The Internet has grown from a resource used only by academic and research organizations to a global network that plays an increasingly important role in personal and corporate communications. Sensitive information of all kinds is increasingly finding its way into electronic form and then onto the Internet.

Unfortunately, because this information is sent over the Internet (which is an open network), valuable data can be easily intercepted and exploited. Obviously, there could be disastrous consequences for individuals and businesses if this information fell into the wrong hands. Enter cryptography and encryption software.

Why encrypt?

Before we delve into the how, we should look at why you might want to encrypt your most sensitive information before sending it to the Internet.

Most people know little about computer security. They don't realize that their e-mail messages are not sent point-to-point. Instead, they are sent from one computer to another. In fact, e-mail is like sending a postcard--anyone who comes across it can read it.

So without the knowledge of either the sender or the recipient, e-mail can easily be intercepted and copied. To remedy this problem, there are quite a few systems for encrypting e-mail on the market today.

And then there is e-commerce. Today, Internet transactions are primarily credit card-based. Steps have to be taken to safeguard credit-card information from prying eyes.

The first step is to have the browser connecting to the e-commerce site's server in secure mode. This is accomplished by using Secure Sockets Layer technology (SSL) to encrypt everything sent back and forth between the browser and the server. If an e-commerce site is going to be secure, then the credit-card info, once collected, needs to be stored in encrypted form--preferably off the server rather than in plain text, as is the case with far too many e-commerce applications. Encryption is mostly needed to help protect against credit-card thieves.

Another component of e-commerce is digital cash. Cryptographer and computer scientist David Chaum developed a set of techniques using digital signatures that makes digital cash possible. Digital signatures can help prove the origin of data (a process called authentication). The technology can also be used to ensure the privacy of the user, permitting payments that do not reveal the customer's identity. Again, encryption plays a key role in making the whole process work.

And while considering these two points (e-mail security and e-commerce transactions) alone ought to give pause to most users before they send information over the Internet, there remain more sinister and compelling reasons to consider encrypting your information.

Today, if the government wants to violate the privacy of ordinary citizens, it has to expend a certain amount of expense and effort to intercept, open, and read paper mail, or listen to and transcribe a spoken telephone conversation. This kind of labor-intensive monitoring is not usually practical on a large scale. And it is only supposed to be done in cases where it seems absolutely necessary.

But more and more of our private communications are being routed through electronic channels. Channels like e-mail are simply too easy to intercept and scan for interesting keywords. This can be done routinely, automatically, and imperceptibly on a very large scale. And as some chilling recent news stories can attest, the National Security Agency, through its project Echelon, already scans international and foreign communications in this way.

Imagine a global spying network that can eavesdrop on every single phone call, fax, or e-mail, anywhere on the planet. It sounds like something out of a Tom Clancy novel, but it exists. According to a BBC report from November 1999, a Cold War­era electronic intelligence-gathering resource has been turned to other purposes--including commercial spying on foreign competitors to American and English businesses.

Powerful computers capable of voice recognition can listen to every international telephone call, fax, e-mail, or radio transmission. They home in on a long list of keywords, or patterns of messages. They are supposed to be looking for evidence of international crime, like terrorism. But there appear to be other, less savory purposes for Echelon than the intelligence, antiterrorism and crime-fighting missions it was originally built to fulfill.

The BBC report cites information from journalist Duncan Campbell, who has spent much of his career investigating Echelon. In a report commissioned by the European Parliament, he produced evidence that the NSA listened in on phone calls from a French firm bidding for a contract in Brazil. It passed the information to an American competitor, which won the contract. Big Brother not only exists; he may already be watching you.

Public-key Cryptography to the Rescue

Now that you're convinced that you don't want other people reading your e-mail without your knowledge or stealing your credit card information, just how are you to go about preventing it?

You need to investigate some of the products available for encrypting your sensitive information. As strange as it may seem, you are in the market to find the same kind (and level) of cryptography technology that governments, multinational corporations and major drug and arms dealers already employ to secure their most sensitive information.

Cryptography is the science of scrambling text so that no one but the intended recipient can read it. The goal is to transform text, called plaintext, into a form that is meaningless to anyone who might intercept it. The coded text is called ciphertext. The process of transforming plaintext into ciphertext is called encryption; the reverse process of transforming ciphertext into plaintext is called decryption.

If you want to encrypt a plaintext or decrypt ciphertext, you need an algorithm and a key. The algorithm usually consists of two parts: The encryption algorithm and the decryption algorithm. Only those who know the key and the respective algorithm can encrypt plaintext or decrypt ciphertext.

This kind of cryptography is known as private-key cryptography, and is also called symmetric cryptography. It uses a single key--the private key--for both encryption and decryption. In this scheme, the communicating parties have to agree on a secret key in advance. The disadvantage is that they have to find a secure way to exchange this key.

In conventional cryptosystems, such as the U.S. Federal Data Encryption Standard (DES), a single key is used for both encryption and decryption. This means that a key must be initially transmitted via secure channels so that both parties can know it before encrypted messages can be sent over insecure channels. This may be inconvenient. It also begs the question that if you already have a secure enough channel for exchanging keys, then why do you need cryptography in the first place?

Public-key cryptography solves this problem by using two keys instead. In public-key cryptosystems, everyone has two related complementary keys, a publicly revealed key and a secret key (frequently called a private key). Each key unlocks the code that the other key makes. Knowing the public key does not help you deduce the corresponding secret key. The public key can be published and widely disseminated across a communications network. This protocol provides privacy without the need for the same secure channels that a conventional cryptosystem requires.

Anyone can use a recipient's public key to encrypt a message to that person, and that recipient uses her own corresponding secret key to decrypt that message. No one but the recipient can decrypt it, because no one else has access to that secret key. Not even the person who encrypted the message can decrypt it.

Message authentication is also provided. The sender's own secret key can be used to encrypt a message, thereby signing it. This creates a digital signature of a message, which the recipient (or anyone else) can check by using the sender's public key to decrypt it. This proves that the sender was the true originator of the message, and that the message has not been subsequently altered by anyone else, because the sender alone possesses the secret key that made the signature. Forgery of a signed message is not feasible, and the sender cannot later disavow his signature.

These two processes can provide both privacy and authentication by first signing a message with your own secret key, then encrypting the signed message with the recipient's public key. The recipient reverses these steps by decrypting the message with her own secret key, then checking the enclosed signature with a public key. These steps are taken automatically by the recipient's software.

To protect e-mail and files, you should look into PGP (Pretty Good Privacy) software in a version that runs on the platform of your choice (Mac, Windows, Unix, etc.) PGP-based products are available in freeware and commercial-grade products. PGP is the world's de facto standard for e-mail encryption and authentication, with more than 6 million users.

PGP 6.5.1 MIT freeware supports RSA, PGP e-mail, and secure client-to-client connections using PGP certificates. It is available for non-commercial use only. You can download freeware versions of PGP for various platforms from MIT.

If you need to use PGP in a commercial environment, the commercial PGP VPN Client, available from Network Associates, supports certificates from industry leaders such as VeriSign, Entrust and Net Tools. PGP VPN can be used to create encrypted network connections to your company for secure remote access. The commercial client also includes PGPdisk for fast disk, file, and directory encryption and authentication, in addition to technical support.

For those more interested in protecting their whole enterprise versus just individual desktops, PGP technology has been extended to the enterprise back office. The PGP E-Business Server (again from Network Associates) enables automated e-commerce applications to leverage the powerful encryption and authentication PGP technologies on Solaris, Windows NT, Linux, AIX, HP-UX, and MVS platforms.This allows corporations to apply the ease of use, strength, and confidence of the PGP technology to protect corporate data in virtually any setting.

E-commerce Encryption

For Web-based e-commerce transactions, make sure that anytime you are exchanging sensitive information, you are connected to the host in secure mode using SSL. You should also do some research before you make a purchase to see if you can determine whether or not the merchant stores your credit-card info on the Web server and if it does, is it stored in plain text or encrypted format? Obviously, you are interested in doing business with the vendors who encrypt your sensitive information while it is in their possession.

And last but not least, consider the source. Today's technology allows almost anybody to easily set up shop on the Internet, where things aren't always what they seem. Make sure you do some checking before you give out vital information like credit-card numbers to complete strangers.

In today's information society, ensuring the security and privacy of its advanced communications has become critically important. Cryptography is a crucial technology to protect these communications.

Contributing Editor Don Fitzwater is a principal partner in Interface Solutions, a Minneapolis consulting firm.