Research Central : Privacy, Security & Encryption

Page Modified:

Privacy, Security & Encryption

Two of the biggest issues on the Internet today are security and privacy. After some thought, one would think they are mutually exclusive.

How can you obtain absolute security without invading someone's privacy to some degree? Conversely, how can I be assured of privacy, if Big Brother is trying to figure out what my email contains?

Well, there appears to be a solution, at least to some degree.

This is the realm of cryptography, or the art of secret writing. There is a long and rich history to cryptography, going back to about 1900 BC, when a scribe in Egypt used some uncommon hieroglyphics in an inscription. A Google search for 'cryptography' or 'cryptology' will deliver thousands of pages for review. Here, I hope to give you the essentials so that you can make informed decisions for yourself, and understand what the issue is all about and why everyone is concerened about it.

Cryptography has an important place for many issues, from communications during war, to scientific research done over the Internet, to business partners sharing financial reports, to more mundane activities. On the flip side, it is also used by terrorists and organized crime members to communicate securely and privately. Thus, the interest in trying to resolve this pair of seemingly at-odds goals.

Since most readers of this will be of the average Internet sort, I'll limit my discussion to things that affect them, and what can be done to assist them.

First, some terms need to defined.

plaintext: the original message plainly readable
ciphertext: an encrypted message
encryption: the process of altering a plaintext message into an encrypted one (ciphertext)
privacy: no one but the intended recipient can read the message
authentication: proving someone's identity
integrity: ensuring the intended recipient has received an unaltered message
non-repudiation: a way to prove the sender actually sent the message

Within the general realm of cryptography, there are three types: Secret Key Cryptography (SKC), Public Key Cryptography (PKC), and hash functions. Mathematics plays a big part in all of the modern cyrptographic schemes.

The first two are unique in that they allow a message to be encrypted, and then decrypted. The secret of course is having the right 'key'.

Hash functions are also called 'one-way functions'. Once a message is encrypted using this method, it can't be reversed or retrieved. This is typically used for passwords on such systems as Unix. If you forget your password in such a situation, the administrator will have to issue you a new one, once you have been authenticated of course.

The first method (SKC) and hash functions will not be discussed. SKC uses just one single 'key' for both encrypting and decrypting a message. The problem with SKC (or symmetric cryptography), is that you must get the one-and-only key to your intended recipient securely. That method is not generally available to the average user. Hash functions are no good to us either, since they are 'one-way functions' - the message can be encrypted, but not decrypted. We want to be able to reverse the encryption when we get a message.

That leaves us with PKC, also known as asymmetric cryptography. Like SKC, it uses 'keys'. These are mathematically calculated numbers (very big numbers) which are used to encrypt a message. The idea behind these two methods is the mathematical process of factoring large numbers. Factoring is the process of figuring out what numbers, when multiplied together, result in the number in question. It is the mirror image of multiplication. For example, multiplying 12 by 24 results in 288. Very quick and easy to figure out.

If however, I give you the number 288, and ask you to figure out which 2 numbers I used, it will take you much longer. First you have to find all the factors of 288, then figure out which pair I used. Not impossible to do, but good luck (or a good software program) will help out.

A twist to this method is to take two numbers, but use one as an exponent to the other. In our case let's raise 24 to the power of 12. That's something like 3.6520347 ^16. My little calculator ran out of room to give me a definitive answer, but I think you would agree that it is a pretty big number. Again, if I give you that number, and ask you to figure out what 2 numbers I used to get it, it will take you much longer to figure out. In this case you are trying to calculate the logarithm of a number.

Now, just to make it interesting, let's rack this up a few notches and use some really big prime numbers. Prime numbers are numbers that only have 2 factors: 1 and themselves. In other words, no two other numbers multiplied together will result in a prime number.

So now if I use 2 prime numbers such as 104723 and 104729 and mulitply them I get 1.0967535 ^10 (again, limited by my calculator). A big number by my definition. If you were given the job of finding what 2 numbers multiplied together to get that number, I think you would be busy for a very long time. And that is one of the goals of modern cryptography. If I can keep you tied up long enough trying to decrypt my message, by the time you solve the equation, the information will (hopefully) be outdated and useless to you. Bear in mind that I assume you have some serious computing power available. Something NSA or other US federal agencies might have.

An interesting side bar here: if the goal of modern cryptography is to merely keep the bad guys busy, is there really an encryption method that can't be reversed? Is it just a matter of computing power and time?

Public Key Cryptography uses 2 keys: one for encryption and one for decryption. It doesn't matter which is used first, but both are needed to retrieve the message. One key is kept private, and the other is made publicly available to anyone who wants it. This method solves a number of problems. It means that only public information need be available. It also provides authentication - only the owner of the private key could have sent the message. Also, once encrypted, a message can use public transportation methods (the Internet) for delivery without compromising security.

OK, so much for theory. What about the average Internet user? What is available for us little guys?

Enter PGP, or Pretty Good Privacy. This program was developed by Philip R. Zimmermann in 1991 as a means of encrypting Internet email. It uses PKC (Public Key Cryptography). It is available from his site (see below). There has been much conflict and contoversy surrounding PGP, but it has managed to come through just fine.

Based on PGP is another project from GnuPG, a free implementation of the OpenPGP standard.

So, if you are in need of secure email communication, you now have the means to do so. And hopefully, a better understanding of what privacy and security is. For fun (or a good scare) , look up 'Echelon' and 'Carnivore' in a Google search.

Until next time, happy trails and keep on truckin'.

Resources

An Overview of Cryptography
PGP
GnuPG
RSA Laboratories
GIMPS
The Prime Pages

Top of page

Amer Neely