Secret code, Mac style

MacWorld Online

June 16, 2000
Web posted at: 8:57 a.m. EDT (1257 GMT)

(IDG) -- If you're worried about the security of your e-mail -- and exchange messages with others who feel the same -- consider using a tool like Pretty Good Privacy (PGP) to protect your messages from prying eyes.

PGP is encryption software that scrambles files and e-mail messages before sending them over the Internet. Once an e-mail is encrypted, only someone with the correct key -- a coded string of characters, similar to a password -- can decipher the file's code and read the message. If someone does intercept your encrypted message, either in transit or while stored on a mail server, all they will find is a long passage of gibberish called ciphertext.

The weak and the strong


Not all encryption is created equal. Just as you can buy flimsy or robust locks to protect your valuables, you can use different strengths of encryption to secure sensitive data. Encryption strength is determined by the length and complexity of the key. Unlike the passwords for servers or e-mail accounts, which only block someone's entry, an encryption key actually encodes and decodes the contents of messages and folders by applying a complex coding algorithm, or cipher, to the data. The more complex the code and the more intricate the process of encrypting and decrypting data, the more difficult and time-consuming it is for a snoop to decipher the code and view your message.


Older encryption systems, such as the Data Encryption Standard (DES), use a single, shared key to exchange information. This means that to encrypt or decrypt information each party must already possess the necessary key. This presents two problems. First, you can't exchange information with anyone who does not already have your key. Second, exchanging keys presents a potential security risk, whether you transfer them electronically or via disk.

As an alternative, Philip Zimmermann developed PGP in the 1980s. PGP is a hybrid of the simple encryption method described above and public key encryption. In a public key setup, each user creates a pair of keys -- a private key and a public one -- which must be used together to exchange encrypted messages.

Your public key encrypts messages that only you can read. You can share this key with anyone. In fact, the more people who have your public key the better since they must use it to send you encrypted mail. Your public key is transmitted automatically with any e-mail or other data you send to another public key user. You can find other people's public keys and post your own key on public key servers (see "PGP Certificate Server," link below) on the Internet. And since public keys can only encrypt a message -- not decrypt it -- there is no security risk.

You must use your private key to decode messages encrypted with your public key. Your private key remains on your hard disk, and is never shared with anyone.

PGP is considered strong encryption technology, because it uses very long keys, generated by a sophisticated mathematical algorithm. In addition, PGP's use of multiple keys to unlock the contents of each transaction provides a layer of security not found in other encryption systems.

To use PGP on your Mac, you need to install PGP software. You can download a free version from the MIT Distribution Center for PGP (see link below).

Walking through a PGP transaction

Linda, a brilliant chemist, has finally discovered an overnight cure for baldness. As she imagines the truckloads of money that will soon show up at her door, she decides to send a PGP-encrypted e-mail to her business partner, Tom, telling him the good news.

PGP uses three main steps to encrypt Linda's message. First, it compresses the message (so there's no benefit to using Aladdin Systems' StuffIt on a PGP-encrypted file). Aside from speeding up file transfers, compression adds an extra layer of security by masking the patterns found in plain text, making compressed documents harder to decipher.

Next, Linda's PGP software uses a randomly generated, one-time session key to encrypt the message into ciphertext. It then encrypts the session key using Tom's public key, which was already stored in the program. PGP then sends the encrypted session key, along with the ciphertext, to Tom.

Once Tom receives the encrypted e-mail, he reverses the process. In his PGP program, Tom uses his private key to decrypt the session key, which in turn decrypts the ciphertext back into plain text. If Tom's private key doesn't recognize the e-mail's public key, he won't be able to read the message. Finally, the program decompresses the message. To send a reply to Linda, Tom would repeat the process from the beginning -- this time using Linda's public key to encrypt the message.
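The walkthrough above, as an added sketch that is not from the article or from PGP itself: compress, encrypt under a one-time session key, then wrap that session key with Tom's public key. It assumes stand-ins so it runs with the Python standard library only: textbook RSA over small, easily factored primes and a SHA-256 keystream in place of PGP's real ciphers, neither of which is secure; "Eve" is a hypothetical second key holder.

```python
import hashlib
import secrets
import zlib

E = 65537  # common RSA public exponent

def toy_keypair(p, q):
    """Textbook RSA from two known primes. Toy only: no padding, weak modulus."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))          # (public, private)

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pgp_style_encrypt(plaintext, recipient_public):
    n, e = recipient_public
    session_key = secrets.token_bytes(16)        # random, used for this message only
    compressed = zlib.compress(plaintext)        # step 1: compress
    ciphertext = keystream_xor(session_key, compressed)       # step 2: session key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # step 3: wrap the key
    return wrapped, ciphertext                   # both travel to the recipient

def pgp_style_decrypt(wrapped, ciphertext, private):
    n, d = private
    try:
        session_key = pow(wrapped, d, n).to_bytes(16, "big")  # unwrap session key
        return zlib.decompress(keystream_xor(session_key, ciphertext))
    except (OverflowError, zlib.error):
        return None   # wrong private key: the recovered session key is garbage

# Constructed sample keys (Mersenne primes, chosen for brevity) and message.
TOM_PUBLIC, TOM_PRIVATE = toy_keypair(2**127 - 1, 2**89 - 1)
EVE_PUBLIC, EVE_PRIVATE = toy_keypair(2**107 - 1, 2**61 - 1)
MESSAGE = b"Tom, the formula works. Call me. Linda. " * 4

if __name__ == "__main__":
    wrapped, ciphertext = pgp_style_encrypt(MESSAGE, TOM_PUBLIC)
    print("ciphertext starts:", ciphertext[:16].hex())
    print("Tom reads:", pgp_style_decrypt(wrapped, ciphertext, TOM_PRIVATE))
    print("Eve reads:", pgp_style_decrypt(wrapped, ciphertext, EVE_PRIVATE))
```

Only the 16-byte session key goes through the slow public-key operation; the message body, however long, is handled by the fast symmetric step.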

Keys are the key

To get the most out of your PGP program you should make sure your key matches the level of protection you require. The relative security of an encryption key, public or private, is determined by the size of that key. The larger the key (in bits), the harder it is for someone to decipher the data. PGP supports key lengths up to 4096 bits; but generally 1024 bits is sufficient protection against all but the most determined code crackers. In fact, PGP key sizes provide encryption so strong that, until January, US federal law prohibited the export of PGP software.

When choosing a PGP key size you must balance your own need for security and for speed -- the larger the key, the slower the process of encrypting and decrypting data will be. While it is difficult to precisely quantify the speed of different PGP keys, you can experiment with different key sizes. Keep in mind though that each time you change your key size, you must also regenerate your keys.

When creating your keys you should also take into consideration the requirements of those with whom you'll be corresponding. People with earlier versions of PGP may still be using RSA-based (Rivest, Shamir, and Adleman) PGP encryption, an older public key encryption technology. To exchange messages with an RSA-only user, your key length cannot be longer than 2048 bits. However, since the 2048-bit limit imposed by RSA is strong enough for most needs, you're pretty safe in using a 2048-bit key if you are not sure whether those you communicate with are RSA-dependent or not.


PGP Certificate Server
MIT Distribution Center for PGP
