Is There Safety in Numbers?
By Amit Asaravala
Whereas privacy is an abstract concept, its concrete side is security. The former follows from the latter, provided that everything is correctly implemented. Unfortunately for many consumers, e-businesses often are overwhelmed by the hype over which security method is best, so they just don't choose one. And crackers continue to break security packages, endangering customer privacy even at businesses that do have security systems in place.
The RSA algorithm used in most Web software packages requiring encryption is based on the following equation: C = Me mod N. C is the resulting encrypted text, M is the original message, N is the product of some prime numbers p and q, and e is a number that's relatively prime to the product of p-1 and q-1. (See the comp.security.pgp FAQ for further explanation.)
Most of the current discussion about encryption—and how to break it—is focused on the p's and q's. Software programs first pick two very large prime numbers, p and q, and from these numbers they calculate e and N for use in the equation. You can encrypt messages to a business partner if your software knows his or her public key, which is made up of e and N. To decrypt the message, your partner's software uses a slightly different equation and his or her private key, which consists of d and N. In this equation, d is also based on the p and q primes.
The idea is that public keys are exactly that: public. Anyone should be able to obtain e and N to send you an encrypted message. But then, why can't a cracker unravel e and N to find out what p and q are, and ultimately calculate the decrypting d value?
The answer is that there's no known way to easily factor a large number.
