## ABA TECHSHOW

# Decrypting Encryption

*By John Simek, ABA TECHSHOW Board 2016 & David Ries, ABA TECHSHOW Faculty 2015*

Encryption is a topic that most attorneys don’t want to touch with a ten-foot pole, but it is becoming a more and more important part of security. Encryption is an electronic process to protect data. It has now reached the point where all attorneys should generally understand encryption, have it available for use when appropriate, and make informed decisions about when encryption should be used and when it is acceptable to avoid it. Fortunately, easy-to-use options are available today for encryption. Most attorneys will need technical assistance to install and set up encryption, but it’s generally easy from there.

**Encryption Overview**

**Encryption is the conversion of data from a readable form, called plaintext, into a form, called ciphertext, that cannot be easily understood by unauthorized people.**

**Decryption is the process of converting encrypted data back into its original form (plaintext), so it can be understood.**

Encryption can protect stored data (on servers, desktops, laptops, tablets, smartphones, portable devices, etc.) and transmitted data (over wired and wireless networks, including the Internet and e-mail).

Encryption uses a mathematical formula to convert the readable plaintext into unreadable ciphertext. The mathematical formula is an **algorithm** (called a cipher). Decryption is the reverse process that uses the same algorithm to transform the unreadable ciphertext back to readable plaintext. The algorithms are built into encryption programs – users don’t have to deal with them when they are using encryption.

This graphic shows the basic steps:

**Encryption keys** are used to implement encryption for a specific user or users. A key generator that works with the selected encryption algorithm is used to generate a unique key or keys for the user(s). A key is just a line or set of data that is used with the algorithm to encrypt and decrypt the data. Protection is provided by use of the algorithm with the unique key or keys.

The process is called **secret key** or **symmetric key encryption** where the same key is used with an algorithm to both encrypt and decrypt the data. With secret key encryption, it is critical to protect the security of the key because it can be used by anyone with access to it to decrypt the data.

Where a **key pair** is used, one to encrypt the data and a second one to decrypt the data, the process is called **asymmetric encryption**. For this kind of encryption, a key generator is used to generate a unique key pair, one for encryption (a public key) and the other for decryption (a private key). With key pairs, it is critical to protect the private decryption key since anyone with access to it can decrypt the data.

Here is an example of a secret key for a commonly used algorithm called the Advanced Encryption Standard-256 (AES-256) algorithm. The same key is used to both encrypt and decrypt the data.

`+30NbBBMy7+1BumpfmN8QPHrwQr36/vBvaFLgQM561Q=`

Example AES-256 Key

Let’s look at a simple example of its application. A short line of readable plaintext, “This is an encryption demo,” becomes unreadable ciphertext when this key is used with the algorithm in an encryption program.

Simple Example of Encryption

The same key must be used with the algorithm in an encryption program to convert the ciphertext back to readable plaintext.

Simple Example of Decryption
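The encrypt and decrypt round trip described above, as an added example that is not part of the original article: a Node.js sketch that applies AES-256 to the demo sentence with the sample key printed above. The GCM mode, the function names and the output layout are choices made for this example; the article does not say which program or mode produced its figures.

```javascript
// Added example (not from the article): AES-256-GCM with Node's built-in crypto.
const crypto = require('node:crypto');

// The article's published sample key: 44 base64 characters = 32 bytes = 256 bits.
// It is public, so it is only suitable for a demo like this one.
const ARTICLE_KEY = Buffer.from('+30NbBBMy7+1BumpfmN8QPHrwQr36/vBvaFLgQM561Q=', 'base64');

// What a key generator does: draw 256 random bits from the operating system.
function generateKey() {
  return crypto.randomBytes(32);
}

// Encrypt a string; returns base64 of nonce (12 bytes) || tag (16 bytes) || ciphertext.
function encrypt(key, plaintext) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const nonce = crypto.randomBytes(12); // fresh for every message, not secret
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt; throws if the key is wrong or the ciphertext was altered.
function decrypt(key, encoded) {
  const raw = Buffer.from(encoded, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// True when decryption with this key is rejected.
function failsToDecrypt(key, encoded) {
  try { decrypt(key, encoded); return false; } catch { return true; }
}

const ciphertext = encrypt(ARTICLE_KEY, 'This is an encryption demo');
console.log('ciphertext        :', ciphertext);
console.log('same key          :', decrypt(ARTICLE_KEY, ciphertext));
console.log('other key rejected:', failsToDecrypt(generateKey(), ciphertext));
```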

Symmetric key encryption is frequently used to protect data stored on servers, laptops, portable media, etc. The key is frequently used and stored on a single computer or mobile device where providing the key to someone at a remote location is not necessary. It is difficult to use symmetric key encryption for communications because it is a challenge to securely share the key with the recipient.

**Fortunately, users don’t have to deal with keys during everyday use of encryption. When they log on with the correct password or passphrase, the program automatically accesses the key to decrypt the data. When they log off or shut down, the data is automatically encrypted.**

The following is a longer example - a draft of an article written by the authors. A single key is used to encrypt the article. The same key is necessary to convert it back to plaintext.

Here’s an enlarged view of the plaintext and ciphertext:

Enlarged Example: Symmetric Key Encryption

Asymmetric encryption uses a key pair instead of a single key - one key (a public key) is used to encrypt the data and a second one (a private key) is used to decrypt the data. Key pairs are frequently used for encrypted communications. The sender uses the recipient’s public encryption key to encrypt the communication. The public key cannot decrypt it; only the decryption key can do that. The recipient uses the decryption (private) key to decrypt the data.

Graphically, the process works this way:

Example of Public Key Encryption
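The public-key exchange described above, as an added example that is not part of the original article: a Node.js sketch in which the sender encrypts with the recipient's public key and only the recipient's private key decrypts. RSA-2048 with OAEP padding, the function names and the sample message are assumptions of this example; the article does not name an asymmetric algorithm.

```javascript
// Added example (not from the article): an RSA key pair with Node's built-in crypto.
const crypto = require('node:crypto');

// OAEP with SHA-256 is an assumption of this sketch; the article names no algorithm.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient side: generate the key pair. The public half is handed out,
// the private half never leaves the recipient.
function generateRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side: only the recipient's public key is needed.
function encryptFor(publicKey, message) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(message, 'utf8'));
}

// Recipient side: the matching private key recovers the message.
function decryptWith(privateKey, sealedMessage) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, sealedMessage).toString('utf8');
}

// True when the given key cannot decrypt the message.
function cannotDecrypt(key, sealedMessage) {
  try { decryptWith(key, sealedMessage); return false; } catch { return true; }
}

const recipient = generateRecipientKeys();
const someoneElse = generateRecipientKeys();
// Constructed sample message, short enough for a single RSA-2048 OAEP block.
const sealed = encryptFor(recipient.publicKey, 'Privileged draft for client review');

console.log('recipient private key :', decryptWith(recipient.privateKey, sealed));
console.log('public key rejected   :', cannotDecrypt(recipient.publicKey, sealed));
console.log('other private rejected:', cannotDecrypt(someoneElse.privateKey, sealed));
```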

This is a brief overview of symmetric and asymmetric encryption and how they work. Attorneys do not have to understand the details. After encryption has been set up, it’s generally automatic or point and click.

Attorneys have ethical and common law duties to protect information relating to clients and often also have contractual and regulatory duties. The Ethics 20/20 updates to ABA Model Rules 1.1 and 1.6 made explicit attorneys’ duty to take competent and reasonable measures to safeguard information relating to clients. Encryption is an important consideration in addressing these duties.

This article is but a taste of what awaits you at the ABA TECHSHOW 2016, March 16-19 at the Hilton Chicago. If you are a member of the Minnesota State Bar Association, we want you to know that you can get a discount on the ABA TECHSHOW 2016. This discount only applies to registrants who qualify for the Standard registration. You can register online and include this unique discount code:

**EP1601** to receive a discount.

Reprinted with Permission. 2015© by the American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.