Data Encryption

Following a rigorous selection process in which fifteen competing designs were presented and evaluated, the United States Government selected an encryption algorithm developed by two Belgian cryptographists. In May 2002, Advanced Encryption Standard (AES) became effective as a federal US government standard and became the first (and only) publicly accessible encryption algorithm approved by the National Security Agency (the NSA) for top secret information.

In accordance with the algorithm, the text that needs encryption is divided into blocks of 128 bits in length, and each block is subject to several manipulations using an encryption key. The block structure is such that the change of a single bit, either in the key or the original text, results in a completely different outcome. If one has the encryption key, both encrypting the original text and decrypting the encrypted text involve a relatively simple computing process.

The complexity of decrypting without the key depends entirely on the length of the key. For a 2-bit key, there are only four possible keys therefore it would be relatively easy to run the AES decryption algorithm four times to decrypt the text. For a 128-bit key, on the other hand, the number of possible keys is not 4 but a number with 39 digits (or 340 282 366 920 938 000 000 000 000 000 000 000 000). The world’s fastest supercomputer will take thousands of years to crack a 128-bit AES encryption.

With no practicable attack possible against a 128-bit AES encryption, AES has become and remains the preferred encryption standard for governments, banks and high security systems around the world. 128-bit AES is the encryption standard underlying SC Spheres.

The biggest threat to the security of encrypted documents is the management, or rather mismanagement, of the encryption key. Most software systems will generate a key and must ensure that the algorithm used to generate the key cannot be copied even when someone gains access to the program code. To get around this problem, the key generation algorithm uses a random number that is generated from seed data that is known when the key is generated but cannot be re-engineered afterwards.

One of the more robust algorithms for key generation uses seed data generated from various readings from the computer’s operating system. These readings can arise from keyboard timings, mouse movements, audio and video data and even readings from sensors built to measure air turbulence inside of disk drives.

Even with a robust key generation algorithm, the key must still be converted to a simpler password to enable the user to decrypt and read the text. Getting this password to the user is a major problem and weak spot in the system. This problem was addressed in 1977 by two Americans and an Israeli who developed an algorithm that was named the RSA algorithm using the first letters of each of their surnames. The algorithm was a neat mathematical trick that generated two keys where the one key could encrypt and the other key decrypt text.

The RSA algorithm allows the user to set his or her own password for decrypting text. Using the RSA algorithm, the user’s password is used to generate a private key and a public key. The public key can be stored to enable documents to be encrypted, whereas the private key need only be generated when the user submits his or her password to decrypt the documents.

The private and public keys are generated by applying two different mathematical calculations (the RSA algorithm) on two large prime numbers. The mathematics includes multiplication for the generation of both keys. The reason why the private key cannot be derived from the public key lies in the size of the prime numbers used to generate the two keys and the difficulty in factorising integers that are a product of two large prime numbers.

Factorising large prime numbers is not impossible but very time consuming when the numbers are sufficiently large. The keys for asymmetric cryptography (where there are two keys as in the RSA algorithm) must be longer than the key used for symmetric cryptology (where there is only one key as in the case of AES encryption) to achieve the same level of security. The RSA algorithm applied in SC Spheres uses a 2048-bit key as recommended by the United States National Institute of Standards and Technology.

The size of the keys makes asymmetric encryption much slower than symmetric encryption. It is for this reason that the 2048-bit RSA algorithm is used only to encrypt the keys used for the 128-bit AES encryption in SC Spheres, and the documents themselves are encrypted using the much faster 128-bit AES encryption.