The key
to Internet
security is already readily available, but Big Brother doesn't like
it
by Alan Zisman (c) 1996 First published
in Business in Vancouver
, Issue #346 June 11, 1996 High Tech Office column
As
the Internet
gets taken more and more seriously as a medium for business
communication
and commercial transactions, its shortcomings in areas like privacy
and security become more apparent.
Send an
e-mail message
to a colleague, and your letter may be passing through a dozen or
more computers on the way, with the potential of being read at any
one of them. And when you receive e-mail, do you have any way of
verifying
that the name on the FROM: line really is the sender? Never
mind that your Visa number is equally at risk any time you
read it out over the phone, or whenever a gas jockey takes it into the
station to make up your credit-card slip--the perception that the
Internet is insecure is holding up the acceptance of on-line sales.
Ironically,
there's
been a well-known solution to all these problems since 1977, when
the forerunner to the Internet, the Arpanet, was limited to a few
hundred U.S. government, military and university computers. Public-key
encryption offers the possibility of giving everyone from businesses
to private individuals the privacy and security previously available
only to a few secret government agencies.
It uses
the idea of
prime numbers--one of those concepts most of us half remember from
Grade 7 math classes. Prime numbers are numbers that can only be evenly
divided by the number 1 and the prime number itself. Now take two
primes--say, 3 and 7--and multiply them: the result, which is 21,
can only be factored, or evenly divided, by 3 and 7.
Now, it's
easy for a
computer to generate two large prime numbers, and multiply them
together,
but if the numbers are large enough, it's very difficult to work
backwards,
and find the prime factors of that number. You can use these to
generate
two different decoding keys: one that you keep, the other destined
for your intended recipient.
The result
is a digital
signature that can't be forged. Many people may have your public key,
which can be used to decode your messages, but only you, with the
private key, can encode them, which guarantees that any messages that
can be decoded using the public key had to come from you.
Alternatively,
by using
your public key, others can encode messages that can only be read
by you. When you want to respond, you'll need to use the public key
provided by your recipient, creating a message that only he or she
can decode.
The key to
this system's
security is the length of the prime numbers used to generate the
decoding
keys. When this system was first developed, its creators thought that
a 129-digit prime number would be secure, and challenged the world
to crack an encoded message that they published. In 1993, a group
of Internet users collaborated to take up the challenge, and broke
the code. It's been suggested that a 250-digit key should be safe for
the foreseeable future.
Governments,
however,
are not pleased that businesses and individuals could create messages
that are truly private. The U.S., for example, has forbidden the export
of any software using more than relatively easily-deciphered 40-digit
keys to encode data. (It can be sold in North America, but not
elsewhere.)
As a result, you may notice warnings, even on commonly sold products
like Norton Utilities, that they must not be exported from
North America.
A few
years ago, computer
scientist Phil Zimmerman developed a piece of software called
Pretty Good Privacy. This software offered easy access to public-key
encryption, and was released for free over the Internet. Because the
Internet transcends national boundaries, the U.S. Department of Justice
threatened prosecution, a threat that it has only recently withdrawn.
Internet
software developer Netscape has been building public-key
encryption into
its popular server and browser software for the Web, but its limiting
of the overseas versions to the weaker, 40-digit versions has resulted
in widely publicized accounts of its codes being cracked. Even in
North America, where Netscape can use larger, harder-to-decipher keys,
it's recently been shown that the widely distributed version 2.0 of
its browser was crackable: while it created long code keys, it only
created a relatively small number of them, again making the code open
to deciphering. An embarrassed Netscape quickly rushed out a
fix-version
2.01, so if you've upgraded Netscape recently, make sure that you're
using this version.
Despite
these gaffes,
and despite government disapproval, public-key encryption provides
the possibility for real security on the 'Net and other digital
communications.
Netscape and others are working hard to integrate it into the 'Net
to allow truly secure buying and selling. And it gives us all the
power to protect our business and personal privacy.
The
Massachusetts Institute
of Technology is distributing Pretty Good Privacy to U.S. or Canadian
citizens only at http:// web.mit .edu/network/pgp. It's even got a
secure Internet phone system at http:// web.mit.edu/network/pgpfone/.