Encryption: Technical and Policy Issues

Doris Chen, Adolfo Perez, Saowaphak Sasanus, Saurabh S Verma Ru-shuen.Chen@Colorado.EDU, aaperez@colorado.edu, Saowaphak.Sasanus@Colorado.EDU, verma@ucsub.colorado.edu

1. Abstract
This paper examines the technical, policy, and economic aspects of the current encryption systems. The paper starts with an introduction to encryption technology, covering both conventional and public-key encryption. It then covers some of the policy issues concerned with encryption including the impact that the new encryption policy has on export limitations and the way the economy of the country is affected due to the new policy. key escrow is an important issue, which deals with human rights. The paper explains the technical features of key escrow and also discusses the effects of the new policy. Finally the paper compares the encryption algorithms to conclude which solution is the most secure system in the market.

2. Introduction
Internet is a very useful tool to obtain information from around the world. However, most users may not realize that they are leaving a trail behind them. Internet is like a digital video camera, which can record almost everything that people have done while being online, including keywords searched on a search engines, sites visited, e-mail messages exchanged, and even the files downloaded to a local computer. The digital tracks exist on backup tapes that might be kept for years, and in databases that are actively repackaged and sold. Sending messages on a computer without encryption is like putting thoughts on a postcard; everyone can read it. Privacy in the computer age requires coding the transmitted information so that only designated recipients can read it. Cryptography is a science of encryption, which is used to make information transmitted over networks such as Internet, secure and private. Encryption can be used to protect voice communications, ATM transactions, and E-mail, by scrambling signals such that the eavesdroppers cannot understand the content of the message. Internet was originally invented for educational research and collaboration, but it now plays a very important role in personal communications and business, which is being carried out online over an insecure medium that entices criminal activity to the internet. In the age of explosive worldwide growth of electronic data storage and communications, users have expressed increasing concerns and demands for effective protection of information. To address this need, this paper will summarize a number of technological solutions have been introduced to assure internet privacy and confidentiality and describe proposed legislation on encryption and export control.
1

3. Encryption Technologies:
The basic definition of Encryption can be described as the transformation of data into a form that is as practically close to being impossible to read without certain appropriate knowledge. Encryption's purpose is to ensure privacy by keeping information hidden from anyone for whom it is not intended, even if they have access to the encrypted data itself. Decryption is the reverse of encryption i.e. it is the transformation of encrypted data back into an intelligible form [1]. The four basic parts in all cryptographic system [2]:

Fig. 1: Encryption

Plaintext: This is the original message in a readable format. Ciphertext: The plaintext message after being modified or obscured to an unreadable format. Cryptographic algorithm: This is the mathematical operation used for converting plaintext to ciphertext. There are two ways in which plaintext can be processed to form the ciphertext such as stream cipher and block cipher1. Key: This is a key used to encrypt and/or decrypt the message. Different keys transform the same plaintext into different ciphertexts. Only people who know the correct key can decrypt the cipertext accurately. Encryption and decryption generally require the use of some secret information, referred to as a key. For some encryption mechanisms, the same key is used for both encryption and decryption, while for other mechanisms, the keys used for encryption and decryption are different. The encryption methods that use the same key are called conventional (or symmetric) encryption. The key used in conventional encryption is usually referred to as a secret key. The encryption that uses different keys is called public key (or asymmetric) encryption.
1

A stream cipher generates a keystream (a sequence of bits used as a key). Encryption is accomplished by combining the keystream with the plaintext. The block cipher technique involves taking a block of the plaintext (n bits) and converting it into an output block, having same number of bits. Encryption of any particular plaintext with a block cipher will result in the same ciphertext when the same key is used. 2

3.1 Conventional Encryption Conventional encryption employs a single key that is shared by the two users. Thus, the user at the source end encrypts a message using the encryption algorithm and a secret key. The user at the destination end decrypts the message using a decryption algorithm and the same secret key. The encryption algorithms are based on substitution and transposition techniques. The substitution process involves mapping the bits in the plaintext to some other bits. The transposition process involves rearranging the bits in the plaintext. Both transposition and substitution are performed several times before the final encrypted ciphertext is produced.

Fig. 2: Conventional Encryption

The level of security provided by conventional encryption is a function of the length of the key and the nature of the algorithm. With 56-bit key, the number of possible keys are 256 (7.2x1016 keys). The best-known way to attack is to simply try all of the possible 56-bit keys until the correct key is found. On average, one expects to go through about half of the key space. For a machine that can perform 106 operations per second, this requires approximately 1142 years. Today, we have much improved processing power and so by combining processing power of several computers it is very easy to break this type of encryption. Thus the key length is a very crucial parameter with regards to the desired security. Some examples of conventional encryption include, Data Encryption Standard (DES) which is a 56-bit key, block cipher encryption technology with block size of 64 bits. Triple DES (3DES) is a 168-bit key, block cipher encryption technology with the block size of 64 bits. Advanced Encryption Standard (AES) is being considered by the US government as a replacement for DES2. RC5 is another block cipher. Here, the key length can vary from 0 bits to 2048 bits, also
2

Several encryption algorithms are currently suggested for AES. The ones that made to the final round include MARS, RC6, Rijndael, Serpent and Twofish. The final decision regarding the selection of one of these will be held 3

the block size can be 32 bits, 64 bits, or 128 bits. International Data Encryption Algorithm (IDEA) is a 128-bit key, block cipher encryption technology and has a block size of 64 bits. Blowfish is another block cipher, and has a key length that can vary from 32 bits to a maximum of 448 bits. DES is the most widely used encryption scheme, especially in financial applications. Several Internet-based applications have adopted triple DES. Amongst the most common ones are PGP and S/MIME3. RC5 is an algorithm with a variable block size, a variable key size, and a variable number of rounds. Such variability provides flexibility at all levels of security and efficiency [3]. IDEA is a symmetric block cipher and is used in PGP, which alone assures widespread use of the algorithm. IDEA uses a 128-bit key to encrypt data in blocks of 64 bits. Blowfish is very fast since it encrypts data on 32-bit microprocessors at a rate of 18 clock cycles per byte, and can run in less than 5K of memory. The variable length key allows a tradeoff between speed and security. Blowfish is one of the most formidable conventional encryption algorithms. 3.2 Public key Encryption Conventional Encryption involved single key called the secret-key. Public-key encryption uses two different keys, which are referred to as public key and "private key. The public key is used for encryption and the private key, which is the one that is kept secret, is used for decryption. Only the matching decryption key can be used to retrieve the original message.

Fig. 3: Public Key Encryption

In conventional encryption, the sender and receiver of a message know the same secret-key. The main challenge here is getting the sender and receiver to agree on the secret key without anyone else finding out. If they are in separate physical locations, they must trust a courier, a
on May 15, 2000. The standard for this selected algorithm will be completed by summer of 2001. More information can be found at the web site http://csrc.nist.gov/encryption/aes/aes_home.htm. 3 PGP (Pretty Good Privacy) is a software package that provides cryptographic routines for e-mail, file transfer, and file storage applications. It runs on multiple platforms. It provides message encryption, digital signatures, data compression, and e-mail compatibility. S/MIME (Secure/ Multipurpose Internet Mail Extensions) is a protocol that adds encryption to Internet MIME (Multipurpose Internet Mail Extensions) messages. 4

phone system, or some other transmission medium and must prevent disclosure of the secret key. The generation, transmission, and storage of a key is called key management. Since all keys in conventional encryption must remain secret, conventional encryption often has difficulty providing secure key management, especially in open systems with a large number of users. In order to solve the key management problem, Whitfield Diffie and Martin Hellman introduced the concept of public-key cryptography in 1976 [4]. Public-key systems have two primary uses, encryption (for privacy), authentication, and digital signatures (for non-repudiation)4. In their system, each person gets a pair of keys, one called the public key and the other called the private key. The public key is published, while the private key is kept secret. The need for the sender and receiver to share secret information is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. In this system, it is no longer necessary to trust the security of some means of communications. The only requirement is that public keys be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by just using public information, but the message can only be decrypted with a private key, which is in the sole possession of the intended recipient. Furthermore, public-key cryptography can be used not only for privacy (encryption), but also for authentication and non-repudiation (digital signatures) and other various techniques. In a public-key system, the private key is always linked mathematically to the public key. Therefore, it is always possible to attack a public-key system by deriving the private key from the public key. Typically, the defense against this is to make the problem of deriving the private key from the public key as difficult as possible. Some examples of the public-key systems include the Rivest-Shamir-Adleman (RSA) scheme that was developed by Ron Rivest, Adi Shamir, and Leonard Adleman, in 1977. Another example is the ElGamal system, which based on the discrete algorithm problem. It consists of both encryption and signature variants. The Merkle-Hellman knapsack is a public-key system first published in 1978. It is commonly referred to as the knapsack cryptosystem. The ChorRivest knapsack system was first published in 1984, followed by a revised version in 1988. LUC is a public-key system developed by a group of researchers in Australia and New Zealand. The cipher implements the analogs of ElGamal, Diffie-Hellman, and RSA over Lucas sequences. LUCELG is the Lucas sequence analog of ElGamal, while LUCDIF and LUCRSA are the Diffie-Hellman and RSA analogs, respectively [5]. The most popular public-key encryption algorithm is the RSA scheme. The algorithm has been employed in the most widely used Internet electronic communications encryption program, Pretty Good Privacy (PGP). It is also employed in both the Netscape Navigator and the Microsoft Explorer web browsing programs in their implementations of the Secure Sockets Layer (SSL), and by Mastercard and VISA in the Secure Electronic Transactions (SET) protocol for credit card transactions.

Authentication is any process through which one proves and verifies certain information. Sometimes one may want to verify the origin of a document, the identity of the sender, the time and date a document was sent and/or signed. A digital signature is a cryptographic means through which many of this may be verified. The digital signature of a document is a piece of information based on both the document and the signers private key. 5

One major advantage of public-key encryption is increased security and convenience, as private keys never need to be transmitted or revealed to anyone. In conventional encryption, by contrast, the secret keys must be transmitted (either manually or through a communication channel). A serious concern is that there may be a chance that an enemy can discover the secret key during transmission. A disadvantage of using public-key encryption is speed. There are many conventional encryption methods that are significantly faster than any currently available publickey encryption method. Nevertheless, public-key encryption can be used with conventional encryption to get the best of both (security advantages of public-key encryption and the speed advantages of conventional encryption).

4. Comparison of Encryption Algorithms

A comparison of a public key encryption system and a conventional encryption system is a tough one to be made since they both have some advantages that the other one does not posses. The conventional encryption system is very fast (almost a thousand times) as compared to the public key encryption system. So whenever the encryption is done, the processing of ciphertext from the plaintext is done using the conventional encryption. However, the major disadvantage of conventional key encryption is the complexity of key management. Moreover, the public-key encryption system can provide several security functionality5 implemented together (it can provide the encryption and authentication together). So, it maybe the best to complement the use of public-key and conventional encryption schemes. While one of these public-key encryption may be used for transferring the keys and authenticating the two parties, conventional encryption can be used for encrypting the plaintext. Technically comparing the various conventional encryption algorithms, with security and speed as the main requirement, Blowfish algorithm provides a highly secured and the most robust encryption algorithm in addition to being the fastest of all. The RC5 algorithm has the longest possible key length (2048 bits), but is not the most secure algorithm. This deficiency is because, security is defined not just key size but also by the algorithm. Blowfish has a better encryption algorithm and substantially larger key size and thus emerges as the most secure system (better than RC5). The governments choice of replacing DES by AES (one of the five finalists) may not be the best choice from the technical (security and speed) perspective. From the economic point of view, 168-bit key, triple DES may be the best to use. Triple DES is just a small variation of DES. Its implementation as a replacement for DES will not require many changes in the software modules or additional investment to upgrade.

The four major security functionality are: Confidentiality or Privacy provided by encryption; Authentication provided by certificates; Integrity provided by secure hash functions in association with message digest; and Nonrepudiation provided by digital signatures. 6

En crp tio n A lgorithm DES

Key Leng th

Bloc k S iz e

cloc k c yc. per byte

56 bits

64 bits 64 bits

45 108 23 50
18

Triple DES 16 8 bits RC5 IDEA

Bl owfi sh

Max. 2048 bits 32, 64 or 12 8 bits 12 8 bits

32 - 4 48 b it s

64 bits
64 bi ts

Table 1: Conventional Encryption

The main comparison in public-key encryption systems is with issues concerning the breaking of the encryption system and the speed involved in decrypting. With these factors, it is concluded that the RSA algorithm is most secure and the fastest. The ElGamal has the disadvantage of being very slow and at the same time it introduces message expansion by a factor of two. The Merkle-Hellman knapsack system and the Chor-Rivest encryption system can be very easily broken. A recent paper by Bleichenbacher shows that many of the supposed advantages of the LUC are either not present or are not as substantial as clamied [13].

RSA E lG am al C h o r-R ivest K nap sack LUC

M ost S ecure, Fastest V ery S lo w E asily B roken L ess efficient

Table 2: Public Key Encryption 5. Encryption Policy

While the intention of using encryption is to protect the security of the communication data, the scope of using this technology has introduced many considerable government concerns. These include issues involving terrorists, foreign political opponents or criminals, trying to prevent being investigated and prosecuted by using the technology to encrypt evidence of illegal activity. Thus the governments have enacted policies to restrict the usage of the cryptography. The
7

policies are known as cryptography policy or encryption policy. However, the effect of the policy has seemed questionable in terms of achieving its initial objectives, and, indeed, it has derived several negative impacts. The issue - whether government should implement any cryptography policies -is, therefore, controversial. According to the U.S. Department of State report in 1996 Country Reports on Human Rights Practices, there were widespread illegal or uncontrolled use of wiretaps by both government and private groups in over 90 countries [6]. This report indicates that the governments have abused their power to invade people's privacy. In some countries, dissidents and human rights organizations under repressive regimes use encryption technologies to share their concerns and transmit sensitive information. Any restrictions on use of encryption would create possibilities for the violation of free expression for individuals in countries where dissent is punished. For two decades, software companies have fought in vain for the right to export encryption products free of stringent licensing requirements. Such worries are decidedly muted on the Clinton Administration new policy, announced on September 16, 1999. This new policy will open the entire commercial sector as a market for strong U.S. encryption products. It will be implemented through regulations to be issued by December 15 [7]. The new policy sets aside years of warnings from law enforcement and defense officials that such a step would endanger national security. With such worries in mind, the administration also announced legislation that would give law enforcement greater resources to combat the use of computers by criminals and terrorists, creating a new FBI unit to focus on cracking codes [8]. In support of human rights, the Cyberspace Electronic Security Act of 1999 ensures that law enforcement maintains its ability to access decryption information stored with third parties, while protecting such information from inappropriate release. It also protects sensitive investigative techniques and industry trade secrets from unnecessary disclosure in litigation or criminal trials involving encryption, consistent with fully protecting defendants rights to a fair trial [9]. In years past, individual shipments of encryption products required federal licenses before export. Under the new policy, companies will need one-time certification for their products. Then they will be free to export as many shipments as they like.

6. Economic Aspects
The objectives of the above polices and encryption technologies are concluded for securing the national security. Although the initial intention may be positive, the result may cause several negative influences that can be categorized into two main aspects: economics and human rights. A study by the Committee to Study National Cryptography Policy has stated that the export control for cryptography creates negative impacts on country's economic development. Consistent with rising emphasis on the international dimensions of business, many U.S. companies must exchange important and sensitive information with their foreign partners or agencies. The restriction policy initially forced the foreign entities to use relative weak cryptography technologies. Under this circumstance, the strength of the U.S. cryptography
8

deployed to protect its data was not meaningful since the information could leak from the foreign side. The intention of the cryptography policy was, therefore, less effective. The present export control regime overcomes the disadvantages of the old one, which caused an impediment to the information security efforts of U.S. corporations competing and operating in world markets. The current regime addresses the globally increasing need for secure communication systems. This was very much needed since even the non-U.S. venders were devoting efforts on developing superior encryption technology and competing with U.S. vendors. Removing the restrictions on the strength of the cryptographic product no longer obstructs the U.S. product's competitiveness, thus enhancing the U.S. firms' competing ability.

7. Key Escrow Feature

The key escrow is a management idea involved with having a trusted third party keep a copy of an encryption key to encrypt or decrypt other people's data. The key could be accessed by law enforcement agencies during an investigation. The EES (escrowed encryption standard) uses a classified algorithm developed by the National Security Agency (NSA). The Department of Commerce issued the EES as a federal information-processing standard for encrypting unclassified information in February 1994 [10]. The criteria, as determined by the U.S. Department of State, for key escrow encryption export licensing mandates that the keys required to decrypt the encryption product's key escrow cryptographic functions' ciphertext shall be accessible through a key escrow feature [11]. The product's key escrow cryptographic functions' keys are escrowed with escrow agents certified by the U.S. Government consistent with law enforcement and national security requirements. Until these agents are certified, the cryptographic functions are inoperable. The ciphertext of the above cryptographic functions contain, in an accessible format, the identity of the key escrow agents and information sufficient for these agents to identify the keys required to decrypt the ciphertext. The product's key escrow feature allows access to the keys needed to decrypt the product's ciphertext regardless of whether the product generated or received the ciphertext. These features also allow for the recovery of multiple decryption keys during the period of authorized access. Under the Key Length feature, the product's key escrow cryptographic functions use an unclassified encryption algorithm with a key length not to exceed sixty-four (64) bits and do not provide the feature of multiple encryption (eg. Triple DES). With the interoperability feature, the product's key escrow cryptographic functions inter-operate only with key escrow cryptographic functions in products that meet these criteria, and not with the cryptographic functions of a product whose key escrow encryption function has been altered, bypassed, disabled, or otherwise rendered inoperative. In the new policy observed on September 16, 1999, the administration dropped the most controversial element of a provision, that would have allowed law enforcement officers to secretly search computers and disable secrecy codes as a prelude to wiretapping (the so called Key Escrow). The encryption keys in the hands of third parties are very sensitive and play a vital
9

role in the still emerging world of cyberspace. No court has considered the issue. The Justice Department's analysis of CESA6 clearly states, "there is no constitutionally protected expectation of privacy in recovery information held by a third party but not under a confidentiality arrangement." Thus, in the Justice Department's view, key recovery agents, in the absence of a contractual confidentiality agreement, could voluntarily disclose keys to the government, and even with such an agreement, the government might be able to compel disclosure of a key with a mere grand jury or administrative subpoena issued without judicial approval and without notice to the person who created the key [12]. CESA seeks to moot the constitutional question by creating a narrow statutory privacy right in escrowed keys, while simultaneously providing a mechanism for the government to get those keys.

As part of its package of encryption policy reforms announced on September 16, the Clinton Administration is transmitting to Congress draft legislation entitled the Cyberspace Electronic Security Act ("CESA"). 10

8. Conclusion
The paper explored the various aspects related to technology, policy, and economics of encryption. The new policy for encryption is good from the economic perspective since it now lets the US companies develop domestic and international products without a limitation on the size of the key, which implies more secured applications. This relaxation of limitation also helps the companies compete in the international market. This policy does decrease the possibility of law-enforcement to invade personal privacy. However, it does not solve the issue of human rights since the keys generated by an entity can be viewed first by the third party recovery agent and secondly by the government which can still have the key issued without judicial approval and without notice to the person who created the key. We would like to recommend that in the upcoming version of the encryption policy, the issue of human rights must be considered in more detail. Also, it was observed that the public key encryption system and the conventional encryption system must be used to complement each other to get the maximum out of both the systems. The most secure and fast conventional encryption algorithm was Blowfish while the best public-key algorithm was RSA. With no more restriction on the key-size for export, more competent, fast, inexpensive, and secured algorithms will constitute the future generation of encryption systems.

11

References
[1] What is cryptography? RSA Laboratories, FAQ can be found at http://www.rsasecurity.com/rsalabs/faq/12.html accessed on November 3, 1999. [2] Web-Security: A Step by Step Reference Guide, chapter 2. Author Lincoln D. Stein, published by Addison Wesley Pub Co, in January 1998. [3] What is RC5? RSA Laboratories, FAQ can be found at http://www.rsasecurity.com/rsalabs/faq/3-6-4.html accessed on November 3, 1999. [4]What is public-key cryptography? RSA Laboratories, FAQ can be found at http://www.rsasecurity.com/rsalabs/ faq/2-1-1.html accessed on November 3, 1999. [5] What are some other public-key cryptosystems? RSA Laboratories, FAQ can be found at http://www. rsasecurity.com/rsalabs/faq/3-6-8.html accessed on November 3, 1999. [6] An international survey of encryption policy, Cryptography and Liberty 1998, can be found at http://www.gilc. org/crypto/crypto-survey.html. Accessed on November 3, 1999. [7] Administration Announces New Approach to Encryption, statement by the press secretary, accessible at the website http://www.bxa.doc.gov/Encryption/whpr99.htm accessed on November 3, 1999. [8] The Washington Post,Curbs on Export of Secrecy Codes Ending by Peter S. Goodman and John Schwardc, Friday, September 17, 1999, accessible at the website http://www.washingtonpost.com/wp-srv/business/daily/ sept99/encryption17.htm [9] Administration Announces New Approach to Encryption, statement by the press secretary, accessible at the website http://www.bxa.doc.gov/Encryption/whpr99.htm accessed on November 3, 1999. [10] Another Whack Against GAK, by J. Orlin Grabbe, dated December 21, 1996. Can be found at the web-site http://www.aci.net/kalliste/gak.htm [11] Draft Software Key Escrow Encryption Export Criteria, dated November 6, 1995 can be accessed at the web-site http://csrc.nist.gov/keyrecovery/criteria.txt [12] Initial CDT Analysis of the Clinton Administration's Proposed Cyberspace Electronic Security Act (CESA): Standards for Government Access to Decryption Keys dated - September 23, 1999. Accessible at the web-site http://www.cdt.org/crypto/CESA/cdtcesaanalysis.shtml [13] D. Bleichenbacher, W. Bosma, and A. Lenstra. Some remarks on Lucas-based cryptosystems. In Advances in Cryptology Crypto '95, pages 386-396, Springer-Verlag, 1995.

12