**************************************************************
*                                                            *
*  CYBERSPACE                                                *
*  A biweekly column on net culture appearing                *
*  in the Toronto Sunday Sun                                 *
*                                                            *
*  Copyright 1999 Karl Mamer                                 *
*  Free for online distribution                              *
*  All Rights Reserved                                       *
*  Direct comments and questions to:                         *
*                                                            *
*                                                            *
**************************************************************

Security wasn't the first concern of the net's creators. Security of private communications came through the expectation that the original users, scientists and university students, would act responsibly. It's not worth risking a loss of tenure or being kicked out of grad school to read other people's dirty email.

These days people trade more than poorly written erotica online. There are as many sites asking you to enter your credit card number as there are university freshmen on alt groups screaming for pictures of "NEKKID GIRLS!!!!"

If you were foolish enough to email me your credit card number, your email would likely pass through half a dozen computers before it reached my In box. While I can vouch for my own incredible honesty, I can't vouch for the honesty of those managing the intervening sites.

Encryption has always been the way to transmit private information over public lines of communication. For nearly 2,000 years, encryption has involved using a "key" to scramble the information and the person on the other end using the same key to unscramble the information. Since both the sender and receiver have to have the same key, both have to keep this key private.

A private key system works well with a limited number of known people. A private key system doesn't work on the net where you want to communicate with thousands of people and businesses.

In 1976, the public/private key encryption system was introduced and is the standard method of encryption used over the net. A public key provides enough information to encrypt a message but contains nothing about how to decrypt a message.
The only way to decrypt a message is with the private key. It's like having a bank deposit bag with two keys. The public key lets you lock the bag. Once locked, you can't open the bag with the public key, no matter how hard you try. Only the bank teller with the private key can open the bag.

The beauty of the public/private key system is that you can distribute your public key to anyone. I can give you, the RCMP, and the hacker kid down the street my public key and as long as no one gets a hold of my private key, I don't have anything to fear. In fact, the only way to get anyone to send me encrypted information is by making my public key public.

The only real worry is the strength of the encryption system. Strong systems use very large numbers as keys. Weak systems use smaller numbers.

A 40-bit system is considered weak. A bit is either a 0 or 1. A 1-bit system means the key is either 0 or 1. You could guess the private key by first trying 0 and then trying 1. A 2-bit system provides 4 possible keys: 00, 01, 10, or 11. A 3-bit system provides 8 keys. Each time you add a bit, you double the possible keys.

A 40-bit system provides over a trillion combinations. Like I say, weak. It's been demonstrated that a person with access to a small network of computers (basically, anyone at school or work) can burn through a trillion numbers in a matter of hours.

A 128-bit "military grade" system provides more than a trillion times a trillion times a trillion combinations. You could string together a network of super computers and not crack a 128-bit scheme in a human lifetime.

Fortunately, you don't need a super computer to generate a 128-bit key. You can use any PC and a free piece of software called PGP (Pretty Good Privacy). You can get it at www.pgp.net/pgpnet.
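
The key-length argument above (each added bit doubles the keys a guesser must try), as an added example that is not part of the original column: it searches the whole keyspace of a toy same-key cipher at small key sizes, then scales the count to 40 and 128 bits. The cipher, the function names, the sample message and the rate of 100 million guesses per second are all assumptions made for this illustration.

```python
import hashlib

ASSUMED_RATE = 1e8  # guesses per second: an assumed figure, not from the column


def toy_cipher(key: int, data: bytes) -> bytes:
    """Toy same-key cipher, constructed for this example and not secure:
    XOR the data with a SHA-256 keystream derived from the integer key.
    Running it twice with the same key returns the original data."""
    stream = hashlib.sha256(key.to_bytes(16, "big")).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def exhaustive_search(ciphertext: bytes, known_prefix: bytes, bits: int):
    """Try every key of an n-bit keyspace in order until the decryption
    starts with the known plaintext. Returns (key, tries)."""
    for tries, guess in enumerate(range(2 ** bits), start=1):
        if toy_cipher(guess, ciphertext).startswith(known_prefix):
            return guess, tries
    return None, 2 ** bits


def doubling_table(max_bits: int = 16):
    """Worst case for the searcher: the real key is the last one tried."""
    message = b"CARD 0000 0000 0000 0000"  # constructed sample plaintext
    rows = []
    for bits in range(8, max_bits + 1, 2):
        secret = 2 ** bits - 1
        found, tries = exhaustive_search(toy_cipher(secret, message), message[:8], bits)
        rows.append((bits, found == secret, tries))
    return rows


def worst_case_seconds(bits: int, rate: float = ASSUMED_RATE) -> float:
    """Time to try every key of an n-bit keyspace at the assumed rate."""
    return 2 ** bits / rate


if __name__ == "__main__":
    for bits, ok, tries in doubling_table():
        print(f"{bits:3d}-bit key: recovered={ok} after {tries} tries")
    print(f" 40-bit: {worst_case_seconds(40) / 3600:.1f} hours")
    print(f"128-bit: {worst_case_seconds(128) / (3600 * 24 * 365):.1e} years")
```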