What do you have in common with
military generals, CIA agents,
banks, and multinational
corporations? Secrets you'd like to
keep, that's what! While in your
case, national security might not
hang in the balance, you have every
right to maintain your own personal
privacy (at the very least). Every
one of us needs to keep some things
on a "need to know basis." The good
news is there's a relatively simple
way to secure your communications
and also prevent evil-doers from
plundering the files on your
computer.
From Zero to Hero
By now, you know that email is
NOT secure and that your computer's
hard drive can be scanned and copied
in minutes. There's no such thing as
a "deleted" email and there's
undoubtedly a whole lot more
sensitive info on your computer than
you realize. While you may recognize
the danger of sending credit card
numbers and private business data in
a cleartext email, most people do so
anyway. However, in this age of
rampant identity theft, cybercrime,
and dumpster-diving opportunists,
keeping secrets has never been more
important.
But how? How do you go from zero
security to a bulletproof defense
without encumbering your life with
all kinds of tech stuff and
complication? Face it, if the
approach I recommend isn't going to
be simple, cheap, and easy, you're
not going to bother.
What Does GRJ Mean?
Luckily,
most of the math-laden heavy lifting
has been automated. But it's still
important that you understand the
basics. Remember last month's
introduction and Caesar's cipher?
[Link to part one of this article] To protect his
written military orders and
messages, Julius Caesar shifted
each character three spaces to
the right, so, for example, the
word DOG became GRJ. The "key"
to unlock this cipher was a
single number: the digit three.
While a page of encrypted words
would appear to be gibberish, a
single item of information would
decipher the emperor's orders.
Simple substitution ciphers
like this are extremely easy to
crack. Grade school kids can do
it. Our language has a high
degree of redundancy; certain
letters and word forms appear
more frequently than others.
However, you can already see how
to make it much harder to crack.
Rather than shifting letters up
or down a certain number, you
could create a complex
mathematical formula for
scrambling the characters.
Indeed, until just twenty years
ago, that was one of the two
ways secret messages were
transmitted. (The other was via
pairs of matched code books).
Airport
Espionage
You've seen the airport courier with
a briefcase handcuffed to his wrist,
and wondered what's inside. I can
tell you this: it probably wasn't a
secret formula or a document
containing the evil plan for world
domination. No, those things are
usually securely encrypted and
transmitted via electronic means.
The courier's probably carrying the
key codes to unlock them.
That's a limitation of
conventional *symmetric key*
cryptography: the need to somehow
securely transmit the unlock key to
the recipient. I say symmetric
because the same key is used to both
encrypt and decrypt the message.
Therefore, all kinds of cloak and
dagger methods are used for
delivering those secret codes, or
private keys.
Public Key Crypto
That's what led to a huge
breakthrough by Whitfield Diffie and
Martin Hellman thirty years ago: the
concept of public key cryptography,
which is the basis of nearly all
current business document security
systems and private email
communications. Here's how it works:
You choose a secure passphrase.
Remember, that's like a password,
but much longer. It's usually
composed of a string of words you've
memorized that either have some
meaning to you but nobody else, or a
nonsense phrase generated by the
diceware method. (See my
November 2005 article and video
in the archives)
Software
installed on your computer takes
that passphrase and generates two
keys from it: a private key that
you'll keep very secret and a public
key that you can show to the world.
If somebody wants to send you a
secret message, they use your public
key to encode it. But it's a one-way
function. Once encoded, only your
private key can unlock the message.
Likewise, if you want to send
somebody else a secret message, you
encode it to their public key, and
it's unscrambled by the receiver
with their private key.
That's the beauty of public key
crypto. You and your counterparty
never have to exchange information
that could fall into the wrong
hands. There's no way to take a
public key and mathematically deduce
the corresponding unique private key
from it. Like I said, it's a one-way
function.
The public key encodes and
the private key decodes. Cool.
From Tactical to Practical
We're almost done with the
classroom part of this, so stay
with me. In the next issue, I'm
going to show you how to use PGP
to dramatically increase the
security and privacy of your
communications and also keep
strangers and evil-doers out of
your private computer
information. Again, even if you
don't think you're much of a
target, you really ought to step
up and increase your security
level. It's easy, and doesn't
cost much. I'll step you through
the process.
Stay tuned.
Return
to Archive