Small Business Questions & Answers


Ask About Encryption

by Digital Dabbler | October 27, 2011

Subject: Internet

Dear Toolkit,

Can you explain the mysteries of encryption that allegedly keep my credit card numbers safe from marauding cyberbandits when I'm buying stuff online?

Digital Dabbler

Dear Digital,

Mr. Gadske, my long-suffering high school algebra teacher, would be dismayed to know that I (his least promising pupil) am presuming to expound on the mathematical mysteries of encryption. But he's long since gone to his reward, so I guess I'm safe in taking a stab at it.

Encryption is simply the process of applying a cipher to data so that it can be sent from one point to another and deciphered only by the sender and the authorized receiver. (Ciphers are different from codes in that a cipher depends on a secret key. A code is a kind of public shorthand or signal--such as Morse code or plain old ASCII.)

Simple ciphers substitute numbers for letters or shift letters so that they stand for other letters. The sender and receiver both know the secret key to the cipher. Modern-day computer encryption requires far more complex ciphers in order to keep data secure. Algorithms rearrange the bits that make up the data, effectively scrambling it.

What's an algorithm, you ask? The Mr. Gadskes of the world will tell you an algorithm is a formula or process for solving a recurring problem. Think of them as a process for scrambling digital eggs. (Algorithms were named for an Arab mathematician from the mid-first millennium who was known as Al-Khowarizmi. But don't hold me to that spelling because my algebra class was way back in the mid-second millennium!)

Encryption, then, is a two-part animal consisting of (1) the process we call the algorithm and (2) the key.

Commercial web sites use SSL (Secure Sockets Layer) software for this purpose. When you want to know whether the data you're entering into a site is protected, check the URL. Instead of starting with "http://" you'll notice that it says "https://". SSL software comes in degrees, kind of like Excedrin--regular and extra strength. The bigger the secret key (which is measured in bits), the harder it is to crack.

Keys are made up of "bits," which have a value of either zero or one. An 8-bit key, for example, will have 256 possible combinations, or 2 to the 8th power. The browsers most folks use have a 40-bit key. This size gives you a trillion encryption combinations and is secure enough for most purposes.

The current legal limit for export purposes is a 56-bit key, which allows 72 quadrillion combinations. As daunting as that sounds, it's still considered decipherable with current computer technology--that is, if you have enough computers and enough time. But the 128-bit key available in extra strength software is thought to be uncrackable. The time needed to try the innumerable combinations 128 bits would create (something like 10 to the 38th power) would likely run to billions of years--at least using the current Pentium 4 level of computing power to unscramble the digital eggs.
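To put those "combinations" figures on firmer ground, here is a small Python calculator added to this column (it is not part of the original answer) that works out the size of the keyspace for each key length quoted above and the expected time an exhaustive search would take. The guess rate of one billion keys per second is a constructed assumption for illustration, not a figure from the column.

```python
"""Keyspace and brute-force time estimates for the key sizes quoted above."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length: 2 to the power of bits."""
    if bits <= 0:
        raise ValueError("key length must be a positive number of bits")
    return 1 << bits


def expected_tries(bits: int) -> int:
    """An exhaustive search finds the key, on average, after trying half the keyspace."""
    return keyspace(bits) // 2


def expected_seconds(bits: int, guesses_per_second: float) -> float:
    """Expected wall-clock time to recover a key by trying every possibility."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return expected_tries(bits) / guesses_per_second


def expected_years(bits: int, guesses_per_second: float) -> float:
    """Same estimate expressed in years, which is the unit the column uses."""
    return expected_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def describe(bits: int, guesses_per_second: float) -> str:
    """One-line summary for a given key length and guess rate."""
    years = expected_years(bits, guesses_per_second)
    return (f"{bits}-bit: {keyspace(bits):.1e} keys, "
            f"~{years:.1e} years at {guesses_per_second:.0e} guesses/s")


if __name__ == "__main__":
    # Constructed assumption: an attacker trying one billion keys per second.
    RATE = 1e9
    for n in (8, 40, 56, 128):
        print(describe(n, RATE))
```

Running it shows the 40-bit key falling in minutes and the 56-bit key in about a year at that rate, while the 128-bit key needs on the order of 10 to the 21st power years, which is the gap between "regular" and "extra strength" that the column describes.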

Hence our Uncle Sam has laid out a few rules about exporting 128-bit software. Anything over 56 bits is literally considered a dangerous weapon of war (harking back to WWII laws) and therefore regulated by our federal government, much to the displeasure of software firms who wish to compete in a global market. We can sell 128-bit technology to Canada, but nowhere else. And even the 56-bit flavor is not permitted to be sold to Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and who knows where else this week or next.

The FBI and other agencies concerned with preserving national security are naturally committed to keeping extra strength keys out of the hands of almost everyone who could even remotely constitute a military, political, economic or even just plain-old criminal threat. The authorities want to be able to crack the keys so they can monitor and/or prevent crises. They can handle the light or regular strength editions, but nobody can crack 128-bit stuff. Therefore they argue that it should not be allowed to fall (or be marketed) into enemy hands. Software firms argue that other nations are producing and selling 128-bit keys anyway. The legislative debate will no doubt continue for some time to come.

If you'd like to learn more about this fascinating subject, I suggest you find a copy of Richard Smith's 1997 book titled Internet Cryptography, published by Addison Wesley Longman. Dr. Smith is a leading expert in encryption for both commercial and governmental applications, and his book is a very readable overview of this increasingly important topic.

So go ahead and do your cyber-shopping in the knowledge that your credit card numbers are a lot safer being sent through your browser than over your telephone. The magic of SSL will protect you from the mischief of any cyberbanditos.