January 1, 1996

New encryption methods strengthen Net security

Public-key encryption will change cyberspace and electronic communications dramatically, turning a free-for-all system with minimal security into a system in which you can be sure that your private information remains private and in which the authors of messages and documents can be identified positively.

There are two major problems with communications on the Internet and through the many BBSs and online services. First, there’s the question of security. Can you be sure that your communications will be private, that information you want to remain private will not be accessible to others? For instance, can you buy something on the Internet securely, transferring your credit-card number without any risk of the number being intercepted?

The theft of credit-card numbers on the Internet is probably infrequent right now, but that’s not because it’s hard to do – there are many ways for messages to be read by the wrong people. Then there’s the question of identification: How do you know that a message you receive really came from the person it seems to come from?

Forging e-mail is remarkably easy and very common. It’s usually done by pranksters, though there have been cases of serious and damaging forgeries. Cyberspace needs a way in which messages can be authenticated, so the recipient can confirm that an important message is not forged. How can public-key encryption help? It can ensure that messages you send can be read only by the intended recipients, and it provides a way to add a digital “signature” to messages so recipients can confirm the identity of the sender.

Before I explain “public-key encryption,” let me explain “private-key encryption.” The concept is quite simple. If you want to encrypt a computer file, you use an encryption program. You tell the program the name of the file you want to encrypt — which may contain an e-mail message, a spreadsheet, word-processing document or whatever — and give the program your key.

The key is a sort of code, and is known as a private key — or secret key — because you must keep the key confidential. Once the program has encrypted the file, the file can’t be used; it’s turned into a jumble of digital dross, rubbish that can’t be used by any program.

Now, what happens when you — or the recipient, if you sent the file to someone — want to decrypt your file to convert it back to a format that you can use? Well, you use the same program; you tell the program the name of the file, and give it the key again, and the program converts it back to its original format.

There’s a big problem with this system, though; you have to use the same key to encrypt as you do to decrypt. So if you want to send an e-mail message to someone, you’ll have to send that person the key, too!

Public-key encryption gets around this problem by using “two” keys. Through the magic of rather complicated mathematics, these two keys are related. If you encrypt the message with one key, you only can decrypt it with the other key — the key used to encrypt the file will not decrypt it.

Here’s how you would use a system like this. Let’s say that you want to send a message to your colleague, Fred. First, you get hold of Fred’s public key. Fred can give this key away freely — it’s a small computer file that you load into the encryption program. He can send it to you via e-mail, and it doesn’t matter if anyone intercepts it because, as its name implies, it doesn’t contain anything that has to be kept secret.

Now you tell the program to use Fred’s key, and tell it which file to encrypt. Then you send the file off to Fred. When Fred receives the file, what does he do? He uses the same program. He tells the program which file to decrypt and then tells it to use his “private” key, the key that is mathematically related. He keeps this one secret. Only this private key can be used to decrypt files encrypted with the corresponding public key.

Now, how about proving that a message comes from you? Here’s what you do. You use your “private” key to encrypt your message, and then send it to Fred. Fred can then use your “public” key to decrypt your message. If your public key decrypts the file, it means that the message must have been encrypted with your private key. And as your private key is, well, “private,” it means that it must have come from you. It is, in effect, “digitally signed.”
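The two-key exchange described above, sketched with textbook RSA as an added example (not part of the original column, which names no algorithm). It signs a SHA-256 digest of the message rather than the whole message, as real systems do. Assumptions: the primes are publicly known Mersenne primes and no padding is applied, so these keys illustrate the mathematics only and protect nothing; the names and sample message are constructed.

```python
import hashlib

# Toy key generation: p and q must be prime. Real keys use secret random primes.
def make_keypair(p, q, e=65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)

def _apply(key, value):
    n, exponent = key
    return pow(value, exponent, n)

def encrypt(public, message):
    m = int.from_bytes(message, "big")
    if m >= public[0]:
        raise ValueError("message too long for this key")
    return _apply(public, m)

def decrypt(key, ciphertext):
    m = _apply(key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message):
    # "Encrypt with the private key": applied to a digest of the message
    return _apply(private, _digest(message))

def verify(public, message, signature):
    return _apply(public, signature) == _digest(message)

# Assumed toy primes: Mersenne primes, known to everyone, hence insecure.
FRED_PUBLIC, FRED_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
YOUR_PUBLIC, YOUR_PRIVATE = make_keypair(2**107 - 1, 2**607 - 1)

def demo():
    note = b"Meet at noon, Fred."            # constructed sample message
    sealed = encrypt(FRED_PUBLIC, note)      # anyone can do this for Fred
    signature = sign(YOUR_PRIVATE, note)     # only you can do this
    return {
        "fred_reads": decrypt(FRED_PRIVATE, sealed),
        "public_key_reopens": decrypt(FRED_PUBLIC, sealed) == note,
        "genuine": verify(YOUR_PUBLIC, note, signature),
        "altered": verify(YOUR_PUBLIC, note + b" Bring cash.", signature),
        "forged": verify(YOUR_PUBLIC, note, sign(FRED_PRIVATE, note)),
    }
```

Only the first and third results succeed: the encrypting key cannot reopen the file, and a changed message or a signature made with someone else's private key fails the check against your public key.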

Public-key encryption is turning up everywhere. Microsoft fax — built into Windows ’95 — allows you to send encrypted and digitally signed faxes, for instance. Only the people you want to view your faxes will be able to do so, and you even can prove that a fax came from you.

Public-key encryption also is at the heart of the secure credit-card transaction systems on the World Wide Web — such as the system used by the popular Netscape Web browser. Netscape will use public-key encryption to provide secure e-mail, too, in a few months.

Until now, electronic communications have been considered to be rather suspect. They are so easy to intercept and so easy to forge — nothing beats a signature on a piece of paper. Things are changing, though, and pretty soon, thanks to public-key encryption, we may see the day when digital communications are not only secure, but accepted as widely as paper communications.

Peter Kent is a Colorado-based writer specializing in computers. He’s the author of “Using Microsoft Network” (Que) and “Using Netscape 2.” Peter can be reached at pkent@labpress.com.
