Security on the Internet has become more and more important. The casual user
of the internet may well ask why he or she should concern himself or herself
with security. The answer is quite simple: You should be concerned with
security because unless you do, somebody out there will be able to do whatever
you can do. Unlike you, that somebody may have malicious intent. More
importantly, that somebody could be anywhere in the world.
So should you be paranoid now? Well a little paranoia is good. On the other
hand, the most secure computer in the world is one that is not connected with
any other computers and has no users. It is, of course, not very useful. So
the sensible answer is to take reasonable precautions and trust that criminals,
spies and the government have no interest in you.
Public Key Encryption to the Rescue
In the computer/information age, one of the revolutionary developments in society
is that anybody with a personal computer has the ability to encrypt messages that
will take even the United States Government that spend billions of dollars on
computers and really smart people a non-trivial amount of time to crack (of course,
they won't say how long a non-trivial amount of time is). One would hope that
it takes criminals and everybody else a while to do that also.
The reason why this is possible is a system called Public Key Encryption (PKE).
The exact method involves a great deal of mathematics. Suffice it to say that
it involves very large prime numbers. (A prime number is a number that is evenly
divisible by only the number one and the number itself. 23 is a prime number,
but 21 is not since 21=3x7.) What makes public key encryption work is that you
generate two keys using an algorithm that involves large primes. You pick one of
these keys as the public key and the other as the private key. You then publish
the public key for all the world to see. The private key you keep top secret.
When anybody wants to send you a secret message, they encrypt the message using
your public key. However, the encryption algorithm is such that the public key
cannot be used to decrypt the message, only the private key can be used to do that.
Actually, given a big enough computer, the messages could be decoded. However,
the more bits there is in the encryption key, the more effort is involved. With
present day computers, 56 bit keys are easy to break. It is reputed that the US
government can do it in a fraction of a second. Adding a bit approximately
doubles the required effort. Current practice is to use 128 bits which is
reputed to take enough effort that it is not worth anybody's while to crack.
In other words, it will cost the crook more to crack the message with your credit
card number in it than he would be able to steal from you.
Actually, public key encryption has another useful feature: It is symmetric.
What that means is that if you encrypt a message using your private key, that
message can be decrypted only with your public key. Now this is obviously not
the way to send a secret message because evreybody will be able to read it.
However, this can be used to sign messages, that is to certify that you are
really who you say you are.
Isn't my phone line secure?
The internet is a packet switching network. That means any message you send has
an "envelope" put around it which contains the destination address as well as your
address. If you use a dailup service or are lucky enough to be on a DSL or ISDN
or even T1 circuit, your computer sends the message to your Internet Service Provider
(ISP) computer. This computer looks at the envelope, reads the address, and sends
it to another computer, which sends it to another computer, and eventually to the
destination computer. Actually some of these computers are special computers called
routers, which do nothing but forward messages, but that's just semantics.
The important point is that when you make a phone call, you esentially get a copper
wire dedicated just to your call. (Actually even that is no longer true, but you
can think of it that way.) However, when you send a message over the internet, your
messages gets jumbled up with everybody else's messages and it passes through many
computers along the way. Fortunately, computers are not as nosey as humans, so they
just look at the address and pass it on appropriately.
However, the messages are really open for anyone to read. It is possible to use a
"packet sniffer" to read all the messages as they go by. On a cable modem circuit,
you can sniff all packages of all the computers on your circuit. Your computer is
generally polite and throws away messages not intended for it, but a program like
tcpdump will allow you to read all those packets. In principle, anybody along the
whole series of computers along the way can sniff your messages.
I don't send secret messages!
You may not care if somebody reads the jokes you send to your friend, so you only
want to encrypt the email you send to your lover. However, bear in mind that on
the Internet, messages are sent between your computer and other computers for many
other purposes than just email.
Computers are pretty gullible. When you are retrieving your mail from your ISP's
computer, you tell the computer who you are by giving it your user name. Since your
user name has to be widely know for people to send you mail and such, the computer
asks you to certify who you really are by giving it a password. That password is
sent from your computer to the other computer as a message. All somebody has to
do to impersonate you to any such computer is to steal that message that contains
your password and read it.
This is actually very easily done. There are billions of messages flying all over
the internet all the time. However, the TCP/IP protocol that is used for much of
the traffic has a serial number that starts at 0 for every series of messages between
you and another computer. So people have written programs that analyze the start of
all these messages and see if they can pick a password out of it. The destination
address is also part of the message, so not only do they know your password, they also
know the computer on which to use it. So a malicious person can figure out your password
Your password is used in a large number of applications. Your mail reader sends your
password when you retrieve your mail. When using telnet or ftp to conncet to another
computer, you are asked for your password to tell the other computer it is OK to let
you log in. If your password is stolen, the thief can do everything on the target
computer that you are allowed to do, because that computer will believe that the thief
Public Key Encryption offers some neat solutions. For example, instead of using telnet
to log into a remote computer, you can use Secure SHell (ssh). With ssh, the computers
initially exchange public keys. All traffic between the computers is encrypted. The
sending computer uses the public key of the receiving computer to encrypt the messages,
while the receiving computer uses its private key to decrypt it. So while anybody along
the way may see the messages, the messages cannot be read because it is encrypted.
If you are on a Unix system, you can download and compile ssh from
The installation follows the standard GNU procedure: configure, make, make install.
If you are on a Windows or Macintosh system, you can buy ssh or get a free version.
A list of available implementations are available here.
A popular Windows implementation is TTSSH
which requires TeraTerm Pro.
In addition to its default function as a replacement to telnet, ssh also has a port forwarding
feature. For example, if you want to use ftp over a secure link, you invoke ftp within ssh.
The idea is that on the local machine, ssh intercepts traffic from ftp, and on the remote machine,
ssh connects to the server. In between, all traffic is encrypted and therefore secure.
A few other applications uses the same idea, but integrates it so the user does not have to
do anything special. Netscape, for example, introduced something called the Secure Socket
Layer (SSL). An SSL enabled web server such as Apache-SSL sends a public key to your web browser.
The browser then encripts the reply which may enclose your credit card number with this key and
sends the message to the server. The server uses its private key to decrypt the message.