Sunday, October 25, 2009

The role of eCLIPse in Security

by Leslie Satenstein
October, 2009

Prior to describing Eclipse, the industry uses several terms that need some definitions.

Data In The Clear
Data that is stored so that what you see is what you get. For example, this text and the email you receive from contacts is in the clear. Anyone can read it or make use of it. Excel Spreadsheets, lawyer’s papers, auditors working papers, etc or even one’s confidential diary is normally available to anyone who receives a copy.

Encryption is the process of taking a file of “data in the clear”, and using a mathematical algorithm such as 3DES, driven by keywords, to convert the data in such a way that it now appears as gibberish. To decrypt the data requires the use of a keyword or a second keyword. Encryption is used to provide privacy of information. A quality of modern encryption algorithms, is that someone who does not have the keyword(s) required to undo the encryption process, would normally require a lifetime of years of effort employing dozens of superfast computers, to try to restore the data to it’s original form (to break the encryption code).

Some encryption algorithms are rated very strong while others are weaker. The standard connection between computers and wireless networks use weak encryption and the encryption can be easily discovered, however, eCLIPse uses a strong encryption algorithm « Triple Des » (3DES) that is virtually impossible to break. 3DES is used in banking networks and in transmitting data between individuals. 3DES encryption is used for various tasks, including secure storage, protecting online databases and other security requirements.

How secure is 3DES ?
It seems reasonable, given that we recommend using 3DES, to ask, « Is it safe? » The answer is « It is very safe ». There is a technical description that is beyond the scope of this article, which explains that because eCLIPse imposes the use of distinct keys it can take about 2^168 (2 raised to the power 168) crypto operations to discover the 3DES key. Assuming that each 3DES decryption test requires 2 decryptions plus one encryption) at a million instructions per second, it will amount to 1.19 x 10^37 or more then 137 million years to discover the key. That's far longer than scientists currently estimate our universe to have been in existence.

Secure Socket Layer or SSL is a transmission protocol that is layered onto TPNS. It is a security to dynamically chose encryption and decryption keys, and to keep the user to partner and partner to user transmission contents fully encrypted. Eclipse fully supports SSL. A common use of SSL is securing internet website access sessions.

Virtual Private Network (VPN)
The internet is a highway that is open to all, and in particular, opens to snooping. Virtual Private Networks (VPN) uses SSL encryption to establish connections for all traffic between a remote host and a network. VPNs are typically used when remote workers connect to the office network. VPNs use secure channels to exchange data, the channel is encrypted between the remote computer and network to protect private information. However the files may not be encrypted and may be stored in the computer in the clear. Eclipse supports VPN, SSL, and allows end-to-end transfer of encrypted files, safe from problems due to illicit copy or laptop theft.

Wireless Networks
Wireless network protocols like WPA and WEP use encryption to secure communication between the router and computer. Both of these encryption algorithms are weak, allowing someone with a message analyzer, to break in and eavesdrop. Since WPA or WEP code is easily broken, it is best to use eCLIPSe to encrypt the files before transmission to the host. This use ensures that even if one can take copies of the data during wireless transmission, the data will appear as illegible characters.

File Storage Security
In transmitting or archiving encrypted files, one should have a method to keep track of the keys used to encrypt them. Lose the key and the file is lost. With eCLIPSe, a collection of keys is stored within a Smart USB Token, or, in other cases, in an eCLIPSe virtual token server in a host environment. For security purposes, the keys are not known to the users. In normal use, the user requests encryption and decryption and the software takes over, using the extracted keys from the token or from the virtual server.

While there is free compression software like WinZip that supports primitive password protection, a problem arises in the requirement to keep secret, the encryption keys used.

USB Tokens are actually computers on a chip. eCLIPSe is based on USB Tokens which store the 3DES keys. To access the keys, a logon (PIN) is required before the token contents can be fetched. The chip cannot be interrogated unless the logon code is known. Eclipse uses the “3 strikes and you are out” rule to lock up the USB token if the wrong Alphanumeric PIN (Alphanumeric Personal Identification Number) is used incorrectly 3 consecutive times. Individual files and folders can easily be encrypted using eCLIPSe.

Encrypted Hard drives
Encryption can be used to hide the contents within a computer. Entire hard drives can be encrypted using encryption software to ensure that no one can access the directory. Software like PGP and TrueCrypt are good for hard drive encryption. The disadvantage is that once the encryption key to access the hard drive is known, all the files in that drive are visible in the clear. eCLIPSe is recommended to be used to encrypt the files that are stored within an encrypted hard drive. There is also problems with creating links (shortcuts) in the encrypted partition that refers to non-encrypted directories.

Secure Socket Layer (SSL)
eCLIPse has a virtual server facility that uses and supports SSL, an encryption method used for secure Internet communication. SSL is used for shopping websites, online banking, and any other secure login or credit card processing websites. The use of SSL on websites ensures that the transferred information although capture-able, cannot be determined. eCLIPse communicates with the eCLIPse Virtual Server using SSL.

The eCLIPse API library
eCLIPse includes a full API library to manage encryption and encryption keys. Not only can the programmer implement encryption in his own applications, he can do so for sensitive database fields. Databases, known to be fully encrypted are known to be prone to security hacking to successfully bypass the built-in database security. eCLIPse provides the API so that confidential fields (credit cards, social security numbers, and other confidential data) can be fully protected. This permits simpler database setups, allowing for use of standard database backup and recovery utilities.

eCLIPse addresses problems that are of concern to laptop users, namely
a) the problem of maintaining data confidentiality if the laptop is stolen,
b) maintaining data confidentiality during transmission,
c) Ensuring that the data received on the target system is only visible to members in the same business group who share encryption/decryption keys,
d) other applications (database, etc.) may use eCLIPse and
e) eCLIPse use is very easy and semi-transparent for use by non computer expert “end users”.

Thanks to Alex Hankewicz contribution

Copyright 2009 itBMS - Business and Marketing Solutions Inc.