Encryption has long been used by militaries and governments to facilitate secret communication. Successfully using encryption to ensure security may be a challenging problem. A single slip-up in system design or execution can allow successful attacks.
Copyright:
Attribution Non-Commercial (BY-NC)
In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).

Encryption has long been used by militaries and governments to facilitate secret communication. Encryption is now used in protecting information within many kinds of civilian systems, such as computers, networks (e.g. the Internet e-commerce), mobile telephones, wireless microphones, wireless intercom systems, Bluetooth devices and bank automatic teller machines. Encryption is also used in digital rights management to prevent unauthorized use or reproduction of copyrighted material and in software also to protect against reverse engineering (see also copy protection).

Encryption, by itself, can protect the confidentiality of messages, but other techniques are still needed to protect the integrity and authenticity of a message; for example, verification of a message authentication code (MAC) or a digital signature. Standards and cryptographic software and hardware to perform encryption are widely available, but successfully using encryption to ensure security may be a challenging problem. A single slip-up in system design or execution can allow successful attacks. Sometimes an adversary can obtain unencrypted information without directly undoing the encryption. See, e.g., traffic analysis, TEMPEST, or Trojan horse.

Advantage and factors involving risk on the following topics
The primary advantage of public-key cryptography is increased security and convenience: private keys never need to be transmitted or revealed to anyone. In a secret-key system, by contrast, the secret keys must be transmitted (either manually or through a communication channel) since the same key is used for encryption and decryption. A serious concern is that there may be a chance that an enemy can discover the secret key during transmission.

Another major advantage of public-key systems is that they can provide digital signatures that cannot be repudiated. Authentication via secret-key systems requires the sharing of some secret and sometimes requires trust of a third party as well. As a result, a sender can repudiate a previously authenticated message by claiming the shared secret was somehow compromised (see Question 4.1.2.3) by one of the parties sharing the secret. For example, the Kerberos secret-key authentication system (see Question 5.1.6) involves a central database that keeps copies of the secret keys of all users; an attack on the database would allow widespread forgery. Public-key authentication, on the other hand, prevents this type of repudiation; each user has sole responsibility for protecting his or her private key. This property of public-key authentication is often called non-repudiation.

A disadvantage of using public-key cryptography for encryption is speed. There are many secret-key encryption methods that are significantly faster than any currently available public-key encryption method. Nevertheless, public-key cryptography can be used with secret-key cryptography to get the best of both worlds. For encryption, the best solution is to combine public- and secret-key systems in order to get both the security advantages of public-key systems and the speed advantages of secret-key systems. Such a protocol is called a digital envelope.

Public-key cryptography may be vulnerable to impersonation, even if users' private keys are not available.
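
A digital envelope with an integrity check, as an added example that is not part of the original document: a fresh session key encrypts the message with a fast secret-key cipher, the recipient's public key wraps the session key, and a MAC over the ciphertext covers the integrity gap noted in the introduction. The tiny RSA key, the SHA-256 keystream cipher and all function names are assumptions chosen so the sketch runs on the standard library; production code would use a vetted library's RSA-OAEP and an authenticated cipher.

```python
import hashlib, hmac, secrets

# Toy RSA key pair for the recipient (constructed for this example: two known
# Mersenne primes, no padding). Illustrative only, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus; (N, E) is the public key
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the recipient

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy secret-key cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _subkeys(session_key: bytes):
    """Derive separate encryption and MAC keys from the one-time session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def seal(message: bytes, n: int = N, e: int = E) -> dict:
    """Sender: secret-key encryption of the body, public-key wrap of the key."""
    session_key = secrets.token_bytes(16)          # fresh for every message
    enc_key, mac_key = _subkeys(session_key)
    body = _keystream_xor(enc_key, message)
    return {
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "body": body,
        "tag": hmac.new(mac_key, body, hashlib.sha256).digest(),
    }

def open_envelope(env: dict, d: int = D, n: int = N) -> bytes:
    """Recipient: unwrap the session key, verify the MAC, only then decrypt."""
    session_key = pow(env["wrapped_key"], d, n).to_bytes(16, "big")
    enc_key, mac_key = _subkeys(session_key)
    expected = hmac.new(mac_key, env["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("MAC check failed: envelope was modified")
    return _keystream_xor(enc_key, env["body"])

def flip_bit(env: dict) -> dict:
    """Simulate in-transit modification of one ciphertext bit."""
    body = bytearray(env["body"])
    body[0] ^= 0x01
    return {**env, "body": bytes(body)}
```

Only the short session key passes through the slow public-key operation; the message itself is handled by the fast secret-key cipher, and `open_envelope` rejects a modified body before any plaintext is released.
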
A successful attack on a certification authority will allow an adversary to impersonate whomever he or she chooses by using a public-key certificate from the compromised authority to bind a key of the adversary's choice to the name of another user.

In some situations, public-key cryptography is not necessary and secret-key cryptography alone is sufficient. These include environments where secure secret key distribution can take place, for example, by users meeting in private. It also includes environments where a single authority knows and manages all the keys, for example, a closed banking system. Since the authority knows everyone's keys already, there is not much advantage for some to be "public" and others to be "private." Note, however, that such a system may become impractical if the number of users becomes large; there are not necessarily any such limitations in a public-key system.

Public-key cryptography is usually not necessary in a single-user environment. For example, if you want to keep your personal files encrypted, you can do so with any secret key encryption algorithm using, say, your personal password as the secret key. In general, public-key cryptography is best suited for an open multi-user environment. Public-key cryptography is not meant to replace secret-key cryptography, but rather to supplement it, to make it more secure.

State any laws and the punishment of the crime enforced by the law makers
Due to recent developments in software and hardware, some consumer-level encryption products are now so powerful that law enforcement officials say they can't crack them, even with massive supercomputers. Encryption has become one of the hottest hi-tech issues on Capitol Hill, as Congress debates whether the government should step in and limit the strength of encryption products to maintain law enforcement's historical ability to eavesdrop electronically on anyone it wants.

There are currently no restrictions on the use of encryption technology within the United States, though the Clinton administration, citing national security, has long prohibited U.S. firms from selling their best products overseas. Law-enforcement advocates say the government should maintain export limits and maybe even impose restrictions on domestic use of strong encryption. But privacy advocates and U.S. software makers – who are worried about international competitiveness – say the government should get out of the way.

Actions taken on such risk on the company concern the government and you.
Modern encryption is achieved with algorithms that use a "key" to encrypt and decrypt messages by turning text or other data into digital gibberish and then by restoring it to its original form. The longer the "key," the more computing required to crack the code. To decipher an encrypted message by brute force, one would need to try every possible key. Computer keys are made of "bits" of information, binary units of information that can have the value of zero or one. So an eight-bit key has 256 (2 to the eighth power) possible values. A 56-bit key creates 72 quadrillion possible combinations. If the key is 128 bits long, or the equivalent of a 16-character message on a personal computer, a brute-force attack would be 4.7 sextillion (4,700,000,000,000,000,000,000) times more difficult than cracking a 56-bit key. Given the current power of computers, a 56-bit key is considered crackable; a 128-bit key isn't – at least not without an enormous amount of effort.

Until 1996, the U.S. government considered anything stronger than 40-bit encryption a "munition" and its The "secure" mode on the latest Netscape browsers available to U.S. and Canadian citizens, for instance, uses 128-bit encryption to encode and decode information that is sent and received. But because of export rules, Netscape can provide overseas users only with browsers that employ much weaker encryption.

Encryption software can also use keys in different ways. With single-key encryption, both the sender and receiver use the same key to encrypt and decrypt messages. But that means the sender has to get the key to the receiver somehow, without it being intercepted. One of the most important advances in cryptography is the invention of public-key systems, which are algorithms that encrypt messages with one key (a public one) and permit decryption only by a different key (a private one). Dan can openly publish his "public" key, and if Amy uses it to encrypt a message, the message turns into incomprehensible garbage that can only be decoded with Dan's secret, "private" key.

Finally, if Dan's bosses – or the government – insist that there be some way for them to decode his encrypted data and messages in case he gets hit by a truck or appears to be engaging in illegal activity, there are a few basic options. Dan can be forced to turn over a "spare" copy of his secret key to a third party, either private or governmental, who will only allow it to be used under certain circumstances. Or, along the lines of the government's failed "Clipper Chip" initiative, Dan can be told to use only encryption products that automatically create a master key, held in reserve by a third party. Those options are known as "key recovery" or "key escrow."

Implementation on law enforcers
Encryption is extremely beneficial when used legitimately to protect commercially sensitive information and communications. The law enforcement community, both domestically and abroad, is extremely concerned about the serious threat posed by the proliferation and use of robust encryption products that do not allow for the immediate, lawful access to the plaintext of encrypted, criminally-related communications and electronically stored data in accordance with strict legal requirements and procedures. The potential use of such commercially-available encryption products by a vast array of criminals and terrorists to conceal their criminal communications and information poses an extremely serious threat to public safety and national security.

Law enforcement fully supports a balanced encryption policy that satisfies both the commercial needs of industry for robust encryption while at the same time satisfying law enforcement's public safety and national security needs. Robust, commercially-available encryption products that include some type of recoverable capability allowing immediate, lawful access to plaintext are clearly the best method to achieve the goals of both industry and law enforcement.

Since April of 1993, the Clinton Administration has expressed support for the adoption of a balanced encryption policy. In lieu of legislation, the Clinton Administration continues to favor a voluntary approach to address law enforcement’s public safety concerns regarding encryption for domestic use. The Administration has been attempting to work with industry, through "good faith dialogue," and by allowing "market forces," influence and inducements (mainly changes to existing export regulations) to bring about the development, sale and use of recoverable encryption products within the U.S.

During the 105th Congress, several encryption-related bills were introduced; however, none were enacted. The main focus of these bills was the relaxation of existing export controls on encryption, regardless of the impact on national security and foreign policy. During the 106th Congress, three encryption-related bills have been introduced. Like last Congress’ encryption-related bills, the main focus of these bills is to either relax existing export controls on encryption products and/or prevent the government (federal or state) from imposing domestic requirements on encryption products to ensure that such domestic encryption products include some type of plaintext access for law enforcement should these products be used in the furtherance of serious criminal activity. These bills included: H.R.850, S.798,