Analysis
If the data it generates is not random in appearance, it may be possible to develop a method that exploits the non-random patterns to greatly reduce the time it would take to 'crack' the cipher. This kind of exploitation has already been demonstrated in several instances.

One particular method that can be used to reveal weakness is a statistical analysis of the results of the encryption. This can be done with or without the original data. A statistical breakdown of byte patterns, such as the number of times any particular value appears in the encrypted output, would quickly reveal whether any potential patterns might exist. A similar 'byte A follows B' analysis could reveal the same kinds of weaknesses. This sort of analysis could even be done with a spreadsheet application, where a high standard deviation would indicate poor entropy. Ideally, the algorithm would have entropy similar to that of a truly random sequence.

Another method involves 'predictability'. If you know that a particular sequence of data results in a particular pattern in the encryption stream, you can use these patterns to partially decrypt the content. Once a partial decrypt has been performed, knowledge of the algorithm may be enough to help you generate the key that created the cipher stream. This technique was used by the Bletchley Park team to help crack 'Enigma' back in World War 2. Commonly used phrases like 'Heil Hitler' were used in their analysis, which in many ways is ironic. They used paper cards to create what they called 'cribs' to help visually locate these patterns within the encrypted data. It got to the point where they could read the encrypted information in 'real time', sometimes before the recipient got his copy of the unencrypted message.

Enterprises are using encryption in more places than ever, but they are not properly securing the keys or using consistent products, a recent report found.
Despite using encryption, poor key management and lack of control over the technologies being used can cost the organization an average of $124,965 a year, according to the 2011 Enterprise Encryption Trends Survey report released by Symantec on Nov. 30. The costs of improper key management and fragmented encryption deployments result in the organization not being able to meet compliance requests, said 48 percent of the respondents in the survey. Others named the inability to respond to e-Discovery requests and to access important business information.

About 52 percent of the respondents said they have had serious key management problems, with about a third claiming that keys were lost or misplaced and another third citing key failure. A little over a quarter, or 26 percent of the participants, said former employees refused to hand over keys when they left the company, according to the survey. About 40 percent of the enterprises in the survey were less than somewhat confident they would be able to retrieve keys, and 39 percent were less than somewhat confident they would be able to protect data from disgruntled employees, the survey found.

It has become fairly easy to get encryption software online, and users are becoming more aware of encryption. Malicious insiders may encrypt some files to hide their activities. There may also be a "shadow IT" situation in place where the business has to comply with regulations because of a partner company. For example, regulations may require an insurance company to encrypt certain types of data. The insurance company may in turn require partners that handle payments or other business functions to have a system in place to decrypt and encrypt transaction data. With that system from the insurance company in place, an employee at the third-party provider may be encrypting other types of data used internally without IT's knowledge.
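
The byte-frequency and 'byte A follows B' checks described in the Analysis section, as an added example that is not part of the original page. The two sample ciphers, their keys, the plaintext, and the chi-square limit of 400 are constructed assumptions for the demonstration.

```python
import hashlib
import math
from collections import Counter
from statistics import pstdev

def byte_stats(data: bytes) -> dict:
    """Single-byte frequency statistics for a ciphertext sample."""
    counts = Counter(data)
    freq = [counts.get(b, 0) for b in range(256)]
    expected = len(data) / 256
    chi2 = sum((c - expected) ** 2 / expected for c in freq)
    entropy = -sum(c / len(data) * math.log2(c / len(data)) for c in freq if c)
    return {"stddev": pstdev(freq), "chi2": chi2, "entropy_bits": entropy}

def distinct_digrams(data: bytes) -> int:
    """'Byte A follows B' check: how many of the 65536 possible pairs occur."""
    return len(set(zip(data, data[1:])))

def looks_random(data: bytes, chi2_limit: float = 400.0) -> bool:
    # Chi-square over 256 bins has mean 255 and std dev about 22.6 for uniform
    # data; 400 is a deliberately loose limit (assumption for this example).
    return byte_stats(data)["chi2"] < chi2_limit

# --- constructed sample inputs (not from the original page) ---
SIZE = 65536
PLAIN = (b"The quarterly report is attached for review. " * 2000)[:SIZE]

def weak_xor(plain: bytes, key: bytes = b"\x5a\xc3\x17\x88") -> bytes:
    """Deliberately weak cipher: repeating 4-byte XOR key."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plain))

def hash_stream(plain: bytes, key: bytes = b"constructed demo key") -> bytes:
    """Reference output: XOR with a SHA-256 counter keystream (demo only)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(plain) // 32 + 1))
    return bytes(p ^ s for p, s in zip(plain, stream))

if __name__ == "__main__":
    for name, ct in (("weak_xor", weak_xor(PLAIN)),
                     ("hash_stream", hash_stream(PLAIN))):
        s = byte_stats(ct)
        print(f"{name:12} stddev={s['stddev']:8.1f} chi2={s['chi2']:12.1f} "
              f"entropy={s['entropy_bits']:.3f} digrams={distinct_digrams(ct)} "
              f"random-looking={looks_random(ct)}")
```

The weak cipher shows a count standard deviation many times that of the reference stream and only a handful of distinct byte pairs, which is the pattern the spreadsheet-style analysis above is meant to expose.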