background image
Tech Note #35: How Encryption and Digital Signatures Work
1999 Bionic Buffalo Corporation; All Rights Reserved.
                  19 May 1999
7 of 10
The amount of security needed may also be determined by how long a message must
remain secret. For example, a military battle plan might have no value after a certain
period of time, or a financial transaction request might have no significance after the
transaction has been completed. For these purposes, less security is required than for
long-term needs, since an attacker would be required to break the code in a limited
period of time and a weaker system might be sufficient.
Computational Effort
The effort required to encrypt or decrypt messages can be considerable. In many cases,
this is an important consideration. Some systems are more efficient or computationally
economical than others.
Many cryptosystems are only marginally different from others, and in such cases the
computational effort may be the deciding factor in choosing one system over the others.
Public key systems have a significant advantage over symmetric key systems: keys can
be exchanged without prior security. Strangers can freely exchange encryption keys,
since they are public and need not be kept secret. When using symmetric keys, on the
other hand, any exchange must be done secretly, since someone overhearing or
intercepting the exchange will be able to decrypt subsequent traffic.
Sometimes, available software already uses certain methods, so it may be more
convenient to use one of these methods.
Implementation Quality
Even when an algorithm is secure, a flawed implementation may render it unsafe. The
worst part is that the user may have a false sense of security, which encourages him to
take unwarranted risks in using the system.
The size or reputation of the vendor is no guarantee that the algorithm will be
implemented correctly. Microsoft, for example, has released erroneous implementations
of encryption algorithms.
As with the security of the algorithm itself, the strongest indication that the
implementation is trustworthy is the availability of the source code. If the source code
has been released, then public scrutiny will presumably find errors that might exist in
the code.