Page 283

windows are provided by other routes into the computer, files are left in the clear, and encryption keys are too often easily guessed or left accessible. Even when all these mistakes are avoided, other techniques may be used to gain unauthorized access, such as "social engineering" (i.e., tricking someone into surrendering the information, or the password or key). These examples make clear that advanced encryption alone, although providing important tools, is only a part of the story.

Encryption

Encryption is an underpinning for many computing and communications security services because it provides the only way to transmit information securely when others can eavesdrop on (or corrupt) communication channels. The goal of encryption is to scramble information so that it is not understandable or usable until unscrambled. The technical terms for scrambling and unscrambling are "encrypting" and "decrypting," respectively. Before an object is encrypted it is called "cleartext." Encryption transforms cleartext into "ciphertext," and decryption transforms ciphertext back into cleartext.[1]

Encryption and other closely related mechanisms can be used to help achieve a wide variety of security objectives, including:[2]

Privacy and confidentiality;

Data integrity: ensuring that information has not been altered;

Authentication or identification: corroborating the identity of a person, computer terminal, a credit card, and so on;

Message authentication: corroborating the source of information;

Signature: binding information to an entity;

Authorization: conveying to another entity official sanction to do or be something;

Certification: endorsing information by a trusted entity;

Witnessing: verifying the creation or existence of information;

Receipt: acknowledging that information has been received;

Confirmation: acknowledging that services have been provided;

Ownership: providing an entity with the legal right to use or transfer a resource to others;

Anonymity;

Nonrepudiation: preventing the denial of previous commitments or actions; and

[1] These terms are used even when the medium involved is not text. For example, one may refer to a "cleartext image."

[2] Adapted from Menezes et al. (1997), p. 3.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.