Decrypting the Encryption Debate A Framework for Decision Makers (2018) / Chapter Skim
Currently Skimming:
2 Encryption and Its Applications
2 Encryption and Its Applications
Pages 14-31
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 14... ...
It protects information stored on smartphones, laptops, and other devices. Encrypted communication capabilities are built into major computing platforms and in an array of messaging applications that are used by hundreds of millions of users.
|
From page 15... ...
The increased availability and use of encryption -- most notably to protect access to data stored on smartphones and to keep Internet messages confidential -- means that it is increasingly encountered in investigations by law enforcement and intelligence agencies.1 This chapter provides a basic introduction to encryption and its uses. It provides context for subsequent discussions of mechanisms that would afford government access and associated technical and operational risks.
|
From page 16... ...
One can visualize the symmetric encryption process as putting plaintext data in a box and then locking the box using a secret key. The box can be opened only using the same secret key.
|
From page 17... ...
Some use the term for encryption schemes that do not provide technical mechanisms for government exceptional access, while others would consider schemes that include properly engineered access mechanisms to be "strong." Given the different view on what it means for encryption to be "strong" and given the existence of widely accepted standards for encryption technology, this report eschews the term "strong." Unless otherwise qualified, when this report uses the term "encryption," it means encrypting data in a way that makes it im practically difficult for unauthorized individuals to gain access to plaintext. Today, this level of difficulty corresponds to the use of encryption that follows the latest recommendations of the European Union Agency for Network and Information Security,1 the National Institute of Standards and Technology,2 or the National Security Agency.3 1 European Union Agency for Network and Information Security, 2014, Algorithms, Key Size and Parameters Report 2014, November 21, https://www.enisa.europa.eu/publications/ algorithms-key-size-and-parameters-report-2014.
|
From page 18... ...
Although there are encryption algorithms that are perfectly secure in the sense that they are unbreakable,3 these schemes are rarely deployed in the real world because they are not practical. Even though the encryption schemes that are deployed in practice are not perfectly secure, their security is supported by a rigorous design process backed by a mathematically sound framework that allows cryptographers to carefully study and analyze their strengths and weaknesses.
|
From page 19... ...
exploit against secret Web cookies over connections that use data compression, allowing an attacker to hijack an authenticated session. 6 For example, a study of encryption keys used for Web traffic revealed vulnerabilities from poorly implemented key-generation algorithms.
|
From page 20... ...
The pervasiveness of encryption is relevant to public debates about exceptional access, because only certain uses of cryptography in a laptop or smartphone enable encryption of users' data of potential interest to law enforcement or intelligence agencies. Thus a mandate for exceptional access would have to be targeted to specific uses of cryptography where the specifics vary according to the device.
|
From page 21... ...
Full Disk Encryption Many modern operating systems support full disk9 encryption, which protects both user data and system programs from disclosure. As with the file encryption scenario outlined above, the files themselves are protected using symmetric encryption.
|
From page 22... ...
These measures deter phone theft and protect users' data but also can make it extremely difficult for law enforcement to access data that may be relevant to an investigation if the data is stored only on the locked device. Virtual Private Networks A virtual private network (VPN)
|
From page 23... ...
Almost all Web browsers and servers support TLS or one of its predecessors, and many web servers have the public-key certificates necessary to support encrypted sessions. The history of the protocols used for secure Web browsing provides a compelling illustration of how difficult it is to develop encryption protocols and the care that must be taken when adding capabilities to accommodate government requirements.
|
From page 24... ...
Both the initiator and recipient use each other's public keys to generate a master secret key for the session. Each message is then encrypted using symmetric encryption with a unique message key computed based on the master secret key.
|
From page 25... ...
For example, one indication of future technology trends toward greater protection of data in the cloud can be seen in the growing trend of cloud providers to support virtual machines where encrypted data is decrypted only at the time the data is actually used.16 In the long term, emerging techniques for computing on data without decrypting it, such as homomorphic encryption, will further protect data in the cloud and complicate efforts to access it. Because these techniques are likely to be more costly to use than other forms of encryption, it is expected that they will be used -- if and when they are adopted -- with especially sensitive types of data such as medical information.
|
From page 26... ...
For example, a regulation that applies to mass-market messaging applications would not directly affect the use of encryption to protect credit card numbers in e- ommerce applications. On the other hand, if smartphones are used c to provide authentication codes in a multifactor authentication scheme, a requirement for exceptional access to unlock smartphones adds some degree of risk that the authentication codes could be obtained from a lost or stolen phone.
|
From page 27... ...
The "big data" revolution has resulted in a great deal more information about individuals being collected, stored, and analyzed. Consequently, data has become an increasing target and encryption and other applications of cryptography have become important -- and sometimes essential -- tools for protecting data.
|
From page 28... ...
. As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking."21 Since then, reported intelligence attacks on the United States have been growing in severity: • In a 2015 attack attributed to Chinese actors, hackers gained access to 80 million customer records at Anthem, the second largest health insurer in the United States.22 • In 2015, suspected Chinese hackers illegally accessed Office of P ersonnel Management computers and stole more than 21.5 million records including fingerprints of government employees and contractors holding security clearances.
|
From page 29... ...
(Encryption does not protect against all threats -- malware running on a phone or malware running with the privileges of authorized users of an encrypted database can see the unencrypted data.) This explains why 25 North Korea obtained confidential information of Sony Pictures Entertainment, a U.S.
|
From page 30... ...
A sender "Alice" creates a message digitally signed with her private key. If the receiver "Bob" is able to decrypt this message using Alice's public key, he knows that the sender possesses Alice's private key.
|
From page 31... ...
Nonetheless encryption and other uses of cryptography remain an essential tool for enhancing cybersecurity against escalating cyber threats. They are critical parts of a system that includes multifactor authentication, biometric identifiers, and other security tools.
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.