How to stay one step ahead of the hackers.
The subject of the contest is cryptography.
Cryptography is the ancient art of using algorithms (techno-speak for precise rules) to transform readable text (plaintext) into an unreadable form (ciphertext) for secure transmission or storage. Basically you and I and organisations throughout the world want to communicate electronically in private - just as when we post letters, we put them in envelopes to make sure only the addressee reads the message.
But it's more than just about secure email.
Electronic commerce messages between contracting parties need to be secure to ensure that no intermediary siphons off electronic cash, or that contracting parties masquerade as someone else in order to defraud.
Governments have large and expensive intelligence agencies whose business it is to discover other people's secrets.
Enter the US government, which prohibits the export of encryption software using keys longer than 40 bits.
Keys are binary numbers whose bits are combined with your data bits to "lock" them, using complex mathematical algorithms. The longer the key, the stronger the encryption: every extra bit doubles the number of keys an attacker must try, so a key that is 16 bits longer is 65,536 times harder to crack by trial and error. A 40-bit key would take a casual hacker with £300 of technology about five hours to crack, and an intelligence agency with £200 million about 0.0002 seconds.
Increase the key to 56 bits and the casual hacker needs 38 years and the professionals 12 seconds. If I then add a second key to the process I make the problem more fiendish still.
Step up the world's software developers, encouraged by Philip Zimmermann, the pioneer of cryptography for the masses, who defied the US government by freely distributing PGP (Pretty Good Privacy), whose key lengths can reach 2048 bits (those are public-key lengths, which are not directly comparable with the 40- and 56-bit secret keys above). They have developed many crypto products for sale outside the US, unhindered by competition from US software houses.
This results in the bizarre spectacle of Sun Microsystems - a large US midrange computer manufacturer - using a Russian software house known as Elvis in order to produce strong crypto for sale outside the US.
Apply Moore's Law, where computing power in the Intel camp doubles every 18 months, and you have a new boom software industry. To stay ahead of the hackers you need to add a bit to your key length at the same rate, since one extra bit doubles the work of trying every key; doubling the key length outright, which squares that work, buys a far longer head start.
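Worked example, added here and not part of the original article: a known-plaintext brute-force search against a toy cipher (a hypothetical construction, XOR with a SHA-256 keystream, used only so the key is the sole secret), showing that the worst-case effort doubles with every key bit, together with the arithmetic behind the stay-ahead argument. The key sizes, plaintext and the 18-month doubling period are assumptions chosen for illustration.

```python
"""Brute force against an n-bit key: added example, not from the article."""
import hashlib
import itertools
import math


def toy_encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    # Hypothetical toy cipher: XOR the data with a keystream derived from the key.
    # Deliberately simple; the only property that matters here is that the
    # key is a secret of exactly key_bits bits.
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    keystream = hashlib.sha256(key_bytes).digest()
    return bytes(p ^ k for p, k in zip(plaintext, itertools.cycle(keystream)))


def brute_force(key_bits: int, plaintext: bytes, ciphertext: bytes):
    """Known-plaintext search over the whole keyspace. Returns (key, tries)."""
    for tries, candidate in enumerate(range(1 << key_bits), start=1):
        if toy_encrypt(candidate, key_bits, plaintext) == ciphertext:
            return candidate, tries
    return None, 1 << key_bits


def scaling_demo(bits_list=(8, 10, 12)) -> dict:
    """Worst-case tries per key size; each two extra bits quadruple the search."""
    plaintext = b"attack at dawn"  # constructed sample message
    results = {}
    for bits in bits_list:
        key = (1 << bits) - 1  # worst case for the attacker: the last key tried
        ciphertext = toy_encrypt(key, bits, plaintext)
        found, tries = brute_force(bits, plaintext, ciphertext)
        if found != key:
            raise RuntimeError("search failed")
        results[bits] = tries
    return results


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average time to find the key: half the keyspace at the given trial rate."""
    return (1 << key_bits) / 2 / keys_per_second


def bits_to_add(years: float, doubling_months: float = 18.0) -> int:
    """Extra key bits needed to cancel out Moore's-law speed-ups over `years`
    (assumed 18-month doubling), rounded up to whole bits."""
    return math.ceil(years * 12 / doubling_months)


if __name__ == "__main__":
    print(scaling_demo())
    for bits in (40, 56):
        print(bits, "bits, 1e9 keys/s:", expected_seconds(bits, 1e9), "s on average")
    print("bits to add over 6 years:", bits_to_add(6))
```

Because each bit doubles the average search time, `expected_seconds(41, r)` is exactly twice `expected_seconds(40, r)`, while going from 40 to 80 bits multiplies the work by 2^40, not by two.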
There is a sub-plot around key recovery and certificate authorities. In public-key cryptography each user has a matched pair of keys. The public key is used to encrypt messages to that user and is freely made available; the matching key, the private key, is kept secret and is the only one that can decrypt them. So to send you a message I need your public key, and only you need hold the private one.
Suppose I want to send you an encrypted message - I have to find a key directory and download your public key.
Who manages that repository? And how does the manager irrevocably tie that key to you? This is done with a Digital Signature: a trusted organisation, the Certificate Authority, signs a certificate that binds your name to your public key using its own private key, and anyone holding the authority's public key can check that the signature is genuine and that the key in the certificate has not been swapped.
Large organisations will develop their own internal key management, but a public key infrastructure needs construction. In many countries it is post offices that are proposing becoming Certificate Authorities. Governments around the world are demanding key recovery powers that would give them access to keys, subject to legal regulation where there is a strong democratic tradition.
Privacy advocates and electronic commerce interests are bitterly opposing them.
This is not some obscure debate about the privacy of individuals' messages. If electronic commerce over the Internet is to develop, everyone involved has to be sure they are trusted and protected, because real money is changing hands, and that needs protecting from the crooks, probably more than it does from governments.
Publication: The Birmingham Post (England)
Date: May 19, 1998