Simple Concept, Complex Technology

Modern encryption programs are tough on hackers trying to crack into your computer system or e-mail messages.

by / February 28, 1998
Not since World War II has encryption received so much attention. Germany, during that time, had some of the most able scientists and cryptographers, but the Allies cracked Germany's submarine codes and discovered valuable information on Germany's strategic plans.

Today, encryption has become an important key in securing computer data from prying eyes. Users can encrypt files that contain sensitive data and protect them from theft or access by unauthorized co-workers or network hackers. Information traveling between computers goes through numerous routes, systems and servers. A hacker can intercept message packets in transit and attempt to reconstruct your message before it reaches its destination.

Computer data security concerns are similar to those of any confidential communication. The reality is that the Internet is no more insecure than any other medium of commerce, such as bank, postal or telephone credit card transactions. But Internet security concerns cannot be overstated either, because computerized tools such as network "sniffers" are employed by hackers to sort, filter and intercept sensitive information from a network.

Many of the newer versions of popular applications -- Microsoft Word, Excel, Corel WordPerfect and others -- already provide encryption. Many experts predict that encryption will soon become an integral part of any application.

While these applications feature less secure algorithms, their encryption is sufficient for most needs. Inexpensive but very effective software programs such as Symantec's Norton DiskLock, Pretty Good Privacy and Netscape Communicator 4.0 provide an excellent way for users to test encryption.

Asymmetric or Symmetric Keys

While the technical details of cryptography are very complicated, the concept is rather simple. Basically, encryption is the scrambling and altering of data until it is no longer readable by anyone who does not have the proper decryption key.

Cryptographers have developed various methods to perform this task. The asymmetric method, also called public-key cryptography, requires two keys -- one to encrypt, and the other to decrypt a message. The user's public key is freely distributable to anyone through several key servers on the Internet. These servers act as public-key white pages.

For example, say Joe wants to send Mary some secure files or messages. To do so, he must request and receive Mary's public key via e-mail or look for it in a public-key server and use that key to encrypt the files. When Mary receives the message, she uses her private key to decrypt the message, which was encrypted with her public key. The security of this system resides in the combination of the two keys; if the keys don't match, the file or message can't be viewed.

Similarly, Mary uses Joe's public key to encrypt her reply before sending it. To assure Joe that she sent the answer and that it was not forged, Mary signs this message with her private key, which generates a digital signature block that Joe can verify using Mary's public key.

Digital certificate authorities issue digital signatures and verify the user's identity much the same way a DMV verifies an identity and issues a driver's license.

Symmetric cryptography uses a single key to encrypt and decrypt messages. Its weakness is that, to transmit an encoded message, users must also send the private key, which means a secure distribution route is needed.

Key Bit Rate

No matter how securely the doors are locked, a persistent intruder can find a way through. While no encryption program is 100 percent uncrackable, most intruders lack the time or skill to bypass or dismantle such security tools.

One primary indicator of encryption strength is the key's bit rate, which is the number of bits in a key. A bit is a single digit in a binary number -- either 0 or 1. The amount of time required to decode depends on the length of the decryption key. A longer key means a hacker must try more combinations in order to decode the data. For example, a combination lock with only one, single-digit number on the tumbler is simple to open by just trying each number. With two or more numbers in the tumbler, the difficulty rises considerably. The cracker must put the first set on one number, then try each number in the second set, then repeat the process with the second number in the first set, etc. The more numbers to try, the more difficult the cracker's job.

Just as with the combination lock example, the higher the bit rate, the harder it is to break the encryption scheme. A 40-bit key, for example -- the U.S. government restricts export of key lengths greater than 40 bits -- requires the cracker to attempt more than a trillion combinations. While this may seem like an extremely large number of keys, an Intel Pentium-based PC -- attempting various combinations in what is called "brute force" -- could crack the key in a matter of hours.

A 56-bit key requires trying more than 72,000 trillion possible combinations. A conventional PC might take about 1,000,000,000,000,000,000,000 years to crack a 128-bit key. In the United States, domestic versions of 128-bit keys are used and are virtually impossible to crack by brute force methods using current computing technologies.

The easiest way to crack a message is to obtain a copy of the sender's private key, or in case of symmetric encryption, to intercept the message and the key en route to its destination.

When DES encryption was devised in the 1970s, the 56-bit key was considered very safe; with the computers of today, a DES-encrypted message is still fairly secure, but a 56-bit key was recently cracked.


One of the shortcomings of public key technology is the extra time it takes to encrypt and decrypt data. The longer the key, the more time required to encrypt or decrypt a message.

To increase the speed of encryption, nCipher's nFast line of cryptographic hardware could be used to accelerate the timing. It does that by off-loading the cryptographic burden from the CPU. Each nFast accelerator improves performance by up to 100 times and is able to handle up to 300 1024-bit key public signings per second.

For additional information on the Internet:

Norton DiskLock

Previous versions of Symantec's DiskLock focused on locking the hard disk and preventing access to specific files. With the spread of Internet and other networks and e-mail, DiskLock shifted its focus to the encryption of files, thereby rendering them useless to an unauthorized user.

The program comes with a group of encryption and decryption tools that provide protection at the file and folder level. Encrypted files and folders cannot be moved, copied or deleted by unauthorized users; if they are opened, the encryption renders them unreadable.

After the encryption and screenlock components are installed on the system, users must enter their user name and password to activate the program each time the machine is turned on. Once the application is activated, users can access the encryption and decryption options.

DiskLock uses an asymmetric encryption scheme that requires two different keys to encrypt and decrypt files. It works with a public and private key, allowing public keys to be exchanged between users wishing to access each other's work. Without a user's private key, however, the public key remains useless, so security is not compromised.

Additionally, DiskLock provides a timeframe access during which someone can access information from a hard drive. It also features an audit log that tracks system activity, revealing what was done to the system and when it occurred.

For additional information, contact Symantec, 10201
Torre Ave., Cupertino, CA 95014. Call 800/
441-7234. Internet: .

Netscape Communicator 4.0

Netscape Communicator 4.0 gives users the most powerful and flexible data security. For a secure communication across the Internet, Netscape developed Secure Socket Layer (SSL), which utilizes encryption.

Web browsers, for example, routinely encrypt credit card numbers and other sensitive information when helping perform online purchases. The encrypted data goes to an online merchant, who decrypts the message and processes the order.

SSL makes sure traffic between the two hosts is not modified in transit. It uses a technique called "hashing" to ensure that message integrity is guaranteed.

Mutual authentication is guaranteed by SSL digital certificates, which are exchanged by the communicating machines at the time they initiate connection.

SSL offers potentially broader security, since it works on a network-transport level. Any program conversing over the network can use SSL, which sets up a safe passageway or tunnel between a client and server. Once erected, everything traveling within the tunnel is secure from outsiders.

For additional information, contact Netscape Communications, 501 East Middlefield Road, Mountain View, CA 94043. Call 415/937-3777. Internet: .

Pretty Good Privacy

PGP (Pretty Good Privacy) for Personal Privacy, written by Phillip Zimmerman in 1991, allows users to encrypt and decrypt files on demand. PGP combines multiple encryption algorithms, most notably those based on RSA Data Security's public key. According to the company, PGP automatically integrates with popular e-mail clients, such as Eudora (Pro or Light Versions) and Microsoft's Exchange.

In September, PGP Inc. released its Business Security Suite -- a trial version of security applications available over the Net for DOS, Windows, OS/2, UNIX and Mac systems.

For additional information, contact Internet: .

Ravlin 10

A growing number of organizations are seeking another innovative and economical alternative -- the virtual private network (VPN). VPNs involve a vendor that controls the Internet connection at both ends, including protocol and secured encryption keys. VPNs use TCP/IP "tunneling" to let users dial in to their offices via the Internet.

RedCreek's Ravlin 10 encryption hardware and software let users create a secure VPN. It is interoperable with firewalls and routers and provides data encryption without slowing the network. According to the company, this lets users create secure virtual private networks without forcing them to make radical changes.

Ravlin 10 allows the establishment of secure VPNs over both private and public networks, and it uses standard DES encryption, authentication and access control using digital signature standards and X.509 digital certificates.

For additional information, contact RedCreek, 3900 Newpark Mall Road, Newark, CA 94560. Call 510/745-3900. Internet: .

The Government Agenda

Longer keys and more complex algorithms are clearly required for meaningful security, but proposals for government access to data are having the opposite effect.

Some government and law enforcement agencies want to keep strong encryption out of the hands of terrorists and other criminals. As a result, a mandatory key escrow has been proposed, whereby government agencies would keep a sort of "skeleton key" to all encrypted data. The FBI wants "realtime" access to all encrypted communications.

Privacy advocates understandably worry that as voice and data networks increasingly carry a larger share of the nation's communications traffic, government agencies will be able to access private networks without safeguards.

Encryption is also grabbing headlines elsewhere. Other countries are contemplating similar moves. The European Union is launching a pilot project called EuroTrust, which could be the first step in creating a single authority to manage the copies of private keys necessary for back-door access to all computer data.

In the most extreme example, France has outlawed the use of encryption of any kind. So in the final analysis, encryption is not just a matter of technology and bit length, but a political, social and policy issue that will become more prominent as global electronic commerce increases and as computer networks reach into more and more homes, businesses and government agencies. *

March Table of Contents