PGP INSIGHT

27 Sep, 2006
PGP Corporation recently commissioned a study that, among other things, measured common beliefs about encryption. I continue to be surprised by the myths and misconceptions that surround this subject. Because I'm assuming that most readers of my blog have an interest in both understanding and propagating the facts about encryption, I've summarized below some of the more common "urban myths" this research has uncovered. Most of you will recognize the following list as legacy problems associated with first-generation PKI systems.
- Encryption slows desktop hardware and software system performance.
- Encryption incurs system and network latency.
- If keys are lost, encrypted information is irretrievable.
- Encryption can actually make networks less secure by preventing content inspection utilities from filtering out viruses and network "bombs."
- Replacing certificates and keys can cost hundreds of dollars.
Now, I'm the first to admit that early PKI products had lots of problems, including those listed above. As an industry, however, encryption has come a long way in the last decade and solved nearly all these issues.
Taking these issues one at a time, let me shed some light on what is actually true about current-generation encryption solutions. The claim about encryption absorbing desktop computing resources may be technically accurate in some environments, but unless you're running a 10-year-old PC, it simply doesn't matter. Nearly 90% of most desktop CPU cycles are completely wasted. By using a small fraction of that wasted computing power to make communications and storage more secure, encryption users are clearly making a sensible tradeoff. Even users of full disk encryption, arguably a compute-intensive application, rarely notice any overall system latency.
A similar logic applies to the claim about network latency, but with even less impact. Current-generation encryption products tend to actually diminish network latency because they compress messages (and attachments) prior to encrypting them. Besides making the overall message smaller, this compression step also makes the messages more secure.
The third claim above might be true in a badly designed encryption system. It is absolutely not the case with PGP® products. This is, in fact, the reason we developed the option for our customers to deploy the PGP® Additional Decryption Key (ADK) technology. In those cases in which the ADK technology is deployed, enterprises can ensure access to encrypted data (according to policy) regardless of what happens to the primary encryption keys and do so while protecting the security and integrity of the system.
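To make the ADK idea concrete, here is an added illustration (not PGP's code and not its actual message format or cipher) of the structure that lets a message survive the loss of a recipient's key: the body is compressed and then encrypted under a random session key, and that session key is wrapped once for each recipient and once more for the additional decryption key. The "keys" here are constructed symmetric keys standing in for the public keys PGP would use, and the cipher is an HMAC-SHA256 counter keystream chosen only to keep the example dependency-free.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed example: a toy hybrid "message packet" that mirrors the structure
# behind an Additional Decryption Key. The body is compressed, then encrypted
# under a random session key; the session key is wrapped once per recipient key
# and once under the ADK, so losing the recipient's key does not lose the data.
# The HMAC-based keystream is NOT PGP's cipher and provides no authentication.

SESSION_KEY_LEN = 32
NONCE_LEN = 16
CHECK_LEN = 8  # short check value so a wrong key is detected, not decrypted into garbage


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap_key(session_key: bytes, wrapping_key: bytes, nonce: bytes) -> bytes:
    """Wrap the session key under a recipient (or ADK) key and append a check value."""
    wrapped = _xor(session_key, _keystream(wrapping_key, b"wrap" + nonce, SESSION_KEY_LEN))
    check = hmac.new(session_key, b"check" + nonce, hashlib.sha256).digest()[:CHECK_LEN]
    return wrapped + check


def _unwrap_key(blob: bytes, wrapping_key: bytes, nonce: bytes):
    """Return the session key if wrapping_key fits this blob, else None."""
    wrapped, check = blob[:SESSION_KEY_LEN], blob[SESSION_KEY_LEN:]
    session_key = _xor(wrapped, _keystream(wrapping_key, b"wrap" + nonce, SESSION_KEY_LEN))
    expected = hmac.new(session_key, b"check" + nonce, hashlib.sha256).digest()[:CHECK_LEN]
    return session_key if hmac.compare_digest(check, expected) else None


def encrypt_message(plaintext: bytes, recipient_keys: dict, adk_key: bytes) -> dict:
    """Compress, then encrypt under a fresh session key; wrap that key for every
    recipient and for the ADK."""
    session_key = secrets.token_bytes(SESSION_KEY_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    compressed = zlib.compress(plaintext)  # compression happens before encryption
    body = _xor(compressed, _keystream(session_key, b"body" + nonce, len(compressed)))
    wrapped = {name: _wrap_key(session_key, key, nonce) for name, key in recipient_keys.items()}
    wrapped["ADK"] = _wrap_key(session_key, adk_key, nonce)
    return {"nonce": nonce, "wrapped_keys": wrapped, "body": body}


def decrypt_message(packet: dict, key: bytes):
    """Try the supplied key against every wrapped copy of the session key.
    Any copy it unwraps (recipient or ADK) recovers the message; None otherwise."""
    nonce = packet["nonce"]
    for blob in packet["wrapped_keys"].values():
        session_key = _unwrap_key(blob, key, nonce)
        if session_key is not None:
            body = packet["body"]
            return zlib.decompress(_xor(body, _keystream(session_key, b"body" + nonce, len(body))))
    return None


def demo() -> dict:
    """Constructed keys and message: the recipient decrypts, the ADK holder
    decrypts even if the recipient's key is gone, an unrelated key is rejected."""
    alice_key = secrets.token_bytes(32)
    adk_key = secrets.token_bytes(32)
    unrelated_key = secrets.token_bytes(32)
    plaintext = b"quarterly numbers, for internal distribution only\n" * 20
    packet = encrypt_message(plaintext, {"alice": alice_key}, adk_key)
    return {
        "plaintext": plaintext,
        "recipient": decrypt_message(packet, alice_key),
        "adk": decrypt_message(packet, adk_key),
        "wrong_key": decrypt_message(packet, unrelated_key),
        "compressed_body_smaller": len(packet["body"]) < len(plaintext),
    }


if __name__ == "__main__":
    r = demo()
    print("recipient decrypts:", r["recipient"] == r["plaintext"])
    print("ADK recovers without recipient key:", r["adk"] == r["plaintext"])
    print("unrelated key rejected:", r["wrong_key"] is None)
```

The point the toy makes is architectural: recovery comes from a second wrapped copy of the session key that only the ADK holder can open, so "policy" in the paragraph above reduces to who holds that one key and how its use is logged; the data itself is never stored in the clear.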
Item number four is one of the more outrageous claims I see periodically. What's more disturbing is that it's currently being propagated by people who should know better. To our knowledge, there is not a single documented instance of a virus or other malware being distributed in an encrypted message. The miscreants who distribute this type of code aim their creations at the most common computer configurations and the least sophisticated users because they are the most vulnerable. They assume, rightly, that anyone who has encryption software capable of decrypting an infected message also probably has an effective anti-virus utility deployed with updated filters. It's just not a percentage play for the virus or "bomb" perpetrator. If you know of an actual instance in which encryption has been used in this way, please let me know.
The final claim above about the cost of certs and keys is potentially accurate, but again only in a system that's either severely out of date or badly designed. This assertion is very much a legacy from the bad old days of PKI when vendors "thought" they could charge for a bag of bits. This concept and most of the businesses based on it died the deaths they deserved years ago. PGP® solutions (and almost all other current-generation encryption products) use more effective means to create and manage keys.
Because of its historical roots and uses, encryption will likely always be subject to misinformation and conspiracy theories such as those above. It's incumbent upon those of us who work with encryption daily to help dispel the myths that prevent users and IT professionals from utilizing this key security tool.
- Phil