The Key to Security

All virtual private networks (VPNs) use an encryption scheme to render your data indecipherable to anyone but you. You have probably heard quite a lot about the cryptographic algorithms on which these encryption schemes are based. Rivest Code 2 (RC2), the Data Encryption Standard (DES), and Diffie-Hellman are only a few of the most commonly used algorithms.

You may be aware that these algorithms use keys to encrypt and decrypt data. However, you probably don't know that the algorithm a product uses isn't the key to the product's security, despite what some vendors would lead you to believe. Instead, the key to a product's security is its key or keys. Generally speaking, the longer the key, the safer your data.

According to cryptologist Bruce Schneier, "all of the security in [cryptographic] algorithms is based in the key (or keys); none is based in the details of the algorithm." (Applied Cryptography, Wiley, New York, 1994, pp. 3­4.) The algorithms can be published (and many have been) because it doesn't matter if an eavesdropper knows your algorithm--what matters is if he or she knows your decryption key. Without that key, an eavesdropper cannot read your data. If the eavesdropper could find your decryption key, however, he or she could read your data.

A key might be any one of a large number of possible values. The length of a key--its bit size--is directly related to how many possible values exist. For example, a 40-bit key has 240 possible values, and a 160-bit key has 2160 possible values. The longer the key, the more possible values exist, and therefore, the harder it is to find the correct key.

Finding the correct key among these values is theoretically possible, regardless of key length. In practice, however, an enormous computing effort is required to crack even a relatively small key, such as a 40-bit key or a 56-bit key.

For example, in June 1997, a team of university students, programmers, and scientists solved a challenge issued by Rivest, Shamir, Adleman (RSA) to crack a message encrypted with a 56-bit DES key. Over a four-month period, tens of thousands of computers worked together to find the correct key out of 72 quadrillion possible values. Only 25 percent of the total number of possible values had been tested when the team discovered the correct key and decrypted the message: "Strong cryptography makes the world a safer place."

In October 1997, another team of users cracked a message encrypted with a 56-bit RC5 key in response to another RSA challenge. The 56-bit RC5 key also had 72 quadrillion possible values, 47 percent of which had been tested before the team discovered the correct key and decrypted yet another message: "It is time to move to a longer key length."

RSA issued these challenges to demonstrate the modest level of security in the encryption technology that the U.S. government allows to be exported. U.S. policy on encryption currently allows companies to use only 40-bit keys when exchanging information with users outside the United States and Canada. Financial institutions and companies with international branch offices can apply for a license that enables them to use keys of up to 56 bits.

VPN solutions operating within the United States and Canada offer key lengths ranging anywhere from 40 to 128 bits. VPN solutions that use 128-bit keys, such as Novell's BorderManager VPN component, are extremely secure. In fact, according to Schneier, breaking even an 80-bit key is "still beyond the realm of possibility." (Applied Cryptography, p. 153.) However, if you plan to establish a tunnel that extends beyond the borders of the United States and Canada, you will be limited to using a 40-bit key (or a 56-bit key if you qualify for a license), and therefore, your data will not be as secure.

If that prospect worries you, remember that although RSA has proven a 56-bit key can be broken, finding the correct key among 72 quadrillion possible values requires an enormous computing effort. You should also know that RSA gave the teams who participated in the challenge a major clue. RSA gave the teams a small piece of encrypted data along with the decrypted version of that data. Even armed with this clue, tens of thousands of computers running 24 hours a day, seven days a week took several months to solve RSA's challenge. Would your data attract that much attention?