Achieving security in an insecure Internet world: the complexities of encryption

Nancie Mack (Editor: Nancy Stubbs)

If you ever had a 'secret decoder' ring or attempted to decipher the scrambled phrases found in crossword puzzle books, you’ve dabbled with encryption. Fun and games aside, encryption is serious business. Consumers are (hopefully) protected by sophisticated encryption technology when they send personal data over the Internet, corporations utilize it to defend against industrial espionage, and law enforcement officials want to ensure that it doesn’t impede their access to any and all electronic exchanges they wish to decipher.

ENCRYPTION TECHNOLOGY: A PRIMER

Simply put, encryption is the scrambling and altering of data, but it is accomplished using complex mathematical formulas. The primary encryption technologies involve symmetric and asymmetric algorithms. Symmetric (secret-key or single-key) algorithms either use the same key (password) for encryption and decryption, or the decryption key may be easily derived from the encryption key. Asymmetric (public-key) algorithms use different keys for encryption and decryption, and one cannot be derived from the other; the encryption key is often made public so that anyone can use it, but only the recipient retains the decryption key.

Dunn (1997) provides this simple description of how to employ encryption: ‘Alice (the traditional name of a recipient in cryptography) has a safe deposit box that has two keys. One key, which Alice always keeps as a private key, can only open the box; the other key, which is copied and widely distributed as a public key, can only lock it. When Bob (the traditional sender of a message in cryptography) wants to send a message to Alice, he grabs a public lock key, places his message in the open safety deposit box and then locks it. When Alice wants to read the message, she opens the box with her private key and leaves the box open. Thus only Alice can read, but anyone can send.’

THE BUSINESS OF ENCRYPTION

The most widely used encryption technologies are the asymmetric versions of RSA, offered by RSA Data Security, and the symmetric Data Encryption Standard (DES) from International Business Machines. With its encryption technology already incorporated into Netscape and Microsoft products, RSA has become the virtual standard for many Internet applications. In October 1997, the company formally applied to the Internet Engineering Task Force to make it official (Borland 1997). The younger Pretty Good Privacy (PGP) could be a strong competitor; it has given away encryption programs to end-users and has made a strong push into the corporate market. Certification of one product rather than another would create a significant competitive advantage (Borland 1997).

It is not presumed that one method will take precedence over another, however. Most encrypted transactions use symmetric keys to encrypt and decrypt the text, but the secret key sent with the encrypted text is itself encrypted and decrypted using asymmetric technology; this combined method virtually assures data privacy (Erlanger 1997).
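The combined method described above, sketched as an added example that is not part of the original article: Bob encrypts the text with a fresh symmetric key, then locks that key with Alice's public key. The function names are hypothetical, the key pair is a constructed toy (textbook RSA without padding, built from two Mersenne primes), and a SHA-256 keystream stands in for a real symmetric cipher such as DES, so this shows the structure only and is not secure.

```python
import hashlib
import secrets

# Constructed toy key pair for Alice (assumption for illustration, NOT secure):
# textbook RSA, no padding, special-form primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: widely distributed, can only "lock"
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: kept by Alice, can "unlock"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric step: the same key encrypts and decrypts.
    Keystream block i is SHA-256(key || i), a stand-in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def bob_send(message: bytes, pub_n: int = N, pub_e: int = E):
    """Bob needs only the public key: a fresh secret key encrypts the text,
    and the public key wraps that secret key for transport."""
    session_key = secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, message)
    wrapped_key = pow(int.from_bytes(session_key, "big"), pub_e, pub_n)
    return wrapped_key, ciphertext

def alice_receive(wrapped_key: int, ciphertext: bytes,
                  priv_d: int = D, pub_n: int = N) -> bytes:
    """Alice unwraps the secret key with her private key, then decrypts the text."""
    session_key = pow(wrapped_key, priv_d, pub_n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    wrapped, ct = bob_send(b"Order 1138: ship to the usual address")  # constructed message
    print(alice_receive(wrapped, ct))
```

The sketch provides confidentiality only; it carries no integrity check, so a modified ciphertext would decrypt to altered text without any error.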

ENCRYPTION APPLICATIONS: HIGH STAKES FOR CONSUMERS AND CORPORATIONS

Strong encryption is a vital weapon in the battle for privacy and security. Forrester Research Inc. estimates that the total value of goods and services traded over the Internet among American companies will reach $8 billion this year and $327 billion by the year 2002 (Kass 1997). This is contingent upon convincing buyers and sellers that their online transactions are secure, however, and the only way to fully accomplish this is through encryption. In addition to making the consumer feel safe, corporations must safeguard themselves -- computer crime is on the rise and many companies increasingly suspect each other of industrial espionage.

DRIVING FORCES: NEW ENCRYPTION PROVIDERS

In the corporate arena, leading hardware manufacturers aim to facilitate deployment and administration of encryption, diminish its effect on network performance, and increase its security capabilities by embedding the technology in hardware. Experts predict that encryption technology will migrate from software to hardware in the next five to ten years; the technology will be rooted in the core of personal computers, servers, switches, and other devices such as high-volume chips (e.g., the Pentium) (Joachim 1997). In the meantime, the leading hardware vendors have begun offering coprocessor-type products to handle the heavy computations that may bog down a system when encryption is in use (Joachim 1997). Individual users’ desire for protected electronic mail and other mobile applications is motivating the evolution of ‘smart cards’ to store private keys (for authentication purposes) and any data the user would like to securely store and transport (Joachim 1997).

EXPORTING ENCRYPTION: THE RAGING POLICY DEBATE

Privacy advocates and the industrial sector believe that encryption is necessary for the growth of Internet commerce and to ensure privacy in the information age, but law enforcement officials see it as one more way for the 'bad guys' to avoid detection and pursue their nefarious activities. The United States currently has forty different encryption laws at the state level (Slater 1997), but strong encryption is not restricted unless you’re trying to ship it abroad. The FBI and the National Security Agency are waging an anti-encryption crusade, citing tales of drug dealing, child pornography and terrorist activity on the Internet (Kass 1997). Their intent is to require that spare keys to all scrambled communications be filed with a third party, thereby enabling immediate access (with court authorization) to encrypted data. The White House is backing a less extreme, voluntary key recovery plan, but opponents argue that this is an unconstitutional violation of privacy and free speech rights (Clausing 1998). Privacy advocates and the software industry worry that keys could be too easily stolen, resulting in compromised privacy and security of personal information (Markoff 1998). 'In technological terms it is not possible to prevent criminals from obtaining and using encryption techniques,' according to Martin Bangemann, the European commissioner responsible for high-tech affairs. 'Therefore, there seems little point in preventing legal users from protecting themselves,' he concluded (Slater 1997).

OPPORTUNITIES, PROBLEMS AND PROSPECTS

NEW DOORS OPEN…

Until recently, RSA’s encryption technology had only been used in traditional intranet and Internet environments. But Cable Television Laboratories Inc, which claims control of 85 per cent of the American cable subscriber base, has licensed security software from RSA, apparently to stimulate the use of the cable infrastructure to conduct business over Internet provider networks (Dunlap 1998). As access to the Internet and corporate reliance on it continue to grow, so will the need for encryption technologies.

…BUT OTHERS MAY CLOSE

Export controls on encryption software could impair the ability of American industry to compete internationally. ‘This would take away 90 per cent of our business,’ said Jeffrey Punzel, chief executive officer of Octagon Technology Group, an Internet order processor. He believes it would be ‘completely detrimental to electronic commerce as a whole’ (Kass 1997). The outcome of this volatile issue remains to be seen as it winds its way through Congress in the form of the Security and Freedom through Encryption Act (SAFE).

REFERENCES

Anderson, M.R. (1998) 'Internet security - firewalls and encryption: the cyber cop's perspective', 17 January. Online. Available HTTP: http://www.forensics-intl.com/art1.html (27 February 1998).

Borland, J. (1997) 'Battle over net encryption heats up', Net Insider, 31 October. Online. Available HTTP: http://www.techweb.com/se/directlink.cgi?WIR1997103111 (27 February 1998).

Clark, D. & Wingfield, N. (1998) 'Hewlett receives approval to export encryption system', Wall Street Journal, 03 March.

Clausing, J. (1998) 'FBI halts its push for encryption access legislation', New York Times, 18 March. Online. Available HTTP: http://wwwnytimes.com/library/tech/98/03/cyber/articles/18encrypt.html (18 March).

Dunlap, C. (1998) 'Crossing over: RSA moves into cable television network space - Cable Labs licenses security software', Computer ResellerNews, 16 February. Online. Available HTTP: http://www.techweb.com/se/directlink.cgi?CRN19980216S0073 (27 February).

Dunn, A. (1997) ‘Of keys, decoders and personal privacy’, New York Times, 01 October. Online. Available HTTP: http://www.nytimes.com/library/cyber/surf/100197mind.html (27 February 1998).

Erlanger, L. (1997) ‘Disarming the Net’, PC Magazine Online, 10 June. Available HTTP: http://www8.zdnet.com/pcmag/features/inetsecurity/encryption.htm (23 March 1998).

Joachim, D. (1997) ‘Hardcore security – chip-level implementation bolsters encryption technology for electronic commerce’, InternetWeek, 20 January. Online. Available HTTP: http://www.techweb.com/se/directlink.cgi?CWK19970120S0001 (27 February 1998).

Kass, E. (1997) ‘If you water down encryption you’ll kill the golden goose’, InternetWeek, 06 October. Online. Available HTTP: http://www.techweb.com/se/directlink.cgi?INW19971006S0141 (27 February 1998).

Kenworthy, K. (1997) ‘Keep out! Private -- safeguard your data from prying eyes that can peruse your PC, and see what you’ve been up to’, Windows Internet Magazine, 01 October. Online. Available HTTP: http://www.techweb.com/se/directlink.cgi?WIN19971001S0125 (23 March 1998).

Markoff, J. (1998) 'Export law tested by sale of privacy software', New York Times, 20 March. Online. Available HTTP: http://www.nytimes.com/library/tech/yr/mo/biztech/articles/20encrypt.html (20 March 1998).

Patrizio, A. (1997) 'Cylink approved to export hardware-based encryption', TechWeb, 19 December. Online. Available HTTP: http://www.techweb.com/wire/story/TWB19971219S0016 (27 February 1998).

Richtel, M. (1998) 'Study finds rise in computer crime', New York Times, 05 March. Online. Available HTTP: http://www.nytimes.com/library/tech/98/03/cyber/articles/05crime.html (05 March 1998).

Slater, M. (1997) 'Europeans clash with U.S. over encryption', TechWeb News, 09 October. Online. Available HTTP: http://www.techweb.com/se/directlink.cgi?WIR1997100907 (27 February 1998).

Wayner, P. (1997a) 'Company's departure reveals rift on encryption', New York Times, 09 December. Online. Available HTTP: http://www.nytimes.com/library/cyber/week/120997encrypt-alliance.html (27 February 1998).

Wayner, P. (1997b) ‘British document outlines early encryption discovery’, New York Times, 24 December. Online. Available HTTP: http://www.nytimes.com/library/cyber/week/122497encrypt.html (27 February 1998).

Yasin, R. (1998) 'Open Horizon to ship 56-bit encryption application', InternetWeek, 16 February. Online. Available HTTP: http://www.techweb.com/se/directlink.cgi?INW19980216S0058 (27 February 1998).
