DAILY MAIL & GUARDIAN 01 September 1999

New World

Can you keep a secret?

JAMAIS CASCIO advises suits and other Hollywood weasels on what could happen over the next hundred years. He worries about being called a futurist.


People who have visited my website may have noticed a large block of numbers and letters at the bottom of the main page. That's my PGP public key, which allows anyone in the world to send me messages (or files) that are encrypted so that only I can read them. I make use of encryption on a regular basis, and so should you.

Encryption is a very powerful tool -- so powerful, in fact, that the United States government considers it a potential weapon of war, and restricts the export of encryption software. All of the encryption software I'm discussing today, however, is available globally, and is just as powerful outside of the US as within it.

If you've ever used a simple substitution code (for example, A=1, B=2...Z=26), you've used encryption. Put most simply, encryption is the process of encoding a document in such a way that it can't be read or understood without the decryption key. Simple substitution codes can often be broken by a bit of thinking; more complex codes, involving complicated math and repeated calculations, can take computers centuries (or longer) to solve.

There are lots of good reasons to want to use encryption. You may want to keep business files confidential. You may be carrying on a private conversation in e-mail that you don't want other people to read. You may share a computer system with several different people, and may not wish to have others "accidentally" read your files.

Encryption is at the heart of the growing Internet economy. Whenever you visit an electronic commerce site like Amazon.com, eToys, or Blowfish, your web browser makes use of encryption to scramble the message it sends the server, which may include your credit card number. The server software knows how to unscramble that message, but anyone who may be listening along the way will simply see a string of garbled numbers and letters. For the most part, conducting business on the net is safer than giving your credit card to a waiter or sales clerk.

But the level of encryption in a typical web browser isn't sufficient for some people. Because the US government restricts encryption exports, only software with a key length of 56 "bits" or fewer is legal to make globally available from the US. The more bits in the key length, the harder the key is to crack. Generally speaking, each additional bit makes the key twice as hard to break.

Breaking encryption keys, however, is something that computers can do very, very well (in fact, the first real digital computer was built in World War 2 specifically to crack the German "Enigma" encryption). These days, a 40 bit key (typical for most web browsers) or even a 56 bit key could potentially be broken in a matter of a few hours or days, depending upon how much computer power is thrown at the task. This doesn't mean that using your credit card over the net is unsafe -- there are much easier ways of stealing that number than cracking an encrypted message. But it does mean that people who want to encode sensitive material should consider using longer key lengths. The most sophisticated encryption these days uses 1024 or more bits in the key. It would take all of the computers in the world until the end of the life of the universe to break a key of 1024 bits, assuming computers never got faster. More realistically, 1024 bit keys are probably safe well into the next century.

There are basically two kinds of encryption methods: "private key" encryption and "public key" encryption. Private key is the sort of encoding to which most of us are accustomed -- substitution methods, "secret words", etc. A message scrambled with a private key code could be read by anyone who knows that code, meaning that the key must be kept private by both the sender and the receiver. Private key systems tend to be fast and easy, and are the methods typically used by web browsers for e-commerce. But all private key systems suffer from the same drawback: anyone who uses the key to encrypt a message can also decrypt any other message using that key.

Public key encryption solves that problem. Through a sophisticated bit of mathematics, public key systems allow for two separate keys: one to encode messages, and a second, secret, key to decode the messages. This means that someone who uses public key encryption can give her public key to anyone and everyone, confident that her encoded messages are safe.
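The two-key idea described above, sketched as textbook RSA (an added example, not part of the original column and not PGP's own code). The primes, function names and message are constructed for illustration; real systems add padding and use far longer keys, and the last function shows why length matters.

```python
# Textbook RSA with toy primes: illustration only (no padding, tiny keys).
from math import gcd

def make_keypair(p, q, e=65537):
    """Return (public, private) built from two odd primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public, message):
    """Anyone holding the public key can do this."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    """Only the holder of the secret exponent d gets the message back."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def recover_private(public):
    """Rebuild the private key by factoring n with trial division.

    Works here only because the modulus is tiny; every extra bit of
    key length makes this search longer.
    """
    n, e = public
    f = 3
    while f * f <= n:
        if n % f == 0:
            p, q = f, n // f
            return (n, pow(e, -1, (p - 1) * (q - 1)))
        f += 2
    raise ValueError("no odd factor found")

if __name__ == "__main__":
    public, private = make_keypair(1000003, 1000033)   # constructed toy primes
    c = encrypt(public, b"key")                        # constructed message
    print("ciphertext:", c)
    print("with private key:", decrypt(private, c))
    print("with public key: ", decrypt(public, c))     # not the message
    print("toy key factored:", recover_private(public) == private)
```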

Probably the most popular public key system in the world is software called PGP, or "Pretty Good Privacy". There are millions of PGP users around the world, and the latest versions of the software -- which can run on anything from DOS to Mac to Linux to all flavors of Windows -- can be found at www.pgpi.org. The PGP software has modules that add on to popular e-mail programs (such as Outlook and Eudora), letting you create encrypted messages right from within your mail software.

Many people don't know that e-mail messages are sent over the Internet without any scrambling whatsoever. It doesn't take much effort for a curious hacker to read the data sent along the net, including the entire text of your e-mail. Imagine if all postal mail had to be sent using postcards. Encryption provides an envelope for e-mail. Even if most of the e-mail messages we send are perfectly innocent, we wouldn't necessarily be happy if everyone read them.

This essay really only touches the surface of what can be done with encryption. The Cryptography FAQ at the RSA Labs -- one of the best commercial (US) sources of encryption software around -- gives many more answers. Download PGP and give it a try. Any encrypted e-mail sent to me using my public key will get an immediate reply.

© Daily Mail & Guardian - 01 September 1999

* Jamais Cascio is a consultant and writer specializing in scenarios of how we may live over the next century. His clients have included mainstream corporations, film and television producers. He has written for many publications, including Wired and TIME, and is currently working on a screenplay. He is an active member of the oldest and most influential online community, The Well, and believes that new technologies are pushing people into new social, economic and political realms.

Cryptography expert Adi Shamir has designed a US$2m optical computer called Twinkle that should be able to crack 512-bit RSA keys in a few days. Shamir is an expert on the RSA encryption system widely used by commercial companies and governments, being one of its three inventors (RSA stands for Rivest Shamir Adleman). Twinkle is named after the Israeli institute where Shamir works - it's an acronym for The Weizmann Institute Key Locating Engine.




Published weekly by the Electronic Mail & Guardian, Johannesburg, South Africa. Send email comments to the editor, Gavin Dudley