Data Encryption

Data traveling through the Internet is much like a post card passing through the postal system. It passes through many points between the sender and the intended recipient, and could potentially be read many times before reaching its final destination. This is acceptable most of the time, but could be disastrous should credit card or bank account numbers fall into the wrong hands. To combat these threats, the Internet requires the equivalent of a security envelope or, better still, an armored car service. Data encryption provides this service.

Three of the most common means of encrypting data over the Internet are:

  • Pretty Good Privacy (PGP)
  • Secure Sockets Layer (SSL)
  • Secure HTTP (S-HTTP)

Pretty Good Privacy (PGP):
Created by Philip Zimmermann, PGP is used to encrypt e-mail or files. The PGP user will have two cryptographic "keys": a private key and password or phrase for their own system, and a public key, which may be provided to anyone. A message is encrypted using the sender's private key, passphrase, and the recipient's public key. The receiver's computer uses the sender's public key plus its own private key (and passphrase) to decrypt the message. Without the recipient's private key, no one, including the person who encoded the message, will be able to decipher the encoded message. A person may also encode data for multiple recipients.

Examples:

  • Bill wants to send a private file to Greg.
  • Bill encrypts the file with PGP, specifying Greg as the recipient. The PGP software uses Bill's private key and password, and Greg's public key to encode the file.
  • When Greg receives the file, the PGP software uses his private key, passphrase, and Bill's public key to decode the file.
  • Wally Wannabe-Hacker has also intercepted Bill's file. Wally has both Bill's and Greg's public keys, but that doesn't do him any good. Try as he might, he can't decode the file.
  • Wally drowns his sorrows with liters of cola.



  • Greg sends a message to Bill, Ron, and Phil.
  • PGP uses Greg's private key, phrase, and the public keys of Bill, Ron, and Phil.
  • Bill, Ron, and Phil are all able to read Greg's message.
  • Wally can't. A box of cookies feels his wrath.



  • Wally acquires an old hard drive of Phil's.
  • He's overjoyed to discover Phil's private key is still on it.
  • ...But he can't figure out the passphrase Phil uses.
  • Wally viciously attacks a family-sized bag of cheese puffs.

PGP is available for several operating systems.



Secure Sockets Layer (SSL) Protocol:
Developed by Netscape Communications Corporation, SSL is the industry-standard method for transmitting data securely on the World Wide Web. SSL runs in between the TCP/IP protocol, the foundation of the Internet, and higher-level protocols used by the Web, FTP, news, and mail. Thus it's suitable for securing a number of different applications.

SSL establishes an encrypted connection between a client, such as the user's Web browser, and a server, an online store or bank, for example. Older versions of SSL used a 40-bit key to encrypt data (that's 2 raised to the 40th power possible keys); the latest version uses a 128-bit key (2 to the 128th power).

Using an attack called "TCP Hijacking" or "Man in the Middle", it's possible for a hacker to set himself up between the client and server. The hacker's computer intercepts the data flowing between the client and server, and pretends to be the client's server and the server's client. The hacker can then monitor, alter, or delete the data passing through his system.

To guard against this, SSL provides a mechanism to authenticate the server's and/or client's identity. This is accomplished using certificates. A certificate is a data object which contains:

  1. A time stamp. Certificates are only valid for a limited time.
  2. The name of the entity which issued the certificate. This name must be in the user's trusted certificate authority (CA) list (any SSL-enabled application will have such a list).
  3. A public key, used to validate the server's identity.
  4. The server's domain name.

The certificate must be proved valid, using items 1 to 3 above, and the server's domain must match item 4 in the certificate, for the SSL connection to be established.
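
The checks listed above can be sketched in Python as follows. This is an added example, not code from the original article: `SAMPLE_CERT`, `TRUSTED_ISSUERS` and the function names are constructed for illustration, and comparing the issuer by name stands in for the signature check a real TLS library performs against the CA's public key.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}
TRUSTED_ISSUERS = {"Example Trust CA"}  # assumption: stands in for the CA list


def name_matches(pattern, host):
    """Exact match, or a '*' that covers exactly the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_certificate(cert, host, now=None):
    """Return the list of failed checks; empty means items 1, 2 and 4 pass."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # Item 1: the certificate is only valid inside its time window.
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now.timestamp()
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        problems.append("expired or not yet valid")
    # Item 2: the issuer must be on the trusted CA list.
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("organizationName") not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    # Item 4: the name the client asked for must appear in the certificate.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch")
    return problems


def strict_client_context():
    """Item 3 (signature and key checks) is done by the TLS library itself;
    the default context requires a certificate and checks the host name."""
    return ssl.create_default_context()
```

A client that builds its connection from `strict_client_context()` refuses the handshake when any of these checks fails, which is what prevents an intermediary from presenting its own certificate.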

Users may recognize an SSL connection by the presence of "https://" in the URL, and possibly a padlock icon in the browser's status bar. However, the padlock icon by itself does not guarantee a secure connection. Clicking on the padlock icon should display the server's address. This address should match the one shown in the browser's address box.



Secure HTTP (S-HTTP):
A newer form of online security, S-HTTP is an extension to the Hypertext Transfer Protocol (HTTP). S-HTTP adds security through the use of encryption, certificates, or both. Whereas SSL encrypts all data passing through its secure connection, S-HTTP may encrypt individual packets of data. In this way, sensitive information such as a credit card number may be encrypted and passed securely, but trivial data such as button images could be transmitted unencrypted. As encryption and decryption require time and processing power, the ability to pass unimportant data unencoded can save both the client's and server's time. S-HTTP also offers a more robust method of authenticating a client's identity to a server.



"Data Encryption", by the indecipherable Jody Tierney.
Researched and written March 2003.

