Cryptography for the Rest of Us


By Tim O'Connor

At its heart, cryptography is the science of scrambling information so it is meaningless to a random observer but useful to the legitimate recipient, who must possess a secret key that allows the information to be unscrambled.

Once the specialty of spymasters, strong cryptographic tools are now available for personal use, so even modest desktop computers can be used to protect information from snoopers. Perhaps the most prominent encryption software today is PGP (Pretty Good Privacy), which is available for DOS, Mac, OS/2, Amiga, VMS, and Unix platforms. PGP was written by Phil Zimmermann, a programmer who is fascinated by cryptography and its practical applications, and who has a keen interest in maintaining personal privacy.

The Key to Cryptography

A traditional weak point of cryptography has been in getting the secret key that unlocks an encoded message into the hands of the intended recipient. For example, if your communications were monitored by an enemy, and you transmitted the secret key that could unlock your documents, the key itself might be intercepted. This would allow the enemy to decode your later messages, or in some cases to impersonate you by encoding messages with the key.

In 1976, Whitfield Diffie and Martin Hellman invented a new technique known as public-key cryptography (reported in IEEE Transactions on Information Theory, Nov. 1976). In the Diffie-Hellman key-agreement algorithm, each party generates its own secret value and derives from it a public value that can safely be sent over the open channel. Each side then combines the other party's public value with its own secret and arrives at the same shared "session key," which is used to encrypt subsequent messages. An eavesdropper who sees only the two public values cannot compute the session key, so the secret that protects the conversation never has to travel over the wire.
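The following worked example of the Diffie-Hellman exchange is added here and is not code from the article or from PGP. It uses the deliberately tiny group p = 23, g = 5 and the fixed secrets 6 and 15 so that the arithmetic can be checked by hand; the brute-force routine shows what the eavesdropper has to do (recover a secret exponent from a public value), which is instant for p = 23 and infeasible for the 2048-bit primes real deployments use. Hashing the shared secret down to a fixed-length key is a modern touch and not something the 1976 paper specifies.

```python
import hashlib
import secrets


def dh_public(p, g, priv):
    """The value a party publishes: g^priv mod p."""
    return pow(g, priv, p)


def dh_shared_secret(p, their_pub, priv):
    """Combine the other side's public value with our own secret."""
    return pow(their_pub, priv, p)


def session_key(shared, p):
    """Hash the shared secret down to a fixed-length cipher key (assumed KDF step)."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()


def random_private(p):
    """A fresh secret exponent in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)


def brute_force_discrete_log(p, g, pub):
    """The eavesdropper's job: find x with g^x mod p == pub.
    Trivial for a toy p, hopeless for a 2048-bit one."""
    for x in range(1, p):
        if pow(g, x, p) == pub:
            return x
    return None


def exchange(p, g, alice_priv, bob_priv):
    """Run one exchange and return what each side computed.
    Only p, g, A and B ever cross the wire."""
    A = dh_public(p, g, alice_priv)
    B = dh_public(p, g, bob_priv)
    k_alice = dh_shared_secret(p, B, alice_priv)   # B^a = g^(ab)
    k_bob = dh_shared_secret(p, A, bob_priv)       # A^b = g^(ab)
    return {
        "A": A,
        "B": B,
        "alice_secret": k_alice,
        "bob_secret": k_bob,
        "alice_key": session_key(k_alice, p),
        "bob_key": session_key(k_bob, p),
    }


def demo():
    """Toy parameters (constructed for illustration): p = 23, g = 5, a = 6, b = 15."""
    return exchange(23, 5, 6, 15)


if __name__ == "__main__":
    r = demo()
    print("on the wire: A =", r["A"], "B =", r["B"])
    print("both sides derive", r["alice_secret"], "==", r["bob_secret"])
    print("eavesdropper recovers Alice's secret:", brute_force_discrete_log(23, 5, r["A"]))
```

With these parameters Alice publishes 8 and Bob publishes 19, and both sides land on the shared secret 2. The only thing that stops the eavesdropper from doing the same is the size of p.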

In 1978, mathematicians Ron Rivest, Adi Shamir, and Leonard Adleman published a public-key algorithm known as RSA, which can be used both to encrypt a message and to create a digital signature of it. A message scrambled with the recipient's public key can be unlocked only with the matching private key. Alternatively, the message can be transmitted without scrambling but with a digital signature attached (a value computed from the message with the sender's private key, which anyone holding the sender's public key can check), or it can be both encrypted and signed. A valid signature tells the recipient that the message has not been changed in any way in transit and that it was produced by someone holding the signer's private key, which is what prevents the distribution of forged messages.
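The next block is an added example of textbook RSA, not code from the article or from PGP. It builds a key pair from the toy primes 61 and 53 (n = 3233), uses the public key to wrap a small session-key value the way PGP wraps the key for its conventional cipher, and signs a hash of a message with the private key so the recipient can detect any change to it. The primes, the session-key value 65 and the messages are constructed for illustration; real RSA uses primes of hundreds of digits and a padding scheme, neither of which this toy has.

```python
import hashlib
from math import gcd


def rsa_keygen(p, q, e=17):
    """Textbook RSA from two primes. Returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(public_key, m):
    """Scramble an integer m < n with the recipient's public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """Only the holder of d can undo rsa_encrypt."""
    d, n = private_key
    return pow(c, d, n)


def message_digest(message, n):
    """Hash the message and reduce it modulo n so it fits the toy modulus.
    (A real modulus is large enough to hold the whole hash plus padding.)"""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h % n


def rsa_sign(private_key, message):
    """Sign the digest with the private key."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def rsa_verify(public_key, message, signature):
    """Anyone with the public key can check the signature matches the message."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message, n)


def demo():
    pub, priv = rsa_keygen(61, 53)          # toy primes, n = 3233
    session_key = 65                         # constructed stand-in for a random cipher key
    wrapped = rsa_encrypt(pub, session_key)  # what travels with the message
    recovered = rsa_decrypt(priv, wrapped)   # only the private key gets it back

    message = b"Meet at noon."
    signature = rsa_sign(priv, message)
    return {
        "ciphertext": wrapped,
        "recovered": recovered,
        "signature_valid": rsa_verify(pub, message, signature),
        "tampered_valid": rsa_verify(pub, b"Meet at one.", signature),
    }


if __name__ == "__main__":
    print(demo())
```

With n = 3233 and e = 17, the private exponent works out to d = 2753 and the wrapped session key 65 becomes 2790; decrypting with d returns 65. The signature verifies for the original text and fails once a single word is changed, which is the property the recipient relies on.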

PGP is built around several algorithms, including RSA. RSA does the public-key work: it protects a random session key and produces signatures. The message body itself is scrambled with a fast conventional (symmetric) cipher under that session key, because public-key operations are far too slow for bulk data.

For most people, it is not necessary to contend with the mathematical principles behind PGP. However, having a basic knowledge of how the software works will help you make the most efficient use of encryption and digital signatures. Consider investing in one of the standard PGP books, Protect Your Privacy: A Guide for PGP Users, by William Stallings (Prentice-Hall, 1995) or PGP: Pretty Good Privacy, by Simson Garfinkel (O'Reilly and Associates, 1995). Each provides background details and plenty of helpful hints.

The Key to PGP

At the most basic level, once you have installed PGP on your system according to the instructions that come with the software, you will need to perform the following steps:

  • Generate your own pair of private and public keys. You will keep the private key for your own use only, protected by a secret passphrase you select. You will eventually release the public key to the world. You will need to supply the secret passph