BEST PRACTICES: Encryption Keys & Tools

From the 2008 Tax Season Survival Guide

Every day, we transmit private information across public networks or store
it in secure databases. Business communication that was previously done in person
or in written form with signatures for identification is now conducted using
the Internet and e-mail to transmit confidential information from one party
to the next.

The difficulty encountered is the inability to trust the secure transmission
or storage of the information. How do we know that something we send will only
be read by the person whom we intended to read it? How do we know that our message
has not been intercepted and changed? How do I know that information I receive
is unaltered during its transmission from the sender to me?

Encryption is a methodology to provide confidentiality and authentication.
Also known as cryptography, these technologies use cipher-coded text to transform
information into code that cannot be decoded without a special key. Encryption
uses an algorithm and a key to alter the plain text into coded or encrypted
text. Subsequently, a key is used to decode or decrypt the coded message. In
some cases, the data is encrypted and decrypted multiple times using different
keys, such as the Triple Data Encryption Standard (TDES) keys used in ATMs.

Much like a password, the longer the key, the more difficult it is for someone
to “guess” the key. Key lengths are described by their bit length,
typically 56, 64 or 128 bits. Access and control over those keys is critical
to maintaining the confidentiality of the information. If the key is not well
protected, the encryption methodology is weakened. Key generation, distribution,
storage, destruction and management must be conducted in a secure manner to protect
the integrity of the key.

Key algorithms can be either private key (symmetric) or public key (asymmetric).
Each has its own purpose. In private key algorithms, the same key is used to
encrypt and decrypt the information. Therefore, to keep private keys private,
the keys must be unique between the sender and the recipient. The key could
not be reused between two different people because its security would be compromised
(someone else would know the key). Instead, the key would have to be provided
from the sender to the recipient in some manner that would not subject it to
interception. Hence, you couldn’t transmit the key to the recipient via
the Internet because someone else might intercept the key; the encryption would
then be useless because of the possibility that someone other than the intended
recipient would have the key and be able to access the information.

The key would have to be given to the recipient in a way you could authenticate
that only that person was receiving the key, such as personally giving them
the key. If you have to personally give them the key, you could just as easily
personally give them the information, and the need for the encryption would
be eliminated. However, symmetric keys are sometimes used when the exchange
of the key is going to be very quick and temporary in nature. Data Encryption
Standard (DES) keys are a common form of symmetric keys.

On the other hand, public key encryption uses two different or asymmetric
keys. One key encrypts the information, and the other (asymmetric) key is used
to decrypt the information. The two keys are mathematically created together.
One of the keys — the public key — may be disclosed to anyone because
it cannot be used to decrypt the information. Only the private key can be used
to decrypt the information. The private key must be kept secure by the sender.
For example, I want to receive private information from my colleague,
Ben. I send Ben my public key. Ben encrypts the information using my public
key and sends it to me. I then use my private key, which no one knows except
me, to decrypt the private information.

Encryption is used in many different ways in business. The chart below shows
some examples, including passwords, e-mail, e-commerce and more. The use of
encryption can also impact financial statement audits. Management assertions,
such as existence or occurrence, completeness, accuracy, rights and obligations,
and even valuation, can be enhanced by the use of encryption by the client.
Using encryption can prevent unauthorized access to systems or data, and prevent
data alteration and manipulation (although not deletion). Encryption is also
valuable for meeting regulatory requirements for ensuring confidentiality and
privacy. For example, the Gramm-Leach-Bliley Act of 1999 requires some specific
industries to provide their customers with privacy protection that includes
the use of encryption methodologies.

Numerous products and resources are available to provide encryption technology.
Certificate Authorities (CAs), such as Verisign, are trusted entities that provide
public key management for users. Popular products are available for key management,
such as Pretty Good Privacy (PGP). Before choosing a product or vendor, be sure
to assess their key management process and reputation. The key is only as strong
as the management and security of the key itself.

Understanding the basic concepts of encryption will enable you to appreciate
the value of encryption and give you the tools to evaluate the need for encryption
and the use of encryption by your clients.


Catherine Bruder is a Director with Doeren Mayhew in Troy, Mich. She is a
former member of the AICPA’s Information Technology Executive Committee.
Contact Catherine at