FreeWire

Debating Encryption Privacy Vs. Electronic Piracy

In the age of sailing ships, traders braved the dangers of pirates and privateers to create the first global economies. Dodging both lawbreakers and lawmakers, commerce endured the Jolly Roger as well as the depredations of Europe's constantly warring nation-states, which controlled trade as an instrument of national policy.

Today's burgeoning world of digital commerce faces similar challenges, as individuals and corporations build global electronic markets in the face of both packet pirates and national policies designed to cripple information security. Many pundits believe that as the amount of sensitive traffic moving over public data networks increases, lack of security could become a major factor inhibiting growth.

Numerous companies have developed encryption and authentication tools that provide excellent protection against even the most well-equipped byte buccaneers . Unfortunately, the problem of conducting private business while surrounded by constantly-warring nation- states is still with us. The "war on drugs" may have replaced the War of the Roses as our national dementia, but the impulse to subordinate trade to the dictates of state policy remains the same.

Working at blatant cross-purposes to the demands of industry, national governments, led by our own, continue to ban the export of strong encryption even as the current administration acknowledges that outlaw organizations already possess the proscribed technology. Offering unacceptable key-recovery alternatives, an escalating propaganda campaign alarms the public about the dangers of information insecurity while hinting of greater perils should loosely defined "enemies of the people" be allowed to shield their business from the watchful eye of Big Brother. The solution being peddled is to disarm the law-abiding citizens, asking us to place our trust in the integrity of public officials, who would never dream of abusing their positions. Hey, have we seen this movie before?

Who Is That Masked Man? The reason certain government agencies keep trying to stuff the encryption genie back in the bottle involves a mix of mathematics, geopolitics and congressional budget mongering. Sorting this out without getting bamboozled by the cybercrats requires a little grounding in cryptology--an arcane subject difficult to penetrate without having your eyes glaze over. I'll attempt to provide a few essentials here. Skip ahead if you're already an expert, or for a more detailed treatment, see the excellent tutorial provided on RSA Data Security's Web site entitled "Frequently Asked Questions About Today's Cryptography" (www.rsa.com) .

There are two major classes of cryptographic systems: symmetric and public key. In symmetric systems, both the sender and receiver hold the same secret key, with which the sender encrypts data and the receiver decrypts. In public-key systems, keys come in ma tched pairs. Any sender can use a public key to encrypt data while only the recipient holds the s ecret portion of the key pair, which is used for decryption.

The vulnerability of either system to attack by evil hackers (or righteous government agents protecting us from the enemies of the people) is related to the length of the keys--the longer the key, the harder to crack. So why not use megabit keys? Unfortunately, the time it takes to process messages increases as key lengths grow, putting a practical limit on key size for routine correspondence. The more powerful the computer, the longer the practical key length.

Symmetric systems, such as the widely used DES standard, have the virtue of being computationally efficient, that is, you can use longer keys without having to go out for a cup of coffee every time you encrypt your e-mail. Unfortunately, key distribution is a major pain, requiring the use of some other secure communications channel.

Public-key systems, while less computationally efficient, allow everyone to place their public keys in an easily accessible directory, keeping their p rivate keys to themselves. Public-key systems also have the virtue that if they are used in reverse--that is, if the private key is used to encrypt a message--secure authentication can be provided. This is an important feature for commercial transactions that need to be protected from spoofing. (What do you mean, I bought a Mercedes-Benz?!)

Many commercial systems use public-key algorithms to encrypt digital envelopes containing symmetric keys, which are then used to decode the particular piece of correspondence. This gives users the advantages of both approaches.