Business in Vancouver: News that works for you

    The key to Internet security is already readily available, but Big Brother doesn't like it


    by Alan Zisman (c) 1996 First published in Business in Vancouver ,  Issue #346 June 11, 1996   High Tech Office  column

    As the Internet gets taken more and more seriously as a medium for business communication and commercial transactions, its shortcomings in areas like privacy and security become more apparent.

    Send an e-mail message to a colleague, and your letter may be passing through a dozen or more computers on the way, with the potential of being read at any one of them. And when you receive e-mail, do you have any way of verifying that the name on the FROM: line really is the sender? Never mind that your Visa number is equally at risk any time you read it out over the phone, or whenever a gas jockey takes it into the station to make up your credit-card slip--the perception that the Internet is insecure is holding up the acceptance of on-line sales.

    Ironically, there's been a well-known solution to all these problems since 1977, when the forerunner to the Internet, the Arpanet, was limited to a few hundred U.S. government, military and university computers. Public-key encryption offers the possibility of giving everyone from businesses to private individuals the privacy and security previously available only to a few secret government agencies.

    It uses the idea of prime numbers--one of those concepts most of us half remember from Grade 7 math classes. Prime numbers are numbers that can only be evenly divided by the number 1 and the prime number itself. Now take two primes--say, 3 and 7--and multiply them: the result, which is 21, can only be factored, or evenly divided, by 3 and 7.

    Now, it's easy for a computer to generate two large prime numbers, and multiply them together, but if the numbers are large enough, it's very difficult to work backwards, and find the prime factors of that number. You can use these to generate two different decoding keys: one that you keep, the other destined for your intended recipient.

    The result is a digital signature that can't be forged. Many people may have your public key, which can be used to decode your messages, but only you, with the private key, can encode them, which guarantees that any messages that can be decoded using the public key had to come from you.

    Alternatively, by using your public key, others can encode messages that can only be read by you. When you want to respond, you'll need to use the public key provided by your recipient, creating a message that only he or she can decode.

    The key to this system's security is the length of the prime numbers used to generate the decoding keys. When this system was first developed, its creators thought that a 129-digit prime number would be secure, and challenged the world to crack an encoded message that they published. In 1993, a group of Internet users collaborated to take up the challenge, and broke the code. It's been suggested that a 250-digit key should be safe for the foreseeable future.

    Governments, however, are not pleased that businesses and individuals could create messages that are truly private. The U.S., for example, has forbidden the export of any software using more than relatively easily-deciphered 40-digit keys to encode data. (It can be sold in North America, but not elsewhere.) As a result, you may notice warnings, even on commonly sold products like Norton Utilities, that they must not be exported from North America.

    A few years ago, computer scientist Phil Zimmerman developed a piece of software called Pretty Good Privacy. This software offered easy access to public-key encryption, and was released for free over the Internet. Because the Internet transcends national boundaries, the U.S. Department of Justice threatened prosecution, a threat that it has only recently withdrawn.

    Internet software developer Netscape has been building public-key encryption into its popular server and browser software for the Web, but its limiting of the overseas versions to the weaker, 40-digit versions has resulted in widely publicized accounts of its codes being cracked. Even in North America, where Netscape can use larger, harder-to-decipher keys, it's recently been shown that the widely distributed version 2.0 of its browser was crackable: while it created long code keys, it only created a relatively small number of them, again making the code open to deciphering. An embarrassed Netscape quickly rushed out a fix-version 2.01, so if you've upgraded Netscape recently, make sure that you're using this version.

    Despite these gaffes, and despite government disapproval, public-key encryption provides the possibility for real security on the 'Net and other digital communications. Netscape and others are working hard to integrate it into the 'Net to allow truly secure buying and selling. And it gives us all the power to protect our business and personal privacy.

    The Massachusetts Institute of Technology is distributing Pretty Good Privacy to U.S. or Canadian citizens only at http:// web.mit .edu/network/pgp. It's even got a secure Internet phone system at http:// web.mit.edu/network/pgpfone/.



Google
Search WWW Search www.zisman.ca



Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan