Currently public-key cryptography, available from numerous sites around the world, essentially places 'governmental strength' encryption capability in the hands of private individuals and organizations. Using complex algorithms (and the inherent difficulty in factoring extremely large numbers), freeware like P.G.P. (Pretty Good Privacy), once downloaded and installed, generates two keys for every user (Sue for this example). The first is to be freely distributed, for senders, whoever they may be, to encrypt messages they plan to send to Sue (this is her public key). This key can be attached to her own messages, posted on a trusted server, or copied to a potential correspondent's system. A second key, one kept undistributed and locked away in Sue's computer, decrypts incoming messages encoded with the public key. It is mathematically infeasible, even if a person were to have the public key, discover the plaintext of a message and see the encrypted ciphertext, to work backwards to discover the algorithm which generated the private key.

In this manner, a text can only be deciphered by obtaining control of the private key (through the system of the owner and the passwords put in place) or through 'brute force' cryptanalysis, that is, trying every possible combination of keys. Since a 4096-bit key is essentially a REALLY big number (*hence the 4096 bits to represent it*) which is then used by the coding algorithm to encrypt and 'hash' a message, for a message enciphered at this strength, this is a technical impossibility. The reason encryption is so much easier to do with a set key than to 'un-do' by brute force can be demonstrated by the difficulty of factoring large prime numbers. While it is simple enough to generate a large prime number (multiplication on paper of any two randomly selected large numbers will get you an even larger, ostensibly random number), it is painfully difficult to work backwards from that 4096-digit N to arrive at the two specific factors which produced it; there are just far too many combinations of possible numbers to try. *Nearly eighty years after many mathematicians first began to examine the factoring problem for an algorithm that might serve as a short-cut, the consensus is it will continue to be an 'intractable' problem for the foreseeable future*, which is why it is in essence the theoretical backbone of many cryptosystems.
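The asymmetry described above can be measured at toy sizes. The following is an added example, not part of the original write-up: it builds N as the product of two primes (as RSA-style keys do), recovers the primes by naive trial division while counting the work, and extrapolates to a 4096-bit N. The sample primes and the rate of 10^12 divisions per second are assumptions chosen for illustration.

```python
import math

def is_prime(n):
    """Trial-division primality test; fine for the toy sizes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))

def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n

def factor_by_trial(n):
    """Factor an odd semiprime; return (p, q, divisions_tried)."""
    tried = 0
    for d in range(3, math.isqrt(n) + 1, 2):
        tried += 1
        if n % d == 0:
            return d, n // d, tried
    raise ValueError("no odd factor found: n is prime or even")

def work_table(prime_bits=(8, 12, 16, 20)):
    """Build N = p*q per size and count the divisions needed to undo it."""
    rows = []
    for bits in prime_bits:
        p = next_prime(1 << (bits - 1))     # constructed sample primes
        q = next_prime(p)
        n = p * q                           # easy direction: one multiplication
        fp, fq, tried = factor_by_trial(n)  # hard direction: search for p
        assert (fp, fq) == (p, q)
        rows.append((bits, n.bit_length(), tried))
    return rows

def log10_years(prime_bits, rate_per_sec=1e12):
    """log10(years) to try ~2**(prime_bits-2) odd divisors.
    rate_per_sec is an assumed figure, not a measurement."""
    seconds_per_year = 3.156e7
    return (prime_bits - 2) * math.log10(2) - math.log10(rate_per_sec * seconds_per_year)

if __name__ == "__main__":
    for bits, nbits, tried in work_table():
        print(f"{bits:2d}-bit primes, {nbits:2d}-bit N: {tried:>7,} divisions")
    # 4096-bit N means two 2048-bit primes. Trial division is the naive attack;
    # the number field sieve is far faster but still out of reach at this size.
    print(f"4096-bit N by trial division: ~10^{log10_years(2048):.0f} years")
```

Each four extra bits of prime size multiplies the division count by roughly sixteen, while the forward multiplication stays a single operation.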

Trying to 'brute force' unlock a 4096-bit private key in this way, it is estimated by computer scientists and cryptologists that **there is insufficient computing power on the planet for the foreseeable future to complete such an operation before the Sun burns out.** The term 'pretty good protection' coined by the software's designer Philip Zimmermann is a healthy bit of understatement on his part, and the security it offers is almost absurdly over-powered for most people's concerns or needs. Again, however, it should be noted that while the current 56-bit Data Encryption Standard is viewed as 'weak', and a 4096-bit P.G.P. key is seen as ludicrously strong, there is no hard middle ground. As Matt Blaze, a well-known commercial cryptologist, says, "it has been difficult to find a 'magic' key length that at once satisfies the security needs of individual interests and the wiretapping needs of government, because no such key can exist. The threat models used by private interests and government are completely different."

`Update:` Vitally important quibble, should you be discussing this issue with people in the know: gn0sis says "the 56 bits of DES and 4096 of RSA are not comparable, since DES is symmetric and RSA isn't. Nonsymmetric keys have to be a lot longer to be safe." Also, ariels adds: PGP uses symmetric key cryptography, or symmetric cipher, for encryption. The public key aspect is quite separate and solves the key distribution problem, which is quite different from encryption.
