Our Encryption:
All of the protected parts of our website now use 128 bit encryption. This is the same level of encryption used by on-line shopping site's and even banks! We've achieved this, with no cost, by establishing our own "Root Certification Authority". That is basically a computer that issues digital certificates for encrypting data. Unfortunately this "Root CA" is not trusted by your computer yet, so that means you get that annoying security warning every time you enter our website. To avoid the security warning you will need to tell your computer to trust our "Root CA" (see the last section on this page).
There are many types of encryption. Normal encryption uses a simple encryption key. The problem with that is that the encryption key needs to be transmitted secretly so only the two people communicating and read a message. The type of encryption explained below is called RSA encryption, named for the three men who worked it out, Rivest, Shamir and Adleman. This type of encryption allows the secret transmission of data without having to first transmit a secret key. However, it is quite heavy for your computer to calculate it so it is usually only used to transmit a normal encryption key that is then used for the actual transmission of data.
How RSA Encryption Works:
You have a "public key" that is known to everyone and a "private key" that is known only to you. Everything that is encrypted using this "public key" can ONLY be decrypted by using your "private key". This means that if I encrypt some data using your "public key", you will be the only person able to decrypt it, because only you have the equivalent "private key".
It also works the other way around. Anything that you encrypt using your "private key" can ONLY be decrypted using your "public key" - therefore proving that the data (normally an e-mail in this case) came form you and not from someone posing as you.
It is important to note that once data is encrypted with one of these keys it CAN NOT be decrypted using the same key, but ONLY the other key in that "public/private key pair".
When your computer makes a connection to our website everything that you send to our server is encrypted using our public key. This is exactly what happens when you send us you user name and password. In this way everything you type in and click on can only be decrypted by our server.
BUT, I hear you say, what about the other way around? I don't have a public/private key pair, do I?
Well, yes and no. You don't have a digital certificate, but for encrypted connections your computer has created it's own public/private key pair. This key does not prove who you are, like a digital certificate, so it is only used to establish encrypted connections to other computers. Your computer then sends that public key to our server and everything our server sends to your computer is encrypted using your computer's public key, so that only your computer can decrypt it.
Just in case your interested the public key of our server is below. You can see this for yourself if you click on the "View Certificate" button on the security warning you receive when entering our site. Of course we're not going to show you our private key!
To avoid the security warning you will need to tell your computer to trust our "Root CA" (see the last section on this page).
The Technical Details of RSA Encryption:
This whole thing works by using prime numbers and a special one-way mathematical function. Essentially all your computer does to create the public/private key pair is to take two prime numbers and multiply them together. For Example:
p x q = N
11 x 17 = 187
in this case 11 and 17 ("p" and "q") are used to calculate your private key while 187 ("N") and another number "e" become your public key. "e" can be any number.
Of course in real life the prime numbers that are multiplied are "not trivial". But the fact remains that this system can be cracked - simply by dividing "N" by prime numbers until you find the correct pair of prime numbers. The only problem with this theory is that it would take your desktop computer a few hundred thousand years to achieve this with a 128 bit number.
Most digital certificates use much bigger numbers. The digital certificate for our server is 1024 bits and they can be as large as 16,384 bits. That may not seem like much but with every extra bit on the number you double the possible number of numbers. For 16,384 bits we're talking:
1.189731495357231765085759326628 x 104932
That's a VERY big number! Even 128 bits is:
3.4028236692093846346337460743177 x 1038
that is: 340,282,366,920,938,463,463,374,607,431,770,000,000
Encrypting Your Message:
Because a mathematical function is used for encryption, all the characters need to be turned into numbers. On computers this is usually achieved by substituting the character for its ASCII equivalent (e.g. X = 88).
In order to use these keys to encrypt data a special one way mathematical function is used. This function uses circular arithmetic such as we use on a clock. If you start at 0 and count around the clock 50 hours you'll end up at 2, but if you only know the answer it is impossible to get back to the original number. This is called a modular function, where the "mod" is the number of hours on the clock face. For example, the above calculation would be shown:
50 (mod 12) = 2
To encrypt a message to you your friend would use the formula:
C = Me (mod N)
where:
C is the resulting encrypted number,
M is the number you want to encrypt,
e is one part of your public key, and
N is the multiple of the two prime numbers that make your private key
Your friend is then ready to transmit the encrypted number to you....
Decrypting the message:
In order to decrypt the number you need calculate your private key "d" according to the following formula:
e x d = 1 (mod (p - 1) x (q - 1))
Once that is done you can decrypt the message using this formula:
M = Cd (mod N)
where:
M is the decrypted number,
C is the encrypted number,
d is your private key, and
N is the multiple of the two prime numbers that make your private key
And there you have it.... Your friend has transmitted a number to you without having to transmit a secret key.
Hexadecimal Numbers:
The more astute of you may have noticed that the Public Key in our server's digital certificate has letters in it also. This is because it is in four bit hexadecimal format.
"Well, what's that than" I hear you ask....
We people work with decimal numbers - 0,1,2,3,4,5,6,7,8,9. Computers work is "bits" or binary numbers - only 0 and 1. But to make it easier for us to read, the bits are represented by hexadecimal (16) numbers - 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. So:
Decimal = Binary = Hexadecimal
00 = 0000 = 0
01 = 0001 = 1
02 = 0010 = 2
03 = 0011 = 3
04 = 0100 = 4
05 = 0101 = 5
06 = 0110 = 6
07 = 0111 = 7
08 = 1000 = 8
09 = 1001 = 9
10 = 1010 = A
11 = 1011 = B
12 = 1100 = C
13 = 1101 = D
14 = 1110 = E
15 = 1111 = FSo, in our digital certificate each number/letter actually represents four bits. If you count them all up you'll find that there are 256 number/letters which is 1024 bits.
Further Reading:
My knowledge of this subject comes primarily from the wonderful book
The Code Book
The secret history of codes & code-breaking
by Simon Singh
Fourth Estate Limited
1999, 2000
ISBN 1-85702-889-9If you are interested in learning more, I would thoroughly recommend it.
I've also found this great website about How Encryption Works.
How to Trust the Cohn Family "Root CA":
You need to install the digital certificate of the Cohn Family Root Certification Authority into your computer. Follow these steps*:
*These instructions were taken from a computer running Windows 2000 Professional with Internet Explorer 6. The exact steps may vary with other versions of Windows and Internet Explorer.
Click on "Open".
Click on "Install Certificate...".
The "Certificate Import Wizard" begins. Click on "Next".
Select "Automatically select the certificate store based on the type of certificate" and click on "Next".
Click on "Finish".
Click on "Yes".
Click on "OK". Click on "OK" again (to close the certificate).
Finished. Your computer will now automatically trust any certificate issued by our "Root CA"
