-By Dave Ries and John Simek
Dave Ries is a member in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the areas of environmental, commercial, and technology law and litigation. He has used computers in his practice since the early 1980s and since then has strongly encouraged attorneys to embrace technology – in appropriate and secure ways. He is the Chair of the ABA Law Practice Division’s Education Board and a member of the ABA Section of Science and Technology’s Information Security Committee and ILTA’s LegalSEC Council. He served on the ABA TECHSHOW Planning Board from 2005 through 2008.
Dave frequently speaks and writes on ethics, legal technology, and technology law issues for legal, academic and professional groups. He is a co-author of Encryption Made Simple for Lawyers (American Bar Association, scheduled for Spring, 2015 publication) and Locked Down: Information Security for Lawyers (American Bar Association 2012) and a contributing author to Information Security and Privacy: A Legal, Business and Technical Handbook, Second Edition (American Bar Association 2011).
John Simek is the Vice President of Sensei Enterprises, Inc., an information technology, digital forensics and information security firm located in Fairfax, VA. Mr. Simek has a national reputation as a digital forensics technologist and has testified as an expert witness throughout the United States. He holds a degree in engineering from the United States Merchant Marine Academy and an MBA in finance from Saint Joseph’s University.
Mr. Simek holds the prestigious Certified Information Systems Security Professional (CISSP) and EnCase Certified Examiner (EnCE) certifications. He currently provides information technology support to over 220 area law firms, legal entities and corporations. He is a co-host of the Legal Talk Network podcast Digital Detectives. He is a frequent author (ten books published by the ABA and hundreds of articles) and speaker on legal technology, information security and electronic evidence topics. His latest book, Encryption Made Simple for Lawyers, is scheduled for release in March 2015.
This post is excerpted and adapted from the materials they prepared for their ABA TECHSHOW 2015 session “Decrypting Encryption:
Gaining Competence on Encryption for Your Practice.”
Together with Sharon Nelson, Ries and Simek co-authored “Encryption Made Simple for Lawyers,” published by the ABA Law Pratice Division.
Encryption is the conversion of data from a readable form, called plaintext, into a form, called ciphertext that cannot be easily understood by unauthorized people.
Decryption is the process of converting encrypted data back into its original form (plaintext), so it can be understood.
Encryption can protect stored data (on servers, desktops, laptops, tablets, smartphones, portable devices, etc.) and transmitted data (over wired and wireless networks, including the Internet and e-mail).
Encryption uses a mathematical formula to convert the readable plaintext into unreadable ciphertext. The mathematical formula is an algorithm (called a cipher). Decryption is the reverse process that uses the same algorithm to transform the unreadable ciphertext back to readable plaintext. The algorithms are built into encryption programs – users don’t have to deal with them when they are using encryption.
This graphic shows the basic steps:
Encryption keys are used to implement encryption for a specific user or users. A key generator that works with the selected encryption algorithm is used to generate a unique key or keys for the user(s). A key is just a line or set of data that is used with the algorithm to encrypt and decrypt the data. Protection is provided by use of the algorithm with the unique key or keys.
The process is called secret key or symmetric key encryption where the same key is used with an algorithm to both encrypt and decrypt the data. With secret key encryption, it is critical to protect the security of the key because it can be used by anyone with access to it to decrypt the data.
Where a key pair is used, one to encrypt the data and a second one to decrypt the data, the process is called asymmetric encryption. For this kind of encryption, a key generator is used to generate a unique key pair, one for encryption (a public key) and the other for decryption (a private key). With key pairs, it is critical to protect the private decryption key since anyone with access to it can decrypt the data.
Here is an example of a secret key for a commonly used algorithm called the Advanced Encryption Standard-256 (AES-256) algorithm. The same key is used to both encrypt and decrypt the data.
Example AES-256 Key
Let’s look at a simple example of its application. A short line of readable plaintext, “This is an encryption demo,” becomes unreadable ciphertext when this key is used with the algorithm in an encryption program.
Simple Example of Encryption
The same key must be used with the algorithm in an encryption program to convert the ciphertext back to readable plaintext.
Simple Example of Decryption
Symmetric key encryption is frequently used to protect data stored on servers, laptops, portable media, etc. The key is frequently used and stored on a single computer or mobile device where providing the key to someone at a remote location is not necessary. It is difficult to use symmetric key encryption for communications because it is a challenge to securely share the key with the recipient.
Fortunately, users don’t have to deal with keys during everyday use of encryption. When they log on with the correct password or passphrase, the program automatically accesses the key to decrypt the data. When they log off or shut down, the data is automatically encrypted.