**************************************************************
*                                                            *
*                         CYBERSPACE                         *
*         A biweekly column on net culture appearing         *
*                in the Toronto Sunday Sun                   *
*                                                            *
* Copyright 1999 Karl Mamer                                  *
* Free for online distribution                               *
* All Rights Reserved                                        *
* Direct comments and questions to:                          *
*                                         *
*                                                            *
**************************************************************

Security wasn't the first concern of the net's 
creators. Security of private communications came 
through the expectation that the original users,
scientists and university students, would act 
responsibly. It's not worth risking a loss of tenure 
or being kicked out of grad school to read other 
people's dirty email.

These days people trade more than poorly written 
erotica online. There are as many sites asking you to 
enter your credit card number as there are university 
freshmen on alt groups screaming for pictures of 
"NEKKID GIRLS!!!!"

If you were foolish enough to email me your credit 
card number, your email would likely pass through half 
a dozen computers before it reached my In box. While I 
can vouch for my own incredible honesty, I can't vouch 
for the honesty of those managing the intervening 
sites.

Encryption has always been the way to transmit private 
information over public lines of communication. For 
nearly 2,000 years, encryption has involved using a 
"key" to scramble the information and the person on 
the other end using the same key to unscramble the 
information. Since both the sender and receiver have 
to have the same key, both have to keep this key 
private.

A private key system works well with a limited number 
of known people. A private key system doesn't work on 
the net where you want to communicate with thousands 
of people and businesses. In 1976, the public/private 
key encryption system was introduced and is the 
standard method of encryption used over the net.

A public key provides enough information to encrypt a 
message but contains nothing about how to decrypt a 
message. The only way to decrypt a message is with the 
private key. It's like having a bank deposit bag with 
two keys. The public key lets you lock the bag. Once 
locked, you can't open the bag with the public key, no 
matter how hard you try. Only the bank teller with the 
private key can open the bag.

The beauty of the public/private key system is that 
you can distribute your public key to anyone. I can give 
you, the RCMP, and the hacker kid down the street my 
public key and as long as no one gets a hold of my 
private key, I don't have anything to fear. In fact, the 
only way to get anyone to send me encrypted 
information is by making my public key public.

The only real worry is the strength of the encryption 
system. Strong systems use very large numbers as 
keys. Weak systems use smaller numbers.

A 40-bit system is considered weak. A bit is either a 
0 or 1. A 1-bit system means the key is either 0 or 1. 
You could guess the private key by first trying 0 and 
then trying 1. A 2-bit system provides 4 possible 
keys: 00, 01, 10, or 11. A 3-bit system provides 8 
keys. Each time you add a bit, you double the possible 
keys. A 40-bit system provides over a trillion 
combinations. Like I say, weak. It's been demonstrated 
that a person with access to a small network of 
computers (basically, anyone at school or work) can 
burn through a trillion numbers in a matter of hours. 

A 128-bit "military grade" system provides more than 
a trillion times a trillion times a trillion combinations.
You could string together a network of supercomputers 
and not crack a 128-bit scheme in a human lifetime. 
Fortunately, you don't need a supercomputer to generate 
a 128-bit key. You can use any PC and a free piece of 
software called PGP (Pretty Good Privacy). You can 
get it at www.pgp.net/pgpnet.
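
The key-size arithmetic above, as an added example that 
is not part of the original column: a toy cipher is 
searched key by key at small sizes, and the measured 
guessing rate is projected to 40 and 128 bits. The 
cipher, the sample message, and the assumption that the 
searcher can recognize the right plaintext are all 
constructed for illustration.

```python
import hashlib
import time

MESSAGE = b"meet me at noon"  # constructed sample plaintext

def toy_cipher(key: int, bits: int, data: bytes) -> bytes:
    """Toy cipher for illustration only: XOR data with SHA-256 of the key.
    Applying it twice with the same key returns the original data."""
    stream = hashlib.sha256(key.to_bytes((bits + 7) // 8, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

def brute_force(ciphertext: bytes, expected: bytes, bits: int):
    """Try every possible key in order; return (key, attempts made)."""
    for key in range(2 ** bits):
        if toy_cipher(key, bits, ciphertext) == expected:
            return key, key + 1
    return None, 2 ** bits

def worst_case_attempts(bits: int) -> int:
    """Encrypt under the last key in the search order, then count guesses."""
    secret = 2 ** bits - 1
    found, attempts = brute_force(toy_cipher(secret, bits, MESSAGE), MESSAGE, bits)
    assert found == secret
    return attempts

def hours_to_exhaust(bits: int, keys_per_second: float) -> float:
    """Time to try every key of the given size at a fixed guessing rate."""
    return 2 ** bits / keys_per_second / 3600

if __name__ == "__main__":
    for bits in (8, 12, 16):
        start = time.perf_counter()
        attempts = worst_case_attempts(bits)
        elapsed = time.perf_counter() - start
        print(f"{bits:>3}-bit key: {attempts:>6} guesses, {elapsed:.3f} s")
    rate = attempts / elapsed  # measured on this machine during the 16-bit run
    for bits in (40, 128):
        years = hours_to_exhaust(bits, rate) / (24 * 365.25)
        print(f"{bits:>3}-bit key at {rate:,.0f} keys/s: {years:.3g} years")
```

The guessing rate printed by the script depends on the 
machine it runs on; only the doubling per added bit is 
fixed.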

    Source: geocities.com/lapetitelesson/cs/text
