be aware to avoid is a security system that does not support encryption at all.”

Encryption compliance standards emerge

“We see a compliance standard emerging as part of NIST (National Institute for Standards and Technology),” Surfaro said. “It mandates the use of encryption as well as identification and authentication for physical devices that communicate on government networks — including enterprise commercial and critical emergency and public safety systems owned by public and private institutions.”

These encryption standards will be established to provide a hardware-based “root of trust,” which can be trusted by IT enterprise domains and the federal government under another group known as the Federal Bridge Certificate Authority, which can validate transactions and electronic communications over secure encrypted channels with other agencies creating an interoperable trusted framework that uses encryption, digital signing, and device authentication and identification.

Device authentication and enhanced endpoint security strategies can be applied to both private and public cloud solutions.

There is also a need for encryption when it comes to cloud-based security services. According to Washington: “There are a number of directives and strategies for the federal government to adopt shared enterprise IT services using virtualization and cloud hosted environments,” he said.

One of these strategies is the modernization of government facilities to support Video Surveillance as a Service (VSaaS) on a federal level. This will permit live viewing and situational awareness across all federal facilities, and integrate facial recognition, video analytics, and predictive threat modeling on an enterprise scale.

As these systems are deployed, they will be protected from unauthorized viewing through the use of video encryption, which will only permit users who are in possession of a government or commercial issued personal identity credential known as HSPD-12 or PIV, to securely gain access to live or stored video regardless of geographic location.

A Federal Cloud Hosting provider will accept these credentials to establish an encrypted session through a secure authentication portal to review stored video, and can export live video to first responders.