
Review full report @
http://msofficemag.net/productreviews/2002/03/vba200203mr_p/vba200203mr_p.asp
Hands On
AspEncrypt | Energy Encryption | Morello Strongbox | Xceed Encryption
Component-based Encryption
Secure Communications Is Essential in an E-business World
By Mike Riley
The world of software development in a highly distributed and unpredictable
computing environment, such as the Internet, has brought new challenges and has
worsened old problems. Data integrity and security have taken on a heightened
role in today's e-business environments. When desktop computers were discrete,
separate entities, security took a back seat to enhancing GUIs and simplifying
the user experience. Thanks to the Internet, PCs are no longer islands unto
themselves. They are digital citizens co-existing in a capricious and sometimes
hostile environment.
As a result, the requirements for secure, validated transactions providing
the framework to conduct business electronically have increased,
and companies providing secure software solutions have risen to the challenge.
The purpose of these technologies is to ensure the safe, authenticated, digital
communication of private information. This means parties who have not been
granted permission to participate in the conversation cannot decode the
information, even if they are capable of intercepting the contents of the
message. They also help enforce non-repudiation, which is especially important
when conducting financial transactions electronically. Non-repudiation not only
ensures the authenticity of the parties but also prevents the modification of
any data to which the parties agreed during the transaction process. Digital
signatures also help ensure non-repudiation: if a document is altered
without being signed again, the signature no longer verifies, which indicates
that someone has tampered with it.
Drag-n-drop Encryption
Security is not an easy computing concept to learn. Perhaps that's why it is
often the last critical consideration in the design of new systems and
specifications. However, in today's digitally connected world, security must be
as high a priority as user-interface design. Microsoft Office developers who
have been spoiled with simple drag-and-drop visual controls might find the
implementation of code-intensive cryptographic algorithms daunting. To make life
easier for developers who don't have a Ph.D. in mathematics and computer
security, several component companies have wrapped their cryptographic expertise
into accessible components. Those components apply sophisticated algorithms to
data via simple method calls. As is the case with GUI controls, these
cryptographic controls encapsulate the magic into drag-and-drop components that
you can add to forms to enable advanced cryptographic protection in any
ActiveX-aware application.
The most popular encryption schemes in use on the Internet today are based on
public-key encryption. Transport Layer Security, formerly known as Secure Sockets
Layer (SSL), is the most obvious. There also are the now-antiquated Data
Encryption Standard (DES) and Triple DES. DES is the albatross of the
cryptography world because of its weak encryption strength and the possibility
that powerful computers could break it in a matter of hours. As a result, the
U.S. government recently replaced DES with the Advanced Encryption Standard (AES),
a powerful cryptographic system two Belgian scientists developed by employing
the Rijndael algorithm. Rijndael can generate random key numbers using 128-,
192-, or 256-bit key sizes. To give some perspective on how many numeric
combinations these key sizes can generate,
a 128-bit key size can create 340 undecillion (that's 340 followed by
36 zeros) different combinations. A 256-bit key size can create 110 quattuorvigintillion
(that's 110 followed by 75 zeros) different combinations. The computers capable
of cracking DES in a few hours would need more than 149 trillion years to crack
a 128-bit AES key, according to the National Institute of Standards and
Technology. That's a strong encryption design.
Obviously, the best encryption algorithms are those that cannot be broken. A
person might think that keeping an encryption scheme private and proprietary
will protect the cryptographic code from being hacked, but that's simply not the
case. Experience has shown that proprietary solutions often are the weakest and
most vulnerable because they have not been subject to intense peer review. It
was through peer review that substantial security holes were found in Pretty
Good Privacy and other open standards. Expert cryptographers recommend avoiding
cryptographic algorithms unless they have been published and have then
withstood years of attack.
For more information on cryptography, read the well-written book Cryptography
Decrypted by H. X. Mel and Doris Baker.
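Why an unpublished scheme deserves caution, as an added example that is not from the article or from any vendor reviewed here: a constructed home-made cipher (hypothetical toy_encrypt) produces scrambled-looking output, yet one predictable file header reveals its whole key once the design is known. The key, the message and the assumption that the key length is known are all constructed for illustration.

```python
from itertools import cycle

# Constructed sample data for this illustration only.
SAMPLE_KEY = b"s3cr3tK!"
SAMPLE_MESSAGE = b'<?xml version="1.0"?><order total="149.00"/>'

def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Hypothetical home-grown scheme: add the byte position, then XOR
    with a repeating key. Its 'strength' rests on nobody knowing the steps."""
    return bytes(((p + i) % 256) ^ k
                 for i, (p, k) in enumerate(zip(plaintext, cycle(key))))

def toy_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse of toy_encrypt: undo the XOR, then subtract the position."""
    return bytes(((c ^ k) - i) % 256
                 for i, (c, k) in enumerate(zip(ciphertext, cycle(key))))

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """What peer review would report: with the design known, any predictable
    plaintext prefix of key_len bytes yields the key by simple arithmetic."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(((known_prefix[i] + i) % 256) ^ ciphertext[i]
                 for i in range(key_len))

def demo():
    """Encrypt the sample, then recover key and message from the header alone."""
    ciphertext = toy_encrypt(SAMPLE_MESSAGE, SAMPLE_KEY)
    # Many file formats begin with fixed bytes; an XML header is assumed here.
    guessed_key = recover_key(ciphertext, b"<?xml ve", len(SAMPLE_KEY))
    return guessed_key, toy_decrypt(ciphertext, guessed_key)

if __name__ == "__main__":
    key, message = demo()
    print("recovered key:", key)
    print("recovered message:", message)
```

A published algorithm such as Rijndael has been examined for exactly this kind of shortcut; a vendor's unpublished scheme has not, which is the reason to prefer the reviewed algorithms a component offers.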
As is always the case with comparative technologies, the constructs of an
excellent encryption component depend on the problem you have and the amount of
money you're willing to spend. Generally, though, there are a few winning
guidelines.
First, the component should be as flexible as possible, so it can polymorph
and solve any unforeseen problems that may arise during development. Component
flexibility is most often equated with the number of publicly exposed
properties, methods, and events. Obviously, the higher the number of properties,
methods, and events, the better the product's documentation should be.
Components offering a broad selection of exposed interfaces often walk a fine
line between flexibility and undue complexity. Therefore, ease of use in these
scenarios is essential.
Second, it should support as many modern encryption algorithms as possible,
so it can interact with the most popular encryption technologies available
today. You may not always be able to predict which encryption algorithms the
company at the other end of the communications loop supports. Also, support for
cutting-edge algorithms earns bonus points in more progressive development
environments.
Finally, price is certainly a contributing factor in determining the value of
the component. As a general rule, the more flexibility, the more algorithms
supported, and the more reasonable the cost, the better I feel about a
component.
I selected four companies (a mixture of nascent and established firms) and
reviewed their products (with quality ranging from barely adequate to
outstanding). Depending on the type of project and the data being encrypted,
each component had its strengths and weaknesses. See FIGURE 4 toward the end of
the article for a summary of my comparison.
Energy Encryption
Energy Programming, a Web hosting and consulting company in the United
Kingdom, may still be in start-up mode because the company's Web site advertises
news services to follow shortly. The company's product is the Energy Encryption
component (see FIGURE 2).
Energy Encryption is fine for client-application development and, at $175, is
the least expensive of the components reviewed. It also offers the greatest variety
of encryption technologies, including three proprietary schemes authored by
Energy Programming: Bitwise, Simple, and Strong. Unfortunately, as is the
case for most proprietary code, the vendor didn't publish the algorithms for
these schemes with the product, so use them with caution.

FIGURE 2: The Energy Encryption component's sample application.
The control was authored with Microsoft Visual Basic and, as such, requires
the VB run-time libraries to execute. Given the limitations of VB-authored
components, the scalability of this component is questionable. Scalability is
critical in high-volume operations, especially because some encrypt and decrypt
transactions can chew up processor cycles rapidly because of the encryption
algorithm's intense computational activity. On a positive note, Energy
Encryption was the easiest to learn of the products I reviewed because it had
the fewest exposed properties and methods. Its use is straightforward: assign
the string or file to be encrypted or decrypted, set the type of encryption
to apply, and execute the transform. Assuming no additional flexibility is
required, this approach may suit the needs of developers seeking a component
that's easy to use. Of course, the simplicity is a double-edged sword. If
micromanipulation of cryptographic hashes and events is required, Energy
Encryption may be too generic for your development needs.
Component of Choice
Energy Encryption provides a greater number of encryption technologies, but
the use of VB to construct the component, combined with the employment of
unpublished proprietary algorithms, calls this offering into question. The
component wins points for being the least expensive of the four I compared, but
its small number of exposed properties and methods may make it too basic for all
but the most rudimentary of applications requiring cryptographic hashes. Of
course, if the budget for an encryption component is tight, and scalability is
not a substantial requirement, Energy Encryption should serve developers' needs.
| Product | Encryption Technologies | Exposed Methods | Exposed Properties |
| AspEncrypt | DES, 3DES, MD4, MD5, RC2, RC4, RSA Digital Signatures, SHA, X.509, PKCS#7 Certificates. | 66 | 38 |
| Energy Encryption | Blowfish, CryptoAPI, DES, Gost, RC4, SkipJack, TEA and Twofish, and proprietary Bitwise, Simple and Strong types. | 4 | 2 |
| Morello Strongbox | Blowfish, DES | 4 | 3 |
| Xceed Encryption | HAVAL, Rijndael, RSAES-OAEP, SHA-2, Twofish | 32 | 35 |
FIGURE 4: The various components differ significantly in the capabilities
offered.
Cryptography is becoming just as important as accounting for program
accessibility and internationalization in today's global e-business environment.
Using any of these components will go a long way toward helping to protect
electronically transferable digital assets. As the world of distributed
computing continues to evolve into a more complex environment, the algorithms
responsible for securing data will become more complicated as well. That's why
encryption components such as the ones I recommended in this review will be
useful additions to a programmer's toolbox for some time.
Just the Facts: Encryption components enable secure communications for
e-business needs.
| Product | Publisher | Single User License Cost | Strongest Feature | Weakest or Missing Feature | Rating |
| AspEncrypt v. 2.1.0.1 | Persits Software, Inc. | $249.00 | Provides encrypted or digitally signed mail (requires included AspMail component) and Server SSL Certificate Authority capability. | Only one Visual Basic example. | 4 |
| Energy Encryption v. 4.01 | Energy Programming Ltd., Aynsley House, Croft Road, Upwell, Wisbech, Cambridgeshire, PE14 9HQ, United Kingdom; US Phone: (973) 774-3600; http://www.energy-programming.com | $175.00 | Relatively inexpensive and simple component to use. | No ASP examples, component created with Visual Basic 6. | 3 |
| Morello Strongbox v. 1.0 | Morello Publishing Ltd. | $299.00 | Visual Basic 6, Visual C++ 6, and Delphi samples provided. | Supports only two encryption techniques. | 1 |
| Xceed Encryption v. 1.0 | Xceed Software, Inc. | $299.95 | A single, self-contained component requiring no additional DLLs or run-time libraries. | No ASP examples. | 4 |
Mike Riley is a chief scientist with RR Donnelley, one of North America's
largest printers. He participates in the company's emerging technology
strategies using a wide variety of distributed network technologies, including
Delphi 6. Readers may reach him at mike_riley_@hotmail.com.