Out with the old

CRYPTOGRAPHY has been used since the early days of computing and, in fact, it is already possible to send encrypted e-mail messages using familiar applications.

For instance, you could use Microsoft Word to write your messages, encrypt the document with Word's built-in password protection feature, and send it off as an e-mail attachment.

Or you could compose your message with a text editor, then use Winzip to compress the text file into a password-protected zip file, and send that as an e-mail attachment.

In both cases, a new problem crops up after you've sent off an encrypted e-mail attachment -- how are you going to tell the receiver what the password is?

Conventional cryptography presents a Catch-22 situation when it is used for electronic communications. You obviously can't send the password through an insecure communications channel like the Internet because someone could be intercepting your messages.

After all, that is presumably why you needed to use encryption in the first place.

This means both parties must exchange the password either by meeting personally, over the phone, by express courier, or through some other secure communications channel.

But a personal meeting may not always be feasible, especially if your e-mail contacts are in another state or even another country.

One obvious way to communicate the password would be to call up the other person on the phone, but long-distance phone calls are expensive. Besides, phone calls can also be intercepted and recorded.

As for express couriers, there's no guarantee that the company's workers are all completely trustworthy.

Also, if you need to send passwords out to dozens of contacts, the cost of long-distance phone bills or express courier fees would quickly become prohibitive.

And of course, if you already had a secure communications channel to begin with, you probably wouldn't need to use cryptography.

`Ve have vays ...'

The encryption systems used by Word and Winzip are both examples of symmetric cryptography. Basically, this means only one password or key is used, and both parties must know this password.

Other than the inconvenience of having to communicate the password securely, conventional cryptography also presents problems in password management. If you plan to use conventional cryptography a lot, you may need different passwords for different groups of users.

You would preferably memorise all these passwords to ensure maximum security, but most people have trouble remembering more than three or four passwords, so they have to resort to writing down the passwords on a notepad or storing them in a text file in their computer.

This obviously poses a security hazard, because even a casual search of the user's desk or his computer will reveal the passwords; or worse, the other party may be forced to reveal the password or even decide to betray you.

As you share passwords with more people, the chances of a security compromise or a betrayal increase correspondingly.

So even if you keep your passwords secure, somebody else's carelessness or treachery could compromise your secure e-mail communications.

Public friend

Public-key cryptography, or asymmetric cryptography, gets past nearly all the weaknesses of conventional cryptography.

Users do not have to determine a password beforehand and they can exchange their keys through e-mail.

There is no longer a need to memorise many passwords or keep the keys secure, and users do not have to worry about someone else compromising the password.

It also adds important features that protect messages against forgery and tampering.

© In.Tech, Star Publications (M) Berhad.
All Rights Reserved
e-mail intech@thestar.com.my