Keep Your Information Out of the Wrong Hands

Encryption, keys and digital signatures, reports of viruses, worms, and hacked Web sites occur on an almost daily basis.

Consequently, security is a growing concern on the Internet. Without the proper precautions being made in advance, it's clear that information on the Internet is anything but secure.

There is software to deal with viruses and worms, and life can be made a bit more difficult for hackers by using firewalls. But how can you make your data more secure, even in the event that it is intercepted on it's way across the Internet?

Encryption is the most common method for making data more secure. Also known as cryptography, encryption is the art of taking your data and scrambling it into a form that can only be understood by the sender and the intended recipient.

Choosing the method for how to scramble your data is a complex field of research. There have been countless methods used, and each method has been "cracked" by someone with enough incentive.

Encryption is an old practice, with references to it being made as early as 2,500 years ago.

One of the better known ancient forms of encryption was the so-called Caesar's Cipher. Caesar wanted to send secret messages to his military leaders, and the method he used involved the shifting of the letters of the alphabet by a given number to the right or to the left.

For instance, if he wanted to write down the message "Attack at dawn", he would replace each letter of the message with the letter in the alphabet three positions to the right. So the letter A would become the letter D, and the letter T would become the letter W. So the message "Attack at dawn" would be written as "Dwwdfn dw gdzq".

The three-letter-shift is the key to the encryption. Caesar and the recipient knew the key, but if the message was intercepted by the enemy they would not have the key to decode it.

This method of encryption is actually pretty easy to decode, because with only 26 letters in the alphabet the key can be found after only 26 attempts. A better key might be one in which each letter is shifted by a different value, such as three letters to the right for the first character in the message, seven letters to the left for the second character, 12 letters to the right for the next character, etc. This would make the enemy's job much harder, but this key would eventually be found as well, given enough time and effort.

The task of cryptology is to find an encryption method that is easy to use but hard enough to decode to make the attempt not worth the effort. It is generally assumed that any method of encrypting data can eventually be decoded by enough people with enough time on their hands.

But the goal is to make the process take long enough that, once the key is found, the content of that message will no longer be of much use.

Methods used today for encrypting computer data essentially involve taking a piece of data and converting it into a very large number. This large number should appear to consist of random sets of numbers, with little or no repetition or any appearance of a pattern. The larger the number the longer it should take to figure out the key and decode it.

This process is an ongoing discipline. Every year some group of scientists will announce that they have found some method for encrypting data into some huge number that would take millions of years to decode. Then a few months later some teenager with a few computers figures out the key. The scientists then return to their labs and figure out some way to generate even larger, more random, encryption keys.

Data can be encrypted at various times. You can encrypt data stored on your computer, so that if anyone accesses your computer they will have a hard time reading your files. You can also encrypt data that will be sent across the Internet, such as your Email. A common tool for encrypting e-mail is PGP, which stands for Pretty Good Privacy. This tool is free and can be downloaded from the Internet at www.pgpi.org.

Using PGP you first generate an encryption key, which is essentially just a very long string of numbers that defines how your message will be encrypted. You give this key to your intended recipient so that he or she will be able to decode your message. You then encrypt your message, send it, and the recipient uses the key to decode the message.

Encryption keys come in two versions, private keys and public keys. Private keys are given only to your intended recipients to ensure that only they will be able to decode your message. Public keys are distributed publicly on the Internet so that anyone can use the public key and compare it to the key that your message used. Public keys help to prove who wrote a message and catch imposters.

In addition to being encrypted, e-mail can also have a digital signature. Despite its name, a digital signature is not a scanned version of your signed name with a pen on paper. It is also a long series of numbers, but is used in the same way as a written signature is used: It is a way for you to "sign" your message as having come from you and not an imposter. In the US a digital signature has the same legal status as a traditionally signed document. For this reason, digital signatures should not be given out freely, since it is essentially your personal ID. You can buy a digital signature from a commercial software dealer, or you can use the free PGP software to generate one.

Data is not just encrypted on your computer. Data can also be encrypted by routers as it is sent over a network. Routers use basically the same methods of key-generation encryption, but it is done between routers, showing up at the sender and recipient's computers in its normal, un-encrypted form. This method makes it easier to ensure that all traffic across a network is secure, but it moves control away from the end-user.

Encryption technology is a sensitive issue when it comes to exporting it across international boundaries.

The American government treats encryption methods in the same way as it treats weapons technology, and therefore falls under military laws. Certain encryption methods that the US government considers medium-level are allowed to be used outside of its borders. But "strong encryption" techniques are tightly controlled and may only be used within US borders.

Some good sources for reading about different encryption methods and how secure they are can be found at the following sites: Electronic Frontier Foundation www.eff.org Cryptography A to Z www.ssh.fi/tech/crypto Centre for Technology and Democracy www.cdt.org/crypto.

So when you are concerned about how to send a message across the Internet in a secure form, away from prying eyes, you are facing the same dilemma that Caesar faced all those years ago. Prying eyes is no less a problem now than it was then, but today you have more options available to you than Caesar did. Perhaps if Caesar had known about PGP encryption, Rome might have lasted even longer than it did.