Encryption Technology Ready for Its Close-Up

In the early ’90s the technical culture, usually of one mind on issues of importance developed a crack. Popular technical culture, based in campuses and the online hacker communities, fell head over heels in love with encryption, especially as embodied in the method called public key. This, they proclaimed, was a revolutionary technology that would dissolve the privacy, authentication and security problems that constrained online communities, secure vital human freedoms like free speech and association, and even (some thought) usher out central governments in favor of the libertarian utopia. The talisman of this movement was Phil Zimmerman’s program Pretty Good Privacy; its bible, Bruce Schneier’s Applied Cryptography (Wiley, John & Sons, October 1995), sold more than 100,000 copies in two editions.

Meantime, the corporate technical community was relatively indifferent to the technology. To some this seemed paradoxical. The risk the average Unix programmer ran by leaving his Quake cheats unencrypted was probably pretty low. Companies, however, routinely sent and stored information of real value on their networks and file servers.

The reason for the difference was that both the corporate and popular communities were focusing on the same feature but with different perspectives: In the early ’90s encryption was primarily an end-to-end technology, run by users from the edge of the network. This appealed to the popular community, since users liked the idea of being responsible for enforcing their rights with their own hands. For CIOs, end-to-end was a bug, not a feature, because such services carry significant training and installation costs. There were other problems: Encryption made it harder for network diagnostic tools to peer into the traffic flow.

The argument between encryption developers and vendors, and the national intelligence and law enforcement agencies looked like a good one to avoid. There were no open standards.

Thus on the corporate side, even though encryption was available in theory (Lotus had built a decent module into Notes) the security products that drew the most enthusiasm were firewalls. Firewalls did not demand as many resources, and they protected against some of the same threats as encryption. Our own coverage mirrored that attitude. When we wrote about security (as we did in our Feb. 15, 1994, issue), we concentrated on firewalls, good practices and smarter management. Encryption seldom merited more than a line or two. “Crypto companies were begging for someone to pay attention to them,” remembers Vin McLellan, managing director of the Privacy Guild, a security consultancy in Chelsea, Mass.

During the past five years or so, however, the fortunes of encryption have risen dramatically. Industry groups have hammered out open standards. The Internet has increased both the number of attacks and the value of the properties that those attacks can threaten. Perhaps most important, encryption has moved off the edge; it can now be managed and delivered by the network, not the user. Virtual private network (VPN) technology is essentially about different ways of establishing and running totally encrypted sessions over otherwise insecure IP networks. Users establish these connections with special clients that handle the encryption management issues invisibly and in accordance with corporate policies.

Centralization has also added a function to encryption technology: management tools. For instance, encryption makes it much easier to enforce e-mail expiration policies. “The problem with e-mail that is unencrypted is that it’s hard to make sure you’ve gotten rid of all the copies,” says Chuck Wade, a senior researcher at Cupertino, Calif.-based CommerceNet, a nonprofit, industry consortium that focuses on all aspects of e-commerce. “Generally, investigators will go after the desktop and laptop PCs of key individuals, since they know copies on the archive servers were disposed of long ago. If, on the other hand, you have to have access to a key server to decrypt these files, and the keys on that server have expiration dates, then the copies will be unreadable even if they survive.”

All these improvements have led to a huge increase in the popularity of encryption. VPN sales are growing briskly. It is increasingly common for archiving and database software to encrypt the data they contain. Some industry observers, such as Raj Dhingra, senior vice president of marketing at Sunnyvale, Calif.-based Sonicwall, a firewall company moving into encryption, believe that encryption will become a standard element in corporate data privacy protection policies.

But while companies have warmed up to encryption, the popular technical culture has begun to cool on the technology. Schneier has publicly recanted his cryptocentric view of security in a new book, Secrets and Lies: Digital Security in a Networked World (Wiley, John & Sons, August 2000), in which he argues that encryption is just one link in a long chain, and that any failure in the chain will compromise even the best encryption. The two wings of the technical culture are not only converging; they may soon be passing each other, going in opposite directions.