Cryptography enables secure online shopping. [Credit: Jessie Birks]
You enter your credit card numbers online, click “OK” and wait with bated breath for your CD to arrive the next day … but what about that lingering question of how secure you really are?
Cryptography, the process of encoding information, has been around since Julius Caesar’s day. In fact, the technology is so solid, a method that was revolutionary 30 years ago is still used today. It’s called public key cryptography, and despite being decades old, it makes secure Internet commerce easier.
Public key cryptography allows anyone to scramble a message (like credit card information) to an intended party, but it lets only that party unscramble it. It also plays a role in authentication (Is that really Amazon I’m ordering from?).
Public key cryptography’s invention was the “most remarkable act of genius,” says Steven M. Bellovin, a computer science professor at Columbia University in New York who has served on the Department of Homeland Security Science and Technology Advisory Committee.
But if this kind of cryptography is so great, why are we still worried about Internet security? It isn’t cryptography’s fault, says Nasir Memon, a computer science professor and director of Polytechnic University’s Information Systems and Internet Security Lab in Brooklyn.
Memon says it’s like we have nice locks on a cardboard house. He maintains that problems can occur if our information isn’t stored securely once it gets to its destination, if the technology isn’t applied properly or even if we don’t know how to protect ourselves.
Although public key cryptography isn’t the whole story of online security, it is an important component.
Here’s how Memon describes encryption and decryption: Say a professor has 30 students who want to communicate privately with him. He can put up 30 mailboxes outside his office, each locked with its own combination, one per student, but then he has to remember 30 combinations. This is called private key cryptography — both sides know and agree on a way to encrypt and decrypt the message.
Instead, he could leave a box of unlocked locks next to the open mailboxes. All of these locks require the same combination. This way, every student can lock up a secure message, but the professor is still the only one who can open any of them, and he has only one combination to remember. This is public key cryptography — anyone can encrypt the message to a recipient, but only the recipient can decrypt it.
However, because encryption and decryption by public key cryptography take a long time, people often just use them to decide on a secure way to communicate by private key cryptography.
These processes are admittedly more complicated than the combination lock analogy. In real life, the “keys” involve very large numbers, usually over 100 digits, and people like you and me usually don’t have to think about them when we use secure sites. Here, encryption, decryption and also authentication go on mostly behind the scenes. Try clicking on the little yellow padlock on the web page where you enter your credit card information. You’ll often see the number of bits listed. The more bits, the longer the numbers and the more secure the connection.
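The sketch below is an added example, not code from the article or from anyone quoted in it: the slow public-key step locks up only a short random secret, and a fast shared-key cipher built from that secret protects the actual message. It assumes textbook RSA on a constructed toy key of about 28 digits (far smaller than the numbers described above) and a SHA-256 keystream standing in for a real cipher such as AES, so it shows the mechanics and is not usable protection.

```python
import hashlib
import secrets

# Constructed toy key: two small Mersenne primes. Real keys use far larger primes.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537

def make_keypair(p=P, q=Q, e=E):
    """Return (public, private): the open lock and the one combination."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)

def derive_key(secret: int) -> bytes:
    """Turn the shared random number into a 32-byte symmetric key."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal(public, message: bytes):
    """Anyone holding the public key can do this."""
    n, e = public
    secret = secrets.randbelow(n - 2) + 2       # fresh session secret per message
    wrapped = pow(secret, e, n)                 # slow public-key step, done once
    return wrapped, keystream_xor(derive_key(secret), message)

def open_sealed(private, wrapped: int, ciphertext: bytes) -> bytes:
    """Only the private-key holder recovers the session secret."""
    n, d = private
    secret = pow(wrapped, d, n)
    return keystream_xor(derive_key(secret), ciphertext)

if __name__ == "__main__":
    public, private = make_keypair()
    order = b"card=0000-0000-0000-0000;item=CD"   # constructed sample input
    wrapped, ciphertext = seal(public, order)
    print("wrapped session secret:", wrapped)
    print("ciphertext:", ciphertext.hex())
    print("recovered:", open_sealed(private, wrapped, ciphertext))
```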
The math behind encryption and decryption by public key cryptography is complex. In fact, the processes are incredibly time-consuming, even on the fastest computers, says Scott Annin, an associate professor of mathematics at California State University in Fullerton.
Given enough time, hackers could break in by trial and error, but secure systems change their keys often. If quantum computers became practical, however, they would make breaking in much faster. So far this hasn’t happened, and many believe the threat is a long way off.
The bottom line for now is: The math is working hard for us. It’s the human element that can be the problem. So buy that new CD, but you might also want to learn about other ways to protect yourself online.