display | more...
Currently public-key cryptography, available from numerous sites around the world, essentially places 'governmental strength' encryption capability in the hands of private individuals and organizations. Using complex algorithms (and the inherent difficulty in factoring extremely large numbers), freeware like P.G.P. (Pretty Good Privacy), once downloaded and installed generates two keys for every user (Sue for this example): one to be freely distributed- for senders, who ever they may be, to encrypt messages they plan to send to Sue (this is her public key). This key can be attached to her own messages, posted on a trusted server, or copied to a potential correspondents' system. A second key, one kept undistributed and locked away in Sue's computer, decrypts incoming messages encoded with the public key. It is mathematically infeasible, even if a person were to have the public key, discover the plaintext of a message and see the encrypted ciphertext, to work backwards to discover the algorithm which generated the private key.

In this manner, a text can only be deciphered by obtaining control of the private key (through the system of the owner and the passwords put in place) or through 'brute force' cryptanalysis- that is trying every possible combination of keys. Since a 4096-bit key is essentially a REALLY big number (hence the 4096 bits to represent it) which is then used by the coding algorithm to encrypt and 'hash' a message, for a message enciphered at this strength, this is a technical impossibility. The reason encryption is so much easier to do with a set key than 'un-do' by brute force can be demonstrated by the difficulty of factoring large prime numbers. While it simple enough to generate a large prime number (multiplication on paper of any two randomly selected large numbers will get you an even larger, ostensibly random number), it is painfully difficult to work backwards from that 4096-digit N to arrive at the two specific factors which produced it; there are just far too many combinations of possible numbers to try. Nearly eighty years after many mathematicians first began to examine the factoring problem for algorithm that might serve as a short-cut, the consensus is it will continue to be an 'intractable' problem for the foreseeable future- which is why it is in essence the theoretical backbone of many cryptosystems.

Trying to 'brute force' unlock a 4096-bit private key in this way, it is estimated by computer scientists and cryptologists that there is insufficient computing power on the planet for the foreseeable future to complete such an operation before the Sun burns out. The term 'pretty good protection' coined by the software's designer Phillip Zimmermann is a healthy bit of understatement on his part and the security it offers is almost absurdly over-powered for most peoples' concerns or needs. Again however, it should be noted that while the current 56-bit Data Encryption Standard is viewed as 'weak', and a 4096-bit P.G.P. key is seen as ludicrously strong- there is no hard middle ground. As Matt Blaze, a well-known commercial cryptologist says, "it has been difficult to find a 'magic' key length that once satisfies the security needs of individual interests and the wiretapping needs of government, because no such key can exist. The threat models used by private interests and government are completely different."

Update: Vitally important quibble, should you be discussing this issue with people in the know: gn0sis says "the 56 bits of DES and 4096 of RSA are not comparable, since DES is symmetric and RSA isn't. Nonsymmetric keys have to be a lot longer to be safe." Also, ariels adds PGP uses symmetric key cryptography, or symmetric cipher, for encryption. The public key aspect is quite separate and solves the key distribution problem, which is quite different from encryption.


1. Electronic Freedom Foundation web site with subject indexed privacy issues archive: www.eff.org
2. Government of Canada Public Key Infrastructure (PKI) White Paper. Canadian Communications Security Establishment, May 1997. http://www.cse-cst.gc.ca/cse/english/gov.htm & www.ewa-canada.com/toc.htm (Electronic Warfare Associates site) company responsible for building Canada's secure public-key infrastructure.
3. The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption: 1997 report of leading private sector cryptography experts in the U.S. : http://www.crypto.com/key_study/reports.htm
4. 1997 OECD Guidelines on Cryptography Policy : http://www.oecd.org/dsti/sti/it/secur/index.htm