What is data privacy?
Let's say that ABC, Inc. creates a very important confidential memo intended for its largest client, Widget Enterprises. Because of this memo’s importance, ABC decides to send a backup copy of this memo to one of its servers in another city. However, ABC fails to properly secure the information contained within the memo before transmitting the backup copy across the Internet to its remote server. A hacker intercepts ABC’s confidential memo, and since the information within the memo has not been secured, he is able to read the memo and then distribute the document to whomever he chooses.

A critical aspect of backing up data is ensuring the privacy of the data being protected. Privacy means that only the individuals who are intended to have access to the information are able to access it. If ABC, Inc. had encrypted the data in the memo using a method such as Triple DES encryption prior to Internet transmission, the hacker would have been unable to gain access to ABC’s confidential business information.

What is Triple DES Encryption?
For over twenty years, DES has been subject to intense scrutiny, and there are NO known algorithmic flaws. CST Stockade uses Triple DES (3DES) utilizing a 168 bit key. How much more secure is Triple DES? Let’s put it this way: Triple DES is 256 times stronger than DES. So, that means if a computer could be built which was able to crack a DES key by brute force in 1 second, it would that same computer take two billion years to crack a Triple DES key in the same way.

How does CST Stockade utilize Triple DES encryption?
Upon installation of the CST Stockade backup client, the customer creates a password phrase which will be used to Triple DES encrypt the backups. This password is itself encrypted on the customer’s machine, and is available only to his backup client program. The password does not leave the customer’s machine, and is known only to the person who types it in. CST Stockade software automatically encrypts the customer’s initial backup, as well as each subsequent backup, using the Triple DES encryption method with the customer’s password. CST Stockade assembles the customer’s backups into secure archive files (.ESA files). When the CST Stockade customer has completed his or her initial backup, the CST Stockade software will automatically scan the client’s computer for new and changed information on a nightly basis. The scan recognizes new files as well as modified portions of files that have changed since the previous backup.

CST Stockade then assembles only the block level changes into a single ESA file which is then compressed to one or two percent of its original size. The ESA file is stamped with the time and date and then encrypted for security. This technology enables CST Stockade to reduce backup sizes and speed the transmission of the customer’s backup via the Internet.

Before the customer’s backup set is transmitted over the Internet, CST Stockade creates another level of security for our clients. The customer’s ESA file undergoes another layer of Triple DES encryption. Therefore during Internet transmission, CST Stockade customer backups are encrypted with two layers of Triple DES encryption. After the ESA file has been created and doubly encrypted, the CST Stockade software contacts the CST Stockade data centers and the customer’s backup is transmitted to the CST Stockade servers. When the customer’s backup set has been received at our data centers the outer layer of Triple DES encryption is removed, but the first layer of Triple DES encryption remains intact during the entire time the customer’s ESA files reside on our servers.

CST Stockade customers can quickly restore their own files with a few clicks of the mouse. CST Stockade technical support personnel are available on a 24/7/365 basis for needed assistance. When customer’s retrieve information their ESA file(s) will arrive on their machines in an encrypted format. The customer must type the password to restore the data.

Additional technical information about Triple DES
The DES algorithm (DES stands for Data Encryption Standard) is based on work by IBM and was published as a federal standard in 1977. It was designed to provide a means to protect the confidentiality of the government’s sensitive unclassified computer information. The original DES algorithm has been reviewed and reaffirmed on several occasions. The DES standard requires 16 rounds of operations to mix the data and key together to produce the ciphertext, and the same number of rounds to change the ciphertext back to plaintext. There have been statements that “DES running in only 6 or 8 rounds can be easily broken.” The standard calls for 16 rounds, and any implementation with other than 16 rounds is not DES. There has never been a successful challenge to the mathematical soundness of the algorithm.

Nonetheless, with the power and speed of present day computers, it is possible, by mounting a sophisticated and massive brute force attack on the key, usually with multiple computers, it is possible to completely explore the keyspace and discover the key. This is done by trying every possible key. With 256 keys (72,057,594,037,927,940) to explore it takes a while, but can be done. However, Triple DES (or TDEA -Triple Data Encryption Algorithm) utilizes three rounds of DES using 3 different keys to provide a keyspace of 2168 or 374,144,419,156,711,800,000,000,000,000,000,000,000,000,000,000,000 different possible keys. Even using thousands of very fast computers, exploring the keyspace is impractical. Therefore the Secretary of Commerce, through the National Institute of Standards, has issued the following directive (FIPS46-3):

“ This standard became effective July 1977. It was reaffirmed in 1983, 1988, 1993, and 1999. It applies to all Federal agencies, contractors of Federal agencies, or other organizations that process information (using a computer or telecommunications system) on behalf of the Federal Government to accomplish a Federal function. Each Federal agency or department may issue internal directives for the use of this standard by their operating units based on their data security requirement determinations.

With this modification of the FIPS 46-2 standard:

1. Triple DES (i.e., TDEA), as specified in ANSI X9.52 will be recognized as a FIPS approved algorithm.
2. Triple DES will be the FIPS approved symmetric encryption algorithm of choice.
3. Single DES (i.e., DES) will be permitted for legacy systems only. New procurements to support legacy systems should, where feasible, use Triple DES products running in the single DES configuration.
4. Government organizations with legacy DES systems are encouraged to transition to Triple DES based on a prudent strategy that matches the strength of the protective measures against the associated risk.”

The implementation used by CST Stockade is through the Bokler Software Corporation DLLs, which have been validated by the National Institute of Standards as conforming to the Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"), as specified in Federal Information Processing Standard Publication 46-3, Data Encryption Standard (DES), Certificate Number 12. CST Stockade use all three keys, providing a 168 bit encryption level.

© 2005, CST Stockade
Microsoft, MS Word, MS Excel, MS Outlook, Windows 95, 98, NT, 2000, & XP are registered trademarks of Microsoft Corporation.