Title: Should The Cyberspace Electronic Security Act CESA Have Been Passed
1Should The Cyberspace Electronic Security Act
(CESA) Have Been Passed?
2Before we talk about CESA, lets learn about
encryption.
3What Is Encryption?
- The Growth of the internet has excited both
businesses and consumers with its promise of
changing the way we live. A major concern has to
be how secure is the internet? We send sensitive
information through the web and to be honest
there is a lot of information we do not want
other people to see. - Such as
- CREDIT CARD INFORMATION/ BANK ACCT INFO
- SOCIAL SECURITY NUMBERS
- PRIVATE CORRESPONDANCE
- PERSONAL DETAILS
- SENSITIVE COMPANY INFORMATION
-
4 The Definition of Encryption Encryption is the
conversion of data into a form, technically
called cipher text, that cannot be easily
understood by unauthorized people. Decryption is
the process of converting encrypted data back
into its original form so it can be easily
understood.
5Classical Cryptographic Methods
- Masking- the use of masking leads to
substitution. Often the message is masked in such
a way that the resulting message that goes out in
an open communication channel seems harmless and
inconspicuous - Veiling- the use of veiling leads to
transposition as veiled messages are usually not
masked at all but simply combined within other
items regularly in such a way that the resulting
message takes form of yet another message called
acrostics
6 - Translation table- each byte of data is used as
an offset within a translation table and the
resulting translated value from within the table
is then written into the output stream. The
encryption and decryption programs would each use
a table that translates to and from the encrypted
data.
7Todays Encryption
- Mathematical
- Non-linear cryptosystems
- Can take months or even years to break
- Used by
- Industry competitors
- Groups and individuals
- Internet shoppers
- Terrorist groups
- Criminals
8Two Main Categories of Encryption
- Symmetric-key encryption
- Public key-encryption (asymmetrical key
encryption)
9Symmetric-Key Encryption
It is a traditional encryption technique that
relies on both the sender and the receiver of a
message knowing a particular secret key (or
code). Symmetric-Key Encryption requires that you
know which computers will be talking to each
other so the key can be installed on each one.
The sender encrypts the message with a particular
cryptosystem using the secret key and the
receiver decrypts the message with the same key.
It relies on no one else being able to find out
what the private key is.
10Example
You create a coded message to send to a friend in
which each letter is substituted with the letter
that is two down from it in the alphabet. So A
becomes C and B becomes D. You have already
told a trusted friend that the code or key is
shift by two. Your friend gets the message and
decodes it. Anyone else who sees the message,
will only see nonsense.
11- This is fine if the other person is nearby. If
not, then somehow the key must be sent. What are
some ways you can send it? - Courier
- Told over the phone
- Send it separately from the actual message
- All these methods involve trusting a third party
not to divulge the secret key. Obviously, the
receiver of the message has to be trusted because
they could decrypt any message sent using the
same key. - Lets try it!!!
12The CODE is shift THREE UP QEFP FP QFJB
ZLKPRJFKD.
13Answer is This is time consuming. It would be
time consuming unless you had a computer program
doing this for you.
14Disadvantages
- For use in anything other than private encryption
of files, one cant determine the authenticity of
the originator of the data. This lack of
protection doesnt allow this method to verify
electronic orders and financial transactions - The private key used now has to be transmitted in
a very secure channel. Spontaneous transmission
may not be feasible - When used across a network of users, there may
have to be a large number of keys to facilitate
one to one communication between each user
15Think of it as a car key. The owner of a car has
the key. When the owner walks away from the car,
she locks it and keeps the key so it is securely
protected. No one can get into or use the car
without some sort of brute force. Responsibility
of protecting the key rests solely with the owner
of the car. If the owner puts the key in one of
those magnetized key holders underneath the car,
thats a very loose method of security. If the
owner always keeps the key around her neck,
thats a pretty good level of key security. Say
the owners friend needs to borrow the car. So
the owner, passes along an extra set of keys for
the friend to use. Both can now drive the car but
the security has been compromised because someone
else has a key. If the friend makes copies of the
key, (for others to use when the owner is out of
town for instance) the level of security becomes
even more diluted. Eventually, the original lock
key security will be lost entirely. In order to
recover it, the owner will have to have new locks
put on the car and have new keys made.
16 Keys used in encryption have the same problems as
conventional keys. They can be lost, stolen, or
even bought and sold. Some can even be discovered
by crackers through a method called social
engineering.
17Public-key Encryption (Asymmetrical Encryption)
- Invented in 1976
- Public-key encryption uses a combination of a
private key and a public key. The private key is
known only to your computer. The owner of the
private key should never share it with anyone.
The public key is given by your computer to any
computer that wants to communicate securely with
it. To decode an encrypted message a computer
must use the public key provided by the
originating computer and its own private key.
18 - The public and private keys of a particular user
are related via complex mathematical structure in
such a way that links one key with the other.
This relationship is crucial to making
public/private key based encryption work - The public key is used for encrypting the message
while the private key is necessary for the
recipient to decrypt the message. Even the person
who did the encrypting cannot decrypt the message
because he does not hold the private key
19Here is an example http//computer.howstuffworks
.com/ encryption.htm/printable
20 - In the study of cryptography, the length of keys
are referred to by bits - The longer the key the more difficult it is to
break the encrypted message - Most common method of breaking ciphers is by
brute force attack - It is said that any university computer science
major would have enough computer power available
to be able to break most 56 bit key cryptosystems
in less than one week
21Guidelines for Choosing Appropriate Key Lengths
22Why was CESA so controversial?
23CESA Would Have
- Ensured that law enforcement maintained its
ability to access decryption information stored
with third parties, while protecting such
information from inappropriate release. Law
enforcement would have been required to inform a
person whose key was obtained using court
process, and must destroy the keys after their
use is complete and when Federal records laws
permit. Law enforcement may only use decryption
keys obtained from a key recovery agent for an
explicitly authorized purpose. A key recovery
agent may not disclose or use a decryption key,
nor disclose the identity of a customer, except
under explicit and limited circumstances.
Individuals remain completely free to use or not
to use the services of a recovery agent
24- Ensured that sensitive investigative techniques
and industry trade secrets remained useful in
current and future investigations by protecting
them from unnecessary disclosure in litigation or
criminal trials involving encryption. Orders
protecting such techniques and trade secrets must
be consistent with fully protecting defendants
rights to a fair trial under the Constitutions
Due Process clause and the Sixth Amendment. The
protection of techniques requires a judicial
finding in accordance with specified criteria.
Firms competitive and liability positions would
have been protected when lawfully assisting law
enforcement through the sharing of trade secrets.
25- Authorized 80 million dollars over four years for
the FBIs Technical Support Center, which would
have served as a centralized technical resource
for Federal, State, and local law enforcement in
responding to the increasing use of encryption by
criminals. - Established standards for courts to issue court
orders for government access to escrowed keys or
passwords.
26Opposition Arguments to CESA
27- The standard proposed by the administration for
government access to decryption keys falls far
short of Fourth Amendment privacy protections. - A provision for foreign governments to access
passwords and keys of US citizens or foreigners
using US recovery agents raises multiple issues. - A provision allowing courts to cast a cloud of
secrecy over government decryption methods and
product vulnerabilities raises due process
concerns, implicating the Sixth Amendment right
of defendants to cross examine government
witnesses. - By narrowly focusing only on access to keys and
passwords, the legislation fails to address the
much larger question of privacy for documents and
information stored in the emerging networked
environment.
28- That law enforcement officials could
inadvertently modify or destroy a companys files
as they recover encrypted information. - Innocent people could be punished mistakenly if
they not able to comply with court orders for
legitimate reasons such as they lost their key. - The emergency clause of the proposed bill leaves
the door wide open to abuse by officials.
29THE END