Study Guide

What is Encryption?

Encryption, in the context of software, is process by which data in a computer can be encoded in such a way that no one can determine its original value, save for the original owner of the data and whoever he or she sees fit. In this manner, private or sensitive data can be protected without having to physically deny access to the medium that holds the data (e.g. a server).

In general, encryption consists of three items: the original data, the encryption algorithm known as the cypher, and the "solution" to that algorithm called the key. The cypher uses instructions provided by the key to perform an operation on the data, giving it a new value that does not yield any useful information about the original state of the data. At first glance, the new data may appear to simply be gibberish or random noise. In this state, the data is said to be encrypted. To decrypt the data, one simply has to plug the key back into the cypher and run the operations in reverse.

It is not impossible to perform the decryption without the key, but if the key is of sufficient complexity or length, even a brute-force approach may require an impractical amount of time. It is for this reason that most clients can be certain that their data will not be compromised. It is also for this reason that clients need to take care that their key is only provided to people that they want to share the data with.

Examples of Encryption Software

• PGP-Originally used only to encrypt email messages and attachments, but has since diversified into several applications, including disk encryption for laptops and IM sessions. It is built upon public-key encryption technology[1].
• Skype - Provides telephone services over the internet. Uses several different encryption methods, including RSA. The encryption cannot be disabled by the user, and is managed automatically.

Issues With Encryption

Problems

While encryption is very secure if managed properly, it is not fool-proof. It also comes with some of its own inherent disadvantages. There are many factors that you should consider before deciding to use encryption to protect your data:

• Protecting the key - If an unauthorized person manages to acquire your key, that person can access your data at will, without your knowledge. It does not even necessarily have to be your key; if you share your key with other trusted persons, they can also a copy of the key to escape, accidentally or not. Programs that use public-key encryption have largely eliminated this problem, however.
• Using sufficient key strength - If a key is not large enough, the worst-case time required to perform a decryption via brute force is small. In the US 128-bit encryption or higher is not uncommon, which is more than sufficient, but in other countries it may be as low as 40.
• The process can be slow - Depending upon how much data there is and how often you need to access it, constant decryption and re-encryption can lead to longer access times. This may cause some people to consider it an annoyance and forgo it.

Ethical Considerations

While encryption can be used to protect important but otherwise harmless data such as financial records, there equally exists the possibility that it can be used to hide illegal or malicious data. An obvious example is child pornography. If someone with illegal data were being investigated, nobody could ever prove that they have that data if they never offered the key. Another potential scenario is that two people who are conspiring to commit a crime, terrorist act, etc can do so in safety over the internet via encrypting their exchanges. This raises concerns over whether or not encryption should be regulated and controlled. If investigators needed access to an encrypted computer, they would have a much easier time if the owner was legally required to give them the key if requested.

But then this enters into other sensitive issues, primarily one of privacy vs. security. If authorities are allowed to access your private data at will, then the purpose of the encryption is rendered null. Someone would have to determine what kinds of encryption are acceptable and what kinds are not, and define what the criteria for acceptability would be.

Role of Government

There have been attempts at governmental intervention in the past, often with mixed results.

• Previous Restrictions - In 1993, he US federal government attempted to mount a case against Philip Zimmermann, the creator of PGP. At the time, encryption was legally considered a "munition," and therefore had its exportation restricted. The case was ultimately thrown out after Zimmermann convinced the court that software can be printed in books, and is therefore protected under the 1st Amendment. A couple of years later, the federal government substantially reduced its restrictions upon encryption software and disqualified it as a munition.
• Key Recovery -
• Key Escrowing -

Additional Resources

General Info

• Wikipedia Entry on Encryption
• How Encryption Works by Jeff Tyson
• Piecing Together the Encryption Puzzle by Paul, Hastings, Janofsky & Walker

Ethical Discussion

• Ethical Considerations of Privacy and Cyber-Medical Information by Jonathan Klemens
• Ethical Considerations for Providing Professional Services Online by J.H. Yamamura and F.H. Grupe
• ITLaw.Wikia Entry on Encryption

General Discussion

• Your Encryption Key a Fifth Amendment Right?
• A Pretty Good Way to Foil the NSA by Ryan Singel
• Voice Encryption May Draw U.S. Scrutiny by John Markoff

For Government Regulation

• Federal government pushes full-disk encryption by Dennis Fisher
• Federal encryption standardization by Douglas Schweitzer
• Government buys encryption by Michael Mongold

Against Government Regulation

• Constitutional Conflicts with Encryption Regulation by Regina Winchester

These will be sorted later on.

• The University's Role in Advancing Data Encryption, Part 2 by Andrew Burger
• Unlocking encryption management by Matt Hines