In this chapter, you will find directions for protecting your data beyond the boundaries of external measures and internal permissions. There is only so much that can be done to protect a system, and in the end, the protections a user gives a file may be the last bulwark of defense against unwanted breaches of privacy. Cryptographic software can help protect the information contained in files. Encryption can be used to secure data stored on disk, and encrypted files can be transmitted without fear that they can be read if intercepted. If data is considered sensitive enough to warrant internal protection, encryption can provide the extra security required.
If you are concerned enough about protecting your data to work to secure a machine to any degree beyond the very basics, this chapter may prove quite useful. If you are uncertain , you should at least consider whether using some form of encryption on your data has a place in your workflow.
When using encryption to protect data, it is important to use it correctly. You ll want to be able to recover data if original keys are lost, and there are a number of technical, legal, and ethical issues as well as procedural ones to consider.
|Heads Up|| |
If you find yourself planning on doing a large amount of cryptography, you may want to consider using hardware accelerators. Hardware accelerators speed the encryption process by offloading the encryption from the CPU to a separate device.
Data encryption software provides the extra security sensitive files require. Unfortunately, the use of cryptographic systems is not governed by strictly mechanical considerations alone. Most countries have some form of restrictions in place dealing with what you can and cannot do when using encryption. These restrictions apply to both hardware and software, and there are laws governing key size and usage that do not always seem to make much sense. Please do not set your key sizes based on the examples provided in this chapter. You must determine what adequate sizes are, and use keys large enough to provide protection. Larger keys are harder to break, but the downside is that they tend to take longer to process, thus your workflow or the load you re placing on your machines could be unreasonably impacted by the length of time it takes to encrypt or decrypt a file.
If you have questions about what the laws are and how to comply, doing a lookup in a search engine will bring you a plethora of links. Two useful web sites on compliance may be helpful:
U.S. Bureau of Industry and Security In general, inside the United States, the Department of Commerce s Bureau of Industry and Security currently handles cryptography matters. This web site can help you review any issues you may encounter when dealing with persons or companies in other countries. It s worth noting that there are no proscriptions against using strong cryptography inside the U.S., so you should feel confident in the use of strong keys and strong crypto when working strictly inside the U.S. http://www.bis.doc.gov/encryption/
Crypto Link Farm Outside the U.S., a good set of links can be found at the Crypto Link Farm. These pages deal specifically with law and policy. If the URL below becomes obsolete at some point, a search for Crypto Link Farm should bring up a mirror of it, as it is well distributed. In any case, inside the U.S. or the E.U., you should not worry too much about using encryption for personal use, as even though it s regulated , the laws are not likely to inhibit that sort of utility. Rather, it is sharing data across borders that can cause problems. http://www.cs.auckland.ac.nz/~pgut001/links/standards.html
Before we proceed to the nuts and bolts, it s worth saying something about the ethics of using cryptography. Since cryptography has many laws surrounding it ”and given that there are places in the world where its use can get one imprisoned or even executed ”there exists a lot of ethical confusion that inevitably crops up when considering using it at all. Many governments are at odds with themselves over its usage as well. They want data protected from bad guys, but do not want anyone whom they might consider a bad guy now or in the future to use it. So the opinions that spew forth surrounding cryptography do not always make much sense to someone trying to do the right thing. The simplest test is one of harm. If you re using cryptography to prevent harm from befalling your organization, it could prove beneficial. If you re using cryptography for activities that cause harm to others, suffice it to say that this chapter is not for you.
Situations often crop up where cryptography can help prevent harm to others, such as a company using it to encrypt medical test data on a shared system. In that circumstance, cryptography prevents unauthorized persons from accessing data they shouldn t have and helps protect the company against mistakes that could increase liability. Such a use of cryptography is obviously a laudable one and should be encouraged. Generally speaking, it s best not to get too bound up in the ethics surrounding cryptography. Simply determine if it can help secure your data, look at the circumstances you need to use it in, and make an effort to comply with any applicable laws. Undergoing the process of basic legal research needed to make sure you are following the law is not difficult. The most common hitch to using crypto in organizations is not mechanical, but rather fear, uncertainty, and doubt (FUD) surrounding the use of it. In nearly all cases, the level of FUD is wholly unjustified. It is important to recognize that any questions you have about legal issues are fairly easy to answer. You will not need a barrage of lawyers to comply with the necessary laws, but you may need contract agreements between business partners . They are not the same thing, nor should they be lumped together when considering an implementation. To use cryptography as a personal tool, there s far less need to concern yourself with legal compliance. Generally if you have access to the software and aren t planning on traveling or sending your data elsewhere in the world, there s little to worry about. Even if you are planning on international travel or conveyance, the rules on such things are fairly straightforward and easy to find.