How Encryption Works
Prime Numbers - Encryption is based
on prime numbers - two prime numbers to be exact. When multiplied
together, two prime numbers will yield a product that is only divisible
by one and itself – and those two prime numbers. These prime numbers are
used in a complex algorithm to scramble (encrypt) a message or file.
Thereafter, the two prime numbers are needed again in order to
unscramble (decrypt) the message or file.
Size of the Prime Numbers
- The size of prime numbers used dictate how secure the encryption
will be. A message encrypted with prime numbers that are 5 digits in
length (40-bit encryption) yields about 1.1 trillion possible results. A
message encrypted with prime numbers that are 7 digits in length (56-bit
encryption) yields about 72 quadrillion possible results. However using
128-bit encryption (16 digit numbers) yields
340,282,366,920,938,463,463,374,607,431,768,211,456 possible results.
Mathematically, It would take a super computer testing 100 billion
passwords per second, 107,829 billions years to break 128-bit encryption
using brute force. (Today’s fastest chips can handle about 256 million
encryptions per second.)
Time Needed To Crack
- Mathematically speaking, based upon today’s top computing power
40-bit, 56-bit, 64-bit, and 128-bit encryption could be broken in 1
second, 19 hours, 7 months and 11,000 quadrillion years, respectively.
This is why 128-bit encryption is the standard used world wide to
protect financial transactions and sensitive data.
|
Key Length
(bits) |
1995 |
2000 |
2005 |
|
40 |
68 seconds |
8.6 seconds |
1.07 seconds |
|
56 |
7.4 weeks |
6.5 days |
19 hours |
|
64 |
36.7 years |
4.6 years |
6.9 months |
|
128 |
6.7e17 millennia |
8.4e16 millennia |
1.1e16 millennia |
|
Table of time needed to break certain key sizes using hardware
http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter3.html
|
It has been estimated that 128-bit
encryption will be breakable in about 105 to 125 years (by the years
2109 to 2129).
Letters versus Numbers
- You might be interested to know that four words selected at random
are much more effective than 56 Bit encryption. According to Jeremy
Bradley of the University of Bristol, a 7-character password (56-bit)
has 1,028,071,702,528 possible results. However four random words yield
a total of 390,625,000,000,000,000 possible results. His basis for this
claim is explained here:
http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter3.html.
Symmetric-key versus
Public-key
Most computer encryption systems used today
fall in one of two categories: Symmetric-key encryption or
Public-key encryption. These concepts are described below:
Symmetric Key
- In symmetric-key encryption, each computer has a secret key (code)
that it can use to encrypt data that is sent back and forth.
Symmetric-key requires that you know which computers will be talking to
each other so you can install the key on each one.
Public Key
- Public-key encryption uses a combination of a private key and a
public key. The public key (makes the message public) is stored only on
your computer, while the private key (makes the message private) is
given to anyone who wants to communicate securely with you. A very
popular public-key encryption utility is called Pretty Good Privacy (PGP),
which allows you to encrypt almost anything. This product is discussed
below.
PGP (Pretty Good
Privacy)
PGP or Pretty Good Privacy was released on
June 5, 1991. Developed by Phil Zimmerman, Phil first sent PGP to Allan
Hoeltje and then Kelly Goen who in turn released PGP through Internet
user groups. This set off an unexpected feeding frenzy. Volunteers
around the world offered to help Phil port PGP to other platforms, add
enhancements, and generally promote the product.
Fifteen months later, in September 1992, PGP
2.0 was released for MSDOS, Unix, Commodore Amiga, Atari, and a few
other platforms, and in about ten foreign languages. Shortly thereafter
US Customs took an interest in the case. At first the government tried
to build a case against Phil for exporting weapons outside the US, and
they frequently harassed him. By doing so the government helped propel
PGP's popularity by igniting controversy that would eventually lead to
the demise of the US export restrictions on strong cryptography. Today,
PGP remains just about the only way anyone encrypts their email. And
now there are a dozen companies developing products that use the OpenPGP
standard, all members
You can download PGP for free, or purchase a
more feature rich version at this web site:
www.pgp.com. Here is a quick introduction into using PGP:
To start using PGP, launch the product and
start the wizard to generate the encryption keys as shown below:
The PGP wizard shown above walks you through the process of creating
your encryption keys.
PGP is based on public key cryptography, a
widely accepted and highly trusted public key encryption system, by
which you and other PGP users generate a key pair consisting of a
'private key' and a 'public key'. As its name implies, only you have
access to your private key, but in order to exchange files with other
PGP users you need a copy of their public key and they need a copy of
yours. You use your private key to sign the file attachments you send to
others and to decrypt the files they send to you. Conversely, you use
the public keys of others to send them encrypted files and to verify
their digital signatures. PGP won't route your e-mail over a Secure
Socket Layer (SSL), but it will be unreadable by anyone other than you
and the person to whom it is addressed. Keep in mind that encryption is
for the message body only - it does not hide the subject line or the
headers.
One popular
implementation of public-key encryption is the Secure Sockets Layer (SSL).
Originally developed by Netscape, SSL is an Internet security protocol
used by Internet browsers and
Web servers to transmit sensitive
information. SSL recently became part of an overall security protocol
known as Transport Layer Security (TLS).
Look for the "s"
after "http" in the address whenever you are about to enter sensitive
information, such as a credit-card number, into a form on a Web site
In
your browser, you can tell when you are using a secure protocol, such as
TLS,
in a couple of different ways. You will notice that the "http" in the
address line is replaced with "https," and you should see a small
padlock in the status bar at the bottom of the browser window.
The padlock symbol lets you know that you are using
encryption.
Public-key encryption takes a lot of
computing, so most systems use a combination of public-key and symmetry.
When two computers initiate a secure session, one computer creates a
symmetric key and sends it to the other computer using public-key
encryption. The two computers can then communicate using symmetric-key
encryption. Once the session is finished, each computer discards the
symmetric key used for that session. Any additional sessions require
that a new symmetric key be created, and the process is repeated.
When PGP was first developed, it was
absolutely understood that the only person capable of reading an e-mail
encrypted with PGP was the e-mail recipient. Although this is
unconfirmed, it is strongly suspected that since PGP was purchased from
Phil Zimmermann, its developer, by Network Associates, Inc. (NAI)
several years ago, it is quite possible that a 'master key' exists in
the hands of both NAI and the U.S. Federal Government. Even with this in
mind, PGP is just about the safest and most reliable method of
encryption available. PGP Corporation provides the source code for PGP
upon request and acceptance of a license agreement. Though not fully
open-source, certain elements of PGP subject it to the General Public
License so that modifications can be reviewed by customers and
cryptography experts.
In October, 2001, NAI put PGP up for sale. With no buyers, in March of
2002 NAI dropped support and development of its PGP desktop encryption
software.
On August 19, 2002, NAI sold PGP to
PGP Corporation, a newly formed
company. The deal gives the new company a line of encryption products
based on the PGP algorithm, including PGPmail, PGPfile, PGPwireless,
PGPkeyserver, for the Windows and Macintosh operating systems.
A full history of PGP can be found at
www.pgp.com/company/pgphistory.html
Though a freeware version of PGP does exist,
the End User License Agreement (EULA) is rather restrictive limiting it
to home-based non-profit use. Freeware PGP set-up only takes a few
minutes, but users should note these facts about the free version of PGP:
-
Does not include automatic encryption of email file attachments
-
Does not provide plug-in integration with Outlook, Outlook Express,
and other email applications
-
Does not operate with PGP Admin or other PGP deployment tools
GNUPG
www.gnupg.org
Free Software Foundation, Inc. offers GnuPG, (GNU Privacy Guard) a
complete and free replacement for PGP. Because it does not use the
patented IDEA algorithm, it can be used without any restrictions. GnuPG
is a RFC2440 (OpenPGP) compliant application.
Conclusion
While freeware and open-source software may
not be the solution for every company, small to medium size businesses
can benefit from the low TCO and the community of users working to
improve or enhance the product. Furthermore, cautious companies can
purchase the software with included support contracts from distributors
to achieve a comparable level of documentation and support as other
commercially marketed solutions.
The existence of coded messages (or
cryptography) has been verified as far back as the Roman Empire.
RSA: 56-bit crypto too weak -
http://news.com.com/2100-1023-204556.html?legacy=cnet
- END -
