All of the protected parts of our website now use 128-bit
encryption. This is the same level of encryption used by on-line shopping sites
and even banks! We've achieved this, with no cost, by establishing our own
"Root Certification Authority". That is basically a computer that issues
digital certificates for encrypting data. Unfortunately this "Root CA" is not
trusted by your computer yet, so that means you get that annoying security warning every
time you enter our website. To avoid the security warning you will need to tell your
computer to trust our "Root CA" (see the last section on this page).
There are many types of encryption. Normal
encryption uses a simple encryption key. The problem with that is that
the encryption key needs to be transmitted secretly so only the two people
communicating can read a message. The type of encryption explained below
is called RSA encryption, named for the three men who worked it out, Rivest,
Shamir and Adleman. This type of encryption allows the secret
transmission of data without having to first transmit a secret key.
However, it is quite heavy for your computer to calculate it so it is usually
only used to transmit a normal encryption key that is then used for the actual
transmission of data.
How RSA Encryption Works:
You have a "public key" that is known to
everyone and a "private key" that is known only to you. Everything that is
encrypted using this "public key" can ONLY be decrypted by using your
"private key". This means that if I encrypt some data using your "public
key", you will be the only person able to decrypt it, because only you have the
equivalent "private key".
It also works the other way around. Anything that you
encrypt using your "private key" can ONLY be decrypted using your "public
key" - therefore proving that the data (normally an e-mail in this case) came from
you and not from someone posing as you.
It is important to note that once data is encrypted
with one of these keys it CAN NOT be decrypted using the same key, but ONLY the other key
in that "public/private key pair".
When your computer makes a connection to our website
everything that you send to our server is encrypted using our public key. This is
exactly what happens when you send us your user name and password. In this way
everything you type in and click on can only be decrypted by our server.
BUT, I hear you say, what about the other way around? I
don't have a public/private key pair, do I?
Well, yes and no. You don't have a digital
certificate, but for encrypted connections your computer has created its own
public/private key pair. This key does not prove who you are, like a digital
certificate, so it is only used to establish encrypted connections to other computers.
Your computer then sends that public key to our server and everything our server sends to
your computer is encrypted using your computer's public key, so that only your computer
can decrypt it.
Just in case you're interested, the public key of our
server is below. You can see this for yourself if you click on the "View
Certificate" button on the security warning you receive when entering our site.
Of course we're not going to show you our private key!
To avoid the security warning you will need
to tell your computer to trust our "Root CA" (see the last section on this page).
The Technical Details of RSA Encryption:
This whole thing works by using prime numbers and a
special one-way mathematical function. Essentially all your computer does to create
the public/private key pair is to take two prime numbers and multiply them together.
p x q = N
11 x 17 = 187
in this case 11 and 17 ("p" and "q") are
used to calculate your private key while
187 ("N") and another number "e" become your public key. "e" can be any
Of course in real life the prime numbers
that are multiplied are "not trivial". But the fact remains that this
system can be cracked - simply by dividing "N" by prime numbers until you find
the correct pair of prime numbers. The only problem with this theory is
that it would take your desktop computer a few hundred thousand years to
achieve this with a 128 bit number.
Most digital certificates use much bigger
numbers. The digital certificate for our server is 1024 bits and they
can be as large as 16,384 bits. That may not seem like much but with
every extra bit on the number you double the possible number of numbers.
For 16,384 bits we're talking:
1.189731495357231765085759326628 x 10^4932
That's a VERY big number! Even 128 bits is:
3.4028236692093846346337460743177 x 10^38
Encrypting Your Message:
Because a mathematical function is used for
encryption, all the characters need to be turned into numbers. On
computers this is usually achieved by substituting the character for its ASCII
equivalent (e.g. X = 88).
In order to use these keys to encrypt data
a special one way mathematical function is used. This function uses circular
arithmetic such as we use on a clock. If you start at 0 and count around
the clock 50 hours you'll end up at 2, but if you only know the answer it is
impossible to get back to the original number. This is called a modular
function, where the "mod" is the number of hours on the clock face. For
example, the above calculation would be shown:
50 (mod 12) = 2
To encrypt a message to you your friend
would use the formula:
C = M^e (mod N)
C is the resulting encrypted number,
M is the number you want to encrypt,
e is one part of your public key, and
N is the product of the two prime numbers
that make your private key
Your friend is then ready to transmit the
encrypted number to you....
Decrypting the message:
In order to decrypt the number you need to
calculate your private key "d" according to the following formula:
e x d = 1 (mod (p - 1) x (q - 1))
Once that is done you can decrypt the
message using this formula:
M = C^d (mod N)
M is the decrypted number,
C is the encrypted number,
d is your private key, and
N is the product of the two prime numbers
that make your private key
And there you have it.... Your friend
has transmitted a number to you without having to transmit a secret key.
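The key generation, encryption and decryption steps above, worked through in Python with the page's own numbers (p = 11, q = 17, X = 88), followed by the "divide N by prime numbers" crack mentioned earlier so you can see why N has to be large. This is an added example, not part of the original page: e = 7 is an assumed value (the page does not give one) and the function names are made up for the illustration.

```python
# Toy RSA with the page's numbers. Not secure: real keys use very large
# primes plus padding. This only makes the arithmetic visible.
from math import gcd


def make_keypair(p, q, e):
    """Return ((e, N), (d, N)) built from the primes p and q."""
    n = p * q                                  # p x q = N
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p - 1) x (q - 1)")
    d = pow(e, -1, phi)                        # e x d = 1 (mod (p-1) x (q-1))
    return (e, n), (d, n)


def encrypt(m, public):
    """C = M^e (mod N). M must be smaller than N or it cannot be recovered."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("M must be in the range 0 .. N-1")
    return pow(m, e, n)


def decrypt(c, private):
    """M = C^d (mod N)."""
    d, n = private
    return pow(c, d, n)


def recover_private_key(public):
    """Factor N by trial division, then derive d exactly as the owner did.
    Instant for N = 187; hopeless once N has hundreds of digits."""
    e, n = public
    p = next(k for k in range(2, n) if n % k == 0)   # smallest prime factor
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n


# e = 7 is an assumed public exponent chosen for this example.
PUBLIC, PRIVATE = make_keypair(11, 17, 7)

if __name__ == "__main__":
    m = ord("X")                               # ASCII 88, as on the page
    c = encrypt(m, PUBLIC)
    print("public key (e, N):", PUBLIC, " private key (d, N):", PRIVATE)
    print("M =", m, "-> C =", c, "-> M =", decrypt(c, PRIVATE))
    print("d recovered from the public key alone:", recover_private_key(PUBLIC)[0])
```
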
The more astute of you may have noticed that the Public
Key in our server's digital certificate has letters in it also. This is because it
is in four bit hexadecimal format.
"Well, what's that then?" I hear you ask....
We people work with decimal numbers -
0,1,2,3,4,5,6,7,8,9. Computers work in "bits" or binary numbers - only 0 and 1.
But to make it easier for us to read, the bits are represented by hexadecimal (16) numbers
- 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F. So:
Decimal = Binary = Hexadecimal
00 = 0000 = 0
01 = 0001 = 1
02 = 0010 = 2
03 = 0011 = 3
04 = 0100 = 4
05 = 0101 = 5
06 = 0110 = 6
07 = 0111 = 7
08 = 1000 = 8
09 = 1001 = 9
10 = 1010 = A
11 = 1011 = B
12 = 1100 = C
13 = 1101 = D
14 = 1110 = E
15 = 1111 = F
So, in our digital certificate each number/letter
actually represents four bits. If you count them all up you'll find that there are
256 number/letters which is 1024 bits.
My knowledge of this subject comes
primarily from the wonderful book
The Code Book
The secret history of codes & code-breaking
by Simon Singh
Fourth Estate Limited
If you are interested in learning more, I
would thoroughly recommend it.
I've also found this great website about
How to Trust the Cohn Family
You need to install the digital certificate of the Cohn
Family Root Certification Authority into your computer. Follow these steps*:
*These instructions were taken from a computer
running Windows 2000 Professional with Internet Explorer 6. The exact steps may vary
with other versions of Windows and Internet Explorer.
1. Download the certificate by clicking this link.
2. Click on "Open".
3. Click on "Install Certificate...".
4. The "Certificate Import Wizard" begins. Click on "Next".
5. Select "Automatically select the certificate store based on the type of certificate" and click on "Next".
6. Click on "Finish".
7. Click on "Yes".
8. Click on "OK". Click on "OK" again (to close the certificate).
Finished. Your computer will now automatically trust
any certificate issued by our "Root CA".