LightningStrike Studios
PO Box 24040
Cambridge, Ontario
N1R 8E6
1-519-621-1214
info@lightningstrikestudios.com

Cryptography - When You Absolutely Positively Must Keep It Secret

We've probably all seen cheesy Hollywood movies where the hero intercepts a secret communique from the bad guys, deciphers it, and saves the day. Or where the bad guys intercept the message, decipher it, and cause mayhem.

In either case, it's amazing how easily these secret codes are broken, especially considering that advanced cryptography is now freely available. You can download from the Internet small utilities that allow you to protect documents in ways that even the best Hollywood superhero would be hard pressed to compromise.

The secret lies in a system known as PKI.

What is PKI?

PKI is an abbreviation for Public Key Infrastructure. It's based on a simple concept: Documents (or data streams of any sort) are encrypted with a public key or code, but they can only be decrypted with a private key.

The keys are themselves small encrypted documents. How small? A few years ago, 56 bits was the norm. But advances in computer technology made a key that small too easy to break. Now they're typically between 1,024 bits and 4,096 bits long. That's still not very large -- this document in plain text is about 40,000 bits long -- but a 1,024-bit key could take centuries to break using today's fastest commercially available computers.

The Tools

Two related tools now make the use of public key cryptography accessible to the general public.

PGP, which stands for Pretty Good Privacy, was created by Phil Zimmermann in 1991 as freeware. The program went through a number of transformations and owners, and is now distributed as a commercial application by PGP Corporation (http://www.pgp.com/).

GPG, or GNU Privacy Guard, is an open-source implementation of PGP, available from http://www.gnupg.org/. GPG is based on OpenPGP, the same protocol on which the commercial PGP is based.

Both PGP and GPG are available for Macintosh, Unix, Windows, and other operating systems. Additional applications have been built on top of the PGP foundation to allow individuals to secure their entire computer, corporations to mass-encrypt e-mail transmissions, and even cellular telephone service providers to encrypt phone conversations.

Why you need it

You may think you have no use for public key cryptography, but if you've spent any time on the Internet you've probably used it without even being aware of it.

Have you ever received a pop-up notice about a certificate when you've used online banking or when you made a purchase through a web site? That's because most such sites now use some form of PKI to encrypt the transaction so nefarious individuals along the way can't steal your private information. Your browser uses the bank's public key or certificate to automatically encrypt the information you send. The servers at the other end use the bank's private key to decrypt the information.

You can see the certificates your browser uses. On the Mac under OS X, open Applications, Utilities, Keychain Access.app. OS X secures its certificates so you may need an administrator password to unlock them.

If you're using the Firefox 1.5 browser, from the menu you can choose Tools, Options, Advanced, View Certificates.

In Microsoft Internet Explorer: Tools, Internet Options, Content, Certificates.

Even if you avoid making online purchases or using Internet banking, you may still have a need for encryption. Businesses often have to exchange industrial drawings, financial information, human resources files, or other sensitive data across the public Internet. FTP and HTTP transfers are easily intercepted, and e-mail messages are often routed through a number of servers before reaching their destination. To be safe, such transmissions should be encrypted.

Suppose you want to send this confidential document to your friend, James:

SMERSH is alive and well!

You merge the document with James' public key, which looks like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (MingW32)

mQGiBEONzjMRBACSa+NBswoVhR3SG/23J/cDYAHhgwrDX5YVHXYz4SvKCvZ+QrCa
fUoCfLZiwgOB8nRJm79IzRvH0oEyaFYQ+x28QrSOmt+JQTsPCBB1in6/4DThc1lh
04FagbFxmQCgqdURvtlpyV0a+mi9fDNArlXhsdQAn2gqm5jzyH2gkLuZ5ostdhfs
-----END PGP PUBLIC KEY BLOCK-----

(We've cut out some of the key to save space, but you get the idea.)

The resulting secret message looks like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.2 (MingW32)

hQEOAy0DBMaNJDYyEAP/QIq5loPFoqABC+9jx6yQBfj5zG3BUduI/qDz26kKEueL
gl7l56UnOQbVzafLndWuIX/R+6ZC/+2tQ75sR7MxrwgkH8oPZaT033hHgElk3iFc
0rDb0knOIAkveUumbNkc4WAgUoUhB96B79Uzm2hdC0M0A1/Oq/pF8Ja3JlopTaLM
ClIMaHP8ziulxQz6DZV+Joqr+giK2HBY
=LRIZ
-----END PGP MESSAGE-----

We then send that message to James.

James' private key looks like this:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.2 (MingW32)

lQHhBEONzjMRBACSa+NBswoVhR3SG/23J/cDYAHhgwrDX5YVHXYz4SvKCvZ+QrCa
fUoCfLZiwgOB8nRJm79IzRvH0oEyaFYQ+x28QrSOmt+JQTsPCBB1in6/4DThc1lh
CThOc1nTckfxLdikiE8EGBECAA8FAkONzjgCGwwFCQACowAACgkQZgWo04FagbFx
-----END PGP PRIVATE KEY BLOCK-----

He uses this key and his secret passphrase to decrypt the message back into its original form.

If James wants to respond with a secret message of his own, he'll need your public key. Anyone and everyone can have your public key, but only you have your private key.

As you can see, the encrypted message bears little resemblance to its unencrypted form. Without the private key and the passphrase, it would be almost impossible to decipher the message. Note that we said "almost." Given sufficient resources and time, it could be done, but it may not be worth it, especially since there are often cheaper options available. We'll discuss those in a moment.
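As an added example that is not part of the original article (the helper and constant names are ours), the Python below decodes the first packet header of each armored block above from its first base64 line exactly as printed. It shows what the simplified description leaves out: the "message" begins with a Public-Key Encrypted Session Key packet addressed to one key ID, because OpenPGP encrypts the document with a one-time symmetric session key and uses James' public key only to encrypt that session key.

```python
import base64
import struct
from datetime import datetime, timezone

# First base64 line of each armored block printed in the article. The blocks
# are truncated there, so only the leading packet header and a few body bytes
# can be decoded; that is enough to see what each block starts with.
PUBLIC_KEY_LINE = "mQGiBEONzjMRBACSa+NBswoVhR3SG/23J/cDYAHhgwrDX5YVHXYz4SvKCvZ+QrCa"
MESSAGE_LINE = "hQEOAy0DBMaNJDYyEAP/QIq5loPFoqABC+9jx6yQBfj5zG3BUduI/qDz26kKEueL"
PRIVATE_KEY_LINE = "lQHhBEONzjMRBACSa+NBswoVhR3SG/23J/cDYAHhgwrDX5YVHXYz4SvKCvZ+QrCa"

# RFC 4880 packet tags and public-key algorithm IDs that occur in these blocks.
TAGS = {1: "Public-Key Encrypted Session Key", 5: "Secret Key", 6: "Public Key"}
ALGOS = {16: "Elgamal (encrypt-only)", 17: "DSA"}


def parse_packet(data: bytes) -> dict:
    """Decode one old-format OpenPGP packet header and the start of its body."""
    ctb = data[0]  # cipher type byte: bit 7 set, bit 6 clear, 4 tag bits, 2 length-type bits
    if (ctb & 0x80) == 0 or (ctb & 0x40):
        raise ValueError("not an old-format OpenPGP packet")
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 3:
        raise ValueError("indeterminate-length packet not supported here")
    length_size = {0: 1, 1: 2, 2: 4}[length_type]
    body_len = int.from_bytes(data[1:1 + length_size], "big")
    body = data[1 + length_size:]
    info = {"tag": tag, "type": TAGS.get(tag, "other"), "body_len": body_len}
    if tag in (5, 6):
        # Key packet: version, creation time, algorithm, bit length of the first MPI (p for DSA).
        version, created, algo, mpi_bits = struct.unpack(">BIBH", body[:8])
        info.update(version=version, key_bits=mpi_bits, algorithm=ALGOS.get(algo, algo),
                    created=datetime.fromtimestamp(created, timezone.utc).date().isoformat())
    elif tag == 1:
        # Session-key packet: version, 8-byte ID of the recipient key, that key's algorithm.
        info.update(version=body[0], key_id=body[1:9].hex().upper(),
                    algorithm=ALGOS.get(body[9], body[9]))
    return info


def parse_armor_line(line: str) -> dict:
    """Base64-decode one 64-character armor line (no padding needed) and parse it."""
    return parse_packet(base64.b64decode(line))


if __name__ == "__main__":
    for name, line in [("public key", PUBLIC_KEY_LINE), ("message", MESSAGE_LINE),
                       ("private key", PRIVATE_KEY_LINE)]:
        print(name, parse_armor_line(line))
```

Both key blocks start with the same 1,024-bit DSA key material created on 2005-11-30, while the message is addressed to an Elgamal encryption key; in a GnuPG 1.4 key pair of this kind that is a subkey of the DSA primary key, so its key ID differs from the primary key's.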

Public/private keys can also be used to sign documents. This is often used in work-flow applications, where each participant is required to acknowledge their step in the process. You sign a document with your private key, and anyone who has your public key can verify that the signature is yours.

It's All About Trust

With a little thought we can see a major flaw in this system. Back to our example with the bank: how do you know the certificate in your browser, the public key, really came from your bank? What if it came from someone else, who has now lured you to a web site set up to look like your bank's? Your account information and passwords could end up in the hands of criminals.

That's where Certificate Authorities come in. CAs act as go-betweens, signing the bank's public key as a guarantee that the key claiming to be from your bank really is. How much we can trust the certificate authorities to do their job properly is another matter.

If you're exchanging keys with a friend or business associate, chances are you know the person well enough to call them on the phone and confirm that the public key they've sent you is really theirs. Keys can be identified by their signature; if the signature on the public key you were given matches the one your associate reads to you, you know the key is legitimate.

Put A Lock On Your Keys

As we mentioned, without your private key you can't decrypt messages that have been encrypted with your public key. Generating a new key, even with the same passphrase, won't work. So, once you create a key pair, back it up and store the backup somewhere safe, such as a safety-deposit box at a bank.

The other essential ingredient in a secure public key infrastructure is the passphrase. Notice we said "passphrase" and not "password." That's because a phrase is usually longer than a word, and in the realm of PKI, size matters.

Suppose you have GPG installed on your desktop computer at work. Overnight someone breaks into the office or -- more likely -- a co-worker decides to go snooping. They come upon an encrypted file on your computer and try to open it. They're prompted for your passphrase. Of course you wouldn't leave your passphrase written on a sticky note on the side of your monitor, but is it almost as obvious?

The most common choices for passwords are also bad ones: the name of a spouse, a child, or a pet; a license plate number; a birth date or anniversary; or any other word or combination of words in the dictionary.

A good passphrase is long and complex, easy for you to remember, but difficult for others to guess. For example:

mary is a bad password.
Mary is better, because it uses mixed case, but it's too short.
Mary had a little lamb is even better because it's longer, but it still consists solely of dictionary words.
Mary had a little lamb! is better still because it includes a punctuation mark.
Mary had a li11le lamb! is even better; it uses numbers to replace certain letters.

Guessing the last passphrase, or trying to find it with a brute-force attack (trying every possible combination of characters), will be far more difficult for an intruder than guessing the first password. You may want a more complex passphrase; just make sure you can remember it.

How Much Is Your Secret Worth?

Remember that we said there are often cheaper options than trying to decrypt a document? It could cost a fortune to set up a super-cluster of computers, working for years to break your secret code. It would likely be far cheaper and easier to simply break the code holder: you. Whether the arena is national security or high-stakes corporate espionage, the more valuable the secret, the greater the lengths some individuals will go to obtain it.

Public key cryptography is a fascinating subject and a valuable aid in keeping data secure. Whether it's enough for your purposes is another matter.