page 2  (10 pages)
to previous section1
3to next section

1 Encryption Plays an Essential Role in Protecting the Privacy

of Electronic Information

1.1 There is a need for information security.

As we write this paper in late 1995, the development of electronic commerce and the Global Information Infrastructure is at a critical juncture. The dirt paths of the middle ages only became highways of business and culture after the security of travelers and the merchandise they carried could be assured. So too the information superhighway will be an ill-traveled road unless information, the goods of the Information Age, can be moved, stored, bought, and sold securely. Neither corporations nor individuals will entrust their private business or personal data to computer networks unless they can assure their information's security.

Today, most forms of information can be stored and processed electronically. This means a wide variety of information, with varying economic values and privacy aspects and with a wide variation in the time over which the information needs to be protected, will be found on computer networks. Consider the spectrum:

ffl Electronic Funds Transfers of millions or even billions of dollars, whose short term security is essential but whose exposure is brief;

ffl A company's strategic corporate plans, whose confidentiality must be preserved for a small number of years;

ffl A proprietary product (Coke formula, new drug design) that needs to be protected over its useful life, often decades; and

ffl Information private to an individual (medical condition, employment evaluation) that may need protection for the lifetime of the individual.

1.2 Encryption can provide strong confidentiality protection.

Encryption is accomplished by scrambling data using mathematical procedures that make it extremely difficult and time consuming for anyone other than authorized recipients | those with the correct decryption keys | to recover the plain text. Proper encryption guarantees that the information will be safe even if it falls into hostile hands.

Encryption | and decryption | can be performed by either computer software or hardware. Common approaches include writing the algorithm on a disk for execution by a computer central processor; placing it in ROM or PROM for execution by a microprocessor; and isolating storage and execution in a computer accessory device (smart card or PCMCIA card).

The degree of protection obtained depends on several factors. These include: the quality of the cryptosystem; the way it is implemented in software or hardware (especially its reliability and the manner in which the keys are chosen); and the total number of possible keys that can be used to encrypt the information. A cryptographic algorithm is considered strong if:

1. There is no shortcut that allows the opponent to recover the plain text without using brute force to test keys until the correct one is found; and

2. The number of possible keys is sufficiently large to make such an attack infeasible.