HOW YOU CAN USE DATA ENCRYPTION TO SAFEGUARD YOUR PRIVACY

You can beat the bureaucrats and busy-bodies at their own game, with their own technology.

Unless you are a computer security specialist, you probably haven't thought much about secret codes. Indeed, why should anyone except the military or large, multinational corporations be concerned with protecting communications and information systems?

Information Superhighway-Men

If you use your PC to communicate with other people through networks such as Internet, CompuServe, even inner-company e-mail, you leave yourself wide open to intruders -- intruders who may read your messages or even gain access to the files you store on your hard drive. Anyone with a PC and a modem has the potential to infiltrate any computer system in the world. Spies, tax collectors, and other enemies of your privacy are continually developing powerful computer espionage techniques.

Anyone may fall prey to the bandits of the information superhighway. Already, computers have been hooked up to interactive systems that combine telephone, fax, television and other, more conventional telecommunications technologies, thus providing unsecured access through a variety of input channels. Most of the entryways used by data thieves to gain entry to your files can be safeguarded by the electronic equivalent of the number lock.

The art of disguising messages is called "encryption." Encryption in its most basic form involves techniques such as "substitution." For instance, shift the alphabet over two letters (A becomes C, B becomes D, etc.) so that "SECRET" becomes "UGETGV." The original message is the "plaintext"; the disguised message is the "ciphertext." The cryptographic system as a whole is a "cipher." The art of breaking ciphertext is called "cryptoanalysis." Cryptographers and cryptoanalysts employ cryptology, a mystery-clouded branch of mathematics.

The message is encrypted with an algorithm, a mathematical function.
The cryptographic algorithm is a series of steps that turns plaintext into ciphertext or vice versa. Algorithms use a key. Without the key, you can't decrypt the ciphertext. The key is selected from an immense array of possible values.

With a good cryptographic algorithm, one way to cryptoanalyze a ciphertext is to try all possible keys, known as a "brute force" attack. But imagine trying to unlock someone's door with one of 10,000,000,000 available keys on the key ring. Unless you were the kind of person who'd win the lottery jackpot 100 times in a row, the building would collapse from old age before you could open the door. Cryptography works on the same principle. It is possible to generate algorithms that would require more time than the universe has been in existence to crack -- even if every computer in the world were at your disposal.

So how would you use a cryptographic algorithm? Let's say that you run your own business, and you want your accountant to explain why he didn't deduct the cost of your car from your income statement. You want to keep your correspondence private, and not have any of your employees listen in. First, you hand the key to the accountant in person. Then you return to your computer, encrypt your message with the key, and send the encrypted message to the accountant. The accountant decrypts the message with the key, and repeats the procedure when communicating with you. Anyone intercepting the message will be unable to read it.

This type of cipher is called a "symmetric key" algorithm. The decryption key is the same as (or easily derivable from) the encryption key. The advantage of this type of cipher is the ease with which it may be used. The problem is that someone may steal the key from the accountant, or the accountant may intentionally reveal it. Also, it may be difficult to physically transfer the key.
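
The shift cipher and the brute-force attack described above, as an added example that is not part of the original article: it shows why a cipher with only 26 possible keys gives no protection, which is the reason the key must come from an immense range of values. The function names and the small word list are assumptions made for the illustration.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed word list standing in for a real dictionary (an assumption).
KNOWN_WORDS = {"SECRET", "MEET", "AT", "NOON", "THE", "KEY", "IS"}


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter `key` places along the alphabet; keep other characters."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same shift run backwards."""
    return shift_encrypt(ciphertext, -key)


def score(text: str) -> int:
    """Count the words of a candidate plaintext that appear in the word list."""
    words = (w.strip(string.punctuation) for w in text.split())
    return sum(1 for w in words if w in KNOWN_WORDS)


def brute_force(ciphertext: str):
    """Try all 26 keys; return (key, plaintext) for the best-scoring candidate,
    or None when no candidate contains a known word."""
    candidates = [(score(shift_decrypt(ciphertext, k)), k) for k in range(26)]
    best_score, best_key = max(candidates, key=lambda c: c[0])
    if best_score == 0:
        return None
    return best_key, shift_decrypt(ciphertext, best_key)


if __name__ == "__main__":
    ciphertext = shift_encrypt("SECRET", 2)
    print(ciphertext)
    print(brute_force(ciphertext))
    print(brute_force(shift_encrypt("The key is: meet at noon.", 11)))
```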

To solve the security risk inherent to symmetric key systems, cryptographers invented "public key" systems, which have two keys: an encryption key (the public key) and a decryption key (the private key). It's mathematically impossible to derive the private key from the public key. The public key is made available in your communications network. Someone who wants to communicate with you uses your public key to encrypt messages. As long as you keep the private key private, the system is completely secure.

Secret handshake

Another arrangement is used in message authentication. A message is authenticated with a digital signature, the way a written contract is validated with a signature. Without message authentication, a crook could pretend to be your spouse. He might convince you that your spouse's car has broken down. You leave your house, only to return, alone, to find that it has been robbed.

Digital signature algorithms are the reverse of public key ciphers. In this case, the decryption key is public, while the encryption key is private. Only the possessor of the key could have authored the message bearing the correct digital signature.

As with encryption algorithms, the security of digital signature algorithms lies entirely with key management. If an eavesdropper discovers your private key, he can send messages in your name. If the keys are insecure, a cryptographic algorithm is useless.

Let's say your business uses a public key system, or you are encrypting your own files for later use. A good way to store the key is to memorize it. However, the key could easily be compromised if someone were looking over your shoulder when you typed in the key, or if you were interrogated.

A better way to secure your key would be the installation of a magnetic key card system. You could split the key in two, storing half in the card and half in the memory of the computer itself. Even were either half compromised, the system would remain secure.
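
One way to implement the key split so that a single piece really is useless, as an added example that is not part of the original article: cutting the key into literal halves hands a thief half of the key bits, whereas XOR-ing the key with random data produces pieces that each reveal nothing. The example goes beyond two pieces to any number of pieces; all function names are assumptions made for the illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def naive_halves(key: bytes):
    """Literal split: whoever steals one piece already knows half the key bits."""
    mid = len(key) // 2
    return key[:mid], key[mid:]


def split_key(key: bytes, pieces: int = 2):
    """XOR split: every share is needed, and each share is as long as the key."""
    if pieces < 2:
        raise ValueError("need at least two pieces")
    shares = [secrets.token_bytes(len(key)) for _ in range(pieces - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)  # last = key ^ r1 ^ r2 ^ ...
    return shares + [last]


def join_key(shares):
    """Recombine the key by XOR-ing all shares together."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares must all have the same length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    return key


def matching_share(stolen: bytes, guess: bytes) -> bytes:
    """The other share that would make `guess` the key. One exists for every
    guess, so a single stolen share rules out no key at all."""
    return xor_bytes(stolen, guess)


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed 128-bit sample key
    card, disk = split_key(key)    # e.g. one share on the card, one on the PC
    print(join_key([card, disk]) == key)
    print(naive_halves(key)[0] == key[:8])  # a stolen literal half leaks 64 bits
    guess = b"A" * 16
    print(join_key([card, matching_share(card, guess)]) == guess)
```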

The key-splitting technique should also be applied to key distribution. If you need to send someone a symmetric key to set up a two-way communication channel, divide it into several pieces. Send them through different channels at different times (in person, through the mail, etc.). Any piece by itself is useless.

Electronic locksmith

Ironically, cryptographic algorithms developed in secret are the least secure. Avoid encryption products that claim to involve "new" or "secret" algorithms. Most of them are simply unable to withstand the scrutiny of professional cryptoanalysts. There are several effective, powerful algorithms that have been around for over a decade. While new encryption technology may emerge, rendering current algorithms obsolete, it is safer to stick with proven systems.

DES (Data Encryption Standard) is an international encryption system endorsed by the U.S. government. This is also its major flaw. There are unconfirmed rumors that the U.S. National Security Agency (NSA) apparently holds a key to a secret "trapdoor" to the algorithm. DES uses a 56-bit key, which would take thousands of years to break -- even assuming the existence of supercomputers that transcend current limitations. While it is possible to find algorithms with a greater key length, the additional security is offset by decreased speed and efficiency. Also, the widespread use of DES makes it very convenient to use.

Electronic data encryption opens up an incredible entrepreneurship potential for information-related services. In an electronic marketplace with hundreds of thousands of potential clients worldwide, even small-scale offers of information, say, a comic strip, a bawdy limerick, or a stock report suddenly become marketable. Encryption could help meter it out according to a pay-per-view system.