Currently public-key cryptography, available from numerous sites around the world, essentially places 'governmental strength' encryption capability in the hands of private individuals and organizations. Using complex algorithms (and the inherent difficulty in factoring extremely large numbers), freeware like P.G.P. (Pretty Good Privacy), once downloaded and installed, generates two keys for every user (Sue for this example): one to be freely distributed, for senders, whoever they may be, to encrypt messages they plan to send to Sue (this is her public key). This key can be attached to her own messages, posted on a trusted server, or copied to a potential correspondent's system. A second key, one kept undistributed and locked away in Sue's computer, decrypts incoming messages encoded with the public key. It is mathematically infeasible, even if a person were to have the public key, discover the plaintext of a message and see the encrypted ciphertext, to work backwards to discover the algorithm which generated the private key.
In this manner, a text can only be deciphered by obtaining control of the private key (through the system of the owner and the passwords put in place) or through 'brute force', that is, trying every possible combination of keys. Since a 4096-bit key is essentially a REALLY big number (hence the 4096 bits to represent it) which is then used by the coding algorithm to encrypt a message, for a message enciphered at this strength, this is a technical impossibility. The reason encryption is so much easier to do with a set key than to 'un-do' by brute force can be demonstrated by the difficulty of factoring large prime numbers. While it is simple enough to generate a large prime number (multiplication on paper of any two randomly selected large numbers will get you an even larger, ostensibly random number), it is painfully difficult to work backwards from that 4096-digit N to arrive at the two specific factors which produced it; there are just far too many combinations of possible numbers to try. Nearly eighty years after many mathematicians first began to examine the factoring problem for an algorithm that might serve as a short-cut, the consensus is that it will continue to be an 'intractable' problem for the foreseeable future, which is why it is in essence the theoretical backbone of many crypto
Computer scientists and cryptologists estimate that there is insufficient computing power on the planet for the foreseeable future to 'brute force' unlock a 4096-bit private key in this way before the Sun burns out.
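
The multiply-versus-factor asymmetry described above, as an added example that is not from the original writeup or from PGP: a toy RSA key pair is built from two small primes (in RSA the two multiplied numbers are primes), and the private key is then recovered from the public key alone by trial-division factoring. The function names, the exponent 17 and the tiny key sizes are assumptions chosen so the search finishes in seconds; practical factoring algorithms are faster than trial division, yet still far from feasible against a 4096-bit modulus.

```python
# Added illustration, not PGP's code: textbook RSA on deliberately tiny primes
# (no padding, no randomness) so the factoring attack finishes in seconds.
from math import isqrt

def is_prime(n):
    """Trial-division primality test; adequate for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def pick_prime(start, e):
    """First prime p > start with e not dividing p - 1 (e itself must be prime)."""
    p = start + 1
    while not is_prime(p) or (p - 1) % e == 0:
        p += 1
    return p

def make_keys(bits, e=17):
    """Return (n, e, d): public modulus and exponent, then the private exponent."""
    p = pick_prime(1 << bits, e)                  # secret prime of about `bits` bits
    q = pick_prime(p + (1 << (bits - 1)), e)      # second, different secret prime
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def factor(n):
    """Recover (p, q) from the public modulus by trial division, counting tries."""
    d, tries = 2, 1
    while n % d:
        d += 1
        tries += 1
    return d, n // d, tries

def recover_private_exponent(n, e):
    """What a holder of only the public key can compute once n is factored."""
    p, q, tries = factor(n)
    return pow(e, -1, (p - 1) * (q - 1)), tries

if __name__ == "__main__":
    for bits in (8, 12, 16, 20):
        n, e, d = make_keys(bits)
        ciphertext = pow(42, e, n)                # encrypt with the public key
        assert pow(ciphertext, d, n) == 42        # decrypt with the private key
        guessed_d, tries = recover_private_exponent(n, e)
        print(f"{n.bit_length():>2}-bit modulus: private key recovered="
              f"{guessed_d == d}, trial divisions={tries}")
    # Each extra bit in the primes doubles the tries. A 4096-bit modulus has
    # primes of about 2048 bits, so this loop would need roughly 2**2048 tries.
```

Key generation and encryption stay instant at every size, while the number of trial divisions grows about sixteen-fold for every four bits added to the primes.
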
The term 'pretty good protection' coined by the software's designer Philip Zimmermann is a healthy bit of understatement on his part, and the security it offers is almost absurdly over-powered for most people's concerns or needs. Again however, it should be noted that while the current 56-bit Data Encryption Standard is viewed as 'weak', and a 4096-bit P.G.P. key is seen as ludicrously strong, there is no hard middle ground. As Matt Blaze, a well-known commercial cryptologist, says, "it has been difficult to find a 'magic' key length that once satisfies the security needs of individual interests and the wiretapping needs of government, because no such key can exist. The threat models used by private interests and government are completely different."
Vitally important quibble, should you be discussing this issue with people in the know: gn0sis says "the 56 bits of DES and 4096 of RSA are not comparable, since DES is symmetric and RSA isn't. Nonsymmetric keys have to be a lot longer to be safe." Also, ariels uses symmetric key cryptography, or symmetric cipher, for encryption. The public key aspect is quite separate and solves the key distribution problem, which is quite different from encryption.