How It Works: Encryption
If you're not paranoid, maybe you should be. If you use a PC, unscrupulous types can intercept e-mail you send, and coworkers could be reading your documents. Encryption--the process of encoding data so that it requires a special key to be read--can protect your data from prying eyes. Once the domain of spies, encryption is fast becoming an advisable precaution for businesses and home users: It's your best tool for protecting your trade secrets and privacy.
Whether your encryption program is stand-alone or built into your e-mail app, the encryption process is the same: Data passes through a mathematical formula called an
There are two types of encryption: symmetric and asymmetric (also called
Asymmetric encryption is more complex--and more secure. Two related keys are required: a public key and a private key. You make your public key available to anyone who might send you encrypted information. That key can only encode data; it cannot decode it. Your private key stays safe with you. When people wish to send you encrypted information, they encrypt it using your public key. When you receive the ciphertext, you decrypt it with your private key. Asymmetric encryption's added safety comes at a price: More computation is required, so the process takes longer.
Symmetric and asymmetric encryption use different algorithms to produce ciphertext. In symmetric encryption, the algorithm divvies up data into small chunks called blocks. It then switches letters around, changes the information in each block into numbers, compresses and expands the data, and runs those numbers through mathematical formulas that include the key. Then the algorithm repeats the process, sometimes dozens of times over. An asymmetric encryption algorithm, on the other hand, treats the text as though it were a very large number, raises it to the power of another very large number, and then calculates the remainder after dividing it by a third very large number. Finally, the remainder number is converted back into text. Encryption programs can use the same algorithms differently, which is why the recipient needs to use the same application to decode the message that you used to encode it.
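The asymmetric steps described above, sketched in Python as textbook RSA (an added example, not part of the original article): the text becomes one very large number, is raised to a power, and the remainder after division is the ciphertext. The choice of RSA, the function names and the small constructed primes are assumptions made here, since the article names no specific algorithm; real programs use vetted libraries with padding and much larger keys.

```python
# Added illustration: textbook RSA without padding, for study only.
from math import gcd

# Constructed sample primes (2^107 - 1 and 2^127 - 1); far too small
# and too regular for real use.
P = 2**107 - 1
Q = 2**127 - 1

def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)*(q-1)")
    d = pow(e, -1, phi)  # private exponent: inverse of e (Python 3.8+)
    return (e, n), (d, n)

def text_to_int(text):
    """Treat the text as one very large number."""
    return int.from_bytes(text.encode("utf-8"), "big")

def int_to_text(number):
    """Convert the number back into text."""
    length = (number.bit_length() + 7) // 8
    return number.to_bytes(length, "big").decode("utf-8")

def encrypt(text, public_key):
    """Raise the message to the public exponent, keep the remainder mod n."""
    e, n = public_key
    m = text_to_int(text)
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(ciphertext, private_key):
    """Only the private exponent undoes the public-key operation."""
    d, n = private_key
    return int_to_text(pow(ciphertext, d, n))

if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    secret = encrypt("meet at noon", public)  # constructed sample message
    print("ciphertext:", secret)
    print("decrypted :", decrypt(secret, private))
```
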
Keys are the final piece in the encryption puzzle. Keys vary in length and, consequently, in strength. The reason: The longer the key, the greater the number of possible combinations. For example, if your encryption program uses 128-bit keys, your particular key could be any of more than 3.4 trillion billion billion billion--or 2 to the power of 128--possible combinations of zeros and ones. A hacker is more likely to win the lottery than to crack that level of encryption using the brute-force method (systematically trying key combinations until they find the right one). By comparison, encryption experts can crack the average 40-bit symmetric key in about six hours on a typical home PC using brute force. However, even 128-bit encryption is vulnerable to some extent; pros have some sophisticated techniques that can help them crack even the toughest codes.
Encryption technology has been big with the military ever since 479 B.C.: According to the historian Herodotus, secret communiques, scratched into wooden tablets that were then covered with wax, tipped off Spartan leaders to an imminent Persian invasion. Corporate IS types have taken advantage of it for years, as well. But home users are increasingly using encryption tools, whether they know it or not.
You can also take a more active role in protecting your data. Popular e-mail
For additional protection, stand-alone utilities can encrypt more than just e-mail messages, including binary images and documents and folders on hard drives. PGP for Personal Privacy is the most popular of these programs; you can download a free version of
Analysts expect use of strong encryption tools to increase thanks to a recent change in the U.S. Commerce Department's cryptography export regulations. Prior to January 13, most encryption programs were categorized as munitions and subject to the same export restrictions as hand grenades and rockets. You could not export encryption software with keys stronger than 40 bits, under penalty of heavy fines or imprisonment. Under the new rules, the Commerce Department allows some kinds of strong encryption technologies to be exported outside the U.S. Analysts say this won't have much effect initially because most encryption applications were produced outside the U.S. and import of such software was already legal. American software companies stand to gain the most from the new rules, as they will no longer have to develop encryption programs in other countries.