The Fatass And The Jackass

  • Uploaded by: Ben Dahl
  • November 2019
Ben Dahl
CNS 378

The Fatass and The Jackass: A Tale of Electronic Faux-Pas

While remaining politically neutral is one of the fundamental tenets of the educational system, the Internet has permeated even this stereotypically geriatric arena. Technological issues are the hot-button topics of this election, and are present regardless of political leaning. The Democrats use e-mail, the Republicans use e-mail, and the Independents use e-mail; e-mail has become as much a part of societal operation as face-to-face communication, postal mail, and the telephone. The problem is that the information being stored and transmitted has not been protected, an issue found on almost every computer and network across the globe. Generally, this does not present a problem, but people began using free Yahoo! e-mail accounts to conduct official government business. While this is nothing short of offensive, it presents a picture-perfect opportunity to investigate the applications of encryption in a formal setting.

While e-mail is obviously a pressing issue as it relates to encryption, it is only a piece of a much larger puzzle. There are a number of options available for public-key encryption of e-mail: PGP, GPG, etc. As opposed to discussing these types of encryption, a more available, user-friendly method will be discussed. In order to investigate this issue, the program WinZip and the AES encryption standard will be discussed.

WinZip is the industry leader in file compression software, and is responsible for the proliferation of the popular .zip file extension. More importantly, the software is available for download and includes all options during the trial period. The ease of acquisition and the company's vast resources allowed WinZip to integrate a very important aspect into newer versions of the program, encryption based on Dr. Brian Gladman's AES encryption schema [1]. WinZip encrypts these files using the U.S. Government's National Institute of Science and Technology (NIST) Advanced Encryption Standard (AES), and is FIPS-197 Certified [6]. Additionally, WinZip supports AES encryption in both the 125-bit and 256-bit flavors.

In order to fully appreciate the significance of WinZip encryption, AES as an encryption scheme must be investigated. While the FIPS-197 Certification Document [4] proves an invaluable resource in regards to the actual operation of AES, it describes concepts to an almost obtuse mathematical extent. In light of this, Wikipedia [2] was also used as a reference because it presents a more digestible perspective about the encryption. These sources provide the background for the following paragraphs, and a wealth of additional information is provided by both resources.

AES is a substitution-permutation network that operates in a finite field and focuses on a fixed array of bytes called the "State." The cipher goes through a number of steps to encrypt the plain-text to cipher-text, and then reverses this process to decrypt the information. The AES encryption scheme has a number of steps that are described in the following paragraphs. The four primary steps of the AES encryption scheme are as follows: Key Expansion, Initial Round, Rounds, and Final Round. AES, like most other ciphers, uses a key schedule to create the encryption key. In the case of AES, this Key Expansion step expands a short key into a series of round keys, which will be used later. During the Initial Round step, the AddRoundKey operation is performed, which derives a subkey from the key schedule and combines it with the "State."


The Rounds phase is next and is composed of a number of sub-phases: SubBytes, ShiftRows, MixColumns, and another AddRoundKey. The SubBytes step linearly replaces bytes based on the lookup table. The ShiftRows operation transposes "State" rows by shifting them cyclically. Next, the MixColumns step mixes "State" columns to combine the four bytes. Finally, another AddRoundKey operation is performed as described above. The final phase of AES encryption is appropriately titled the Final Round, and utilizes all steps of the Rounds phase except for MixColumns [2, 4].

As previously discussed, AES is provided in two easy-to-digest flavors: the extremely powerful 125-bit version and the more robust 256-bit version. The 256-bit AES encryption scheme has not been broken and is certified for NSA "Top Secret" level government documents, but even the 128-bit version of the scheme is incredibly difficult to crack [2]. The development team from AES described this in the original specifications document when they wrote, "Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old" [3]. Obviously, it is quite a tall order to brute-force crack even the lowest provided AES encryption option.

WinZip uses the AES encryption scheme to make the content of encrypted files inaccessible without the appropriate password. WinZip does this in a way the developers describe as, "AES-encrypted files are stored within the guidelines of the standard Zip file format using only a new 'extra data' field, a new compression method code, and a value in the CRC field dependent on the encryption version. The basic Zip file format is otherwise unchanged" [6]. Essentially, additional information is being added into the header and the CRC, but the .zip file format remains unaltered. This is important because it would otherwise affect the compatibility with different versions of the program. If the fundamental operations of the .zip format were changed, the file might not be able to be decompressed properly. WinZip obviously utilizes a very robust encryption scheme, with little or no detriment to the original file format.

If this encryption is so powerful, how easy could it possibly be to use? WinZip encryption requires no more than nine mouse clicks from the end user. Select the files to be encrypted, right-click and select WinZip "Add to Archive." The user then selects "Encrypt Added Files" and types in an archive name. After clicking "Add," WinZip will prompt the user for the desired encryption type and the password for the file. Two more clicks complete the operation and the final step is to close the encrypted archive file.

There are a number of possible uses for encryption of this type. Storage of encrypted information is the first and most relevant of these options. Protection of information from prying eyes on a local or wide area network is something that is dealt with on a regular basis. As opposed to something like TrueCrypt, which requires a more advanced user, WinZip is easy to use and protects the contents of sensitive files.

In addition to storage, WinZip files can be used to protect sensitive information transmitted over the Internet. A file can be encrypted with WinZip and sent to the recipient as an e-mail attachment. The file can then only be decoded by a trusted party, something that would most certainly have prevented certain aforementioned political scandal. Unlike certain command-line e-mail encryption suites (GnuPG), this technique requires only knowledge of WinZip and how to attach a file to an e-mail. In addition to this, there does not need to be a discussion about the proliferation of a public key and how it differs from a private key with the user.


WinZip isn't all sunshine and butterflies, because the encryption method is not without its caveats. In the case of e-mail, all information that will be encrypted needs to be added to the e-mail in the form of attachments. This may not be a significant amount of work, but it is additional work nonetheless. The recipient also needs to have a copy of WinZip 10.0+ in order to be able to decrypt the compressed file. Regardless of the proposed application of WinZip encryption, the titles of the files are also still visible without having to enter the file password. The contents of the files themselves are not accessible without the password, but the titles need to be changed in order to totally obfuscate the information.

The final caveat of the entire scheme lies, much like many other systems, in the password for the encrypted file itself. In order for this type of encryption to be effective, the password must not be easily brute-forced. This generally means that the password is long and composed of characters that make it difficult to remember. The password also needs to be transmitted from the sender to the receiver in order for the information to be accessed, one of the fundamental downfalls of private-key encryption. Essentially, two transactions are being performed. The encrypted information needs to be distributed, along with the password.

In an age where information is power and Google rules the world, encryption is no longer an option; it is a necessity. The attention spans of the general population are measured in milliseconds and information is proliferated at an alarming rate. If this information is to remain powerful and also relevant, it must be protected from those who should not have access to it. When an encryption tool as powerful as WinZip is so accessible and easy to use, the question it elicits changes. It is no longer a question of if it should be used, but why wouldn't it be used? If this question was properly answered by the politicians, no one would be inundated with news about "HI SARAH" e-mails.
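The storage layout quoted from WinZip and the filename caveat above can both be observed from an archive's central directory without any password. The Python below is an added example, not code from this essay or from WinZip; the numeric values (method code 99, extra field ID 0x9901 and its 7-byte layout) come from WinZip's published AES format description rather than from the essay's text, and the sample archive, its file name and its placeholder payload are constructed.

```python
import io
import struct
import zipfile

AE_EXTRA_ID = 0x9901                     # "extra data" field ID used for AES entries
AE_METHOD = 99                           # compression method code that marks AES
STRENGTH_BITS = {1: 128, 2: 192, 3: 256}

def ae_details(zi):
    """Parse the AES extra field of one ZipInfo; None if the entry has none."""
    extra = zi.extra
    while len(extra) >= 4:
        tag, size = struct.unpack("<HH", extra[:4])
        if tag == AE_EXTRA_ID and size == 7:
            ver, vendor, strength, method = struct.unpack("<H2sBH", extra[4:11])
            return {"ae_version": ver, "vendor": vendor.decode("ascii"),
                    "key_bits": STRENGTH_BITS.get(strength), "real_method": method}
        extra = extra[4 + size:]
    return None

def inspect(zip_bytes):
    """List what an observer without the password can read from the archive."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            aes = ae_details(zi) if zi.compress_type == AE_METHOD else None
            report.append({"name": zi.filename, "size": zi.file_size,
                           "encrypted": bool(zi.flag_bits & 0x1),
                           "crc": zi.CRC, "aes": aes})
    return report

def build_sample():
    """Constructed one-entry archive; the payload is placeholder bytes, not ciphertext."""
    name = b"budget-memo.docx"
    payload = bytes(44)
    # AE-2, vendor "AE", strength 3 (256-bit), real method 8 (deflate)
    extra = struct.pack("<HHH2sBH", AE_EXTRA_ID, 7, 2, b"AE", 3, 8)
    common = (51, 0x0001, AE_METHOD, 0, 0x0021, 0, len(payload), 1685,
              len(name), len(extra))
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, *common) + name + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, *common,
                          0, 0, 0, 0, 0) + name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

if __name__ == "__main__":
    for entry in inspect(build_sample()):
        print(entry)
```

The report exposes the entry name, original size and key strength in the clear, which is why sensitive file names have to be changed before archiving, as the essay notes.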


References

[0] 2004 Rijndael. Boston College. 1 November 2008.
[1] A Secure File Encryption Utility. 10 May 2007. Dr. Brian Gladman. 29 October 2008.
[2] Advanced Encryption Standard. 24 October 2008. Wikipedia. 27 October 2008.
[3] CSRC - Cryptographic Toolkit. 2 October 2000. National Institute of Standards and Technology. 30 October 2008 <http://csrc.nist.gov/archive/aes/index.html>.
[4] Fips-197. 26 November 2001. National Institute of Standards and Technology. 30 October 2008.
[5] WinZip - AES Coding Tips For Developers. 21 July 2008. WinZip. 25 October 2008.
[6] WinZip - AES Encryption Information. November 2006. WinZip. 25 October 2008 2006.
[7] WinZip - The Zip File Utility For Windows. November 2006. WinZip. 25 October 2008 2006.
