Data Security Tutorial v1.00 
(c) 1996-1997 by:  MaeDae Enterprises
5805 Prospero Road
Peyton, CO 80831 USA
Voice: 1-719-683-3860   FAX: 1-719-683-5199
  http://www.maedae.com

This data security tutorial provides information on several security related 
areas.  In particular, it concentrates on areas related to helping you in the 
secure use of your small computer.  To get the most out of our security related 
products you need to have a basic understanding of what data security is.  To 
aid you in this, we have provided the following information.

Security Topics:

What is data security? 
Encryption techniques 

Key management 
Electronic file transfer 
Archives and encryption 
Virtual memory 
USA security policy 
Security terms defined 
Additional reading


Please feel free to pass copies of this security tutorial on to friends and post 
to bulletin boards and information services.  We have invested a lot of effort 
into developing this tutorial and would like others to benefit from it.

What is data security?

Data security is basically protecting the data you use with your computer.  This 
can be accomplished through access control methods like locked computer rooms, 
security guards, and safes.  It can also be through encryption, the scrambling 
of the data so no one will be able to figure out what the data really is.  We 
concentrate on encryption for this tutorial.

As you know from the television and newspapers. as networks proliferate so do 
thieves and the need for data security increases.  The world in the past has 
largely depended on physical security such as safes and locks.  Computers are 
rapidly eroding the possibility of physical security (wherever a modem is 
connected to a phone line).  Laws will be passed, but in the final result, 
honesty depends on good security.  All the ministrations of legislators and 
bureaucrats will have little positive effect on security.  Human nature will win 
out.  The easier it is to get, the more likely it is to be stolen.  Encryption 
provides part of the answer to the need for increased security.  It will be 
especially useful in systems that are open to all users but which have some 
confidential data.  Instead of complex levels of user verification through 
passwords, everyone can get the file but only the people with the key can decode 
the information.  Encryption in its present state is cumbersome and time 
consuming, but faster computers and better programs can ease this problem.  This 
is where our products come to the rescue.

Encryption is a fascinating exercise.  One of our basic encryption levels 
implements a version of the Vernam machine developed at Bell labs in the 1920's.  
The original machine used Baudot code on a teletype and performed an exclusive 
or (XOR) on each character of the message and the key to produce the encrypted 
character.  The message was decoded by the same machine in the same manner.  The 
method is considered unbreakable if two conditions are met.  First, the key is 
longer than the message and second, the key is only used once, sometimes called 
a one time pad.  Typically the files you will be encrypting are much longer than 
the key.

NOTE:  If there is any question about the randomness of the encrypted file, you  
can encrypt the same file multiple times using different keys.  The true 
randomness of the key should not matter since the use of more than one key will 
make decoding the file very difficult, if not impossible.  This process could be 
repeated until the paranoia of the person was satisfied.

Encryption Techniques

The Data Encryption Standard (DES)

Most encryption schemes are kept secret.  One exception is the Data Encryption 
Standard (DES), which was issued by the U.S. National Bureau of Standards (NBS).  
The National Security Agency (NSA) was intimately involved in the development 
and acceptance testing of the DES algorithm.

In 1972, the National Bureau of Standards (now called the National Institute for 
Standards and Testing) asked for proposals for a method to encrypt commercial 
computer data traffic (just like the data in your PC today).  In 1974, the NBS 
asked NSA for assistance, since the NBS had received an extremely poor response 
to their original request for proposals.  NSA has as one of its primary 
functions the development and breaking of information protection techniques 
(codes and ciphers).  An algorithm developed by IBM became the DES and was 
issued by the NBS in 1977.  This provided an approved and secure standard for 
protecting computer data against possible theft or unauthorized access.

DES performs encryption by working on a block of 64 bits of your data using a 64 
bit key (we generate the 64 bit key from the key you supply).  Basically, DES is 
a substitution cipher.

How well does DES protect your data?  The designers of the DES algorithm 
maintain that the time needed to decrypt a DES encrypted file makes it 
unprofitable to use trial and error techniques.  Some estimates to break DES are 
as high as $200 million to try all 72 quadrillion possible keys.

We chose to implement DES because it is a standard and its ability to protect 
your data is well documented.  Our goal is to provide you with the best possible 
software tool for the protection of your sensitive data.  

Proprietary Encryption Techniques

Our software provides several layers of encryption as its basic level of data 
protection.  Our proprietary encryption algorithms provide the industry standard 
xor, transposition, and substitution forms of encryption.  These are applied to 
your data, one on top of the other, providing multiple layers of encryption.

It is extremely unlikely that anyone will ever go to the expense to break our 
proprietary level of encryption in our Encrypt-It.  To eliminate even this small 
possibility we also support adding the secure DES on top of our proprietary 
encryption techniques.

Cryptographic Encryption Techniques

Cryptographic techniques provide a very cost effective method of protecting your 
important data.  There are many computer techniques available today for 
protecting your sensitive data.  Our encryption products uses the following four 
basic encryption methods:

1.  Transposition - Changes the natural order of data so that a different order 
for the characters is used.  It swaps characters within a message to place them 
in a different order based on the encryption key (text string) you use for 
encryption.  For example, the clear text phrase - THIS IS A TEST - could become 
- ISTHA SI  TAEST - after encryption.  YYou will notice that the characters are 
the same.  However, their order is totally mixed up or transposed.  This process 
is repeated during decryption to return the data back to its original state.

2.  Substitution - Substitution is one of the simplest encryption techniques.  
It creates a new order for the characters.  For example, the order of the text 
ABCDEFGHIJKLMNOPQRSTUVWXYZ could be changed to a new order 
ADMYNZEOFPBQGSRHTUIVWJKXL.  The message - THIS IS A TEST - would become - IEOU 
OU C IYUI -. This example is over simplified for illustration purposes.  When 
substitution is used within a computer, all 256 possible characters are used so 
that it is possible to use the technique on different types of computer files.

3.  Exclusive Or - This is a logic operation used by the computer to manipulate 
the data at the bit level.  For example, a character which consists of 10011001 
(shown as bits) could be encrypted with 1101010 to give you 01001100 when the 
exclusive or is performed.  When either the data or the key contains a 1, the 
result is a 1, otherwise it is a 0.  To reverse the process, you exclusive or 
the encrypted data with the key a second time.  This operation is very easy for 
computers to perform and is used when only a minimum of protection is required.

4. Data Encryption Standard (DES) - DES performs its encryption by working on a 
block of 64 bits of your data using a 64 bit key (we generate the 64 bit key 
from the key you provide).  DES makes a total of 16 passes through each 8 
character (64 bit) block of your data substituting a different character for the 
one initially there.  As you can guess, DES is practically impossible to break.  
To eliminate even that small possibility, cipher block chaining (CBC)) is often 
used to strengthen DES.  CBC provides an exclusive or encryption layer 
underneath DES that chains the encryption of the unencrypted data from one 64 
bit block to the next.

Key Management

The best data encryption software in the world cannot protect your files if you 
compromise your key. 

Encryption Keys

Secure encryption of your data is our job.  The choice of a good key and 
protecting the key from compromise is your job.

How do you select a good text key?  Several things should be considered:

	1.  Keys should not have many repeating characters.
	2.  If they have any pattern to the eye they should not be used.
	3.  Keys must be kept secure.

4.  Keys should be as long as practical.

We recommend you use as long a key as possible.  Phrases or short sentences 
should work well as a key and still be easy to remember.  Spaces may be used in 
your key, but we recommend not using spaces at the beginning or end of the key.  
These spaces are easily forgotten.  

Management of the Keys

Distribution and maintenance of keys requires planning if it is to be 
successful.  Both you and the person you send encrypted files to need to know 
the key. One way to handle this is to coordinate a key through a trusted avenue 
-- in person, over secure phone circuitss, etc.

Once you have a trusted secure key, generate and encrypt other keys on an as 
needed basis.  Encrypt the work keys in your trusted secure key and send the 
encrypted key to the person who will be decrypting your files.  Since the work 
keys will encrypted, they can be sent through any avenue you want.  You do not 
have to protect them since they are encrypted.

The person at the end will receive your list of keys and decrypt them using the 
coordinated private key.  You can now safely switch to the new keys.  

This simple concept should make key management much easier for you.

Generating Binary Keys

Encryption routines like DES require a key consisting of a sequential number of 
bits.  There are several ways to translate a phrase like - my dog is brown - 
into a binary key.  One easy way to generate this key is to calculate the cyclic 
redundancy check (CRC) of the phrase generating a 16 bit or 32 bit binary 
signature for the entire phrase.  

You could then use this signature as the first part of the binary key.  The rest 
of the binary key could be made up of the first few characters of the textual 
phrase.  That way you could have a binary key that varied with the textual 
phrase but was much smaller.

Our Windows Encryption Toolkit provides a CRC function to help you take 
advantage of this approach to binary key generation.

Electronic File Transfer

Many products, like our Encrypt-It, build extensive file validation checks into 
the file structure of the encrypted file.  If any character of the encrypted 
data is EVER changed, you are notified!   The implications are discussed in the 
following paragraphs.

Our extensive checks means you can have complete confidence that the decrypted 
data is ALWAYS exactly what you started with.  However, there is a drawback.  
You need to be aware of the limitations of the electronic transfer medium you 
use.   If the file transfer alters the original file in ANY way, Encrypt-It will 
flag this as an attempt to alter your data.  In essence it really is, but it may 
just reflect the limitations of the electronic transfer medium you are using. 

When you transfer files by floppy diskette, preservation of the original size 
and contents without error are virtually guaranteed.  The same cannot be said 
about electronic transfer of data via bulletin boards and information services 
like CompuServe, AOL, or GEnie.  Our suggestions for electronic file transfer 
are:


1.  Use ZModem protocol whenever possible.  Kermit may also maintain the correct 
file size, but we are unsure of other protocols.  A problem with XModem is that 
it adds bytes to round the file size up to the next higher block size.  Check 
your file transfer protocol to make sure it does not add additional characters 
to pad the transferred data out to a standard block size.

2.  Wherever possible use binary file transfer.  Some information services 
convert your file into a limited range ASCII message and insert it into an email 
message.  It is up to the end user to translate the file back into its initial 
state.  This can be confusing and may not totally ensure the integrity of your 
data.  Watch out for this.

3.  ALWAYS use error correction if it is an option.  Implementations of ZModem 
frequently offer the option of using a 32 bit CRC, use this whenever possible.  
If a file is ever altered during transfer, our Encrypt-It will flag it as a 
modification of your data!  This includes any attempt to add or delete 
characters!  

We want to provide you with the best possible protection for your data!  If our 
checks in our products seem like we are going overboard, then we have 
accomplished our goal.  Our goal is total protection for your sensitive data.  
Nothing less is acceptable.

Archives and Encryption

Archives like .ZIP and .LZH are frequently used to store files.  This may be 
done to reduce storage requirements or just to group all the files needed for a 
given application.  Archives are especially useful when the files are to be 
transferred electronically.

For best results with archives, first archive your files then encrypt the 
archive.  Archivers cannot compress encrypted files.  Compression techniques 
typically rely upon uneven character distribution or repeating patterns in the 
data to be able to accomplish their function.  After encryption, the data has an 
even character distribution without any repeating patterns.  

Archives can also be used to get around limitations of  the electronic file 
transfer protocols.  Some of the protocols add bytes which alter  your data.  If 
you archive the encrypted file first, transfer the archive, and then break it 
out, you will have gotten around these problems.  This may in some cases mean 
that you archive all your files, encrypt the archive, and then archive the 
encrypted file to get around the protocol limitations.

Virtual Memory

Operating systems as they grow more complex have a tendency to require more 
system resources to run.  Computers typically have a very limited amount of 
physical RAM which is not enough for the newer memory hungry operating systems.  
Because of this, the operating systems use the much larger hard disk space 
transparently as memory using a technique called virtual memory.

The use of hard disk space in this manner creates a touchy problem for data 
security.  Transparently to your applications, sections of documents are being 
stored temporarily in various locations on your hard drive.  How do you ensure 
every single trace of any of your data is erased under these conditions?  You 
cannot really.  However, data stored in virtual memory will tend to be quickly 
overwritten when you run the next application.  This will not be totally secure 
but should suffice for most situations.   

Do you need total protection from the possibility compromise of data through 
virtual memory?  Configure your system to not use virtual memory.  You should 
probably add additional physical RAM as part of this process.  A word of caution 
- some operating systems may actually ruun slower if you totally disable virtual 
memory instead of merely setting it to a very low value.

USA Security Policy

Overview of USA Regulations

The USA government, in its usual cryptic fashion, classifies encryption software 
under the International Traffic in Arms Regulations (ITAR).  The ITAR does not 
deal well with technical data that can exist in many different forms and flow 
across national boundaries on BBSs, Internet, and other electronic services.  In 
fact, some of the best source code for encryption techniques, regulated by the 
ITAR, frequently originates outside the USA.  This source code can be imported 
via electronic means, built into commercially competitive products, and then 
cannot be exported to the world-wide marketplace.  Examples of this are the DES 
and IDEA (from Switzerland) encryption techniques which are available in 
commercial products throughout the world, but cannot be exported outside the USA 
and Canada.

ITAR currently makes a distinction on what type of encryption software can be 
exported primarily based on the complexity of the encryption algorithm 
(sometimes linked to the number of bits in the encryption key).  It is tied back 
to whether the US government feels they can break the encryption technique given 
their super computer resources.  Basically, it goes something like this:

- XOR, transposition, substitution, and  the like can be freely exported.
- RSA 40 bits or less can be freely expoorted.

- RSA 41-64 bits cannot be exported unleess you build in a back door and give the 
government the key.
- RSA greater than 64 bits cannot be expported.
- DES cannot be exported unless you builld in a back door and give the government 
the key.
- Other encryption schemes like the 128  bit IDEA or 448 bit Blowfish cannot be 
exported.

Use of Encryption Software in USA Government

To the best of our knowledge, no software is authorized for the encryption of 
classified information (Confidential, Secret, and Top Secret) in the USA.  Only 
hardware encryption devices are approved for the processing of classified data.  
Software encryption can be used only for the encryption of For Official Use Only 
(FOUO) data such as base telephone books.

Notes:  

1.  In order to comply with USA DES export restrictions, we will NOT sell any 
DES enabled encryption product outside the USA and Canada.  All other orders 
will be filled with the simpler proprietary encryption versions.  We have chosen 
to eliminate all back doors in our DES products so the USA regulations prohibit 
us from exporting them.

2. The USA is currently working on security policies (as always).  The above 
general export guidelines are subject to immediate change as the USA changes 
their minds.

Security Terms Defined

Terms used when dealing with encryption may be a little confusing.  They are 
terms frequently used when discussing cryptography.  We picked the most 
important ones and defined them for you here.

Cipher -- Any technique, method, or scheme (XOR, substitution, transposition, 
etc.) used to encrypt and decrypt text, without regard to its linguistic 
structure.

Cipher Block Chaining (CBC) -- Provides an exclusive or encryption layer 
underneath DES that chains the encryption of the unencrypted data from one 64 
bit block to the next.

Ciphertext -- The unintelligible text, after encrypting it.

Cryptanalysis -- The solving or breaking of codes without knowledge of the key.

Cryptography -- The general study of hiding the meaning of messages and the 
general techniques used for the hiding.

Data Encryption Standard (DES) -- DES is basically a substitution cipher using a 
64 bit block of your data and a 64 bit key.

Decrypting -- The process of  decoding an encrypted or ciphertext file to regain 
the original information.

Encrypting -- The process of encoding a plaintext file to hide the original 
information.

Exclusive Or (XOR) - This is an encryption technique that uses  logic computer 
operations to manipulate the data at the bit level.

Key -- The text used to encrypt or decrypt a file.  Sometimes called a code word 
or password.  Keys can be simple everyday words or very complex combinations of 
characters that have no meaning.  Example keys: abc1234, Never:Again, and Buy 
Bonds.

Plaintext -- The unencrypted or decrypted, readable text.

Substitution - Substitution is one of the simplest encryption techniques.  It 
creates a new order for the characters.  

Transposition - An encryption technique that changes the natural order of data 
so that a different order for the characters is used.  It swaps characters 
within a message to place them in a different order based on the encryption key 
(text string) you use for encryption.

Additional Reading

The books listed below were useful in the development of our security related 
products.  In particular, Applied Cryptography was very useful in helping to 
evaluate the protection provided by different encryption techniques.

1.  John Wiley & Sons, Inc., Applied Cryptography, by Bruce Schneier, 1993.

2.  Aegean Park Press, Elements of Cryptanalysis, by William F. Friedman, 1976.

3.  Aegean Park Press, Introduction to the Analysis of the Data Encryption 
Standard, by Wayne G. Barker, 1991.

3. Sams Publishing, Top Secret Data Encryption Techniques, by Gilbert Held, 
1993.