TypewriterFrom The Urbach Letter January 2007

Return to Archive

Keeping Secrets (Part 2)

Top Secret Folder

What do you have in common with military generals, CIA agents, banks, and multinational corporations? Secrets you'd like to keep, that's what! While in your case, national security might not hang in the balance, you have every right to maintain your own personal privacy (at the very least). Every one of us needs to keep some things on a "need to know basis." The good news is there's a relatively simple way to secure your communications and also prevent evil-doers from plundering the files on your computer.

From Zero to Hero
By now, you know that email is NOT secure and that your computer's hard drive can be scanned and copied in minutes. There's no such thing as a "deleted" email and there's undoubtedly a whole lot more sensitive info on your computer than you realize. While you may recognize the danger of sending credit card numbers and private business data in a cleartext email, most people do so anyway. However, in this age of rampant identity theft, cybercrime, and dumpster-diving opportunists, keeping secrets has never been more important.

But how? How do you go from zero security to a bulletproof defense without encumbering your life with all kinds of tech stuff and complication? Face it, if the approach I recommend isn't going to be simple, cheap, and easy, you're not going to bother.

What Does GRJ Mean?
Digital WomanLuckily, most of the math-laden heavy lifting has been automated. But it's still important that you understand the basics. Remember last month's introduction and Caesar's cipher? [Link to part one of this article] To protect his written military orders and messages, Julius Caesar shifted each character three spaces to the right, so, for example, the word DOG became GRJ. The "key" to unlock this cipher was a single number: the digit three. While a page of encrypted words would appear to be gibberish, a single item of information would decipher the emperor's orders.

Simple substitution ciphers like this are extremely easy to crack. Grade school kids can do it. Our language has a high degree of redundancy; certain letters and word forms appear more frequently than others. However, you can already see how to make it much harder to crack. Rather than shifting letters up or down a certain number, you could create a complex mathematical formula for scrambling the characters. Indeed, until just twenty years ago, that was one of the two ways secret messages were transmitted. (The other was via pairs of matched code books).

Courier BriefcaseAirport Espionage
You've seen the airport courier with a briefcase handcuffed to his wrist, and wondered what's inside. I can tell you this: it probably wasn't a secret formula or a document containing the evil plan for world domination. No, those things are usually securely encrypted and transmitted via electronic means. The courier's probably carrying the key codes to unlock them.

That's a limitation of conventional *symmetric key* cryptography: the need to somehow securely transmit the unlock key to the recipient. I say symmetric because the same key is used to both encrypt and decrypt the message. Therefore, all kinds of cloak and dagger methods are used for delivering those secret codes, or private keys.

Public Key Crypto
That's what led to a huge breakthrough by Whitfield Diffie and Martin Hellman thirty years ago: the concept of public key cryptography, which is the basis of nearly all current business document security systems and private email communications. Here's how it works: You choose a secure passphrase. Remember, that's like a password, but much longer. It's usually composed of a string of words you've memorized that either have some meaning to you but nobody else, or a nonsense phrase generated by the diceware method. (See my November 2005 article and video in the archives)

Old KeysSoftware installed on your computer takes that passphrase and generates two keys from it: a private key that you'll keep very secret and a public key that you can show to the world. If somebody wants to send you a secret message, they use your public key to encode it. But it's a one-way function. Once encoded, only your private key can unlock the message. Likewise, if you want to send somebody else a secret message, you encode it to their public key, and it's unscrambled by the receiver with their private key.

That's the beauty of public key crypto. You and your counterparty never have to exchange information that could fall into the wrong hands. There's no way to take a public key and mathematically deduce the corresponding unique private key from it. Like I said, it's a one-way function.

The public key encodes and the private key decodes. Cool.

From Tactical to Practical
We're almost done with the classroom part of this, so stay with me. In the next issue, I'm going to show you how to use PGP to dramatically increase the security and privacy of your communications and also keep strangers and evil-doers out of your private computer information. Again, even if you don't think you're much of a target, you really ought to step up and increase your security level. It's easy, and doesn't cost much. I'll step you through the process.

Stay tuned.

Return to Archive

(c) Copyright 2002-2010 Victor Urbach
This article
may be reprinted with permission and attribution