Encryption Proposal
Encryption is the converstion of data into a form, called a cipher, that can't easily be understood by unauthorized people. The use of encryption is as old as the art of communication. "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter."--Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and SourceCode in C. Cryptographic strength is measured in the time and resources it would require to recover the plaintext. PGP is also about the latter sort of cryptography, strong cryptography.
PGP (short for Pretty Good Privacy) is a public key encryption program originally written by Phil Zimmerman in 1991. Over the past few years, PGP has has become a de-facto standard for encryption of email and files. PGP (Pretty Good Privacy) is a military grade encryption program that is used to scramble (encrypt) and unscramble (decrypt) data so that it can only be read by those intended to read it.
PGP is a public key cryptosystem (although it uses conventional encryption as well). That means that it uses 2 different keys for encrypting and decrypting data. One key is called a "secret key", which is used with a secret password to decrypt all your encrypted messages and files. The other is your "public key", and this is given out to the friends and associates you wish to communicate with. They use your public key to ENCRYPT a message to you and you will then use your secret key to DECRYPT it. Security is NOT compromised by giving out your public key and that is the beauty of the whole thing. In fact, you must give out your public key to anyone who wants to encrypt a message to you. The PGP program is designed so that you cannot accidentally give out your secret key. PGP automatically brings up your secret key when it needs to so you will never have to worry about it after it is created-there is no need to select a secret key to use for decryption.
There is currently a war going on right now between the US government and privacy advocates on the use of powerful encryption. The government claims they cannot break PGP and that it is an impediment to law enforcement agencies. One of the government's propositions is to have easy access to everyone's keys and store them in a large database (typically referred to as key escrow) so that they can decrypt messages when THEY determine there is a reason to. This is to reduce terrorist activites and organized crime. However, it is important to note that encryption has several legitimate uses such as protecting sensitive data from industrial espionage, conducting financial transactions, talking about intimate issues in a therapy group, securely storing tax information, and keeping a diary private.
In some countries encryption is completely illegal. In the U.S. encryption is legal, but it is regulated by the U.S. government. For example, we have a restriction on the encryption key length to no longer than 128 bits. The current encryption standard in theU.S. is the Data Encryption Standard. "The Data Encryption Standard (DES) was developed in the 1970s by the National Bureau of Standards with the help of the National Security Agency. Its purpose is to provide a standard method for protecting sensitive commercial and unclassified data" (National Bureau of Standards, 1992). DES officially became the standard in November 1976.
The goal of every encryption plan by the U.S. government has been to guarantee access to all our encrypted communications and stored data. This is the reason for the restriction limit of a 128-bit encryption key. The shorter the encryption key length, the faster the government can break it. When the past key restriction was a 56-bit length key, RSA sponsored a series of key-cracking contests to prove the need for encryption stronger than the 56-bit standard. In February 1998, the 56-bit key was recovered in 41 days. In July 1998, it was recovered in 56 hours. Distributed.Net, a worldwide coalition of computer enthusiasts, worked with the Electronic Frontier Foundation's (EFF) "Deep Crack," a specially designed $250,000 supercomputer, and a worldwide network of nearly 100,000 PCs on the Internet, to win RSA Data Security's DES Challenge III in a record-breaking 22 hours and 15 minutes. The Distributed.Net computers were testing 245 billion keys per second when the key was found (RSA Data Security Conference, 1999). This proved that the 56-bit encryption code was insufficient and that we are quickly reaching the time when anyone with a PC can potentially become a real threat to systems relying on such weak security.
AES is in the process of replacing DES. The U.S. National Institute of Standards and Technology (NIST) is in the process of reviewing 15 different algorithm proposals to search for one that will replace the 56-bit Data Encryption Standard (DES) that was recently cracked. DES has been the standard for the last twenty-two years. The new standard would be called the Advanced Encryption Standard (AES), and it is expected to last for at least 30 years. "It will become the government standard and will most likely be adopted by the private sector, as DES was. AES will be available on a royalty-free basis" (Elinor Mills, 1998). AES will have three different key sizes: 128 bits, 192 bits and 256 bits, unlike DES's one key size.
One of the most popular concerns when it comes to privacy and security, is the use of electronic commerce web sites. Millions of people do not use electronic commerce sites because of their fears and lack of trust in these sites. Businesses are losing many potential customers because of this. The National Criminal Intelligence Service (NCIS) has proposed a law that will recognize this. The law "recognizes encryption and its inclusion in electronic commerceas a force for good in helping to tackle fraud, theft of intellectual property and computer misuse. It favors a mandatory key escrow policy of licensed bodies - Trusted Third Parties - holding the keys to coded communications so that law enforcement agencies can retrieve the keys with a warrant when they strongly suspect serious crimes are being committed" ("Encryption", 1999).This law also does not allow keys to be retrieved for any other reason. Furthermore, laws like this will greatly increase the use of electronic commerce.
Currently in the United States, strong cryptography is considered a "munition", or essentially the same as a box of hand grenades. Strict export restrictions are placed on strong cryptosystems, under the assumption that it would prevent foreign enemies from gaining advanced encryption technology. Currently, it's illegal to export cryptosystems that use more than 56-bit key lengths (exactly the length of a DES key), while it's "legal to develop and use encryption with keys up to 128 bits domestically." (#1)
Encryption will play an integral part of future communications technology, as well as protect a person's right to privacy. Legal barriers to encryption are an intolerable sacrifice of freedom and privacy for a token, ineffectual commitment to security.
We plan on running a trial system test with the PGP encryption process and reviewing current literature on the subject of encryption. Our work plan is to have each person cover a different part of the encryption subject. One person will cover the history, another will cover current standards, another person will cover current and proposed laws, another person will cover the future of encryption on the internet. This is a simple break down of our work plan.
Return To Main Page