Encryption: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
 
(30 intermediate revisions by 2 users not shown)
Line 5: Line 5:
Encryption, in the context of software, is process by which data in a computer can be encoded in such a way that no one can determine its original value, save for the original owner of the data and whoever he or she sees fit. In this manner, private or sensitive data can be protected without having to physically deny access to the medium that holds the data (e.g. a server).
Encryption, in the context of software, is process by which data in a computer can be encoded in such a way that no one can determine its original value, save for the original owner of the data and whoever he or she sees fit. In this manner, private or sensitive data can be protected without having to physically deny access to the medium that holds the data (e.g. a server).


In general, encryption consists of three items: the original data, the encryption algorithm known as the cypher, and the "solution" to that algorithm called the key. The cypher uses instructions provided by the key to perform an operation on the data, giving it a new value that does not yield any useful information about the original state of the data. At first glance, the new data may appear to simply be gibberish or random noise. In this state, the data is said to be encrypted. To decrypt the data, one simply has to plug the key back into the cypher and run the operations in reverse.
In general, encryption consists of three items: the original data, the encryption algorithm known as the cypher, and the "solution" to that algorithm called the key.[http://en.wikipedia.org/wiki/Cryptography#Terminology] The cypher uses instructions provided by the key to perform an operation on the data, giving it a new value that does not yield any useful information about the original state of the data. At first glance, the new data may appear to simply be gibberish or random noise. In this state, the data is said to be encrypted. To decrypt the data, one simply has to plug the key back into the cypher and run the operations in reverse.


It is not impossible to perform the decryption without the key, but if the key is of sufficient complexity or length, even a brute-force approach may require an impractical amount of time. It is for this reason that most clients can be certain that their data will not be compromised. It is also for this reason that clients need to take care that their key is only provided to people that they want to share the data with.
It is not impossible to perform the decryption without the key, but if the key is of sufficient complexity or length, even a brute-force approach may require an impractical amount of time. It is for this reason that most clients can be certain that their data will not be compromised. It is also for this reason that clients need to take care that their key is only provided to people that they want to share the data with.


In terms of software, key complexity or length refers to how long the binary string representation of that key is. This length is measured in individual 1's and 0's, known as bits. Since there are only two possible values for a single bit, adding just one more bit to the key gives it twice as many possible combinations. A key that is 2 bits long, for example, has 4 possible values it can be, while a 3-bit key has 8 possible values. In the US, keys are typically 128 bits long, if not longer. This results in 2^128 combinations, meaning that the likelihood of correctly guessing the key is very small.
In terms of software, key complexity or length refers to how long the binary string representation of that key is. This length is measured in individual 1's and 0's, known as bits. Since there are only two possible values for a single bit, adding just one more bit to the key gives it twice as many possible combinations. A key that is 2 bits long, for example, has 4 possible values it can be, while a 3-bit key has 8 possible values. In the US, keys are typically 128 bits long, if not longer. This results in roughly 3.5x10<sup>38</sup> combinations, meaning that the likelihood of correctly guessing the key is astronomically small.


=== Examples of Encryption Software ===
=== Examples of Encryption Software ===


* [http://www.pgpi.org/ PGP-]Originally used only to encrypt email messages and attachments, but has since diversified into several applications, including disk encryption for laptops and IM sessions. It is built upon public-key encryption technology[http://www.webopedia.com/TERM/P/public_key_cryptography.html].
* [http://www.pgpi.org/ PGP-]Originally used only to encrypt email messages and attachments, but has since diversified into several applications, including disk encryption for laptops and IM sessions. It is built upon [http://www.webopedia.com/TERM/P/public_key_cryptography.html public-key encryption] technology.
*[http://about.skype.com/ Skype] - Provides telephone services over the internet. Uses several different encryption methods, including RSA. The encryption cannot be disabled by the user, and is managed automatically.
*[http://about.skype.com/ Skype] - Provides telephone services over the internet. Uses several different encryption methods, including [http://mathcircle.berkeley.edu/BMC3/rsa/node4.html RSA]. The encryption cannot be disabled by the user, and is managed automatically.
*[http://www.gnupg.org/ BnuPG] - Another free data and communications encryption program that typically comes packaged with open source software such as Linux OS's. It uses some public-key techniques, but for the most part uses unpatented encryption methods.
*[http://www.gnupg.org/ GnuPG] - Another free data and communications encryption program that typically comes packaged with open source software such as Linux OS's. It uses some public-key techniques, but for the most part uses unpatented encryption methods.


== Issues With Encryption ==
== Issues With Encryption ==
Line 24: Line 24:


* ''Protecting the key'' - If an unauthorized person manages to acquire your key, that person can access your data at will, without your knowledge. It does not even necessarily have to be your key; if you share your key with other trusted persons, they can also a copy of the key to escape, accidentally or not. Programs that use public-key encryption have largely eliminated this problem, however.
* ''Protecting the key'' - If an unauthorized person manages to acquire your key, that person can access your data at will, without your knowledge. It does not even necessarily have to be your key; if you share your key with other trusted persons, they can also a copy of the key to escape, accidentally or not. Programs that use public-key encryption have largely eliminated this problem, however.
*''Using sufficient key strength'' - If a key is not large enough, the worst-case time required to perform a decryption via brute force is small. In the US 128-bit encryption or higher is not uncommon, which is more than sufficient, but in other countries it may be as low as 40.
*''Using sufficient key strength'' - If a key is not large enough, the worst-case time required to perform a decryption via brute force is small. In the US this is a non-issue, as 128-bit encryption or higher is not uncommon.
*''The process can be slow'' - Depending upon how much data there is and how often you need to access it, constant decryption and re-encryption can lead to longer access times. This may cause some people to consider it an annoyance and forgo it.
*''The process can be slow'' - Depending upon how much data there is and how often you need to access it, constant decryption and re-encryption can lead to longer access times. This may cause some people to consider it an annoyance and forgo it.
*[http://itlaw.wikia.com/wiki/Key_escrow ''Key escrowing''] - A variation of [http://www.csl.sri.com/users/neumann/judiciary.html key recovery], this is essentially a set-up wherein a person can grant their key to a third party that requires their information (e.g. a private company or a government entity). The third party typically has to present authorization and a compelling reason for needing that access. It is still a controversial topic due to the very nature of third-party access that would be necessary, and to date no one has come up with a sufficiently secure system that was not technically complex.


=== Ethical Considerations ===
=== Ethical Considerations ===
Line 33: Line 34:
But then this enters into other sensitive issues, primarily one of privacy vs. security. If authorities are allowed to access your private data at will, then the purpose of the encryption is rendered null. Someone would have to determine what kinds of encryption are acceptable and what kinds are not, and define what the criteria for acceptability would be.
But then this enters into other sensitive issues, primarily one of privacy vs. security. If authorities are allowed to access your private data at will, then the purpose of the encryption is rendered null. Someone would have to determine what kinds of encryption are acceptable and what kinds are not, and define what the criteria for acceptability would be.


== Role of Government ==
=== Role of Government ===


There have been sporadic attempts at governmental intervention in the past, often with mixed results.
There have been sporadic attempts at governmental intervention in the past, often with mixed results. One rather famous moment occurred in 1993, when the US federal government attempted to mount a case[http://www.toad.com/gnu/export/export.html] against Philip Zimmermann, the creator of PGP. At the time, encryption was legally considered a "munition," and therefore had its exportation restricted. The case was ultimately thrown out after Zimmermann convinced the court that software can be printed in books, and is therefore protected under the 1st Amendment. A couple of years later, the federal government substantially reduced its restrictions upon encryption software and disqualified it as a munition.[http://www.washingtonpost.com/wp-srv/politics/special/encryption/stories/limits091798.htm]


In 1993, he US federal government attempted to mount a case against Philip Zimmermann, the creator of PGP. At the time, encryption was legally considered a "munition," and therefore had its exportation restricted. The case was ultimately thrown out after Zimmermann convinced the court that software can be printed in books, and is therefore protected under the 1st Amendment. A couple of years later, the federal government substantially reduced its restrictions upon encryption software and disqualified it as a munition.
The general trend in the US has been a push for less government interference into privately-owned encryption services, whereas government control has remained comparatively higher in other countries. The debate is far from over, however.
 
= Additional Resources =
 
[http://pg-server.csc.ncsu.edu/mediawiki/index.php/CSC_379_SUM2008:Topics#Encryption '''Return to topic page''']


The general trend in the US has been a push for less government interference into privately-owned encryption services. The debate is far from over, however.


= Additional Resources =
Previous Pages
*[http://ethics.csc.ncsu.edu/privacy/encryption/ Old topic page]
*[http://ethics.csc.ncsu.edu/privacy/encryption/clipper/ Clipper topic page]
*[http://ethics.csc.ncsu.edu/privacy/encryption/export/ Encryption exporting topic page]




General Info
General Info
*[http://en.wikipedia.org/wiki/Encryption ''Wikipedia Entry on Encryption'']
*[[Image:new.gif|New]][http://library.findlaw.com/1997/Jul/1/126870.html Piecing together the encryption puzzle] by Paul, Hastings, Janofsky & Walker
*[http://computer.howstuffworks.com/encryption.htm ''How Encryption Works''] by Jeff Tyson
*[http://en.wikipedia.org/wiki/Encryption Wikipedia entry on encryption]
*[http://library.findlaw.com/1997/Jul/1/126870.html ''Piecing Together the Encryption Puzzle''] by Paul, Hastings, Janofsky & Walker
*[http://computer.howstuffworks.com/encryption.htm How encryption works] by Jeff Tyson




Ethical Discussion
Ethical Discussion
*[http://ezinearticles.com/?Ethical-Considerations-of-Privacy-and-Cyber-Medical-Information&id=1077289 ''Ethical Considerations of Privacy and Cyber-Medical Information''] by Jonathan Klemens
*[[Image:new.gif|New]][http://ezinearticles.com/?Ethical-Considerations-of-Privacy-and-Cyber-Medical-Information&id=1077289 Ethical considerations of privacy and cyber-medical information] by Jonathan Klemens
*[http://www.nysscpa.org/cpajournal/2008/508/essentials/p62.htm ''Ethical Considerations for Providing Professional Services Online''] by J.H. Yamamura and F.H. Grupe
*[[Image:new.gif|New]][http://www.nysscpa.org/cpajournal/2008/508/essentials/p62.htm Ethical considerations for providing professional services online] by J.H. Yamamura and F.H. Grupe
*[http://itlaw.wikia.com/wiki/Encryption ''ITLaw.Wikia Entry on Encryption'']
*[[Image:new.gif|New]][http://itlaw.wikia.com/wiki/Encryption ITLaw.Wikia entry on encryption]
*[[Image:new.gif|New]][http://www.technewsworld.com/story/60102.html The university's role in advancing data encryption, part 2] by Andrew Burger




General Discussion
General Discussion
*[http://www.dslreports.com/shownews/Your-Encryption-Key-a-Fifth-Amendment-Right-90282 ''Your Encryption Key a Fifth Amendment Right?'']
*[[Image:new.gif|New]][http://www.dslreports.com/shownews/Your-Encryption-Key-a-Fifth-Amendment-Right-90282 Your encryption key a fifth amendment right?]
*[http://www.wired.com/news/technology/0,70524-0.html?tw=wn_index_1 ''A Pretty Good Way to Foil the NSA''] by Ryan Singel
*[[Image:new.gif|New]][http://www.csl.sri.com/users/neumann/judiciary.html Security risks in key recovery] by Peter Neumann
*[http://www.nytimes.com/2006/05/22/technology/22privacy.html ''Voice Encryption May Draw U.S. Scrutiny''] by John Markoff
*[[Image:new.gif|New]][http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/12/19/Unlocking-encryption-management_1.html Unlocking encryption management] by Matt Hines
*[http://www.wired.com/news/technology/0,70524-0.html?tw=wn_index_1 A pretty good way to foil the NSA] by Ryan Singel
*[http://www.nytimes.com/2006/05/22/technology/22privacy.html Voice encryption may draw U.S. scrutiny] by John Markoff




For Government Regulation
For Government Regulation
*[http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1238490,00.html ''Federal government pushes full-disk encryption''] by Dennis Fisher
*[[Image:new.gif|New]][http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1238490,00.html Federal government pushes full-disk encryption] by Dennis Fisher
*[http://blogs.computerworld.com/federal_encryption_standardization ''Federal encryption standardization''] by Douglas Schweitzer
*[[Image:new.gif|New]][http://blogs.computerworld.com/federal_encryption_standardization Federal encryption standardization] by Douglas Schweitzer
*[http://securityblog.typepad.com/technology_security/2007/06/government_buys.html ''Government buys encryption''] by Michael Mongold
*[[Image:new.gif|New]][http://securityblog.typepad.com/technology_security/2007/06/government_buys.html Government buys encryption] by Michael Mongold




Against Government Regulation
Against Government Regulation
*[http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA392334 ''Constitutional Conflicts with Encryption Regulation''] by Regina Winchester
*[[Image:new.gif|New]][http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA392334 Constitutional conflicts with encryption regulation] by Regina Winchester
 
 
These will be sorted later on.
*[http://www.technewsworld.com/story/60102.html ''The University's Role in Advancing Data Encryption, Part 2''] by Andrew Burger
*[http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/12/19/Unlocking-encryption-management_1.html ''Unlocking encryption management''] by Matt Hines
*[http://www.csl.sri.com/users/neumann/judiciary.html ''Security Risks in Key Recovery''] by Peter Neumann

Latest revision as of 01:54, 5 August 2008

Study Guide

What is Encryption?

Encryption, in the context of software, is process by which data in a computer can be encoded in such a way that no one can determine its original value, save for the original owner of the data and whoever he or she sees fit. In this manner, private or sensitive data can be protected without having to physically deny access to the medium that holds the data (e.g. a server).

In general, encryption consists of three items: the original data, the encryption algorithm known as the cypher, and the "solution" to that algorithm called the key.[1] The cypher uses instructions provided by the key to perform an operation on the data, giving it a new value that does not yield any useful information about the original state of the data. At first glance, the new data may appear to simply be gibberish or random noise. In this state, the data is said to be encrypted. To decrypt the data, one simply has to plug the key back into the cypher and run the operations in reverse.

It is not impossible to perform the decryption without the key, but if the key is of sufficient complexity or length, even a brute-force approach may require an impractical amount of time. It is for this reason that most clients can be certain that their data will not be compromised. It is also for this reason that clients need to take care that their key is only provided to people that they want to share the data with.

In terms of software, key complexity or length refers to how long the binary string representation of that key is. This length is measured in individual 1's and 0's, known as bits. Since there are only two possible values for a single bit, adding just one more bit to the key gives it twice as many possible combinations. A key that is 2 bits long, for example, has 4 possible values it can be, while a 3-bit key has 8 possible values. In the US, keys are typically 128 bits long, if not longer. This results in roughly 3.5x1038 combinations, meaning that the likelihood of correctly guessing the key is astronomically small.

Examples of Encryption Software

  • PGP-Originally used only to encrypt email messages and attachments, but has since diversified into several applications, including disk encryption for laptops and IM sessions. It is built upon public-key encryption technology.
  • Skype - Provides telephone services over the internet. Uses several different encryption methods, including RSA. The encryption cannot be disabled by the user, and is managed automatically.
  • GnuPG - Another free data and communications encryption program that typically comes packaged with open source software such as Linux OS's. It uses some public-key techniques, but for the most part uses unpatented encryption methods.

Issues With Encryption

Problems

While encryption is very secure if managed properly, it is not fool-proof. It also comes with some of its own inherent disadvantages. There are many factors that you should consider before deciding to use encryption to protect your data:

  • Protecting the key - If an unauthorized person manages to acquire your key, that person can access your data at will, without your knowledge. It does not even necessarily have to be your key; if you share your key with other trusted persons, they can also a copy of the key to escape, accidentally or not. Programs that use public-key encryption have largely eliminated this problem, however.
  • Using sufficient key strength - If a key is not large enough, the worst-case time required to perform a decryption via brute force is small. In the US this is a non-issue, as 128-bit encryption or higher is not uncommon.
  • The process can be slow - Depending upon how much data there is and how often you need to access it, constant decryption and re-encryption can lead to longer access times. This may cause some people to consider it an annoyance and forgo it.
  • Key escrowing - A variation of key recovery, this is essentially a set-up wherein a person can grant their key to a third party that requires their information (e.g. a private company or a government entity). The third party typically has to present authorization and a compelling reason for needing that access. It is still a controversial topic due to the very nature of third-party access that would be necessary, and to date no one has come up with a sufficiently secure system that was not technically complex.

Ethical Considerations

While encryption can be used to protect important but otherwise harmless data such as financial records, there equally exists the possibility that it can be used to hide illegal or malicious data. An obvious example is child pornography. If someone with illegal data were being investigated, nobody could ever prove that they have that data if they never offered the key. Another potential scenario is that two people who are conspiring to commit a crime, terrorist act, etc can do so in safety over the internet via encrypting their exchanges. This raises concerns over whether or not encryption should be regulated and controlled. If investigators needed access to an encrypted computer, they would have a much easier time if the owner was legally required to give them the key if requested.

But then this enters into other sensitive issues, primarily one of privacy vs. security. If authorities are allowed to access your private data at will, then the purpose of the encryption is rendered null. Someone would have to determine what kinds of encryption are acceptable and what kinds are not, and define what the criteria for acceptability would be.

Role of Government

There have been sporadic attempts at governmental intervention in the past, often with mixed results. One rather famous moment occurred in 1993, when the US federal government attempted to mount a case[2] against Philip Zimmermann, the creator of PGP. At the time, encryption was legally considered a "munition," and therefore had its exportation restricted. The case was ultimately thrown out after Zimmermann convinced the court that software can be printed in books, and is therefore protected under the 1st Amendment. A couple of years later, the federal government substantially reduced its restrictions upon encryption software and disqualified it as a munition.[3]

The general trend in the US has been a push for less government interference into privately-owned encryption services, whereas government control has remained comparatively higher in other countries. The debate is far from over, however.

Additional Resources

Return to topic page


Previous Pages


General Info


Ethical Discussion


General Discussion


For Government Regulation


Against Government Regulation