While other security mechanisms provide protection against unauthorized access
and destruction of resources and information, encryption/decryption protects
information from being usable by the attacker. Encryption/decryption is a security
mechanism where cipher algorithms are applied together with a secret key
to encrypt data so that they are unreadable if they are intercepted. Data are then
decrypted at or near their destination. This is shown in Figure 3.8 .
As such, encryption/decryption enhances other forms of security by protecting
information in case other mechanisms fail to keep unauthorized users from
that information. There are two common types of encryption/decryption: public
key and private key. Software implementations of public key encryption/decryption
are commonly available. Examples include data encryption standard (DES)
private key encryption, triple DES private key encryption, and Rivest, Shamir, and
Adleman (RSA) public key encryption.
Public key infrastructure (PKI) is an example of a security infrastructure that
uses both public and private keys. Public key infrastructure is a security infrastructure
that combines security mechanisms, policies, and directives into a system that
is targeted for use across unsecured public networks (e.g., the Internet), where
information is encrypted through the use of a public and a private cryptographic
key pair that is obtained and shared through a trusted authority. PKI is targeted
toward legal, commercial, offi cial, and confi dential transactions, and includes cryptographic
keys and a certifi cate management system. Components of this system are:
■ Managing the generation and distribution of public/private keys
■ Publishing public keys with UIDs as certifi cates in open directories
■ Ensuring that specifi c public keys are truly linked to specifi c private keys
■ Authenticating the holder of a public/private key pair
PKI uses one or more trusted systems known as Certifi cation Authorities (CA),
which serve as trusted third parties for PKI. The PKI infrastructure is hierarchical,
with issuing authorities, registration authorities, authentication authorities, and
local registration authorities.
Another example is the secure sockets library (SSL). Secure sockets library is
a security mechanism that uses RSA-based authentication to recognize a party’s
digital identity and uses RC4 to encrypt and decrypt the accompanying transaction
or communication. SSL has grown to become one of the leading security protocols
on the Internet.
One trade-off with encryption/decryption is a reduction in network performance.
Depending on the type of encryption/decryption and where it is implemented in
the network, network performance (in terms of capacity and delay) can be degraded
from 15% to 85% or more. Encryption/decryption usually also requires administration
and maintenance, and some encryption/decryption equipment can be expensive.
While this mechanism is compatible with other security mechanisms, trade-offs
such as these should be considered when evaluating encryption/decryption.