
Comprehensive Study of Cryptographic Methods in Practice Today

Last reviewed: March 13, 2004

Internet Encryption

The growing sophistication of the internet, along with the advancing abilities of individuals to hack into electronic systems, is creating a growing need for improved encryption technology. The internet is becoming a domain all to itself, with its own rules and requirements. The internet is creating new opportunities for the business and communication industries. It is also creating new demands. The internet is now facing a period in its evolution similar to the period of our country's history of westward expansion and settlement.

The Wild Wild West years of the internet have passed with the bursting of the tech bubble in the early 21st century. Now business is building entire enterprises on the net. As hundreds of thousands of dollars change hands based on digital bleeps, the need for government, business, and individuals to protect their data is becoming of paramount importance. Who will be the Texas Rangers of the internet, those who will travel long distances and overcome every obstacle just to keep the e-town safe, and capture cyber-criminals when they appear? The time has come for an internet police force, and encryption technology will likely be some of the more reliable cyber-deputies.

The science of cryptography offers many potential solutions to the drawbacks of early copy protection schemes, and the operative word is 'potential'. Cryptography has long been used by military and intelligence agencies to transmit messages so that foreign governments could not decipher them. (Fleischmann 1995) As early as the Second World War, the U.S. and foreign governments utilized encryption schemes in order to disguise their communications. Simple encryption is the process of scrambling readable text to make it unreadable based on a key known only to the sender and the receiver. Decryption, on the other hand, is the unscrambling process which occurs on the other end.

Before proceeding further into this complex and technical area, it may be useful to review some fundamentals. Cryptography is the practice of transforming a message into gibberish (encryption), transmitting it, and transforming it back into "plaintext" (decryption) at the other end. (Defense Institute of Security Assistance Management, 1994) Though once the province of spies, diplomats, and generals as a device to protect sensitive military and government communications, encryption has moved gradually into the mainstream. With the increasing prevalence of networked computing and its increasing vulnerability to tampering, cryptography has become a valued tool both for businesses and consumers in the protection of proprietary and personal information.

Properly employed, cryptography can perform three distinct functions:

authenticate the sender by means of a unique "signature"; protect the confidentiality of the message during transmission and in storage; and assure the integrity of the message through encrypting a digest.(The Neutrality act of 1939)

"In general, the method by which the message is transformed into and out of gibberish is the 'algorithm.' Each particular encryption is achieved by plugging a string of numbers, or a 'key,' into the algorithm and then applying the result to the message. Decryption works by running the encrypted message back through the algorithm key combination. The strength of a cryptographic system is gauged by the length of its key and the complexity of its algorithm." (Flynn, 1995)

Today, both encryption and decryption are accomplished by means of complex mathematical algorithms. Modern algorithms use keys -- strings of alphanumeric digits -- to encrypt and decrypt messages. (Froomkin, 1995) The length of the key determines the strength of the encryption, and longer keys can produce a theoretically unbreakable security system. For example, to decrypt a 128-bit key would require a computer capable of processing one million keys per second over 10^25 years, which is the numeral 1 followed by 25 zeros. To break this code using a 'trial and error' approach would require a time period longer than the projected age of the universe.

Computer encryption has not garnered a large amount of attention until now because both encryption and decryption require a great deal of computer processing power. Until recently, the processing overhead required to decrypt information in real time was prohibitive. (Yoshida, 1996) However, with the development of faster computers, the science of cryptography can now be applied to many new applications and still be economical, both to the developer and the user.

For example, PGP (.com) is now selling PGP 8.0, and one of the versions is personal encryption software. Early reports describe the software as user-friendly. If the company has managed to create a user-friendly product, it will have major ramifications for the security state, the war on terrorism, and the balance of privacy vs. governmental monitoring.

PGP stands for Pretty Good Privacy. It is encryption based on what is called public-key cryptography, which is built from the following scenario. The sender and receiver of messages have two keys, each being a large binary number. One is a public key, which can safely be given to anyone, or even made available on the Internet. The sender can use this public key to encrypt any message sent out. The other number is called the private key, which is revealed to no one but the person whom you wish to decode the message. Only the private key can decrypt the message. (Reed, 2002)

Economic and E-Business factors related to Encryption

E-commerce can encompass a wide range of electronic transactions, and e-commerce, which is the actual transaction occurring in cyberspace, is supported by the ability to send secure email. The expected growth in consumer online sales from $4.5 billion in 1998 to $35 billion in 2002 provides a benchmark of expected growth for the entire sector (Hillison, et al., 2001). Such explosive growth in electronic transactions will continue to place a tremendous burden on control systems which are used to assure the integrity of the transaction process. With the growing demands, new risks have emerged, creating significant demand for user-friendly and effective controls.

Risks

Conducting business in cyberspace entails the traditional risks of sales and contracting plus new risks which are unique to the electronic environment. Some risks result from the physical separation of customers from goods and services providers. The risk of trust, the reliability of vendors, and the assurance that the goods which are sold match what the vendor is advertising are important considerations, which must be addressed as part of the sales process. Other risks arise from the requirement of creating proper documentation. The following risks, which have been addressed in the non-e-business community through the use of paper documents, require closer consideration in relationship to security in the e-business world.

Authentication. Just as manual, handwritten signatures have traditionally proven authenticity, electronic signatures are used for the same purpose: to assure the approval of an authorized individual. Certain technologies used in electronic signatures can even offer higher levels of confidence than the handwritten signature. The need for authentication is one security risk of the internet.

Nonrepudiation. Neither party to a sale or contract should be able to claim that the "agreement" is not what was agreed to, in order for trusting, positive business e-relationships to be established and built. Currently, disputes can arise from the signed and dated copies of documents held by each party. The internet's need for digital verification has created additional requirements for verification. Given the appropriate use, electronic signature technology needs to be capable of addressing this risk.

Security. Electronic storage and communications create security risks that are not independent of e-commerce issues. Risks of loss and interception are present during transmission over the open architecture of the internet. Stored digital messages must also be protected after they are received. In today's environment, copies of documents can be made and disseminated in an instant, and database and server environments can often make sensitive information widely available. (Hillison, et al., 2001)

Technical Aspects and Examples of Encryption

Encryption is typically approached through the use of two schemas, private key encryption and public key encryption.

Private Key encryption. The sender signs a document and the receiver verifies the signature using a single key that is not known publicly. The cipher, or decoding sequence, is public knowledge. Under this scenario, if Paul wants to send Sally an encrypted message, he uses a key to encode the message and transmits the message to Sally. Sally uses the same key to decode the message, and no other key will work. The encryption process works because one key fills both functions and only Paul and Sally know the key. Therefore the validity of the message is confirmed, and the message must have come from Paul.

The possibility that others can gain access to the key can undermine confidence in the authentication process. But if the key is kept private between the sender and recipient, then both security and authentication are preserved because any message can be understood only by someone who possesses the appropriate key. In this case, the shared secret code is not based on the cipher algorithm, but on the key that must be used with the cipher to encode and decode the message.

The most popular and widely used private-key cipher is the Data Encryption Standard (DES), which is a federal encryption standard established in 1977. A more secure variant of DES, called Triple DES (which contains 112- or 128-bit keys), is now in wide use in the private sector. (Hillison, et al., 2001) According to government officials, DES may soon be replaced: In October 2000, the U.S. Department of Commerce announced an encryption algorithm named Rijndael as the proposed new Advanced Encryption Standard (AES). If the AES development process proceeds as has been planned, the new encryption standard should be completed during the summer of 2001. Rijndael will be released as an unclassified, royalty-free, and publicly available encryption process for use and export anywhere in the world. (Hillison, 2001)

Public key (asymmetric) encryption

Unlike private key cryptography, public key cryptography uses a cipher with two unique keys. The two keys are mathematically designed such that one key encrypts the message but cannot subsequently decrypt it. The second key decrypts the code and reveals the message. Additionally, the first key can decrypt only a message encrypted with the second key. This approach to encryption increases the security of the transmission, because the first key cannot be deduced by knowing the second, or vice versa.

The two-key set is used to create unique electronic signatures as follows: The first key can be a signing key that is kept private and the second key can be a validation key available in the public domain. For example, in this scenario, Paul can encrypt a message to Sally using his private key, and Sally can decrypt only with Paul's public key. Paul can also send messages to Tom, Mary, and any other of his staff, and as long as they have access to the public key, all members in the communication chain can decrypt the message, and be sure of the authenticity. As long as the private signing key is kept private by Paul, the integrity of the process can be virtually assured and Sally knows that Paul has signed the message, and that the message has not been received by others during transmission.

In this case, every digital signature is unique to the document for which it was created because it is signed with the author's own key. The process prevents a forger from digitally signing a document and masquerading as another sender, or substituting one document for another. As long as the receiving party can gain access to the public key, the authenticity objective can be met. The level of security provided is determined by the length of the key. Given a key of sufficient length, public-key cryptography can provide protection similar to that of private-key techniques but without the drawbacks of the shared-secret method. (Hillison, et al., 2001)

Electronic Signatures

Traditionally, a signature is any mark made with the intention of authenticating a specific document. Long understood by the public is the uniqueness of each person's handwritten signature. As documents become increasingly digital in their origin, the changes in technology have required a reinvention of how to sign electronic documents in order to create the same level of validity confidence with a digital document. Rapid advancement of electronic signature technology as described above implies a need for continual evaluation of related control methods. Two of the current categories of electronic signature technologies are the cryptographic and the noncryptographic.

These approaches are primarily designed to limit identification and authentication risks. Cryptographic methods, in some cases, provide the controls necessary to meet the risks of non-repudiation as identified above, and of personal security. Virtually all noncryptographic and some cryptographic technologies rely on the "shared secret" method - that only the parties to the transaction or communication know the shared secret. When the sender includes the shared secret, then the receiver knows that it can only represent a communication from the sender. Thus, the communication can be considered signed, and the receiver holds the confidence of this validated communication. Although the shared secret method has proved effective in many circumstances, the technique has a number of weaknesses:

The parties must first have a prior relationship to establish the shared secret.

The shared secret must remain known only to the two parties. Without face-to-face contact, establishing the validity of the provided shared secret is often difficult.

Certain cryptographic controls can control authentication as well as nonrepudiation and security risks. In general, a highly secure e-commerce implementation will combine both noncryptographic and cryptographic technologies. (Hillison et al., 2001)
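The shared-secret weakness listed above, set beside the private signing key and public validation key described in the public key section, as an added example that is not part of the original paper. HMAC-SHA256 stands in for the shared-key scheme, and the RSA parameters are constructed toy values (two known Mersenne primes, no padding) chosen only so the block runs with the Python standard library; names such as SHARED_KEY and demo are this example's own.

```python
import hashlib
import hmac

# Shared secret: Paul and Sally hold the same key (constructed demo value).
SHARED_KEY = b"constructed-demo-key-known-to-paul-and-sally"

def shared_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag. Whoever can verify it can also create it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def shared_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(shared_tag(key, message), tag)

# Public key: Paul keeps D private and publishes (E, N).
# Toy textbook RSA: the modulus is the product of two known Mersenne primes,
# so it is trivially factorable, and no padding is applied. Real systems use
# a vetted library with randomly generated keys and a padded scheme.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private signing exponent (Python 3.8+)

def digest_int(message: bytes) -> int:
    """SHA-256 digest of the message as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sign the message digest with the private exponent."""
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Check a signature using only the public values (e, n)."""
    return pow(signature, e, n) == digest_int(message)

def demo() -> dict:
    order = b"Pay Tom $100"       # what Paul actually sent (constructed)
    altered = b"Pay Tom $9000"    # a document Paul never sent (constructed)

    paul_tag = shared_tag(SHARED_KEY, order)
    # Sally holds the same key, so she can mint a valid tag herself.
    # A third party cannot tell her tag from Paul's: no nonrepudiation.
    sally_tag = shared_tag(SHARED_KEY, altered)

    signature = sign(order)  # needs D, which only Paul holds
    return {
        "shared_accepts_paul": shared_verify(SHARED_KEY, order, paul_tag),
        "shared_accepts_sally_made_tag": shared_verify(SHARED_KEY, altered, sally_tag),
        "signature_accepts_paul": verify(order, signature),
        "signature_rejects_swapped_document": not verify(altered, signature),
        "signature_rejects_altered_signature": not verify(order, signature ^ 1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every entry prints True: the shared key validates a tag from either party, while the signature validates only the document Paul signed and checking it never requires his private exponent.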

Regulatory issues related to digital encryption

Advancing encryption technologies, and the increased demand for the same, are creating a dilemma for the federal government. While current laws require that a burden of proof be established before a search warrant or the right to place a wire tap is issued, the federal government is currently able to monitor radio wave-based communications. The NSA has long been thought to be able to monitor millions of conversations daily as they search for key words which could alert them to terrorist or other illegal activity. With the growing demand for widespread encryption technology, the government is facing the elimination of its ability to perform what it considers a vital national security function.

The Brooks Act authorizes the Department of Commerce to research and recommend data processing standards for the federal government. (International Security Assistance and Arms Export Control Act, 1976) Pursuant to this authority, the Department of Commerce issued the government's first encryption standard, the Data Encryption Standard (DES), for use in protecting unclassified computer data and communications.

Although the DES algorithm was developed by IBM, as part of the approval process, it had to be submitted to the NSA for approval. The interaction between the computer giant and the government agency left many wondering if the encryption had not been either watered down by the NSA, or if the NSA had written their own back door into the encryption methods to enable them to be able to decrypt messages at will. The result was a basis for future suspicions concerning the NSA's role in the development of encryption. (Flynn, 1995)

Bringing this debate into the present, the increasing demands for widespread encryption usage have again placed the government agency on the opposite side of the issue from encryption developers. On February 9, 1994, when the National Institute of Standards and Technology (NIST) announced the federal Escrowed Encryption Standard (EES), this simmering debate over encryption policy in the United States boiled over once again. Public interest groups argued that the nationally devised standard would jeopardize an individual's privacy. U.S. multinationals voiced concerns that the government would undercut private encryption technology, and limit their choice of encryption products which became available in the marketplace. Computer software groups claimed that EES lacked commercial appeal. The law enforcement and national security communities weighed in, and countered that the interests of national security required the adoption of EES.

The source of the conflict is that the new standard provided a mandated back door for the government to be able to break into the encoded transmissions. Until recently, the government has enjoyed monopoly oversight over its development and use, but with the increasing demands of the market, the government is in competition for the rights, and the abilities to create, send, and review encrypted information. And the government doesn't like to compete with the private sector. (Flynn, 1995)

Encryption - the need for security vs. the requirements of freedom

In the same way the need for a central government is balanced by the U.S. Constitution, the need for government control and oversight of encryption technology also must be dynamically balanced by the guaranteed freedom of U.S. citizens. The following statements, made during congressional hearings regarding internet security issues, describe these opposing interests. Presenting the case of freedom is Philip Zimmermann, the creator of one of the most successful commercial encryption technologies.

"When making public policy decisions about new technologies for the government, I think one should ask oneself which technologies would best strengthen the hand of a police state. Then, do not allow the government to deploy those technologies. This is simply a matter of good civic hygiene." (Online Security Issues, 1996)

Philip R. Zimmermann, creator of "Pretty Good Privacy" encryption standard. (PGP)

On the side of the government, and presenting the government's need to monitor communications as a function of protecting the country, is Louis Freeh, acting director of the FBI.

"Thank you Mr. Chairman and members of the Committee for providing me with this opportunity to discuss with you an issue of extreme importance and of great concern to all of law enforcement, both domestically and abroad -- the serious threat to public safety posed by the proliferation and use of robust encryption products that do not allow for timely law enforcement access and decryption." (The creation of online commerce, 1997)

Louis J. Freeh, Director, Federal Bureau of Investigation

This debate on encryption export controls, or encryption control which is in the hands of anyone other than the government, is an ongoing exercise in balancing these two viewpoints. With the Internet's rise as a major medium of trade and communication, encryption has become a vital and necessary tool of electronic commerce. Unfortunately, the ability to keep electronic communications secure through encryption can also be used by criminals and terrorists to shield their activities from the law enforcement and national security agencies. Due to the threat to national security that encryption represents, the U.S. government has enacted strong controls on the international distribution of encryption software and hardware. (Levin, 1999)

The following briefly summarizes the main concerns of the critics of the government actions. The overview of these concerns is divided into four areas.

Potential constitutional concerns over the restriction of individuals' privacy rights

Concerns of how the U.S. export regulations restrict domestic computer software companies' ability to compete in the global marketplace

Discussion on the debate over the national security interests behind the encryption policy.

Cite This Paper
PaperDue. (2004). Comprehensive Study of Cryptographic Methods in Practice Today. PaperDue. https://www.paperdue.com/essay/comprehensive-study-of-cryptographic-methods-163681
