Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people.

Decryption is the process of converting encrypted data back into its original form, so it can be understood. The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. (Technically, a code is a means of representing a signal without the intent of keeping it secret; examples are Morse code and ASCII.) Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computeralgorithms that rearrange the data bits in digital signals. In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that undoes the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to break the cipher. The more complex the encryption algorithm, the more difficult it becomes to eavesdrop on the communications without access to the key. Encryption/decryption is especially important in wireless communications. This is because wireless circuits are easier to tap than their hard-wired counterparts. Nevertheless, encryption/decryption is a good idea when carrying out any kind of sensitive transaction, such as a credit-card purchase online, or the discussion of a company secret between different departments in the organization. The stronger the cipher -- that is, the harder it is for unauthorized people to break it -- the better, in general. However, as the strength of encryption/decryption increases, so does the cost. In recent years, a controversy has arisen over so-called strong encryption. This refers to ciphers that are essentially unbreakable without the decryption keys. While most companies and their customers view it as a means of keeping secrets and minimizing fraud, some governments view strong encryption as a potential vehicle by which terrorists might evade authorities. These governments, including that of the United States, want to set up a key-escrow arrangement. This means everyone who uses a cipher would be required to provide the government with a copy of the key. Decryption keys would be stored in a supposedly secure place, used only by authorities, and used only if backed up by a court order. Opponents of this scheme argue that criminals could hack into the key-escrow database and illegally obtain, steal, or alter the keys. Supporters claim that while this is a possibility, implementing the key escrow scheme would be better than doing nothing to prevent criminals from freely using encryption/decryption.

How P2P encryption works Point-to-point encryption allows enterprises to create secure communication links between devices or components within those devices that prevent intermediate devices from having exposure to sensitive information that is transiting the network. P2PE is most commonly

deployed as a solution for compliance with the Payment Card Industry Data Security Standard (PCI DSS), but it may also be used for other sensitive data. For example, consider a clothing chain that has many retail outlets located around the country, handling all financial transactions from a centrally located data center. It would be difficult for the retailer to ensure the physical security of the local area networks in each store, due to the sheer quantity of those networks and the public nature of retail locations. Furthermore, it is unlikely that trained security staff is present in each of the retail outlets to monitor the network. By deploying P2P encryption, the retailer can limit the scope of exposure credit card numbers operate under within the merchandizing environment. For example, by deploying a point of sale (POS) system that uses encrypting card scanners and is supported by a back-end system in the home office that supports point-to-point encryption, the entire store network is taken out of the loop. Since the hardware card scanner encrypts the data before it reaches the POS terminal, there is no device on the store network that has the ability to decrypt the card number. This protects card numbers from a variety of attacks, including the eavesdropping of unauthorized devices and malware infections in the POS terminal. Devices such as those do not have access to the encryption key, so they would remain unable to access the card number. Why use P2P encryption? The main benefit of point-to-point encryption is its ability to reduce the scope of security efforts. In the retail scenario described above, if the merchant is able to assure the integrity of the hardware card scanners, it is only necessary to apply the most stringent security controls to the centralized back-end systems that are vulnerable to decryption. In highly regulated environments, this strategy can dramatically reduce the number of systems and networks that must meet onerous compliance and monitoring requirements. Limitations of P2P encryption While point-to-point encryption is a promising security technology option, it is still not widely deployed, mainly due to the small number of mature products on the market. Several organizations wanted to deploy it shortly after the PCI Security Standards Council adopted a simplified validation process for such products, but were unable to locate a product that met the PCI SSC's guidelines. In many cases, vendors reported they were beginning to field test offerings, but they were not yet commercially viable. These products are now beginning to find their way onto the market and are slowly coming online as merchants upgrade their systems. This compliance delay leads to the second main limitation of P2P encryption; it often requires a sizeable financial investment in order to get up and running. This includes upgrades to POS hardware, software, and potential fee increases from vendors who are eager to capitalize on the sudden demand from businesses that are seeking to limit their compliance obligations. Finally, its important to remember P2P encryption is not a panacea. While it can certainly reduce the need to secure remote networks, it does not eliminate the need for security

controls. The most important example of this is the need to employ strong encryption key management practices. If an adversary is able to gain access to the decryption key, this solution is rendered useless. This means any device that is considered out of scope must not have access to the keys used to protect sensitive information. In conclusion, point-to-point encryption is a promising technology that organizations are beginning to adopt in an effort to enhance data security and reduce the scope of compliance initiatives, especially in payment system environments. Currently, however, there are several significant limitations to the approach that security professionals looking to utilize this technology must consider, but continued improvement in commercial P2P products will likely lead to increased enterprise usage in the years ahead. How might strong encryption be successfully employed within our Web server environment? Web servers rely upon strong encryption to protect the data sent between users and the Web server. In the absence of strong encryption, any such communications are vulnerable to eavesdropping and modification. This threat could potentially undermine the confidentiality and integrity of financial transactions or other sensitive data that is exchanged with end users. There are two steps to ensuring strong encryption is being used to protect Web communications. One requires the use of a secure cryptographic protocol, and the other requires that the selected protocol make use of strong cipher algorithms. The cryptographic protocol describes how the Web user and server set-up communications and exchange encryption keys while the cipher algorithm specifies the mathematical operations used to encrypt and decrypt data. There are two main cryptographic protocols in use on the Web today; the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). TLS is the successor to SSL and is, generally speaking, more secure and preferred to SSL. However, many older Web browsers do not provide support for TLS, so Web servers used by the general public must also support the older SSL protocol. When configuring the protocols used on a Web server, an organization should choose to support both TLS and SSL version 3. Earlier versions of SSL have critical vulnerabilities and should not be used. To acquire the use of SSLv3 and TLS on a Microsoft IIS Web server, see this Microsoft Knowledge Base article. For Apache servers, include the following directive in your httpd.conf file: SSLProtocol -ALL +SSLv3 +TLSv1 Both SSL and TLS support a number of cipher algorithms. It is equally important to configure the server to only use cipher algorithms considered secure by the cryptographic community. For Microsoft IIS configuration instructions, see this Microsoft Knowledge Base article. On Apache servers, use this configuration directive:

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW With the combination of these two website encryption controls, you can ensure strong Web server encryption is in place to protect your Web infrastructure.

Homomorphic encryption is the conversion of data into ciphertext that can be analyzed and worked with as if it were still in its original form. Homomorphic encryptions allow complex mathematical operations to be performed on encrypted data without compromising the encryption. In mathematics, homomorphic describes the transformation of one data set into another while preserving relationships between elements in both sets. The term is derived from the Greek words for "same structure." Because the data in a homomorphic encryption scheme retains the same structure, identical mathematical operations -- whether they are performed on encrypted or decrypted data -- will yield equivalent results. Homomorphic encryption is expected to play an important part in cloud computing, allowing companies to store encrypted data in a public cloud and take advantage of the cloud providers analytic services. Here is a very simple example of how a homomorphic encryption scheme might work in cloud computing:

Business XYZ has a very important data set (VIDS) that consists of the numbers 5 and 10. To encrypt the data set, Business XYZ multiplies each element in the set by 2, creating a new set whose members are 10 and 20. Business XYZ sends the encrypted VIDS set to the cloud for safe storage. A few months later, the government contacts Business XYZ and requests the sum of VIDS elements. Business XYZ is very busy, so it asks the cloud provider to perform the operation. The cloud provider, who only has access to the encrypted data set, finds the sum of 10 + 20 and returns the answer 30. Business XYZ decrypts the cloud providers reply and provides the government with the decrypted answer, 15.

What's the best way to protect against Trojans on mobile phones, particularly those that try to steal SMS messages? Is there a way to encrypt SMS messages between mobile phones in the enterprise? Best practices for securing a smartphones have been covered in some of our recent Ask the Expert questions. The same security steps to secure your smartphone will protect it from mobile Trojans that steal SMS messages. Many applications that install on Androidpowered smartphones request more permissions than necessary, and may even request permission to SMS messages when not needed. Users may not carefully review the access they grant to an application when its installed and may unnecessarily allow an application access to SMS messages. Users should carefully review if an application needs access to SMS messages before granting the access and installing the application. Encrypting text messages can help protect against rogue or Trojan applications that steal SMS messages. There are ways to encrypt SMS messages between individual mobile phones using freely available applications for Android smartphones. For example, WhisperSystems TextSecure allows you to send and receive encrypted text messages and encrypts the text messages stored on your smartphone. Both the sender and the receiver need to have TextSecure installed, but the software requires no other configuration other than a password. Using this application could enable the secure usage of SMS messaging. Commercial applications like Protected SMS can be used for corporate usage.

Cloud storage encryption is a service offered by cloud storage providers whereby data, or text, is transformed using encryption algorithms and is then placed on a storage cloud. These encryption algorithms create ciphertext, a coded form that cannot be understood by anyone unfamiliar with the data set or the way the data was converted. A data key is created for each set of data, and that key is used to both encrypt and decrypt that data. Encryption can take place for data at rest or in flight. Data at rest is stored in databases on a companys SAN, NAS or file servers, while data in flight is moving throughout a network.Encryption, regardless of whether it takes place in flight or at rest, is an absolute requirement for cloud storage. Encryption to the cloud is almost identical to storage encryption, with one major difference. In a cloud environment, it is sometimes debated whether the customer or cloud storage provider should hold the data key. In the case of highly sensitive information, it is imperative that a cloud provider cannot access any information which they are not privy to. This is especially applicable in the case of health industry data that is protected by HIPAA laws. The Department of Health and Human Services (HHS) has published guidance for encrypting any Personal Health Information (PHI).

When considering placing data in the cloud, regardless of whether it is a public or private cloud, it is important that organizations ask what type of in flight and rest encryption the service is using, and who will hold the key to those encryptions.