The Cutting Edge: COMPUTING / TECHNOLOGY / INNOVATION : Encryption Brings Code Comfort to Those Seeking E-Mail Privacy

Spend enough time in cyberspace and sooner or later you’ll stumble into the never-ending controversy about whether regular folks--presumably including international narcoterrorists--should have access to message-encoding systems so crack-proof that the government can’t monitor their communications.

What the fuss is all about is encryption. Codes are as old as communications; what else is English but an elaborate code that represents the external world? Today, though, personal computers are making extraordinary levels of encryption available to the average user, encryption that can be used to secure communications in cyberspace.

We’re not going to spend much time on whether this should be permitted, because I don’t think there is any very effective way to keep this kind of technology out of circulation.

Consider Nautilus, the latest and perhaps most interesting example. Nautilus is software that lets you conduct scrambled phone conversations by routing your call through your computer’s sound card and modem. You and your friend in San Francisco, for instance, can understand each other perfectly, but no one else can listen in. Do you have to be a spy to access such technology? Not at all. Just point your World Wide Web browser at ftp://ripem.msu.edu/pub/crypt/GETTING--ACCESS. You will have to jump through some hoops, but the directions are fairly clear.

Chances are you’ve come across encryption elsewhere on the Internet. Perhaps you’ve seen a newsgroup posting or electronic mail message with what looked like some gibberish at the bottom. What you’re seeing is a manifestation of the Internet’s favorite form of encryption, widely available thanks to a software package called Pretty Good Privacy. PGP is available free to non-commercial users all over the Internet, on the various on-line services and on many local computer bulletin board systems.

PGP is the creation of Phil Zimmerman, a cryptology consultant in Boulder, Colo., who built on the work of Massachusetts Institute of Technology professors Ronald Rivest, Adi Shamir and Len Adleman. Their initials, RSA, became the name of the licensing company that sells commercial rights to their system throughout the computer industry. RSA is also the name of the technology.

Zimmerman has gotten himself into hot water by making PGP freely available. According to the Zimmerman Legal Defense Fund Web pages (https://www.netresponse.com/zldf/), he is the subject of a federal grand jury investigation surrounding “the international distribution, over the Internet,” of PGP. For national security reasons, U.S. law prohibits the export of such a cryptographic system except to Canada, but thanks in part to the Internet, PGP has by now found its way all over the world.

Should it find its way to your computer? As the lawyers say, that really depends. I send and receive tons of e-mail, and until last week I never used PGP.

I recognize that a certain class of Internet user will be appalled by this. E-mail from my house to, say, Silicon Valley might pass through any number of computers, where any savant who happens to be interested can hack up a way to read what I’ve written.

Of course, chances are that what I’ve written is a chronicle of the way my latest all-night effort to upgrade my computer began with a disk and ended with a saber saw, ultimately saving me precious nanoseconds if I ever get around to using the system for anything truly productive. (How could I, what with all this e-mail?) The e-mail I receive tends to be equally stirring, I’m afraid.

On the other hand, PGP is free, and thanks to some Windows and Macintosh add-on software, is getting easier to use. I believe that sooner or later, a lot more e-mail--maybe most e-mail--will be encrypted.

PGP offers something that may ultimately prove even more important: a digital signature that cannot be forged, and that assures that the “document” to which it is attached has not been altered by anyone else. Using encryption this way will help open up cyberspace for commerce of all kinds.

RSA technology--as embodied in PGP--can be used this way because of its “dual-key” nature. Each key is a large prime number, but one serves as your private key, shared with no one, and the other is your public key, available to anyone. An e-mail message signed with your private key results in an encrypted “signature” that takes account of your exact message; when someone decides to decrypt the message using your public key, the software issues a warning if there has been even the slightest change to the message’s text since you signed it.

PGP also enables you to encrypt messages so that only your intended recipient can read them. To get PGP via the Web, point your browser at https://web.mit.edu/network/pgp-form.html. You’ll be asked to attest that you won’t export this program, after which you’ll be permitted to download it.

*

Daniel Akst can be reached at [email protected].

(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)

More on PGP

There’s a pretty good PGP FAQ (for Frequently Asked Questions) available using my favorite FAQ-getting technique, which is via the Web at https://www.cis.ohio-state.edu/hypertext/faq/usenet/top.html.

If you want to know more about PGP, several books are available, including Phil Zimmerman’s “Official PGP User’s Guide” (MIT Press), William Stallings’ “Protect Your Privacy: The PGP User’s Guide” (Prentice Hall PTR), and the one I use, Simson Garfinkel’s clearly written “PGP: Pretty Good Privacy” (O’Reilly & Associates).