Encryption: Protecting yourself and your information. Author: Ethan Dutcher


Introduction

Living in our current "digital" age provides a huge number of conveniences. From the comfort of your own home you can buy shoes on eBay, check your bank statement, pay bills, even do your taxes. It has also changed the way we communicate with each other. Letters became email, answering machines became voice mail, and we can send text, picture, and video messages and have live streaming video chats over the Internet. While having all these available to you in your home might make you feel safe, there are risks involved with these activities.

Out in the "real world" there are many forms of security that keep you safe: PINs, signatures on checks, guards in stores and other places of commerce, vaults in your bank. Even something as simple as an envelope that you put your mail in is a measure of security to keep your information or correspondence private. There are tools like these available for your digital information as well, and one of the most important is encryption.


Problem

According to the Federal Trade Commission, an estimated 9 million Americans are the victims of identity theft each year. These people have had their credit card numbers stolen, had someone rent an apartment or buy a house in their name, or even had warrants put out for their arrest if an identity thief gives their information to a police officer and skips bail. The victims of these crimes can have serious damage done to their credit, which can lead to numerous other problems for a long time.

In recent years, the Internet has become an appealing place for criminals to obtain identifying data, such as passwords or even banking information (Department of Justice). Without proper protection, your personal data can be used for a wide array of nefarious deeds. By making sure that you are using encryption when dealing with personal information and data on the Internet, you are helping to protect much more than just your money.


Early History and Cryptanalysis

Encryption has been around for thousands of years. One of the first known encryption systems was used by Julius Caesar. Called the Caesar cipher, it works by taking every letter of the message you wish to encode and shifting it down the alphabet by a fixed number of places; Caesar used 3. Hence A becomes D, B becomes E, and so on. The word hello would be written as khoor. Caesar was thought to have other ciphers, but none of them have been documented (Loshin).

In the 9th century a mathematician named Al-Kindi developed frequency analysis, which was the beginning of cryptanalysis. Cryptanalysis, also called code breaking, is the process of taking an encrypted message and trying to decrypt it without knowing the key. Frequency analysis is a powerful tool that essentially made most standard shifting encryption systems obsolete at the time.


Civil War and World War II

The Civil War was the first war to significantly use encryption, cryptanalysis, and wire tapping (Garfinkel, 118). Both the Union and Confederate troops would tap into the new telegraph lines that were being used by each army. One of the reasons the Union won was that it practiced better security (Nichols, 87). The Union encryption system used code word substitution, which by the end of the war consisted of over 1,600 different codes. The Confederate system was based on an alphabet shift with three different key words. Not only was the Union's system better, they were also able to intercept and decode about ninety percent of the Confederates' messages.

Encryption also played a huge role in World War II. The German encryption machine, Enigma, was incredibly secure. The Germans would scramble messages and then shrink the text down to a tiny dot and insert the dot as a "period" in some unsuspecting letter or text for secret communications (Mathai). However, once the Allies were able to get hold of one of the machines, the code was broken very quickly. This allowed the Allies to avoid U-boat patrols and ambush enemy supplies. It is widely believed that this brought about the end of the war much more quickly than expected.


Private Key Encryption

For current uses, private key encryption is probably the simplest method available. However, it does have faults that make it harder to use in certain situations. The way private key encryption works is that there is a single key that a group of people share. This key both encrypts and decrypts the message through the chosen cryptosystem. This is often convenient for pairs of people who wish to send messages privately, because it is easy.

There are a few drawbacks to this type of system. If the person you want to speak privately with is across the world, how do you safely give them the key? Also, if you want to speak to different people or groups of people securely, you need more than one key. Or what if you have a group of people sharing a key and one person allows it to get stolen? Then everyone is affected (Baker, 66).

Image from: http://www.cnp-wireless.com/ArticleArchive/Wireless%20Review/200101Security.gif


Public Key Encryption

Public Key encryption uses two different keys, one public and one private. A person can keep their own private key secret and send out their public key to anyone they want to communicate with. Other people can then encrypt their messages with the public key and send them back. Only the private key can decrypt the messages and only one person has it.

Image From: http://www.uic.edu/depts/accc/newsletter/adn26/figure2.html


PGP and E-Commerce.

One of the best encryption systems available to the public is PGP (Pretty Good Privacy). It is a public key encryption system that also does integrity checks on messages (testing whether they were altered since authoring). This is an extremely powerful tool for the general public to have access to. The government was so afraid of it that they began investigating the creator, Phil Zimmermann, when it was discovered it was being used overseas (Garfinkel, 111). At the time it was illegal to export a cryptosystem; they were treated as "munitions." This lasted a few years until all charges were dropped.

Most online shops currently use TLS (Transport Layer Security) to encrypt personal data being sent to them. TLS creates an initial contact with a public key encryption system, then often sends a private key as an encrypted message. The connection then continues with the private key system for that session. When the session is over, the private key is discarded. This creates a temporary secure session between two computers.


Survey

For my observational component I did an anonymous survey online. I made certain that people's identities would be protected by asking them to create a temporary email address and send me the survey that way. What I was asking people was very similar to asking if they locked their door or set their alarm when they left the house. I did not want their responses to be public because I did not want them to become targets (I know it isn't likely, but I thought it was necessary). I also wanted people to respond honestly, and anonymity helps that. The survey questions are below:

Do you use any type of encryption for personal correspondence online?

Do you use any type of encryption when sending or receiving personal or financial data that you send online?

Do you only shop from stores online that use encryption?

If you don't use encryption, why not? What could be done to get you to try it?

Have you ever known someone that was the victim of identity theft?


Survey Results

There were 42 responses. Of those, two people used encryption for personal use. That didn't change for the private/financial usage. 16 people didn't know if every online shop they went to used encryption, 10 said they shopped at places without, and 16 only shopped at places that used encryption.

The most common reason for not using encryption was not knowing how.

6 people knew someone affected by identity theft.


Solution

The main part of the solution has to come in the form of communication. People need to know what tools are available to them and how to use them. There are a number of different things that everyone should know about sharing data on the Internet.

1. There are a few things to check on your web browser when shopping online:
   i. You can tell the transaction is encrypted if the website starts with https (this stands for a secure layered http session).
   ii. There is also normally a small lock icon that will appear in the bottom of your web browser.
   iii. Newer browsers also have the address field change color to blue or green to indicate a secure connection.

2. Sending email is like sending a postcard; most email is not secured or encrypted in the slightest.

3. You should be taking care to keep the same things private online that you normally would.

4. If there is any doubt about a site or company then you shouldn't deal with them; it is often a lot more difficult to trace cyber crime than normal robberies.


Solution Cont.

The question is, who should get this information out to people? One thought is to have the Internet service providers give pamphlets, a DVD or web link, or even classes to customers when they sign up for Internet access. These are their customers, and it would make sense to give them enough information to protect themselves on their service. The government is another choice, and they do have pages dedicated to consumer protection; however, they also don't have the budget to send this type of information to the populace.

Communication isn't the only issue needed to resolve the problem of people not properly using encryption. It also has to become easier and more accessible to the general public. Encryption systems should come packaged with email software or they could become integrated in the operating system of personal computers. There are already programs that scan the content of your email as you are writing and before you send it. These programs could scan for key words like 'account number', 'payment', etc. If an email is thought to contain personal information the program could suggest encryption to the user before it is sent out.
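The pre-send check proposed above, as an added Python example that is not the author's or any mail program's code. It goes beyond the page's keyword idea by also flagging card-like digit runs that pass the Luhn checksum and US Social Security number patterns; the keywords other than 'account number' and 'payment', the patterns, and the function names are assumptions of this example.

```python
import re

# 'account number' and 'payment' come from the page; the rest are assumed additions.
KEYWORDS = ("account number", "payment", "routing number", "social security", "password")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

def scan_draft(body):
    """Return the reasons a draft looks sensitive (empty list if none)."""
    findings = []
    lowered = body.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append("keyword: " + kw)
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            # Report only the last four digits so the warning itself leaks nothing.
            findings.append("possible card number ending " + digits[-4:])
    if SSN_RE.search(body):
        findings.append("possible US Social Security number")
    return findings

def should_suggest_encryption(body):
    """True when the mail client should offer to encrypt before sending."""
    return bool(scan_draft(body))

if __name__ == "__main__":
    # Constructed draft; 4111 1111 1111 1111 is a widely used test card number.
    print(scan_draft("Use 4111 1111 1111 1111 for the payment."))
```

Keyword matching alone produces many false positives and misses data that carries no label, which is why the structural checks are worth adding.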


Solution - Future (Biometrics)

The major focus for the future of encryption is the field of biometrics. Using scanners, parts of a person can be used to create individual keys for personal encryption. Fingerprints, retinal scans, voice identification, even DNA testing are going to be our future for keeping our personal data secure. It is starting already; there are numerous models of laptops that currently ship with fingerprint scanners to turn on or log in to the computer. Soon you will likely be able to simply sit down in front of your computer and let yourself be the key to your data, but until then it is a good idea to take precautions.

Images from: http://www.biometricvisions.com/technology/technology.htm