First off, the word "encryption" is not in Part 97 at all. What hams are thinking of is Section 97.1 13(a)(4) of the FCC rules, which prohibits "messages in codes or ciphers intended to obscure the meaning thereof, except as otherwise provided herein.. ."
The ARRL feels that encryption is ok as long as the purpose is NOT TO HIDE the message content is within Part 97. While the basic point is that our ham bands are not meant to be secure against casual listening. However, when we are providing communications for some agency or organization, such as for disaster relief, those agencies have some expectation of confidentiality. Information about people, as well as movement of supplies and resources, is not meant to be heard by the general public.
As one should see in this case, the encryption's purpose is not to "obscure" but to provide security for sensitive / confidential information from the general public, not even necessarily from other amateurs. A good long standing precedent example is where encryption has been used on amateur satellite control uplinks for many years.
In a data applications, this easily can apply to passwords and access control. Passwords or small snippets of data surely don't hide the message as they are not necessarily even the message itself.
To further this, an amendment made to Article 25.2A (1A) at the 2003 World radio Conference no longer specifically prohibits the use of encryption and other strong security measures on transmissions between Amateur Radio stations within the same jurisdiction.
To summarize, the the purpose is what matters, or your intent. The rule is not regulating a method or practice; it regulates a purpose or intent.
If we are encrypting for network security and access control, emergency communications, and/or practice for the same—our purposes in using encryption are the security of the network and the privacy of third-party information. In either case, the purpose is not to obscure meaning.
Whatever encryption methods you use WEP, WPA, WPA2, or whatever—it must be publicly documented. (This is to conform with 97.309's authorized data emission code requirement.) Please note that this specifically means the encryption algorithm, not the encryption key.
Frank Rietta, KI4AWF writes a good piece titled; Authentication Without Encryption for Ham Radio.
The type of authentication process he illustrates has been used for a couple decades on packet radio nodes for remote access to the sysop / administration modes.
I feel few will have any qualms about this use of authentication in ham radio.
So ask yourself if this is okay, what about authenticating entire messages?
Again it has has to do with intent. Further exemplified by:
From the ARRL Message Handing Form:
ARRL FSD-3 contains Relief Emergency Recommended Procedures which allow for the use of “numbered” Radiograms. FCC rules and regulations allow for these ARRL numbered shortcuts as they are not intended to obscure the contents of the message, but rather to further reduce the possibility of ambiguity or error. These “numbers” refer to the following shortcuts in Group One for Possible Relief Emergency traffic – not to the “message number” box on the Radiogram.
For further reading see;
"Data Encryption is Legal," by N2IRZ, CQ Magazine Aug 2006 Or his other version printed in TAPR's PSR, Summer 2006, titled "Some Encryption is Legal"
"HSMM and Information Security," by K8OCL CQ-VHF Fall 2004