Digital data protection traditionally encompasses both physical protection of digital media and algorithmic protection. Physical protection includes the security of the building or office where the digital data is stored and accessed. Physical protection also includes elements such as computer locks and motion alarms attached to the computing device. Algorithmic protection is traditionally based on encryption mechanisms where the data to be protected is encrypted in such a manner that it is not meaningful in its encrypted state.
The information which can decrypt the encrypted data is known as a “decryption key.” Decryption keys comprise binary data and are selected so that it is difficult for an unauthorized user to guess the key, and thereby decrypt the data. However, such keys may not be easy for users to remember or enter. Consequently, a decryption key can be protected in a form easier for the user to access. In some cases, the original key can itself be encrypted and another decryption key can be used to decrypt the original decryption key. In these cases, that subsequent decryption key can itself be protected with hardware that can validate data that is more easily accessible to a user, such as a user-selected password, a user-selected PIN, biometric information that is specific to the user, such as a fingerprint, or other user-accessible data. Alternatively, the subsequent decryption key can be protected with hardware that can merely validate the state of the machine itself. The subsequent decryption key can also be protected by the direct cryptographic expansion of user-supplied data, such as with a pass phrase. To access algorithmically protected data, the user would enter their password, for example, which would decrypt the key that had encrypted the data the user seeks to access. Once decrypted, that key can be used to decrypt the protected data, thereby providing access to the protected data.
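The key hierarchy described above, as an added example that is not part of the original text: a random data key encrypts the data, and a key expanded from a pass phrase wraps that data key, so a pass phrase change rewraps only the key. The function names, the PBKDF2 parameters and the HMAC-based cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions of this example.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # PBKDF2 work factor; value assumed for this example

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Cryptographic expansion of a pass phrase into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stand-in for a real AEAD)."""
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or modified blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap_dek(passphrase: str, dek: bytes) -> bytes:
    """Encrypt the data key under a pass-phrase-derived key: salt || sealed key."""
    salt = os.urandom(16)
    return salt + seal(derive_kek(passphrase, salt), dek)

def unwrap_dek(passphrase: str, wrapped: bytes) -> bytes:
    """Recover the data key; fails closed on a wrong pass phrase."""
    return unseal(derive_kek(passphrase, wrapped[:16]), wrapped[16:])

def change_passphrase(old: str, new: str, wrapped: bytes) -> bytes:
    """Rewrap the data key only; the bulk data is never re-encrypted."""
    return wrap_dek(new, unwrap_dek(old, wrapped))

if __name__ == "__main__":
    dek = os.urandom(32)                          # random data-encryption key
    data = seal(dek, b"constructed sample record")
    wrapped = wrap_dek("old pass phrase", dek)
    wrapped = change_passphrase("old pass phrase", "new pass phrase", wrapped)
    print(unseal(unwrap_dek("new pass phrase", wrapped), data))
```

Only the wrapped key and the sealed data need to be stored; the data key itself exists in memory only after a successful unwrap.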
In theory, physical protection and algorithmic protection provide redundant protection of digital data. For example, a computing device that is isolated in a secure building will, theoretically, not require algorithmic protection, since there is no physical mechanism or connection by which the data stored on such a computing device can be accessed. Likewise, data that is protected by algorithmic protection does not, in theory, require physical protection since the data will be inaccessible even if physical access to the data was obtained.
Theoretical protection, however, does not equate to “real world” protection. In practice, even isolated computing devices in secure locations can be accessed by unintended individuals. For example, users can accidentally leave doors unlocked and gates unattended. Likewise, determined individuals can often bypass common physical security mechanisms, such as locks and sensors. Algorithmic protection similarly does not, in practice, provide unbreakable data security. Passwords may be chosen poorly or stored in such a way that they can be easily obtained. Encryption relies on mathematical algorithms that can be reverse engineered or otherwise deciphered. Likewise, software can have bugs and flaws that, when discovered, can allow the security mechanisms to be subverted.
Consequently, most protection of digital data comprises a combination of physical and algorithmic protection. More specifically, the physical and algorithmic protections are selected in advance to provide an appropriate level of protection while providing sufficient ease of use for the intended user of the digital data being protected. For example, digital data can be physically protected by locking the corresponding computing device or storage medium to various office furniture while providing a key to the intended user. Likewise, digital data can be algorithmically protected by selecting a secure data encryption mechanism while enabling the intended user to decrypt the data through a password selected by the user. In each case, the level of protection, such as the type of lock or data encryption algorithm, is selected in advance based upon various factors including projected usage patterns, user sophistication, physical constraints and other factors.