by David G. Propson
In early march, the fbi reported that a group of Eastern European hackers had stolen customer data from more than 40 Web sites over the past year, and nabbed more than a million credit-card numbers. Then, in a move reminiscent of classic protection rackets, they threatened to expose these weaknesses to other unless the sites agreed to hire them as Internet security consultants.
This sort of incident that makes businesses and customers think twice about the glories of e-commerce — and even about sending information via e-mail. The Internet is worthless as a business tool unless information can be kept secure.
I occasionally meet with executives from companies who want to sell security products to small businesses. They employ many different weapons, and I confess that many technical details are beyond my understanding. Encryption, in particular, can seem like an arcane art, involving (as it does) complicated algorithms, one-way equations, and other mathematical magic tricks.
The basic problem is how to transmit a piece of information at a distance and keep it out of the hands of everyone except the person it’s intended for. Imagine your mother wants to send you an extremely important, confidential package (probably those embarrassing pictures of you potty-training stage). If she sent it through the mail, it could easily be viewed at any point in its journey. Prying eyes could also steal a peek while it sat in the mailbox, waiting for you to pick it up.
These same types of problems are faced when transmitting information electronically. The data can be intercepted while in transfer or accessed off of an insecure server. Ideally, you’d like to make sure its protected in both places.
Tales From The Crypt
Since the time of Caesar (and probably before) messages have been encrypted using a “secret” key, which the two parties somehow agreed upon in advance. But such an arrangement isn’t well-suited for electronic transmissions, since there is no way to securely agree on a secret key (unless, of course, you use a different secret key). It’s the old problem of pulling yourself up by your bootstraps.
In 1976 Whitfield Diffie and Martin Hellman invented a process for “public-key” cryptography. Public-key cryptography is like a safety deposit box with a self-locking latch. Anyone can lock something in it, but one person can get anything out. Instead of using a single key to both encrypt and decrypt a message, two different ones are used. My “public key” can be posted far and wide, and anyone who likes can use it to send me encrypted messages. But only I have access to my “private key,” and only I can read those messages.
Moreover, it is prohibitively difficult to determine anyone’s private key simply by knowing the public key, because they are determined by the previously mentioned arcane mathematical formulas. Furthermore, a message or document might be encrypted using a public key that is a number on the order of several quadrillion (that’s a number with 15 zeroes after it).
Most e-commerce transactions are already encrypted. Digital signatures, which now can act as legally binding proof of identification, also make use of individual’s public and private keys.
As the Net develops further, expect encryption to become ubiquitous. The current practice of only encrypting information while it is being transferred is somewhat pointless, since any hacker worth his salt can find the same data sitting unencrypted on a server somewhere. It makes more sense to make sure all important information is automatically encrypted. Already, Microsoft’s Windows 2000 operating system comes with encryption technology built in.
You’ll probably never go out and buy a piece of encryption software, and you may not even realize when you’re using it. And though it can seem scarifingly complex, makes the electronic world a lot less scary.