Battle of the standards

IN THE unfortunate tradition of computer standards, there are now two duelling e-mail encryption systems -- Pretty Good Privacy (PGP) and Secure/MIME (S/MIME).

These are the two leading e-mail encryption systems used on the Internet, but unfortunately, they are incompatible with each other.

Although they both use public-key cryptography, PGP and S/MIME differ in technical and implementation aspects.

While it is theoretically possible to crack a message encrypted with PGP or S/MIME, in practice this would require a huge amount of computing resources. The algorithms used by both S/MIME and PGP are very secure and have withstood years of cryptanalytic attacks (codebreaking).

For now, the only way for an unauthorised user to decrypt a message would be through ``brute-force'' attempts to guess the private key.

This means he would have to crack the code by systematically trying every possible key, or keys in the case of 128-bit encryption. This is comparable to trying to guess a PIN on an ATM card you have found by the roadside.

If the card uses a six-digit PIN, you have a 1 in 900,000 chance of guessing it (000000 to 999999).

PGP uses a 128-bit encryption strength, which means there are around 340,282,366,920,938,463,463,374,607,431,768,211,456 possible ``PIN numbers.'' S/MIME supports encryption strengths from 40-bit to 255-bit.

To give you an idea of how secure these cryptosystems are, consider the following statement from William Crowell, deputy director of the National Security Agency during testimony to the US Congress in March last year:

``If all the personal computers in the world -- about 260 million computers -- were put to work on a single PGP-encrypted message, it would take an estimated 12 million times the age of the universe, on average, to break a single message,'' he said.

So, it is extremely unlikely that anyone will spend the time, effort, and money just to decrypt your love letters.

Pretty Good Privacy

Pretty Good Privacy (PGP) is currently the most widely used e-mail encryption technology on the Internet. It was originally developed by Phil Zimmermann, and was first introduced in 1991, long before the Internet went mainstream.

There are currently about four million PGP users worldwide, according to PGP Inc.

The PGP public-key encryption algorithm is extremely secure and does not have any ``backdoors.'' Furthermore, the PGP program source code is freely available on the Internet.

So if you're truly paranoid, you can download the source code, examine it for any weaknesses or backdoors, and compile the program yourself.

However, one major disadvantage of PGP is that it does not support the X.509 standard digital certificates and certificate authorities. PGP does have its own digital signature system though.

This means users usually have to validate or ``sign'' public keys themselves, or if a public key has been signed, they have to decide whether the person who signed it can be trusted.

This system places the burden of trust on the user, and may be difficult to manage for a large number of users.

However, PGP proponents say this system is well suited to the decentralised and semi-anarchic nature of the Internet.

Note that PGP-encrypted messages are not an official Internet standard yet, any more than Microsoft Word file attachments are.

To use PGP, you will need to install the PGP program on your computer. PGP is free for personal use and is available for all major operating systems.

There are also PGP plug-ins for several popular e-mail programs including Qualcomm's Eudora Pro/Light, Microsoft's Outlook Express and Exchange, and Claris Emailer.

The Internet Engineering Task Force (IETF) is currently evaluating a protocol based on PGP, PGP/MIME, as an Internet standard for secure e-mail. If PGP/MIME becomes a standard, it would allow for easier integration of PGP into e-mail clients.

Currently, Qualcomm is the only major vendor that supports PGP/MIME in its e-mail products.

Secure/MIME

Secure/MIME (S/MIME) is a relatively new protocol for secure e-mail which was developed by a consortium of vendors. It was designed for easy integration into e-mail and messaging products.

S/MIME has received strong backing from software vendors, and many major e-mail clients already have built-in support for the S/MIME protocol. These include products from Microsoft, Netscape, Entrust Technologies, Baltimore Technologies and Worldtalk.

Unlike PGP, there is no need to install an additional program if you use e-mail products from one of these companies.

S/MIME offers strong encryption and digital signatures like PGP, but the main advantage of S/MIME is its use of a formal trust hierarchy where a certificate authority validates public keys and issues digital certificates.

That means S/MIME users do not have to validate public keys themselves.
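
The two trust decisions described above, as an added example that is not part of the original article: a toy Python model in which signatures are plain records rather than verified cryptography, and all names, keys and certificate authorities are constructed. The PGP rule used here (accept a key I signed, or one signed by an accepted key whose owner I trust as an introducer) is a simplification assumed for illustration.

```python
# Toy model of the two trust decisions. Signatures are plain records here,
# not verified cryptography; every name below is constructed.

def pgp_key_accepted(key, signatures, my_key, trusted_introducers):
    """Web of trust: accept a key I signed myself, or one signed by an
    already-accepted key whose owner I chose to trust as an introducer."""
    accepted = {my_key}
    changed = True
    while changed:
        changed = False
        for signer, signed in signatures:
            if signed in accepted or signer not in accepted:
                continue
            if signer == my_key or signer in trusted_introducers:
                accepted.add(signed)
                changed = True
    return key in accepted

def smime_cert_accepted(subject, issued_by, trusted_roots, max_depth=8):
    """Hierarchy: follow issuer links until a trusted root CA is reached."""
    current = subject
    for _ in range(max_depth):
        if current in trusted_roots:
            return True
        issuer = issued_by.get(current)
        if issuer is None or issuer == current:
            return False  # chain ends at an unknown or self-signed issuer
        current = issuer
    return False

# Constructed sample data: (signer, signed key) pairs on a PGP keyring.
SIGNATURES = [("me", "alice"), ("alice", "bob"), ("bob", "erin"), ("carol", "dave")]
TRUSTED_INTRODUCERS = {"alice"}  # my personal choice; bob is not in it

# Constructed certificate chain: subject -> issuer.
ISSUED_BY = {
    "bob@example.com": "Example Issuing CA",
    "Example Issuing CA": "Example Root CA",
    "Example Root CA": "Example Root CA",
    "mallory@example.com": "Unknown CA",
    "Unknown CA": "Unknown CA",
}
TRUSTED_ROOTS = {"Example Root CA"}

if __name__ == "__main__":
    for k in ("alice", "bob", "erin", "dave"):
        print("PGP", k, pgp_key_accepted(k, SIGNATURES, "me", TRUSTED_INTRODUCERS))
    for s in ("bob@example.com", "mallory@example.com"):
        print("S/MIME", s, smime_cert_accepted(s, ISSUED_BY, TRUSTED_ROOTS))
```

In the PGP case erin's key is rejected even though bob's accepted key signed it, because the user never chose bob as an introducer; in the S/MIME case the user's only decision is which root CAs sit in the trust store.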

Who do you love?

For e-mail users in Malaysia, the debate between PGP and S/MIME is actually a moot point because we still do not have a certificate authority. As noted earlier, S/MIME requires the presence of a local certificate authority to be effective.

S/MIME users in Malaysia are currently limited to internal e-mail systems or WANs like the AsiaSURE StudentConnect project at Universiti Telekom (Unitele).

On the other hand, a fair number of Net users in Malaysia already use PGP, and it is the most established e-mail encryption standard among Internet veterans.

PGP's lack of government control and open source code would also appeal to those who mistrust central authorities. In fact, Zimmermann developed PGP largely in response to increased government monitoring of communications.

S/MIME, on the other hand, may appeal to enterprise and business users because of its support for certificate authorities.

Malaysia's Digital Signature Act of 1997 lends credibility to the digital signatures used by S/MIME products and it also confers some legal protection on its users.

In the long run, S/MIME will probably emerge as the secure e-mail standard, although PGP will continue to be used because of its large installed base.

© In.Tech, Star Publications (M) Berhad.
All Rights Reserved
e-mail intech@thestar.com.my