This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
A secure computing environment would not be complete without consideration of encryption technology. The term encryption refers to the practice of obscuring the meaning of a piece of information by encoding it in such a way that it can only be decoded, read and understood by people for whom the information is intended. It is the process of encoding data to prevent unauthorized parties from viewing or modifying it.
The use of simple codes to protect information can be traced back to the fifth century BC. As time has progressed, the methods by which information is protected have become more complex and more secure. Encryption can be used to provide high levels of security to network communication, e-mail, files stored on hard drives or floppy disks, and other information that requires protection.
The goal of this article is to present the reader with an introduction to the basics of encryption, its role in the small office/ home office environment and the benefits and drawbacks of encryption to the non-professional user who is concerned about information security.
Encryption is said to occur when data is passed through a series of mathematical operations that generate an alternate form of that data; the sequence of these operations is called an algorithm. To help distinguish between the two forms of data, the unencrypted data is referred to as the plaintext and the encrypted data as cipher text. The security of encryption lies in the ability of an algorithm to generate cipher text that is not easily reverted to the original plaintext.
In a very simple example, encryption of the word "secret" could result in "terces." Reversing the order of the letters in the plaintext generates the cipher text. This is a very simple encryption - it is quite easy for an attacker to retrieve the original data. A better method of encrypting this message might be to create an alternate alphabet by shifting each letter by some arbitrary number. This is known as a substitution cipher, a form of encryption that is still used in puzzle books today. For example, encrypting the word "secret" with an alphabet shifted by 3 letters to the right produces "vhfuhw." A substitution cipher simply exchanges one letter or word with another. This particular algorithm is called the "Caesar Cipher".
Understanding of Encryption
Suppose we want to encrypt a simple message like "THIS IS ENCRYPTED"
consider a string of alphabets as shown below:
Have another string of alphabets like those shown below:
Now position the alphabets in such a way that we move each alphabet in the above string to 4 places to the right. So that it looks like:
Now keep both the strings one below the other, like shown below
ABCD EFGH IJKL MNOP QRST UVWXYZ
WXYZ ABCD EFGH IJKL MNOP QRSTUV
You have re-arranged alphabets which correspond to the original alphabet you would like to use. Hence, "THIS IS ENCRYPTED" would read as "PDEO EO AJYNULPAZ"
So you could now successfully encrypt a message, using an algorithm (Moving it to X places right and writing down the alphabet that corresponds to the original one , after moving it) and a key ( that you moved it to 4 places right).
So if your recipient knows this, it is easy to decrypt the code and read the message. However, from a purely security standpoint -- this is still very vulnerable to hacks because it is relatively easy to try the keys between the range of 0 to 26 in this case and crack the code.
In the quest for a more secure method of protecting information, the introduction of a key adds another level of security. A key is a piece of information that allows only those that hold it to encode and decode a message. Keys come in many different forms such as passwords, numbers generated by an algorithm, digital fingerprints and even electronic devices that work like door keys. It is a series of numbers or symbols that are used to encode a message so that it can only be read by someone in possession of that key or a related key. A key allows both the sender and the recipient of the message to understand how the message has been encrypted and assures them that nobody else knows how it has been encrypted. It is the key that enables the recipient to properly decode the message.
Using the previous example of a substitution cipher, anyone who knows the Caesar Cipher can decrypt all messages encrypted with it, regardless of who actually encrypted the message. One could strengthen the substitution cipher with a key, by choosing an arbitrary number and using that as the number of letters by which to shift when creating their alternate alphabet. That number therefore becomes the key by which the message is unlocked.
The individual who is sending the message communicates the key to the recipient of the message, allowing them to unlock it. One disadvantage of this system is that an attacker can decrypt the message if the key is intercepted. To protect the key, encryption can be used during communication or the key can be sent in a separate communication.
Symmetric and Asymmetric Encryption
There are two general categories for key-based encryption - symmetric and asymmetric. Symmetric encryption uses a single key to encrypt and decrypt the message. This means the person encrypting the message must give that key to the recipient before they can decrypt it. To use symmetric encryption, the sender encrypts the message and, if the recipient does not already have a key, sends the key and cipher text separately to the recipient. The recipient then uses the key to decrypt the message. This method is easy and fast to implement but has weaknesses; for instance, if an attacker intercepts the key, they can also decrypt the messages. Furthermore, single key encryptions tend to be easier for people to crack, which means that the algorithm that is used to encode the message is easier for attackers to understand, enabling them to more easily decode the message.
Asymmetric encryption, also known as Public-Key encryption, uses two different keys - a public key to encrypt the message, and a private key to decrypt it. The public key can only be used to encrypt the message and the private key can only be used to decrypt it. This allows a user to freely distribute his or her public key to people who are likely to want to communicate with him or her without worry of compromise because only someone with the private key can decrypt a message. To secure information between two users, the sender encrypts the message using the public key of the receiver. The receiver then uses the private key to decrypt the message. Unlike with single or shared keys, in the asymmetric key system only the recipient can decrypt a message; once the sender has encrypted the message he or she cannot decrypt it. The private key is never distributed; therefore an attacker cannot intercept a key that decrypts the message.
The process of converting messages, information, or data into a form unreadable by anyone except by the intended recipient has been carried out through ages. Encrypted data must be deciphered, or decrypted, before it can be read by the recipient. The root of the word encryption-crypt-comes from the Greek word kryptos, meaning hidden or secret. In its earliest form,
People have been attempting to conceal certain information that they wanted to keep to their own possession by substituting parts of the information with symbols, numbers and pictures, this paper highlights in chronology the history of Cryptography throughout centuries. For different reason humans have been interested in protecting their messages.
The Assyrians were interested in protecting their trade secret of manufacturing of the pottery. The Chinese were interested in protecting their trade secret of manufacturing
Silk. The Germans were interested in protecting their military secrets by using their famous Enigma machine. With the advancement of computers and interconnectivity, the United States governmental institutions and industries are subject to cyber attacks, intrusion and industrial espionage.
4500 BC: Egypt
Around 4500 BC during the Egyptian Old Kingdom some hieroglyphics were incorporated with hidden meanings that do not fit in context with the rest of the writings they are found in. It is believed that these are an early form of encryption, but their purpose cannot be discerned.
Around this time period documented cases of steganography are common. This was practiced on slaves, who had their heads first shaved, then a coded message tattooed on them. Their hair would then grow back, concealing the message.
500 BC - Middle East
Somewhere around this time the Hebrew people began to use monoalphabetic substitution ciphers to hide their religious works. This was important to prevent persecution in case a document was captured. It is believed that some other pieces in the works might have used coding to refer to contemporary figures.
E.g. A=Z | N=M
C=X | P=K
D=W | Q=J
E=V | R=I
F=U | S=H
G=T | T=G
In 1795 Thomas Jefferson invented a cipher system known as the Jefferson disk. The disk used 26 wheels with letters of the alphabet arranged randomly around them. The ordering of the disks is the central part of the encryption. With the disks in order the coder spells out the message with the disks, and then picks any of the other sections that are encoded to write out the message. The receiver then has to put the disks in the prescribed order, put in the message, and the coded text will be revealed.
1919 CE - Germany
The Weimar Germany Foreign Office adopts a short lived trial in the usage of a manual one-time pad for sensitive communications. A one-time pad, considered possibly the only form of unbreakable encryption is a single way of ciphering that is used only one time in one instance, and then never again. The key to the message must travel with it, and after its single use is no longer used.
1975 CE - America
IBM submitted a proposal to develop a secure standard for businesses like banks to communicate electronically. The Standard, called the Data Encryption Standard (DES) uses what was even then considered a weak form of 56 bit encryption. Despite being broken on numerous occasions it is still widely used today.
1976 CE - America
Whitfield Diffie and Martin Hellman publish their asymmetric key system to the public. An asymmetric key is different because it allows two users to communicate securely without having access to a shared secret key. For example, the public key acts as a key to lock a lock and the private key can only unlock it. The two keys are related mathematically, and breaking one should not affect the other. This directly led to modern day encryption methods.
1976 CE - America
Whitfield Diffie and Martin Hellman publish their asymmetric key system to the public. An asymetric key is different because it allows two users to communicate securely without having access to a shared secret key. For example, the public key acts as a key to lock a lock, and the private key can only unlock it. The two keys are related mathematically, and breaking one should not affect the other. This directly led to modern day encryption methods.
1991 CE - America
The first case of widespread regulation by the government on encryption methods was the publishing of the Pretty Good Privacy (PGP) Program by Phil Zimmerman in 1991. The program was initially intended so that people could use secure BBS systems and store files. The program's source code was openly distributed and no charges were applied for its use. Zimmerman became the target of a criminal investigation when the program began to be distributed internationally. At the time, using systems with over 40 Bits of encryption were considered illegal, and PGP used just under 128. Charges were eventually dropped due to public response, but the regulations are still in place.
Common Uses of Encryption
Authentication is the process of logging in, signing on or otherwise presenting information or oneself in a manner that proves his or her identity. The most common example of authentication is the use of a username and password to gain access to a system, network or web site. The username and password combination is often referred to as a person's credentials and it is frequently sent over networks. Encryption is used to protect these credentials. If no encryption is used to protect the information as it is sent over the network, an attacker could capture those credentials and assume the identity of the originator.
Validation: Fingerprints and Digital Signatures
Validation describes the ability to provide assurance that a sender's identity is true and that a message, document or file has not been modified. Encryption can be used to provide validation by making a digital fingerprint of the information contained within a message. A digital fingerprint is a code that uniquely identifies a file or a message by reflecting the content of the file with tremendous specificity.
The encryption program produces the digital fingerprint by performing a byte-by-byte mathematical analysis of the message. Any attempt to modify the message will change the fingerprint. Comparison between a fingerprint known to be good and one sent to the recipient can indicate whether or not the message has been modified. While a fingerprint can indicate that the message has not been tampered with, it does not assure the recipient of the identity of the sender. For that assurance, the sender can utilize a digital signature.
A digital signature is a piece of information that proves the identity of the sender. It is a digital stamp or personal seal that is made using a private key. A sender can electronically or digitally sign a message and its fingerprint before delivery to a recipient. Upon receiving the message, the recipient verifies this signature, using the public key that the sender has previously communicated, indicating that the sender is the expected person. The recipient can verify the fingerprint of the message. Upon validation, the recipient can be reasonably sure that the message came from a trusted person and that the contents of the message have not been modified.
Probably the most widely-used application of encryption is in the area of data protection. The information that a business owns is invaluable to its productive operation; consequently, the protection of this information is paramount. For people working in small offices and home offices, the most practical uses of encryption for data protection are file and email encryption.
Encryption of files protects the data that is written to the hard disk on the computer. This information protection is vital in the event of theft of the computer itself or if an attacker successfully breaks into the system. However, file encryption becomes more difficult to use and manage if the office has multiple employees. Because each employee needs the encryption key, protection of the key becomes a more difficult task. The more people who have access to encryption keys, the less effective encryption becomes. The risk of loss, theft or compromise of information rises as the number of users increases. Files that have been encrypted are also vulnerable to employees who leave the organization or who are disgruntled and may want to cause the organization harm.
Email encryption can be used more easily in office environments as private encryption keys are not generally shared among users and each user has a separate mailbox. When sending a message to multiple recipients, it can be encrypted for each person individually. The encryption key is therefore still private to the sender.
Secure Socket Layers: Encryption for E-Commerce
While we have discussed encryption in the context of file protection and e-mail security, it is also a valuable security resource for web-based information exchange. The small office/ home office or personal computer user often sees this when doing business via web sites. E-commerce web sites use SSL (Secure Sockets Layer) to protect important information such as credit card numbers as they travel across the network. SSL creates a private communication path between the web browser and the web server, encrypting all information that goes between the systems. Most common web browsers have SSL support built in and e-commerce companies can purchase or get freely available web servers that support SSL.
Virtual Private Networks
The use of encryption has been extremely valuable in the increase of people who are able to work from home. Encryption provides a secure means for users to connect to their employer's network from outside of the home or office. Virtual Private Networks (VPN) allow remote users to connect to the home- and small-office network from distant places via the Internet by creating an encrypted path to that network. This is useful when cooperating with other organizations, working from remote locations or allowing remote users access to the local network.
Security, Encryption and the Small Office/ Home Office User
The use of encryption alone does not guarantee security; rather, it is one piece of a more complex security puzzle. Encryption can provide a higher level of security when implemented in conjunction with other security measures as it protects data during storage and when communicating information between parties. It is important to note that encryption does not protect the user or network from other security threats such as viruses, network attacks and system compromise. Encryption can be very useful in protecting information that is being transmitted from one computer to another; however it does nothing to protect the integrity of the channels along which those messages travel. As such, it has no bearing on denial of service attacks, port scanning and other network attacks.
Encryption and Viruses
Viruses infect computers many different ways, some of the most common methods are via file transfer and email. In and of itself encryption does not prevent the transmission of malicious code of any kind. However, the use of encryption as a validation mechanism can provide a higher level of trust when receiving files and information from other people by ensuring that the source and contents of the message are trusted. Digital signatures and message fingerprints can provide reasonable assurance that the file originates from the expected party and that it has not been tampered with. Encryption does not necessarily solve the problem completely though - a trusted source may unsuspectingly send an already infected file that is then validated.
Denial of Service Attacks
Encryption can protect a user's credentials from capture, but is somewhat helpless against attacks that are intended to compromise a system. System compromise results from attacks against an operating system feature or service, and can only be rectified by secure development practices and analysis of the software. Encryption does not protect against network attacks such as denial of service, port scanning and other information gathering tactics. These attacks are generally independent of the use of encryption within a network or system.
Implementation and Use
When working in or establishing a small office and home office environment it is important to establish the need for security of company files, data and information. Encryption can help provide a high level of security, but there are other pertinent factors that can help users decide if it is the best solution for their needs.
Aside from the technical aspects and benefits of it encryption technology, it is important to consider the surrounding business issues with the use of encryption. Cost and technical support along with ease of implementation and use are factors that merit consideration. Encryption technology is very complex and requires deep technical knowledge to be implemented properly. The implementation often requires additional hardware and software, as well as the aid of technical experts to setup the system. As well, as a business enterprise grows, costs for encryption may also increase. It is vital that small office and home office users decide whether or not encryption is necessary or justified for their security purposes before undertaking the monetary and time commitments required to implement encryption properly.
There are many commercial packages that provide data encryption, network security and other features. Commercial vendors make encryption technology easy to use by helping them with installation, setup and the support of experts. They also provide simple user interfaces that make them easy to use. The cost for this level of involvement and support is high.
As an alternative to these commercial applications, free encryption technology can be found on the Internet; however, they may require a high degree of technical understanding because the installation, setup, use and management falls on the shoulders of the business and its users. Users must rely on Internet mailing lists and newsgroups for information, as dedicated support resources are often unavailable. In short, there are monetary and complexity costs that need consideration with both commercial and alternative packages.
Technicality of Encryption
Cipher (or cypher) is an algorithm for performing encryption or decryption. A cipher is a series of well-defined steps that can be followed as a procedure. In simpler terms, a "cipher" is the same thing as a "code"; however, the concepts are distinct in cryptography. Codes work by substituting from a codebook. It links a random string of characters or numbers to a word or phrase. For example, "TGBYH" could be the code for "This is a code block". In a cipher the original information is referred to as plaintext, and the encrypted form as ciphertext. The ciphertext message contains all the information of the plaintext message, but it is not in a format readable by a human or computer without the proper mechanism to decrypt it. It may resemble to random gibberish to those who are not intended to read it.
The operation of a cipher usually depends on a piece of auxiliary information, called a key. The encrypting procedure is varied depending on the key, which changes the detailed operation of the algorithm. A key must be selected before using a cipher to encrypt a message. Without knowledge of the key, it should be difficult, if not nearly impossible, to decrypt the resulting ciphertext into readable plaintext.
Most modern day ciphers can be categorized in several ways.
By whether they work on blocks of symbols usually of a fixed size (block ciphers), or on a continuous stream of symbols (stream ciphers).
By whether the same key is used for both encryption and decryption (symmetric key algorithms), or if a different key is used for each (asymmetric key algorithms). If the algorithm is symmetric, the key must be known to the recipient and sender and to no one else. If the algorithm is an asymmetric one, the enciphering key is different from, but closely related to, the deciphering key. If one key cannot be deduced from the other, the asymmetric key algorithm has the public/private key property and one of the keys may be made public without loss of confidentiality.
Some of the different ciphers used by people around the world are:
Transposition & Substitution Ciphers
Transposition type of ciphers are created by simply rearranging the letters in the word itself. For example, the letters in the word CHYPRAGTOPRY can be unscrambled to reveal the word CRYPTOGRAPHY.
Substitution ciphers involves changing the letters of a message and replacing them with numbers, symbols or even other alphabets. So if we were to substitute C=D, R=O, Y=H then cryptography might look like dohomrzofqyh.
Is a cipher which incorporates the message (the plaintext) into the key.
There are two forms of autokey cipher:
i) key autokey ciphers - It uses the previous members of the keystream to determine the next element in the keystream.
ii)text autokey ciphers - It uses the previous message text to determine the next element in the keystream.
The communication channel is a standard wire, and conceptually the sender can transmit a message by simply switching between two different resistor values at one end of the wire. At the other end, the receiver can also reciprocate by switching in and out resistors. No signals are sent along the line. The receiver simply uses a spectrum analyser to passively measure the Johnson noise of the line. From the noise, the total resistance of the line can be calculated. The receiver knows his/her own resistor value, so can then deduce the sender's resistor. In this way messages can be simply encoded in terms of binary states dependent on two resistor values. The system is thought to be secure because although an eavesdropper can measure the total resistance, he/she has no knowledge of the individual values of the receiver and sender.
The use of resistors is an idealization for visualization of the scheme, however, in practice, one would use artificially generated noise with higher amplitude possessing Johnson-like properties. This removes the restriction of operation within thermal equilibrium. It also has the added advantage that noise can be ramped down to zero before switching and can be ramped up back to the nominal value after switching, in order to prevent practical problems involving unwanted transients.
To protect the Kish cypher against invasive attacks, including man-in-the-middle attacks, the sender and receiver continuously monitor the current and voltage amplitudes and broadcast them via independent public channels. In this way they have full knowledge of the eavesdropper's information.
These are just a few possibilities. Creating a cipher is easy but creating one which cannot be cracked by others easily is a tough task. The cipher should serve its purpose i.e. only the people for whom the plaintext is intended for should be able to open it.
Data Encyption Standard:
 Data Encryption Standard, Federal Information Processing
Standards Publication (FIPS PUB) 46, National Bureau of
Standards, Washington, DC (1977).
 Data Encryption Algorithm (DEA), ANSI X3.92-1981, American
National Standards Institute, New York.
Advanced Data Encryption Standard:
SafeBoot® Device Encryptionâ„¢
In today's organizations, mission-critical data travels freely across networked environments and the Internet, and it is stored and accessed on PCs, laptops, tablet PCs, a variety of mobile devices, and even removable storage devices such as discs. SafeBoot Device Encryption for PCs, laptops, and tablet PCs uses strong access control, and pre-boot protection to authenticate users, and it supports Single Sign-On (SSO). It uses algorithms such as RC5-1024 and AES-256 to encrypt data on all storage drives. Encryption and decryption are transparent to the user and performed on the fly, with
virtually no performance loss. In addition to industry-leading, award-winning authentication and encryption technologies, SafeBoot Device Encryption for PCs, laptops, and tablet PCs offers, central management capabilities, extensive mandatory security policies, and secure
Strong Access Control, Pre-Boot Protection and Certificate Integration
The SafeBoot Device Encryption solution offers secure hibernation and authenticates both users and machines prior to the system ever booting (it also offers pre-boot event logging). In addition to password authentication, SafeBoot Device Encryption supports two-factor pre-boot authentication (F2-PBA), which requires users to both "know something" and "have something" before PCs, laptops, and tablet PCs are allowed to start. SafeBoot Device Encryption also offers multiple options for two-factor security, including numerous Smart Cards and USB token technology. SafeBoot Device Encryption supports authentication via PKI certificates and provides access to SafeBoot and the machine's PKI infrastructure.
Extensive Mandatory Security
SafeBoot Device Encryption's central management system provides an administrator with the tools to easily set and enforce extensive mandatory security policies. Users have no control over the SafeBoot security policies, because these policies are transparently enforced. Also, administrators will find great ease-of-use in setting mandatory security policies for users.
If a user forgets a password, loses a token, or leaves the organization, SafeBoot Device Encryption's tools safely recover the protected systems, without using an unsafe master password as a "backdoor." Password and token recovery is only a phone call or a Web page away.
Benefits of SafeBoot Device Encryption
SafeBoot Device Encryption for PCs, laptops, and tablet PCs offers users and organizations the following features and benefits:
â- Protects PCs, laptops, tablet PCs against unauthorized access
â- Offers full encryption of data on hard disks
â- Eliminates the need for hard drive shredding
â- Helps achieve compliance with legislation (i.e. Sarbanes-Oxley, HIPAA, etc.)
â- Helps enforce mandatory, company-wide security policies
â- Offers boot protection, pre-boot authentication, pre-boot event logging, and protects against master boot viruses
â- Encrypts data on-the-fly and is transparent, requiring no end-user training
â- Supports Single Sign-On (SSO) and all popular Smart Cards and tokens
â- Supports all common languages, keyboards, and Windows OS.
â- Uses multiple standardized algorithms such as RC5-1024
Architecture: BlackBerry Enterprise Server
The BlackBerry® Enterprise Server consists of various components that are designed to perform the following actions:
provide data from an organization's applications to its BlackBerry device users
monitor other BlackBerry Enterprise Server components
process, route, compress, and encrypt data
communicate with the wireless network
Standard BlackBerry encryption
The BlackBerry® Enterprise Solution uses a symmetric key encryption algorithm that is designed to protect data in transit between a BlackBerry device and the BlackBerry® Enterprise Server. Standard BlackBerry encryption, which is designed to provide strong security, helps protect data in transit to the BlackBerry Enterprise Server when message data is outside of the organization's firewall.
Standard BlackBerry encryption is designed to encrypt messages that a BlackBerry device sends or that the BlackBerry Enterprise Server forwards to the BlackBerry device. Standard BlackBerry encryption encrypts messages as follows:
from the time the user sends an email message or PIN message from the BlackBerry device to the time when the BlackBerry Enterprise Server receives the message
from the time the BlackBerry Enterprise Server receives a message to the time when the user opens the decrypted message on the BlackBerry device
Before the BlackBerry device sends a message, it compresses the message and then encrypts the message using the master encryption key, which is unique to that BlackBerry device. The BlackBerry device does not use the master encryption key in the compression process.
When the BlackBerry Enterprise Server receives the message from the BlackBerry device, the BlackBerry Dispatcher decrypts the message using the master encryption key of the BlackBerry device, and then decompresses the message.
How the BlackBerry Enterprise Server uses a Triple DES encryption algorithm
The BlackBerry® Enterprise Solution uses a two-key Triple DES encryption algorithm to create message keys and master encryption keys. In each of three iterations of the DES algorithm, the first of two 56-bit keys in outer CBC mode encrypts the data, the second key decrypts the data, and then the first key encrypts the data again. For more information, see Federal Information Processing Standard - FIPS PUB 81 .
The BlackBerry Enterprise Solution stores the message keys and master encryption keys as 128-bit long binary strings, with each parity bit in the least significant bit of each of the 8 bytes of key data. The message keys and master encryption keys have overall key lengths of 112 bits and include 16 bits of parity data.
Data that BlackBerry devices encrypt by default
The BlackBerry® Enterprise Solution encrypts data traffic in transit between the BlackBerry® Enterprise Server and the BlackBerry devices automatically. By default, the BlackBerry Enterprise Solution generates the device transport encryption key and message key that the BlackBerry Enterprise Server and BlackBerry devices use to encrypt and decrypt all data traffic between them.
System requirements for file encryption on BlackBerry devices Internal files
Device transport encryption keys
Java® based BlackBerry devices that run BlackBerry® Device Software Version 4.0 or later
BlackBerry Enterprise Server Version 4.0 SP6 or later
Java based BlackBerry devices that support external file storage using a media card (BlackBerry devices that run BlackBerry Device Software Version 4.2 or later)
BlackBerry Enterprise Server Version 4.0 SP3 or later
Java based BlackBerry devices that run BlackBerry Device Software Version 4.1 or later
Users can configure the following options to turn on encryption of stored files on their supported BlackBerry devices. Internal files
Device transport encryption keys
Turn on the Content Protection option (Options > Security Options > General Settings).
1. Turn on Media Card Support (Options > Media Card or Options > Memory > Media Card Support).
2. Set the encryption mode for the external file system. The BlackBerry device encrypts files stored on the media card.
3. Choose whether to encrypt media files in external memory only on the device.
BlackBerry Device Software version 4.7 or later: If you set the Encrypt Media Files option to Yes, the BlackBerry device encrypts all files that have an audio, image, or video MIME type, excluding OMA DRM file types (.dcf, .odf, .o4a and .o4v).
BlackBerry Device Software version earlier than 4.7: If you set the Encrypt Media Files option to Yes, the BlackBerry device encrypts files according to the folders they are stored in on the media card (/BlackBerry/videos/, /BlackBerry/music/, /BlackBerry/pictures/, /BlackBerry/ringtones/ and /BlackBerry/voicenotes/).
Note: The BlackBerry device does not encrypt files transferred using USB while the Mass Storage Mode Support option is turned on, or OMA DRM files. OMA DRM files are protected using the OMA DRM standard.
This option is not available for control by BlackBerry device users.
Protecting user data stored on a locked BlackBerry device
If content protection is turned on, on BlackBerry devices, user data that the BlackBerry devices store is always protected with the 256-bit AES encryption algorithm. Content protection of BlackBerry device user data is designed to perform the following actions:
use a 256-bit AES content protection key to encrypt stored data when the BlackBerry device is locked
use an ECC public key to encrypt data that the BlackBerry device receives when it is locked
Turning on protected storage of BlackBerry device data in internal memory
You turn on protected storage of data on the BlackBerry device by setting the Content Protection Strength IT policy rule. You should choose a strength level that corresponds to the desired ECC key strength.
If a BlackBerry device user turns on content protection on the BlackBerry device, in the BlackBerry device Security Options, the BlackBerry device user can set the content protection strength to the same levels that you can set using the Content Protection Strength IT policy rule.
Guidelines for setting the internal memory encryption level
When the content-protected BlackBerry device decrypts a message that it received while locked, the BlackBerry device uses the ECC private key in the decryption operation. The longer the ECC key, the more time the ECC decryption operation adds to the BlackBerry device decryption process. Choose a content protection strength level that optimizes either the ECC encryption strength or the decryption time.
If you set the content protection strength to Stronger (to use a 283-bit ECC key) or to Strongest (to use a 571-bit ECC key), consider setting the Minimum Password Length IT policy rule to enforce a minimum BlackBerry device password length of 12 characters or 21 characters, respectively. These password lengths maximize the encryption strength that the longer ECC keys are designed to provide. The BlackBerry device uses the BlackBerry device password to generate the ephemeral 256-bit AES encryption key that the BlackBerry device uses to encrypt the content protection key and the ECC private key. A weak password produces a weak ephemeral key.
Trends in government encryption policies
Network World on Security, 08/18/99
One of the most challenging aspects of this new, global Internet-based economy is maximizing your potential across geographical boundaries while working within the constraints of each country's laws and regulations. The complexities of encryption policies around the world illustrate this point best. The research projects we've done in the area of international encryption policy have given us the sense that we have horse-and-buggy government policies in an age of rocket-fueled economies. However, we are seeing trends that give us some hope.
Encryption Policies are relaxing
While this certainly is not occurring at a pace encryption advocates would prefer, we are seeing more "safe" countries with each report and have seen a few key events take place in 1999 that seem to point to less controls for crypto:
France: which has historically had one of the most draconian sets of encryption restrictions, significantly liberalized its policies this past March. The supply and use of crypto systems with up to 128-bit keys now require simple declaration as opposed to prior authorization.
Germany: In June, the German government issued "Cornerstones of German Encryption Policy," a document that clearly shows a shift in policy towards promoting strong crypto as a way to protect personal liberties. We believe this will be a growing trend and that law enforcement will begin to see that strong encryption prevents more crimes than it conceals.
The U.S.: Bernstein vs. Department of Justice ruling in May is being considered by many the beginning of the end of government encryption controls. Professor Bernstein won the case, stating that his First Amendment rights to free speech were violated when he could not post his strong crypto algorithms on his Web site as an instructional aid in support of his cryptography course. Pending legislation in Congress, like the SAFE Act, promises some relaxation of export policies, though it is hard to tell how relaxed it will be when it's finally enacted into law.
To be sure, the path towards free use of crypto is not direct - it is more like two steps forward, one step back. However, the pressure exerted by grassroots organizations and the industry appears to be turning the tide.
Most crypto friendly region in the world? Latin America While the U.S. and Europe tend to have dual-use restrictions (easy to import, hard to export), Latin America seems to be lacking laws restricting import, export or domestic usage of cryptography. Argentina is the sole nation in South America to have signed the Wassenaar Arrangement for crypto control. When you consider that developing nations appear to be proportionately higher adopters of Open Source and Linux technology, this region could have a very bright future.
The former Soviet bloc is a mixed bag
Russia and some of the breakaway Soviet states, such as Kazakhstan and Uzbekistan, have some of the most prohibitive laws. On the other hand, Lithuania and Latvia have no restrictions. Hungary and Slovenia have laws encouraging encryption as a means of encouraging personal privacy. The Wassenaar Arrangement is an anomaly
Thirty-three nations, including the U.S., signed the Wassenaar Arrangement on Dec. 3, 1998, to set boundaries for international exports of encryption. The primary function of Wassenaar has been to control the export of munitions into terrorist nations; however, encryption technology is also covered by the agreement, due in large part to the efforts of the U.S. Some of the 33 countries that signed Wassenaar, including most European nations, are presently the major sources for the international distribution of cryptographic software.
Previously, generally available encryption software was exempt from export restrictions under the Wassenaar Arrangement. But the December changes impose greater restrictions on overseas developers whose products incorporate strong encryption. The agreement is purposefully vague about "public domain" and "mass market" exemptions, mentioning mail-order distribution as possibly being exempt but making no mention of Internet distribution. However, it is up to each member nation to enforce Wassenaar, and it appears that by the recent actions of Wassenaar signatory nations that things are moving in exactly the opposite direction. At this point in time, it is important to check frequently with the Wassenaar nations and track changes.
When in doubt
If export regulations are an issue for you, it is easier to bring a clean machine through customs and download the crypto software you need. PGP [Pretty Good Privacy], for example, is widely available outside of the U.S. at locations such as Replay. It is possible to generate key pairs, use the software, and then remove it before traveling. The software can then be downloaded and reinstalled. If crypto regulations are not changed soon, we will see this mode of operation automated, and technology will again make policy obsolete. We are starting to see install stubs and scripts in the Open Source software world. Rather than putting some export-controlled strong encryption code on a distribution medium, it can be replaced by an install script. When the software is installed, the script can perform an Internet download from a "legal" site and install the strong encryption code. Technology like this threatens to make export restrictions obsolete.
Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects.
Government and encryption
The 47-6 vote to amend the Security and Freedom through Encryption (SAFE) Act, a bill that would remove all controls on the export of computer encryption products, comes just weeks after senior Defense Department and intelligence officials warned lawmakers that eradicating controls on the technology would give terrorists and other criminal organizations around the world the means to cloak their plans for carrying out violence in a web of electronic secrecy.
The amendment, introduced by representatives Curt Weldon (R-Pa.), Norman Sisisky (D-Va.) and Robert Andrews (D-N.J.), allows the export of encryption products developed by U.S. firms but also calls for strict licensing approval before companies can export the most powerful products currently on the market. In addition, the amendment makes no mention of controls on the domestic use of encryption products and does not include any language covering encryption-key recovery or key escrow.
"Calling [House Resolution] 850 the 'SAFE' Act is like calling Slobodan Milosevic a saint-it's a serious misnomer," said Weldon, who also serves as chairman of the House Armed Services Committee's Research and Development Subcommittee. "The SAFE Act, without this amendment, would do more harm than good," Weldon said. "In fact, it would seriously jeopardize America's national security by allowing the uncontrolled, worldwide proliferation of our nation's most advanced encryption technology," he said.
Speaking before the committee markup session began, committee chairman Rep. Floyd D. Spence (R-S.C.) said the amendment "will make sure that the federal government is not arbitrarily handicapped in its ability to protect public safety and national security." In addition, "it also recognizes the need for flexibility in this fast-changing technological sector by giving the president the tools necessary to strike a balanced national policy," he said.
"This amendment ensures that the concerns raised by federal agencies that are responsible for protecting our national security are met," Weldon said. While Weldon's amendment allows the export of encryption technology, "it simply requires licensing approval for encryption above certain levels to ensure that we do not endanger our own national security," he said