Encryption

From Expertiza_Wiki
Jump to navigation Jump to search

Study Guide

What is Encryption?

Encryption, in the context of software, is process by which data in a computer can be encoded in such a way that no one can determine its original value, save for the original owner of the data and whoever he or she sees fit. In this manner, private or sensitive data can be protected without having to physically deny access to the medium that holds the data (e.g. a server).

In general, encryption consists of three items: the original data, the encryption algorithm known as the cypher, and the "solution" to that algorithm called the key. The cypher uses instructions provided by the key to perform an operation on the data, giving it a new value that does not yield any useful information about the original state of the data. At first glance, the new data may appear to simply be gibberish or random noise. In this state, the data is said to be encrypted. To decrypt the data, one simply has to plug the key back into the cypher and run the operations in reverse.

It is not impossible to perform the decryption without the key, but if the key is of sufficient complexity or length, even a brute-force approach may require an impractical amount of time. It is for this reason that most clients can be certain that their data will not be compromised. It is also for this reason that clients need to take care that their key is only provided to people that they want to share the data with.

In terms of software, key complexity or length refers to how long the binary string representation of that key is. This length is measured in individual 1's and 0's, known as bits. Since there are only two possible values for a single bit, adding just one more bit to the key gives it twice as many possible combinations. A key that is 2 bits long, for example, has 4 possible values it can be, while a 3-bit key has 8 possible values. In the US, keys are typically 128 bits long, if not longer. This results in 2^128 combinations, meaning that the likelihood of correctly guessing the key is very small.

Examples of Encryption Software

  • PGP-Originally used only to encrypt email messages and attachments, but has since diversified into several applications, including disk encryption for laptops and IM sessions. It is built upon public-key encryption technology[1].
  • Skype - Provides telephone services over the internet. Uses several different encryption methods, including RSA. The encryption cannot be disabled by the user, and is managed automatically.
  • BnuPG - Another free data and communications encryption program that typically comes packaged with open source software such as Linux OS's. It uses some public-key techniques, but for the most part uses unpatented encryption methods.

Issues With Encryption

Problems

While encryption is very secure if managed properly, it is not fool-proof. It also comes with some of its own inherent disadvantages. There are many factors that you should consider before deciding to use encryption to protect your data:

  • Protecting the key - If an unauthorized person manages to acquire your key, that person can access your data at will, without your knowledge. It does not even necessarily have to be your key; if you share your key with other trusted persons, they can also a copy of the key to escape, accidentally or not. Programs that use public-key encryption have largely eliminated this problem, however.
  • Using sufficient key strength - If a key is not large enough, the worst-case time required to perform a decryption via brute force is small. In the US 128-bit encryption or higher is not uncommon, which is more than sufficient, but in other countries it may be as low as 40.
  • The process can be slow - Depending upon how much data there is and how often you need to access it, constant decryption and re-encryption can lead to longer access times. This may cause some people to consider it an annoyance and forgo it.
  • Key Escrowing - A variation of key recovery, this is essentially a set-up wherein a person can grant their key to a third party that requires their information (e.g. a private company or a government entity). The third party typically has to present authorization and a compelling reason for needing that access. It is still a controversial topic due to the very nature of third-party access that would be necessary, and to date no one has come up with a sufficiently secure system that was not technically complex.

Ethical Considerations

While encryption can be used to protect important but otherwise harmless data such as financial records, there equally exists the possibility that it can be used to hide illegal or malicious data. An obvious example is child pornography. If someone with illegal data were being investigated, nobody could ever prove that they have that data if they never offered the key. Another potential scenario is that two people who are conspiring to commit a crime, terrorist act, etc can do so in safety over the internet via encrypting their exchanges. This raises concerns over whether or not encryption should be regulated and controlled. If investigators needed access to an encrypted computer, they would have a much easier time if the owner was legally required to give them the key if requested.

But then this enters into other sensitive issues, primarily one of privacy vs. security. If authorities are allowed to access your private data at will, then the purpose of the encryption is rendered null. Someone would have to determine what kinds of encryption are acceptable and what kinds are not, and define what the criteria for acceptability would be.

Role of Government

There have been sporadic attempts at governmental intervention in the past, often with mixed results. One rather famous moment occurred in 1993, when the US federal government attempted to mount a case against Philip Zimmermann, the creator of PGP. At the time, encryption was legally considered a "munition," and therefore had its exportation restricted. The case was ultimately thrown out after Zimmermann convinced the court that software can be printed in books, and is therefore protected under the 1st Amendment. A couple of years later, the federal government substantially reduced its restrictions upon encryption software and disqualified it as a munition.[2]

The general trend in the US has been a push for less government interference into privately-owned encryption services, whereas government control has remained comparatively higher in other countries. The debate is far from over, however.

Additional Resources

General Info


Ethical Discussion


General Discussion


For Government Regulation


Against Government Regulation


These will be sorted later on.