|Evaluating Encryption Software|
How does one evaluate encryption software? Firstly it should be said that the evaluation is relative to one's needs. What is best for one person or organization may not be best for another. So the first step is to identify one's security needs by considering questions such as the following:
- Which information needs to be protected?
- How well does it need to be protected?
- Is encryption of the data better than other possibilities (such as keeping the information in a safe)?
- Who will maintain the encryption keys and be responsible for performing the encryption and decryption?
- Who might attempt to gain access to the information, and what level of cryptanalytic skills might they possess?
- What methods of encryption are available, how much do they cost and what are their merits?
- Should different methods of encryption be used for different kinds of information?
Assuming that a software encryption process is needed, how to decide among competing encryption software packages? The following questions need to be considered:
- Is the software compatible with the hardware and the operating system that it is to be used on?
- How easy is the system to install? Does it require some hardware device to be installed, and if so, must the machine be opened? Can the software be installed on a hard disk, or must it be run from a floppy disk?
- How easy to use is the software? How much training is required to use the software properly? Does it require a special level of technical expertise? Does the software provide any on-line help?
- What kind of encryption key is required? Does the software allow long keys? Does it allow any typeable and displayable character in keys? Does it allow keys consisting of apparently random bytes? Is there an option to echo the encryption key to the screen during input (or not)?
- Will the software encrypt all kinds of files, and all sizes? Is there a single procedure to encrypt all kinds of files? Does the software allow encryption of multiple files in a single operation?
- If the software allows encryption of multiple files, is there a limit to the number of files which can be encrypted or decrypted in a single operation?
- What encryption options does the software provide? Does it allow encryption or decryption without destroying the original data?
- Does the software compress the data as well as encrypt it?
- Is there a way to save an operation configuration so the configuration does not have to be set up anew each time it is used?
- Is there provision for purging sensitive data which has been encrypted but which may still exist on the hard disk in plaintext form? Does the software handle this automatically? Does the software leave the "deleted" plaintext lying around in sectors for forensic software to find?
- Does the software check for errors? Does it trap user errors?
- Does the software provide some protection against using a wrong encryption or decryption key by mistyping it?
- How much data will be encrypted and decrypted on a daily basis? Is the time the software takes to encrypt and decrypt this amount of data acceptable?
- Is the documentation clear and comprehensible, and does it provide answers to questions that arise?
- Does the software provide means for producing a permanent record of its operations, providing information about the files being encrypted or decrypted? Can this record be saved in a file?
- What if a power failure occurred during encryption or decryption? Would there be loss of data?
- Will the software crash if it tries to encrypt a file of zero length?
- Will the software encrypt itself? If so, could you find yourself with an encryption program which is useless because it is encrypted?
- Is it possible to accidentally encrypt files which are essential for the operation of your computer? Does the program possess any safeguard against this?
- How does the software react to the attempts of anti-virus software to detect and possibily prevent modification of files such as .exe and .doc files?
- Does the software encrypt files on floppy disk? Will it do so successfully if the floppy disk is nearly full?
- What level of security does the software provide? Is it strong enough to withstand the level of cryptanalytic attack that might reasonably be expected to occur? Do encrypted files exhibit any kind of pattern or structure which might assist cryptanalysis?
- Is the cost of the software commensurate with its ease-of-use, reliability, and speed, and with the level of security it provides?
- Is a site license available?
In the design and programming of the Cryptosystem ME6 software all of the above considerations have been taken into account, and all such questions are answered satisfactorily by this software.
|Cryptosystem ME6||Product Information|
|Cryptography||Hermetic Systems Home Page|