Study Guide

What is Encryption?

Encryption, in the context of software, is process by which data in a computer can be encoded in such a way that no one can determine its original value, save for the original owner of the data and whoever he or she sees fit. In this manner, private or sensitive data can be protected without having to physically deny access to the medium that holds the data (e.g. a server).

In general, encryption consists of three items: the original data, the encryption algorithm known as the cypher, and the "solution" to that algorithm called the key.[1] The cypher uses instructions provided by the key to perform an operation on the data, giving it a new value that does not yield any useful information about the original state of the data. At first glance, the new data may appear to simply be gibberish or random noise. In this state, the data is said to be encrypted. To decrypt the data, one simply has to plug the key back into the cypher and run the operations in reverse.

It is not impossible to perform the decryption without the key, but if the key is of sufficient complexity or length, even a brute-force approach may require an impractical amount of time. It is for this reason that most clients can be certain that their data will not be compromised. It is also for this reason that clients need to take care that their key is only provided to people that they want to share the data with.

In terms of software, key complexity or length refers to how long the binary string representation of that key is. This length is measured in individual 1's and 0's, known as bits. Since there are only two possible values for a single bit, adding just one more bit to the key gives it twice as many possible combinations. A key that is 2 bits long, for example, has 4 possible values it can be, while a 3-bit key has 8 possible values. In the US, keys are typically 128 bits long, if not longer. This results in roughly 3.5x10³⁸ combinations, meaning that the likelihood of correctly guessing the key is astronomically small.

Examples of Encryption Software

• PGP-Originally used only to encrypt email messages and attachments, but has since diversified into several applications, including disk encryption for laptops and IM sessions. It is built upon public-key encryption technology.
• Skype - Provides telephone services over the internet. Uses several different encryption methods, including RSA. The encryption cannot be disabled by the user, and is managed automatically.
• GnuPG - Another free data and communications encryption program that typically comes packaged with open source software such as Linux OS's. It uses some public-key techniques, but for the most part uses unpatented encryption methods.

Issues With Encryption

Problems

While encryption is very secure if managed properly, it is not fool-proof. It also comes with some of its own inherent disadvantages. There are many factors that you should consider before deciding to use encryption to protect your data:

• Protecting the key - If an unauthorized person manages to acquire your key, that person can access your data at will, without your knowledge. It does not even necessarily have to be your key; if you share your key with other trusted persons, they can also a copy of the key to escape, accidentally or not. Programs that use public-key encryption have largely eliminated this problem, however.
• Using sufficient key strength - If a key is not large enough, the worst-case time required to perform a decryption via brute force is small. In the US this is a non-issue, as 128-bit encryption or higher is not uncommon.
• The process can be slow - Depending upon how much data there is and how often you need to access it, constant decryption and re-encryption can lead to longer access times. This may cause some people to consider it an annoyance and forgo it.
• Key escrowing - A variation of key recovery, this is essentially a set-up wherein a person can grant their key to a third party that requires their information (e.g. a private company or a government entity). The third party typically has to present authorization and a compelling reason for needing that access. It is still a controversial topic due to the very nature of third-party access that would be necessary, and to date no one has come up with a sufficiently secure system that was not technically complex.

Ethical Considerations

While encryption can be used to protect important but otherwise harmless data such as financial records, there equally exists the possibility that it can be used to hide illegal or malicious data. An obvious example is child pornography. If someone with illegal data were being investigated, nobody could ever prove that they have that data if they never offered the key. Another potential scenario is that two people who are conspiring to commit a crime, terrorist act, etc can do so in safety over the internet via encrypting their exchanges. This raises concerns over whether or not encryption should be regulated and controlled. If investigators needed access to an encrypted computer, they would have a much easier time if the owner was legally required to give them the key if requested.

But then this enters into other sensitive issues, primarily one of privacy vs. security. If authorities are allowed to access your private data at will, then the purpose of the encryption is rendered null. Someone would have to determine what kinds of encryption are acceptable and what kinds are not, and define what the criteria for acceptability would be.

Role of Government

There have been sporadic attempts at governmental intervention in the past, often with mixed results. One rather famous moment occurred in 1993, when the US federal government attempted to mount a case[2] against Philip Zimmermann, the creator of PGP. At the time, encryption was legally considered a "munition," and therefore had its exportation restricted. The case was ultimately thrown out after Zimmermann convinced the court that software can be printed in books, and is therefore protected under the 1st Amendment. A couple of years later, the federal government substantially reduced its restrictions upon encryption software and disqualified it as a munition.[3]

The general trend in the US has been a push for less government interference into privately-owned encryption services, whereas government control has remained comparatively higher in other countries. The debate is far from over, however.

Additional Resources

Return to topic page

Previous Pages

• Old topic page
• Clipper topic page
• Encryption exporting topic page

General Info

• Piecing together the encryption puzzle by Paul, Hastings, Janofsky & Walker
• Wikipedia entry on encryption
• How encryption works by Jeff Tyson

Ethical Discussion

• Ethical considerations of privacy and cyber-medical information by Jonathan Klemens
• Ethical considerations for providing professional services online by J.H. Yamamura and F.H. Grupe
• ITLaw.Wikia entry on encryption
• The university's role in advancing data encryption, part 2 by Andrew Burger

General Discussion

• Your encryption key a fifth amendment right?
• Security risks in key recovery by Peter Neumann
• Unlocking encryption management by Matt Hines
• A pretty good way to foil the NSA by Ryan Singel
• Voice encryption may draw U.S. scrutiny by John Markoff

For Government Regulation

• Federal government pushes full-disk encryption by Dennis Fisher
• Federal encryption standardization by Douglas Schweitzer
• Government buys encryption by Michael Mongold

Against Government Regulation

• Constitutional conflicts with encryption regulation by Regina Winchester