Are there any interesting ways to use encryption that may not be widely known?
For instance, there's this tool called Social Fortress that will encrypt all your Facebook and Google+ postings (although all your contacts also need to install it or no one can understand what you're saying), or I found an AT&T app for encrypting voice.
Think of people who are paranoid or run businesses that involve dealing with sensitive info. What else is out there?
12 Answers
Last year I asked Bruce Schneier, perhaps one of the most famous cryptographers of all time, why he had moved from cryptography to become focused so much on human behavior. His latest writing revolves around actors and their decisions rather than mathematics and the more traditional problems of encryption.
I asked because my work has shifted from human behavior into developing and deploying encryption solutions. Just as I was collaborating on new and open standards like the Encryption Key Management Infrastructure (EKMI) he seemed to be leaving the field.
He looked at me for a second, laughed and said (paraphrase) "because we've solved the hard science problems of encryption. All the problems now are in how people use it".
In other words the best encryption solutions going forward will be the ones that can address the problem of human behavior and provide transparency into their complex issues of trust.
Dropbox encryption is an example of encryption management failure. It was not widely understood by users that they shared their keys with support staff -- like apartment dwellers sharing their door keys with plumbers, electricians, and anyone else the building owner hired to maintain the building. This created an uproar because many had expectations unfulfilled.
The first example, therefore, is the emerging use of personal/local key management systems and peer-based authority networks. Rather than trust a central authority to deploy keys and vouch for them, groups can trade levels of trust. This is based on the Pretty Good Privacy theory of signing keys, but it scales much higher because it is based on even home users running a trusted hardware-based key management system. Those systems used to be available only to large enterprise datacenter environments, but the cost of managing keys has come down dramatically and is now a consumer, let alone small business, opportunity. You may soon have one in your own home. StrongAuth has products that serve this new market.
The second emerging use of encryption I find most interesting, and not widely known yet, is how systems increasingly provide tamper-proof options based on a profile. Your data (whether on laptop, tablet, phone, etc.) will not be accessible, for example, unless it is in the right place at the right time. If someone tries to copy the data to California, but you live in Texas, then your data will be illegible to them. This is based on the history of companies who try to link their software to hardware, but it will be about protecting user data (much larger market) and blocking the movement of virtual systems instead of just defeating software piracy. RSA has been developing this technology.
A third example is integration of encryption into radio frequencies for robust secure communication channels over long distances with low power (e.g. sending tweets and twitpics from remote and isolated places). Messages are sent confidentially and with integrity from sea or land across relays and without central authority. I am not aware of any companies developing this yet for civilian use although the M-PESA system in Kenya is an example of how demand for this capability is exploding -- a secure wireless replacement for bank accounts and even debit or credit cards.
Hi Christina,
That's a broad question, to which the answer will undoubtedly be "Yes!"... :)
To be fair, I'm not sure I know what the average person understands about encryption. That's true for the average technical person as well.
Most of the encryption that people use is seamless to them (SSL, for example).
Encryption can be used in a variety of ways, both to secure data (at rest or in transit) or to ensure identity, such as with digital signatures and application hashes.
-ASB: http://XeeMe.com/AndrewBaker
Thanks for adding the details. I hadn't even heard of Social Fortress :)
In general, encryption is either a back-end technology (like SSL), or used in very niche areas. We still don't have ubiquitous email encryption, despite years of attempts with PKI and S/MIME and PGP.
Encryption, despite its complexity, is a good thing, and highly recommended whenever possible. At the very least, people should be using highly encrypted password safes to store their passwords and other credentials. And corporate users should be using whole disk encryption for sensitive laptops.
Paranoia in this area is not an absolutely bad thing, but discipline is even better. Carelessness when using encryption will either invalidate the entire effort, or render the data inaccessible to even the intended user.
In terms of encryption apps, I use and recommend GnuPG, which is an open-source PGP-compatible encryption tool.
http://gnupg.org
http://www.gpg4win.org
I also use TrueCrypt for disk encryption: http://www.truecrypt.org/
-ASB: http://XeeMe.com/AndrewBaker
Hi Cristina,
I was part of the team which developed Conseal USB, which is a neat use of encryption. Thought it may be of interest...
Essentially it allows any flash drive / removable hard disk to be remotely self-destructed. Also administrators can see who has used the device (and when and where), and they can prevent the device from being used outside of authorized networks or domains, or even limit its use to certain times of day.
http://www.consealsecurity.com/conseal-product-info/conseal-usb/
- Tom
CloudShield is a cool company that uses a gateway device to encrypt just the data fields you are concerned about as they are uploaded to SalesForce and other web-based sites. It keeps your private data away from the application provider.
VaporStream has a secure cloud-based messaging system. In addition to encrypting your messages, they are only presented as an image on your screen that is stored in video RAM, which is not accessible by any malware you may be infected with.
The most amazing use of encryption is in David Chaum's digital cash algorithms. http://en.wikipedia.org/wiki/David_Chaum
I'm sure there are some novel uses for encryption, most of which are already patented.
The question of "use" is more interesting. Why would one want to use encryption, even commonly-available things like S/MIME e-mail or PGP? The primary reason is to mitigate risks, i.e., for encryption, to make it very difficult to breach data confidentiality for data in messages and at rest. Using encryption without understanding what and why you are protecting data confidentiality may lead to incurring needless costs or, worse, feeling "safe" and ignoring other risks that encryption does not mitigate.
Encryption comes at a cost: one must deal with key creation, distribution, and management -- a non-trivial set of tasks -- and train users on how to properly use the technology. And, if there is high-volume encryption such as entire disk drives, there is a computing speed/capacity cost. It is not free.
Healthcare industry employees seem to be very excited about using the text messaging feature of their smartphones to share vital patient information including Personally Identifiable Information (PII) and other electronic Protected Healthcare Information (ePHI). While one can certainly imagine how the use of text messaging would increase staff productivity and result in enhanced patient care, one can also see that the transfer of this data via non-secured text messaging is a HIPAA Security/Privacy breach waiting to happen.
TigerText, Inc, a leader in private mobile messaging for consumers and healthcare organizations, has integrated with Amion’s industry physician and hospital-wide scheduling software. Amion is an extremely popular scheduling service that enables hospital staff to view assignments, submit special requests, swap shifts online and page on-call staff. Now with TigerText, these same customers can enable a private, secure and HIPAA compliant text messaging network with their existing computers and smartphones, reducing the risk of unauthorized access to patient data.
TigerText enables hospitals to deploy their own end-to-end encrypted, private mobile network in half the time of conventional tunnels. This secure solution addresses HIPAA/HITECH demand for better management and control of text communications in the workforce as employees use mobile messaging as their primary means of communication.
One of its best side benefits is that encryption is a great technique for data compression. Some email gateways will block zip files, but not encrypted file formats.
For the most part, encryption is used point to point (most often controlled by a company IT) and at the end-user level. The challenge with end-user encryption is that the user is often the weakest link.
Effective encryption requires the user to enter a good passphrase, which most are simply not capable of doing. A password such as Phillies2011 is but one example.
So while an interesting way to use encryption may be to make it seamless to the end-user, it is not feasible given the need for their insecure passphrase input.
In this case, I think the question is much better than any of the answers proposed, and illustrates the challenges of encryption.
Oddly enough, I've found that encrypting laptops, external hard drives and thumb drives is not widely known. Okay, I'm saying this (kind of) tongue-in-cheek, but you get the point.
The reality is many large enterprises and even certain smaller businesses are utilizing disk encryption to keep things in check. But we're nowhere near where we need to be.
I remember hearing a vendor cite a study about the percentage of drives being encrypted a while back. I wasn't able to locate it doing a quick search and I don't recall the specific percentage other than the organizations who do use disk encryption are in the minority.
I'm convinced that unencrypted mobile devices are one of the greatest risks in any given business today. Case in point, the 2010 Absolute Software / Ponemon "The Human Factor in Laptop Encryption" study found 95% of IT practitioners reported that someone in their organization has had a laptop lost or stolen and that 72% resulted in a data breach. The incidents listed in the Chronology of Data Breaches (http://www.privacyrights.org/data-breach) back this up.
I still hear people with good intentions talking about how their disk encryption projects are "in the works" but I'm not seeing anything of real substance. So, we know where we're bleeding, yet we're still ignoring the obvious solutions: whole disk encryption software or self-encrypting drives. I can't quite wrap my head around it.
Sure, as I've written about here: http://securityonwheels.blogspot.com/search/label/mobile%20security and here: http://www.principlelogic.com/mobile.html disk encryption is not THE magic solution, but I'll guarantee you it'll eliminate a ton of unnecessary risk and put businesses way ahead of where they are now.
There are two pieces to really good encryption: the encryption technology itself and the key management. The biggest mistake people make is paying a premium price for encryption technology and then not thinking about who has access or who can gain access to the key that can unlock the data. There are some interesting players in this field, but http://www.gazzang.com is a little startup that's making some waves. Right now, they specialize in encryption for the LAMP stack. A couple of value props on their website include out-of-the-box compliance with PCI, HIPAA, HITECH, etc. and their key management process. They host the key away from the data and the key can only be unlocked via business processes, including IP location, password, salt, etc. They claim it even keeps rogue insiders from being able to access sensitive info. I personally haven't tried it but they are creating quite a bit of buzz and they offer a free trial, so I figure it's pretty low risk to at least check it out. http://blog.gazzang.com/encrypt-free-trial?&t=59734
Hey Andrew. Nice to hear from you!
Please note I've added some details to my question. You're right, though, it is a broad one.
Kevin - good points.
The Symantec/Ponemon 2010 Annual Study: U.S. Enterprise Encryption Trends has a number of statistics on the topic. See http://eval.symantec.com/mktginfo/downloads/US%20Encryption%20Trends%202010%2...
Hard to reconcile, though, their note that ‘protecting against malicious cyberattacks is organizations’ top enterprise data protection priority’ and the fact that so few orgs are encrypting all mobile data.
One area worth looking at is to store all data in the cloud. Don’t keep it local, and ensure your cloud has really strong access control and data encryption.
That just may be the interesting way to use encryption that is not widely known.