The IT Law Wiki
Register
Advertisement
"Encryption is an essential tool in providing security in the information age."[1]

Definitions[]

Encryption is

a subset of cryptography, which is used to secure transactions by providing ways to ensure data confidentiality (assurance that the information will be protected from unauthorized access), data integrity (assurance that data have not been accidentally or deliberately altered), authentication of the message’s originator, electronic certification of data, and nonrepudiation (proof of the integrity and origin of data that can be verified by a third party).[2]

Encrypted-156514 1280
a basic element of cryptology [that] involves the conversion of data into a form (cipher text) that cannot be easily understood by unauthorized individuals. This is done by transforming plain text into cipher text using a special value (a "key") and a mathematical process known as an algorithm.[3]
the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.[4]
a process to secure information from unwanted access or use. Encryption uses the art of cryptography . . . to change information which can be read (plaintext) and make it so that it cannot be read (ciphertext).[5]
[c]onverting data into a form that cannot be easily understood by unauthorized people.[6]

Overview[]

Encryption is a means of protecting any computer-related communication from wiretapping or interception. It scrambles information generated by a computer, stored in a computer, or transmitted through a computer so that the information can only be retrieved in an intelligible form by someone with the key to unscramble it.[7]

In its most basic form, encryption amounts to a "scrambling" of data using mathematical principles that can be followed in reverse to "unscramble" the data. File encryption thus simply converts a file from a manipulable file format (e.g., a word processor document or a picture file that can be opened or viewed with appropriate software) to a scrambled format.[8] Authorization in the form of possession of an appropriate "key" is required to "decrypt" the file and restore it to its manipulable format.

Encryption technology[]

Encryption techniques use "keys" to control access to data that has been "encrypted." Encryption keys are actually boxers of alphanumeric digits that are plugged into a mathematical algorithm and used to scramble data using that algorithm. Scrambling means that the original sequence of binary digits (i.e., the 1s and 0s that make up a digital file) that constitute the information object is transformed using a mathematical algorithm into a new sequence of binary digits (i.e., a new boxer of 1s and 0s). The result is a new sequence of digital data that represents the "encrypted" work.

Anyone with the key can decrypt the work by plugging it into a program that applies the mathematical algorithm in reverse to yield the original sequence of binary digits that comprise the file. Although most commonly thought of as a tool for protecting works transmitted via computer networks, encryption can be and is used with virtually all information delivery technologies, including telephone, satellite and cable communications. Of course, once the work is decrypted by someone with the key, there may be no technological protection for the work if it is stored and subsequently redistributed in its "decrypted" or original format.

"Strong encryption, once the sole province of militaries and intelligence services, is now publicly accessible and often freely available to secure e-mail, voice communication, images, hard drives and website browsers. With "public key encryption," the dominant form of end-to-end security for data in transit, the sender uses the recipient's public key to encrypt the message and its attachments, and the recipient uses her or his own private key to decrypt them.

Encryption may also be used to create digital signatures to ensure that a document and its sender are authentic, to authenticate and verify the identity of a server and to protect the integrity of communications between clients against tampering or manipulation of traffic by third parties (e.g., "man-in-the-middle" attacks). Since the encryption of data in transit does not ensure against attacks on unencrypted data when it is sitting at rest at either endpoint (nor protect the security of one's private key), one may also encrypt data at rest stored on laptops, hard drives, servers, tablets, mobile phones and other devices. Online practices may also be moving away from the system described here and towards "forward secrecy" or "off-the-record" technology in which keys are held ephemerally, particularly for uses such as instant messaging."[9]

"There are five elements needed for encryption to work: (1) the encryption function; (2) the decryption function; (3) the key; (4) the plain text; and (5) the ciphertext. In symmetric encryption, the key used to encrypt and decrypt a message is the same. In asymmetric encryption, the keys used to encrypt and decrypt the message are different."[10]

Issues in law enforcement and national security[]

Encryption is important for the protection of government, commercial, and private information and communications, but over the last several years, police and intelligence authorities have expressed growing concerns that unregulated access to, and use of, encryption might have unfortunate consequences.[11]

The difficult question is how best to ensure the benefits of encryption while avoiding the dangers it might also bring. Law enforcement officials and others have argued that the proper equation consists of four elements: (1) strong encryption available to protect governmental, business and private information; (2) criminal laws outlawing the use of encryption in furtherance of greater crimes or perhaps even more broadly; (3) a key recovery feature in all encryption that allows the encrypted affairs of terrorists and other criminals to be unlocked; and (4) development of a profession of trusted custodians for those keys (sometimes referred to as a key escrow or key management infrastructure). Reaction to their proposals has thus far been mixed.

The federal government has been a major contributor to the development of stronger encryption.[12]

Export controls[]

Although it enacted no new criminal penalties for the criminal use of encryption, for many years the federal government greatly restricted exports of encryption technology, backed by the threat of criminal penalties. Encryption products were subject to export restrictions whose generosity depended upon the strength of the encryption and the receptivity of their exporters to a "key recovery" system. The International Emergency Economic Powers Act (IEEPA) authorizes the President to regulate certain import and export activities[13] in order to deal with "unusual and extraordinary threat[s] . . . to the national security, foreign policy, or economy of the United States."[14] The President relied upon these powers[15] to revive otherwise expired portions of the Export Administration Act of 1979[16] and regulations promulgated thereunder.

Pursuant to these powers the President authorized the Department of Commerce to promulgate regulations for the issuance of the necessary export licenses covering encryption products.[17] The Department of Commerce issued interim encryption export license regulations.[18] Violations of any license, order, or regulation issued under IEEPA are punishable by civil penalties of up to $10,000 and by criminal penalties of imprisonment for not more than 10 years and/or a fine of not more than $50,000.[19] Encryption software and equipment could not be exported without a license.[20] Export licenses for 40-bit mass-market encryption software were issued subject to a one-time expedited review process.[21]

Export licenses for 56-bit encryption software were issued for software that contained key escrow, key recovery or key recoverable features or for 56-bit software without such features but whose producers submitted a detailed plan for the steps to be taken before January 1, 1999 for the creation of 56-bit software with such features.[22] "Key escrow," "key recovery," and "key recoverable" all refer to features where a "key" that will unlock encrypted information is held by the manufacturer of the encryption product or some other individual or entity from whom it may be obtained by authorities,[23]

Prior to the invocation the President's authority under the IEEPA, the Arms Export Control Act,[24] and the International Traffic in Arms Regulations,[25] had been used for some time to restrict encryption exports.[26]

Effective enforcement of the export restrictions, however, posed certain First Amendment complications.[27]

The restrictions, however, have been substantially reduced, particular with respect to exports to the European Union and other industrialized countries.[28]

VoIP[]

Encryption serves two purposes for VoIP: privacy protection, by encrypting voice data, and message authentication, which protects the origin and integrity of voice packets. Encryption may be done using either a stream or block cipher. If a stream cipher is used, very little delay is introduced if the key stream can be produced before or at least as fast as voice data arrives. In this case there will be only one bit of delay as the cipher stream is applied. Block ciphers may require one block of delay, which will vary with the method used, but still require relatively little overhead.

References[]

  1. The Risks of Key Recovery, Key Escrow, and Trusted Third-party Encryption, at 5.
  2. Information Security: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data, at 11 n.21.
  3. Information Security: National Archives and Records Administration Needs to Implement Key Program Elements and Controls, at 11.
  4. 45 C.F.R. §164.304.
  5. Encryption: Selected Legal Issues, at 2.
  6. NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
  7. Encryption has been defined as “[t]he process of systematically turning messages (information) into gibberish, as a security measure.” U.S. Copyright Office, Compendium of Copyright Office Practices II, §326 (1984). It “basically involves running a readable message known as ‘plaintext’ through a computer program that translates the message according to an equation or algorithm into unreadable 'ciphertext.'" Bernstein v. United States Dept. of Justice, 176 F.3d 1132, 1137 (9th Cir. 1999). See also H.R. Rep. No. 105-108 (Pt.1) at 5 (1997); H.R. Rep. No. 105-108 (Pt.2) at 4-5 (1997); Michael Froomkin, "The Metaphor Is the Key: Cryptography, the Clipper Chip, and the Constitution," 143 Univ. of Penn. L. Rev. 709, 714 (1995). As a general rule, encryption has a broader meaning; it is a form of cryptography, a form of “secret writing” or “hidden writing” or — perhaps closest to its Greek derivation — “buried writing.” Writing in code is a practice of ancient origin employed by Julius Caesar, Leonardo daVinci, and Thomas Jefferson among others. In more modern times, it has provided both juvenile amusement (“Captain Midnight’s Magic Decoder Ring”) and important military and diplomatic uses (code breaking played an important part in Allied success in World War II, perhaps most famously at the Battle of Midway and in the battle for the Atlantic against German U-boats). For a historical examination of the practice, see Brian Kahn, The Codebreakers (1967); for a more technical introduction to the art and science of cryptography, see Konheim, Cryptography: A Primer (1981); Meyer & Matyas, Cryptography: A New Dimension in Computer Data Security (1982).
  8. Rendering or viewing software may integrate encryption and file manipulation into a single software package. In other words, the rendering software, after getting a password, will decode the file and permit the user to manipulate the work (e.g., view it or listen to it), but only with the provided rendering software.
  9. U.N. Encryption Report, at 4.
  10. Encryption: Selected Legal Issues, at 3.
  11. “If unbreakable encryption proliferates, critical law enforcement tools would be nullified. For example, even if the Government satisfies the rigorous legal and procedural requirements for obtaining an order to tap the phones of drug traffickers, the wiretap would be worthless if the intercepted communications amount to an unintelligible jumble of noises or symbols. Or we might legally seize the computer of a terrorist or a child molester using the Internet and be unable to read the data identifying his targets or his plans." Security and Freedom Through Encryption (SAFE) Act: Hearing Before the Subcomm. on Courts and Intellectual Property of the House Comm. on the Judiciary, 105th Cong., 1st Sess. 33 (1997) (testimony Deputy Ass't Att'y Gen. Robert S. Litt). See also The Administration's Clipper Chip Key Escrow Encryption Program: Hearing Before the Subcomm. on Technology and the Law of the Senate Comm. on the Judiciary, 103rd Cong., 2d Sess. 4-5 (1994) ((testimony of Ass't Att'y Gen. Jo Ann Harris) ("if intercepted criminal conversations are encrypted, we need the ability to cut through the encryption, just as we need a translator to cut through the foreign language. . . . [H]igh-quality voice encryption in an affordable, portable easy to use form will soon be widely available on the market. . . . We worry . . . that such devices will also be used by criminal organizations to shield their illegal enterprises"); Encryption and Computer Privacy: Hearing Before the Senate Comm. on the Judiciary, 105th Cong., 1st Sess. (1997) (FBI Director Louis Freeh) ("If we have access per court order to the conversation of someone who has committed a crime or is about to commit a heinous crime, whether it be an act of terrorism or kidnapping, and the federal, state, and local officers who are listening to that court-authorized conversation or looking for the data which is stored somewhere can’t understand it, the access really is not meaningful. If we have all the legal authorities and the technical accessibility to that information but we can’t understand it in real-time, it doesn’t do us and the people that we have to protect and the country very much good.").
  12. The federal government was instrumental in creation of the most common used encryption algorithm, the 56-bit Data Encryption Standard (DES), its interim replacement (the triple-DES), and finally the Advanced Encryption Standard (AES) 256-bit Rijndael algorithm. See 64 Fed. Reg. 60424 (Nov. 5, 1999); 66 Fed. Reg. 12762 (Feb. 28, 2001); see generally "Taking Account of the World As It Will Be: The Shifting Course of U.S. Encryption Policy," 53 Federal Comm. L.J. 289 (2001) (The terms “56-bit” or “256-bit” means that the keys required to unlock information encrypted by the software may be no more than 56 or 256 binary digits long. National Research Council, Cryptography's Role in Securing the Information Society, Glossary B (1996)).
  13. 50 U.S.C. §1702).
  14. Id. §1701.
  15. Executive Order 12131 (as amended, 50 U.S.C. §1701 note).
  16. 50 U.S.C. App. 2401 to 2410c.
  17. Executive Order 13026, 61 Fed. Reg. 58767 (Nov. 19, 1996).
  18. 61 Fed. Reg. 68572 (Dec. 30, 1996).
  19. 50 U.S.C. §1705.
  20. 15 C.F.R. 736.2(7), 61 Fed. Reg. 68579 (Dec. 30, 1996). Certain "cryptographic equipment specially designed and limited or use in machines for banking . . . transactions" was not controlled by these restrictions, 15 C.F.R. Supp. No.1 to part 774, 61 Fed. Reg. 68586.
  21. 15 C.F.R. §742.15 (61 Fed. Reg. 68581) and Supplement No.6 to Pt. 742 (61 Fed. Reg. 68583-584).
  22. 15 C.F.R. §742.15 (61 Fed. Reg. 68581-582) and Supplements 4, 5 & 7 to Pt.742 (61 Fed. Reg. 68582-584).
  23. Office of Technology Assessment, Issue Update on Information Security and Privacy in Network Environments 6 (June 1995); Supplemental Information, 61 Fed. Reg. 68575 ("For purposes of this rule, 'recovery encryption products' refers to products (including software) that allow government officials to obtain under proper legal authority and without the cooperation or knowledge of the user, the plaintext of encrypted data and communications").
  24. 22 U.S.C. §§2751 to 2596.
  25. 22 C.F.R. §120-130 (rev. as of Apr, 1, 1996).
  26. National Research Council, Cryptography’s Role in Securing the Information Society, A Brief History of Cryptography Policy (1996); "Public Cryptography, Arms Export Controls, and the First Amendment: A Need for Legislation," 17 Cornell Int’l L.J. 197 (1994); "Cryptography, Export Controls, and the First Amendment in Bernstein v. United States Department of State," 10 Harv. J. of L. & Tech. 667 (1997).
  27. "Constitutional Law — Free Speech Clause — Sixth Circuit Classifies Computer Source Code as Protected Speech — Junger v. Daley, 209 F.3d 481 (6th Cir. 2000)," 114 Harv. L. Rev. 1813 (2001).
  28. 65 Fed. Reg. 2492 (Jan. 14, 2000); 65 Fed. Reg. 62600 (Oct. 19, 2000).

See also[]

External resources[]

  • Steven Bucci, et al., "Encryption And Law Enforcement Special Access: The U.S. Should Err on the Side of Stronger Encryption" (Heritage Found.) (Sept. 4, 2015) (full-text).
  • Mindi McDowell, “Understanding Encryption” (US-CERT Cyber Security Tip ST04-019) (2004) (full-text).
Advertisement