Back in May I talked about cryptography, which is the science of code making and code breaking. Although we tend to think of codes as a tool of war, they are utterly necessary to e-commerce on the Internet. As always, there are some links at the end.
Q: Colin Jackson joins us now. He’s our resident technology guide and he’s here to talk about cryptography – that’s the science of codes. Colin, why is this important on the Internet?
A: The Internet is an open system just like the post office. In fact, it’s more open – send something across the Internet and you might as well write your message on a series of postcards and mail them.
Q: But do people read your email?
A: Not usually. There are just so many postcards – to pursue the analogy – flowing across the Internet, and yours and mine probably aren’t all that interesting in the first place. But people could read them, and in some cases that’s enough for people to want to hide them.
Q: And that’s where cryptography comes in…
A: Yes. Cryptography literally means “hidden writing”, and these days its meaning is more like hidden meaning. Codes were used by the ancients – in fact, it was damn near essential if you were running a military campaign to have some way to give orders to your field commanders without risking the whole thing if they got caught by the opposition. One method used by the ancient Greeks involved shaving a slave, tattooing a message onto his scalp, waiting for his hair to grow back then sending him off through enemy lines with instructions to tell person he was sent to to give him another shave.
And that’s actually what we’d call today steganography, or covered writing, meaning that nobody even realises there’s writing there. The modern equivalent of that dodge is hiding your message in the background of the picture of something you put up on Trademe. No-one would ever realise you were doing it.
Q: But codes get a lot more complicated than that, surely?
A: Yes. Often you can’t just conceal the fact that you are sending message, but you can try to make the message unreadable to everyone except the recipient. That’s what most people mean by encoding messages. And as I say, these things have been around for ever. Julius Caesar has a code named after him – it’s a really simple one which we’ve all probably played with as children, where you just pick a small number, say 6, and then you add 6 to every letter in your message, so that A becomes G, B becomes H and so forth. The recipient knows about the 6 – we call that the key, and both parties need to have agreed it in advance – and the recipient just subtracts the key off again to get the original message.
Unfortunately that’s not very secure because if you’re used to the English language its pretty easy to stare at an encoded message and figure out which letter is which – it only takes a couple of trial guesses – and then you can work out the key and decode the whole message.
But from there, people have come up much more complicated scrambling systems – first it was you encoded every two letters together, then more and more letters together in a more intricate pattern – but you still have the notion of a message, a type of code, and a key – which might be string of numbers and letters but its still something quite small.
Back in the Cold War spies used to use something called a one-time pad that was basically a huge key. They’d have it written out on small pieces of paper bound into a book and it would be long enough to encode any number of messages, and they’d always burn the pages of the book as they used them. That was pretty near unbreakable, but it was very hard to use because spies had to encode their messages manually and their home base had to stay in sync with them using their copies of the book.
Q: And people try to break codes?
A: Yes, of course they do – that’s called cryptanalysis. Queen Elizabeth’s spymaster, Walsingham, broke the code being used by Mary Queen of Scots to communicate with Babington plotters. The Queen had said that she would not have her cousin put to death without proof positive that Mary was plotting against her – the broken codes showed just that and Mary lost her head as a direct consequence.
Other famous examples were in war time. In the UK, as we now know, the British were reading the German codes for a good chunk of the war. It was really important to their success. The Brits went to huge lengths to disguise this from the Germans – for instance, by happening to send a spy plane over something they already knew was there, with pilot having instructions to make sure he was seen, just so they could justify knowing where that thing was when they bombed it the night afterwards. The British war time code work was led by a brilliant, brilliant man called Alan Turing who basically invented computers to help him break the code. And after the war, when he was shown to be a homosexual, the British establishment forced a form of chemical castration on him that led to him committing suicide.
Q: So how are codes used on the Internet?
A: Codes are used on the Internet because it’s an open communication channel with no built in security. A lot of the time, that doesn’t matter – as I said, who’s going to bother to read everyone’s mail – but for some things, like credit card numbers, it definitely does matter. So, we encrypt a few things on the Internet, but not the bulk of it.
You know when you are doing online shopping or buying flights online – when you get to the bit where the web site is asking for your credit card number – you should be on a secure site. You can tell by the little padlock cartoon that you can see in the grey bar underneath the webpage. That’s actually some rather high-grade cryptography at work.
Q: How is that high grade?
A: Two things – the first thing is it’s what’s called public key – this is a change to the most codes which require you to agree a separate key in advance with every person you might correspond with. A public key system is different, because instead of having a key for every person you correspond with, everyone creates a so-called public key and a private key. The way this works is, that if anyone wants to send you something, they encode it first with your public key – they already know that because you publish it, and the code is such that only your private key can decode it. Of course, you treat your private key like the crown jewels, and then only you can read the messages that someone has sent you. Public keys are on things called certificates which get transmitted to you when you go to secure site – sometimes you see messages about certificates; these are generally bad, they mean that the site concerned hasn’t satisfactorarily identified itself. Never put your credit card or banking details into a site if you are getting messages about certificates when you go there.
Anyway, these codes are very clever. They are based on a system called RSA that was invented in the eighties by an two American civilians and an Israeli – but recently declassified documents show that the British spy services had invented the same system in the seventies. What it relies on is the pattern of prime numbers – you know, numbers that you can’t make by multiplying smaller numbers together. 5 and 7 are primes, and 9 isn’t (because it’s 3×3). Primes occur in no particular pattern, and it’s really fascinating if you like that kind of thing.
Mathematicians have come up with a very clever form of coding which involves a very large number which is almost prime – it’s just two large prime numbers multiplied together and to break the code you need to figure out what the two numbers to multiply together are. All the numbers involved are at least fifty digits so that’s really not an easy problem. If mathematicians could ever figure out the pattern of the prime numbers then this code – which the whole of e-commerce relies on – would fall overnight. Still, mathematicians have been banging their heads on prime numbers for over two thousand years and they still aren’t close to a solution, so we are probably safe for the moment.
Q: What do governments think about people having access to these codes?
A: They used to hate it. The US Government in particular was trying to get all its allies to restrict access to strong crypto, as this sort of thing is called. A very good email encryption tool – called Pretty Good Privacy or PGP, was invented by an American named Phil Zimmerman – and he got endless hassle from the FBI. PGP started popping up all over the Net, including New Zealand, even though the FBI had told Zimmerman he couldn’t export it. New Zealand has its own cryptographer, Peter Gutmann, who became a friend of Zimmerman’s about this time, and who recently wrote a critique of Vista that we talked about a couple of months ago.
Anyway, all through the 1990s the US government was trying to get other governments to prevent the export of strong cryptography. There were arguments about trade favouritism and it all got very nasty for a while.
These days most governments are keen that people use strong codes, for e-commerce and e-banking anyway. They realise how important using the Internet securely is – and they want to use it that way themselves, so they are keen to support initiatives for security on the Net.