ENCRYPTION SPEED AND PERFORMANCE
When you’re using encryption, every byte you read or write has to go through a complex mathematical process. This takes time, so encrypted files ordinarily open and save more slowly than regular ones.
This isn’t always the case. Recent Intel chips – including most Core i5 and i7 models launched since the start of 2010 – feature new extensions (known as AES-NI) that can perform encryption and decryption at very high speeds. Running TrueCrypt on a Core i7-2600 processor, we’ve found using AES encryption is no slower than reading and writing unencrypted data.
Encryption can also be built into external hard disks and flash drives. In such cases, you’ll probably need to use the manufacturer’s own software to offload the encryption process to the drive controller. Again, this gives transfer speeds comparable to what you’d see with unencrypted data.
If you don’t have dedicated hardware support, though, encryption can have a tangible effect on the speed of disk accesses, especially with a low-powered CPU. To illustrate this, we used an Asus Eee PC, with an Atom N270 processor, to run our large-file copy tests on a TrueCrypt encrypted container file hosted on the local hard disk.
As the graph shows, applying AES encryption to the files as they were read or written slashed performance by two-thirds or more – and using a cascade of three encryption algorithms halved that again. That’s something to bear in mind if you’re considering encrypting your entire system: if you want the best performance, encrypt only the minimum of data that needs protecting.
The encryption algorithms used by TrueCrypt are what’s known as symmetric-key algorithms, which means they use the same key to encrypt and decrypt your data. This is convenient for personal storage, but it isn’t ideal for ad hoc transactions such as online shopping. In order to communicate with an online merchant using AES, you’d need to find a secure way of agreeing on a password in advance.
The answer is a different approach – one that uses two keys, known as the private key and the public key (hence the name “public-key encryption”). These keys are both long strings of random-looking data, which can be generated by your encryption software or by a third-party certification authority. They’re connected by an ingenious mathematical relationship, which means that anybody can use your public key to encrypt a message, but it can only be decrypted with your private key. This makes it easy for anyone to share information with you securely without pre-arranging a password.
Public-key cryptography can also be used to prove that a message or file comes from a trusted source. For this application the public and private keys swap roles: the encryption key, which would ordinarily be the public one, must be kept private, and the decryption key is made public. Anyone who can decrypt your messages using your decryption key can be certain that the message or file was sent from someone in possession of the encryption key.
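The two key roles described above, as an added example that is not part of the original article: textbook RSA in Python, with a small constructed key and no padding so the arithmetic stays visible. The function names and the fixed primes are assumptions made for this illustration; real software uses far larger keys and padded schemes.

```python
"""Textbook RSA: encrypt with the public key, sign with the private key."""
import hashlib
from math import gcd

# Constructed key material: two known Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the public key can do this."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the private-key holder can reverse encrypt()."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    # Hash the message and reduce it so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Roles swapped: the private exponent produces the signature."""
    d, n = private_key
    return pow(_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone can check the signature using the public key alone."""
    e, n = public_key
    return pow(signature, e, n) == _digest(message, n)
```

Changing even one byte of a signed message makes `verify` return `False`, which is the property a signed email relies on.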
ENCRYPTING YOUR EMAIL
Microsoft Outlook 2007 and 2010 have built-in support for public-key encryption, so if you’re already using Office it’s simple to exchange secure email with other Outlook users. Configuring the feature takes a few steps, but after the initial setup the process is effortless.
First, you’ll need what Microsoft calls a “Digital ID” – a pair of encryption keys, combined with a certificate from a trusted certifying authority, such as VeriSign or IntelliSafe. This certificate confirms that an encrypted message came from a particular person, adding extra security.
Most certifying authorities will charge you for a Digital ID, but you can get a free certificate for personal use from security vendor Comodo. Sign up at http://tinyurl.com/36qsxvm – we suggest you visit in Internet Explorer; rather annoyingly, we’ve found other browsers can’t always handle the process.
Once you’re at the site, click the Free Download button, then fill in your name and email address, along with a password for revoking your certificate should it become compromised (such as if your PC is stolen). Your certificate will be tied to the email address you provide here, so make sure you enter the right one. A minute or two later, you’ll receive an email from Comodo containing a link that you can follow (again, in Internet Explorer) to install your new certificate in Windows.
Once your certificate is installed, it may look like nothing’s changed. The next time you create an email in Outlook, however, you should see two new buttons under the Options tab: Encrypt and Sign. If you click on Encrypt, Outlook will send your email in an encrypted format that can only be read by the intended recipient.
At least, it will try: the first time you try sending an encrypted email, you may see a warning that your message can’t be encrypted. Because of the way public-key encryption works, you can send encrypted email only to recipients whose public keys are known to Outlook – and, likewise, your colleagues can send you encrypted mail only once they have your key. You can give it to them by simply selecting Sign on an outgoing message: their copy of Outlook will automatically store your key. Similarly, once someone else has sent you a signed message, you’ll be able to encrypt your emails to them. Encrypted messages are shown with a blue padlock, while signed messages have a small red rosette.
Although encrypted messages are illegible to anyone spying on your mail server or your network traffic, you should note that they’re automatically decrypted as they arrive in your inbox, so they’re readable by anyone with access to your computer. If that’s a concern, you may wish to consider additional security measures, such as encrypting the system disk (see above).
If you want Outlook to encrypt and sign your messages by default, you’ll find the option hidden away in the Office Trust Center. Click on the File tab (or the Orb in Outlook 2007), then Options | Trust Center | Trust Center Settings | E-mail Security. In the window that appears, tick the two top tickboxes to turn on encryption and digital signing by default. If you have more advanced needs, you can configure additional settings, and save multiple encryption profiles, by clicking Settings.
If you’re using a different mail client, you can usually add public-key encryption capabilities with a plugin. The open-source GPG tool – short for GNU Privacy Guard – can be added to clients including Thunderbird and Eudora. Alternatively, switch to a client that has public-key encryption built in, such as Claws Mail or Evolution. You’ll find more information about GPG at www.gnupg.org.