An Educator's Guide to Privacy

Originally written by: Karen Bennett, Patty Chiles, and Michele Jacobs

Revised 7/2002 by: Heather Shore, Kathy Davis, and John Kelsey

With 2002 Addendum by: Jill Jones, Briant Kelly, Laura Stoffel, and Brian Twadell

Revised 7/2005 by: Geoff Day, Shannon Flannell, Patti Forbes, Amy Higgins, and Lisa McMillion-Miller

This White Paper was written as part of EPS 415, a class in the CTER program, through the University of Illinois, as instructed by Nick Burbules. Other White Papers in this series include: Access, Credibility and Web Evaluation, Free Speech vs. Censorship, Commercialism, Intellectual Property, Computer Crime, and Ethics.

Encryption

In a world growing increasingly dependent on technology and the desire for privacy in the virtual realm, data encryption techniques have become widely used to ensure the protection of important information, such as credit card numbers, e-mail messages, and students' test scores. As much as we value our perception of privacy online, and as powerful as modern data encryption programs are, our privacy may still be compromised.

What is it?

Encryption is a procedure that renders the contents of a message or file unintelligible to anyone not authorized to read it. (www.ncga.coop/tools_glossary.html) It is the translation of data into a secret code and the most effective way to achieve data security. To read an encrypted file you must have access to a key or password that enables you to decrypt it. Encrypted data is referred to as cipher text. (www.ask-edi.com/glossary.htm) Decryption is the process of converting encrypted data back into its original form, so it can be understood. (www.iptv.org/digital/dictionary.cfm)

Types of Encryption

There are two categories of encryption. One is the symmetric system and the other is the asymmetric system. The following is a simple scenario to help explain the difference.

Imagine two people, Alice and Bob, sending a secret message through the public mail. In this example, Alice has the secret message and wants to send it to Bob, after which Bob sends a secret reply.

With a symmetric key system (private key system), Alice first puts the secret message in a box, and then locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice's key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and reads the message. Bob can then use the same padlock to send his secret reply.

In an asymmetric key system (public key system), Bob and Alice have separate padlocks. First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice's open padlock to lock the box before sending it back to her.

The critical advantage in an asymmetric key system is that Bob and Alice never need send a copy of their keys to each other. This substantially reduces the chance that a third party (perhaps, in the example, a corrupt postal worker) will copy a key while it is in transit, allowing said third party to spy on all future messages sent between Alice and Bob. In addition, if Bob were to be careless and allow someone else to copy his key, Alice's messages to Bob will be compromised, but Alice's messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use. (http://en.wikipedia.org/wiki/Asymmetric_key_algorithm)

From this story you can see that encryption was created to protect the messages that are sent between two or more parties. There are many different programs that are available to help a technology user to encrypt and secure those messages sent and received.

Examples of symmetric (private key) techniques include:

  • RC6
  • Twofish
  • MARS
  • Rijndael
  • Blowfish
  • IDEA
  • GOST
  • CAST-256
  • CAST-128
  • MISTY1

http://www.filetopia.org/encryption.htm

Stream ciphers, which include:

RC4, A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, MUGI, Panama, Pike, SEAL, SOBER, SOBER-128 and WAKE. (http://en.wikipedia.org/wiki/Stream_cipher)

Block ciphers, which include:

Lucifer (http://en.wikipedia.org/wiki/Block_cipher)

Examples of asymmetric (public key) techniques include:

http://en.wikipedia.org/wiki/Asymmetric_key_algorithm

Why Do We Need Encryption?

Data security includes the following four basic functions: confidentiality, which guarantees that data is not leaked to third parties; integrity, which prevents alteration of prepared data; authenticity, which guarantees that the ostensible preparer of the data is the real preparer; and accountability, which allows all past processes to be checked when errors occur and responsibility to be clearly assigned.

Encryption technology is an important basic technology for the realization of these security functions when using computers and other modern-day services. (http://www.ecom.jp/ecom_e/report/no7/wg11.html)

While encryption has been used to protect communications for centuries, only organisations and individuals with an extraordinary need for secrecy have made use of it in the past. In the mid-1970s, strong encryption emerged from the sole preserve of secretive government agencies into the public domain, and is now employed in protecting widely-used systems, such as Internet e-commerce, mobile telephone networks and bank automatic teller machines.

Encryption can be used to ensure secrecy, but other techniques are still needed to make communications secure, particularly to verify the integrity and authenticity of a message; for example, a message authentication code (MAC) or digital signatures. Another consideration is protection against traffic analysis. (http://en.wikipedia.org/wiki/Encryption)

Weaknesses with Encryption

Although encryption is needed to help ensure our security, there have been negative issues with both symmetric and asymmetric systems.

Symmetric ciphers are often susceptible to known-plaintext attacks, chosen-plaintext attacks, differential cryptanalysis and linear cryptanalysis. Careful construction of the functions for each round can make these attacks difficult to perform. (http://en.wikipedia.org/wiki/Symmetric_key_algorithm)

The use of asymmetric key algorithms does not ensure security; it is an area of active research to discover and protect against new and unexpected attacks. A potential weakness in the process of using asymmetric keys is the possibility of a 'man in the middle' attack, whereby the communication of public keys is intercepted by a third party and modified to provide the third party's own public keys instead. In all instances, however, the encrypted response must also be intercepted, decrypted and re-encrypted using the correct public key to avoid suspicion, making this attack difficult to implement in practice. The attack is not impossible. This form of attack is being addressed by the development of key distribution methods that can ensure sender authenticity and message integrity, even over insecure channels. (http://en.wikipedia.org/wiki/Asymmetric_key_algorithm#Weaknesses)

Policies and Regulations Surrounding Encryption

In 1999, the export of encryption devices or programs was illegal, as encryption was classified as munitions under the International Traffic in Arms Regulations (ITAR).

In June of 2002, the U.S. Department of Commerce published an updated "U.S. Encryption Export Control Policy" that states:

"For the first time, 'mass market' encryption commodities and software with symmetric key lengths exceeding 64 bits may be exported and reexported under Export Control Classification Numbers (ECCNs) 5A992 and 5D992, following a 30-day review by the Bureau of Industry and Security (BIS)." (U.S. Department of Commerce, 2002)

The report contains an important disclaimer: "This rule does not change any of the existing restrictions on exports and reexports of encryption items to designated terrorist supporting countries and nationals of such countries" (2002).

The U.S. has obviously relaxed some restrictions on the exchange of commercial encryption devices and programs, but it is very concerned about the use of encryption by terrorist groups, a valid concern since it has been revealed since 9/11 that communications between terrorist members alluding to the upcoming attack were transmitted but not caught by U.S. intelligence agencies until after the fact. Using encryption, these groups could be even more secretive about their communications.

In 2004, the US Government made several changes to the US Encryption Policy. These changes make the use and trade of encryption devices easier for the public. These changes can be found at http://www.bxa.doc.gov/encryption/default.htm.

The US Government and Carnivore

Developed and instituted by the FBI on July 11, 2000, Carnivore is an Internet monitoring system that is installed at the facilities of an Internet Service Provider (ISP) and can monitor all traffic moving through that ISP. According to the Electronic Privacy Information Center (EPIC), "The FBI claims that Carnivore 'filters' data traffic and delivers to investigators only those 'packets' that they are lawfully authorized to obtain. Because the details remain secret, the public is left to trust the FBI's characterization of the system and -- more significantly -- the FBI's compliance with legal requirements" ("The Carnivore FOIA Litigation," 2002).

The FBI, on its website, provides its own description of the Carnivore program:

"The use of the Carnivore system by the FBI is subject to intense oversight from internal FBI controls, the U.S. Department of Justice (both at a Headquarters level and at a U.S. Attorney's Office level), and by the Court. There are significant penalties for misuse of the tool, including exclusion of evidence, as well as criminal and civil penalties. The system is not susceptible to abuse because it requires expertise to install and operate, and such operations are conducted, as required in the court orders, with close cooperation with the ISPs" ("FBI Programs and Initiatives-The Carnivore Diagnostic Tool," 2002).

So, the FBI, which has been well known for catching criminals through electronic surveillance for many years, now can essentially view any transmission made through an ISP. This would include the web sites you are browsing, e-mail messages being sent, files that are being uploaded or downloaded, and so on.

Since the September 11, 2001 terrorist attacks on the U.S., in which more than 3,000 people were killed after terrorists with ties to the Al-Qaeda terrorist organization hijacked four commercial airliners and aimed them at key targets, including the Pentagon in Washington D.C. and the World Trade Center towers in New York City, the government has reportedly increased its surveillance for suspicious activity that could be tied to terrorism. The Senate has passed legislation making warrants for electronic computer searches easier to obtain, and the Bush administration is preparing a package of proposals that could include restrictions on encryption (Kurtz, 2001).

The FBI has created this program for the purpose of watching for criminal activity through the Internet. However, in 2003 when submitting reports to the US Government, it was noted that the FBI is not using Carnivore to its potential. Instead, they have found other, more useful programs in commercially available software to do the work needed. (http://www.epic.org/privacy/carnivore/)

This does make you wonder how safe you are if the government cannot create and use government software that is better than something that can be bought at a public software store.

Protection for the Public and Schools

Encryption programs, PGP, SSL, and other technologies have been around for years, but they are only getting better. For example, PGP, the freeware e-mail encryption program, has released twenty-nine updates to the program for the Windows platform and 19 updates for the Mac platform since 1991 ("Freeware PGP Versions," 2002). More recent developments include Hushmail.com, the "World's First Web-Based Email with End-to-End Security" (Hushmail.com, 2001). The system uses the OpenPGP key management algorithm. It's like a Hotmail or Yahoo email account, only it's encrypted. "ShyFile" software claims to offer 6144-bit file encryption, "Military security for your email and file encryption" (ShyFile-6144bit Secure Email Encryption Software, 2002). Finally, a research team at Ottawa University has created "Cryptobox," a secure virtual network on the Internet. "From the information that we've been seeing, Cryptobox would have no problem circumventing all of Carnivore's attacks," said Nikola Bobic, leader of the research team (McDonald, 2001). Advances continue to be made in encryption as time progresses.

How does encryption work in an educational setting? In the 1999 paper, the authors stated, "Teachers and parents need to keep the 'lines of communication' open. These 'lines' now include computer modems as well as telephone and postal service! To be able to discuss the important issues affecting our students and their success in school, e-mail must be secured" (Bennett, et al., 1999, 2002). However, the authors offered no examples of any programs or devices that could facilitate open communication between parents, teachers, students, and administrators. In the interim, products intended for this purpose have been developed.

SchoolCruiser is an online service through which:

"Teachers can interact with students, easily post and publish assignments, grades and attendance, host discussion groups, accept assignments on-line and have access to e-mail. All community members receive an e-mail account, communication with parents is just a click away" ("SchoolCruiser Frequently Asked Questions," 2002).

Participants in the service must log in with an ID and password to access the service, and these are protected by SSL, which provides "data encryption, server authentication, message integrity and optional client authentication for a TCP/IP connection" ("SchoolCruiser," 2002).

Another way schools are benefiting from encryption technology is the ability for administrators to access standardized test scores online. The Educational Testing Service's (ETS) Internet Delivery of Scores program offers this technology, which utilizes the PGP algorithm ("ETS Internet Delivery of Scores," 2002). This is an alternative to the much less secure method of mailing test scores to each respective school, which leaves the scores much more vulnerable to interception.

As technology increases, and negative issues surrounding privacy and security grow, the creators of protection software have continued to work hard to protect the public. There are updates with ETS as well as updates with hardware that can be purchased to ensure security for all computer users. These updates can be found at http://www.wireless-computing.com/news/20050604_1.shtml and http://www.pcsoftland.com/utilities/encryption-tools/indexrating.htm.

Conclusion

Encryption technology has advanced rapidly over time, and its practical uses have been expanded, even into schools. We are continually developing new and easy ways to ensure our privacy online. There are many commercially bought products that can easily be used to destroy that privacy. More damaging, though, is the fact the government is removing our perception that our privacy online is guaranteed, whether we are each being monitored by the FBI or not. As with any fairly new technology, there are advantages and disadvantages that must be weighed. Less privacy, in the case of the FBI's Carnivore, is in the interest of increased personal and national security. No data is one hundred percent safe, a reality we must accept. While 128-bit encryption and larger more advanced products have made cracking data keys impractical, it cannot be dismissed as impossible.

Encryption technology has shown much promise for the educational environment. Services like SchoolCruiser and the ETS's "Internet Delivery of Scores" have been designed with the interest of personal privacy and information encryption in mind. There are also many new products being developed to make encrypting easier, quicker and safer. With student privacy and anonymity online, both inside and outside school, such an important issue to parents and educators, the protections inherent in these new systems put us at greater ease.