
                    *************************************
                    *                                   *
                    *          DB/C Newsletter          *
                    *           December 1995           *
                    *                                   *
                    *************************************

                               Editor's Notes

     If you are reading this newsletter through the WWW server at www.swc.com,
you may be unaware that you can receive each DB/C Newsletter via email.  To
have future issues emailed directly to you, you can subscribe by sending
a message to 'majordomo@swc.com' and in the body of the email message put
this line 'subscribe dbcnews' (in both cases omit the ' characters).

     While you are surfing the web, check out the following interesting WWW
sites.  For those of you who are interested in computer graphics, or if you
happen to be younger than 10 years of age, surf on over to the WWW site for
the movie 'Toy Story'.  The address is http://www.toystory.com.  Another site
that can give you a good feeling for the size and scope of the Internet is
the DejaNews Research Service site.  The address is http://dejanews.com.
DejaNews is a database of USENET postings of the last 6 months.  DejaNews
allows you to search the database using any word or word combination.  The
result is a list of USENET messages that meet or come close to the word
combination you specified.  A click on the list brings up the actual USENET
posting.

     The issue of privacy (or the lack thereof) is highlighted by the
DejaNews service.  I have seen the term 'data mining' used recently to
describe what some software does to accumulate information about people,
places and things.  With access to databases like DejaNews, a 'data miner'
could figure out your hobbies, your business interests, your politics -
in fact, just about everything about your life.  And worse, if someone
decided to impersonate you - major harm to your reputation or finances
could occur.

     As usual, problems created by technology can be solved by technology.
Encryption software can be used to keep private communications really private.
And authentication software can be used to make sure that the person at
the other end of a cyberspace email message or business transaction is really
who you think it is.  Many people have little understanding of the issues and
capabilities of today's encryption software.  Hopefully, the article in this
month's newsletter will help to introduce you to the terminology and the
capabilities of today's software systems.

     There is a political aspect to privacy issue that I will mention here.
Since World War II, the US government has forbidden the export of software
or other devices that implement strong encryption.  This has caused software
vendors to create two versions of their products - one for use inside the US
and another for export.  Netscape Navigator and Lotus Notes are two examples
of software products that have a US only version with strong encryption and
an exportable version with weak encryption.  It is perfectly legal (at least
as far as US laws are concerned) for a person or company to create software
containing strong encryption outside of the US and ship it back into the US.
But that software can't then be taken back out of the US.  In my opinion, the
prohibition of export of strong encryption software needs to be removed so
that people and businesses can be free to send private communications on
public data networks without fear that their data might be compromised or
publicized.

     For those who are waiting for the release of DB/C 9, we appreciate your
patience.  Details of the final release of DB/C 9 will be published in our
January 1996 DB/C Newsletter.

     Happy holidays!

                                                           don.wills@swc.com


                         Encryption and Authentication

     Encryption and authentication are usually discussed together.  They are
similar in some technical aspects, but each provides a very different service.

     Encryption is the process of converting a message or data into a form
that is not understandable by others.  Decryption is the process of converting
an encrypted message or encrypted data back to the original message or data.

     Authentication is the process of adding an unforgeable signature to
a message or data.  This provides the receiver with an assurance that the
message or data is authentic.  Authentication can also provide the receiver
with the assurance that a message has not been altered during transmission.

     Encryption and authentication can be used separately or together.  When
used together, the sender of a message can be assured that the content is
secure and the receiver of a message can be assured that the message is
authentic.

     There are many algorithms used for encryption and authentication.  Most
algorithms are based either on private keys or on public keys.  A private key
system is one in which both the sender and the receiver need to protect their
keys from being found out.  This method is inconvenient unless the parties
can physically communicate keys without fear of their being compromised.

     Public key algorithms solve the problems of key distribution and key
management.  They work like this:  A person who wants to receive messages
(the receiver) generates two keys - the encryption key and the decryption
key.  The receiver then sends the encryption key to all parties who want
to send messages (senders) to the receiver.  When a sender wants to send a
message, he uses the encryption key to convert the message into an encrypted
message.  This message is then sent to the receiver who uses the decryption
key to decode the message.  In public key systems, there is no need for
private communication of keys - the only key that needs to be safeguarded
is the receiver's key - and he was the person who created it - so it never
needs to move.

     Authentication uses a similar approach, except that the sender, not the
receiver, creates the encryption and decryption keys.  When a sender wants
to send a message, he uses the encryption key to convert the message before
transmission.  The sender sends the message to the receiver.  The receiver
then uses the decryption key to prove that the message came from the person
who owns the encryption key that matches.  The algorithm works in such a way
that the only person who could have created the message was someone who knew
the encryption key - which in this case was the sender.  Again, there is no
need for private communication of keys - the only key that needs to be
safeguarded is the sender's key - and he was the person who created it.

     It gets complicated, but both methods can be employed simultaneously.
When used together, public key encryption and authentication systems can
guarantee that a message came from a specific sender, that it was not altered
during transmission, and that the message was secure from anybody else finding
out its content.

     The oldest and most widely used encryption method using a private key
algorithm is called the Data Encryption Standard (DES).  The DES was adopted
as official FIPS and ANSI standards in the late 1970's.  (ISO is not involved
in the standardization of cryptography.)  In DES, the same key is used for
both encryption and decryption.  One of the limitations of DES is that the
secrecy of a message can be compromised if the key is too small.  Most DES
systems in use today use a key that is 56 bits long.  Without knowing the key,
very fast computer systems can decipher a message that is encrypted with DES
using a 56 bit key.  Key lengths longer than 56 bits are not generally used
because export from the US of DES encryption software using longer key lengths
is prohibited by US law (see above).

     The most widely used public key encryption systems are based on an
algorithm called the RSA algorithm.  The RSA algorithm, named for its
inventors Ron Rivest, Adi Shamir and Leonard Adleman, was introduced in 1978.
The RSA algorithm's security is based on the assumption that it is a very hard
problem to factor very large numbers (e.g. numbers with 200 digits) that have
only two prime factors (each factor is a number with 100 digits).  In this
context, the term 'a very hard problem' means that such a number could only be
factored by a network of one million of the fastest computers available today
working continuously for 4000 years.  Thus, using today's technology, the RSA
algorithm is practically unbreakable.

     Unfortunately, the RSA algorithm is anywhere from 100 to 1000 times
slower than DES.  Because of the slowness of RSA, many products (such as
Netscape Navigator and others) use a combination of RSA and other algorithms.
These encryption systems work by sending DES keys encrypted with RSA and then
sending the actual messages encrypted with DES.

     For those who are interested in finding out more about this subject,
I highly recommend the book 'Applied Cryptography' by Bruce Schneier.  It
is the authoritative reference for encryption and authentication.


                             DB/C Class Schedule

     The next DB/C class will be held the week of February 5, 1996.  Exact
time and location will be announced in the January 1996 DB/C Newsletter.