In the increasingly sophisticated war between computer boffins and computer hackers, the boffins scored an important victory last week. International Business Machines announced a fancy new system for protecting computer data that is virtually impossible to crack.
The breakthrough could be a big step forward in the security of sensitive information transmitted over the Internet. It could ensure, for instance, that credit card numbers and electronic mail reach their intended recipients, and nobody else.
That is no small advance. Finding better ways to protect data from hackers is critical to the future of electronic commerce. - perhaps the discovery of thousands of credit card numbers or passwords - would deal a severe setback to the thousands of businesses pioneering electronic sales, not to mention their computer and software suppliers.
- so-called extranets - for the same security reasons.
Hence the significance of last week's breakthrough. The new cryptosystem, developed by a mathematician at IBM's research labs in Zurich and a collaborator at the Swiss Federal Institute of Technology, aims specifically at protecting Internet transactions. So what is the problem and how does the solution work?
Internet transactions are typically protected by "public key" systems that scramble data sent by an Internet user using a publicly available formula. Only the legitimate recipient holds the private key that can decode the message.
This is the inverse of the systems found in hotels that provide guests with private door keys and staff with a master key.
To crack encrypted data, hackers may try a "brute force" attack. Powerful computers are used to generate millions of possible keys and trying each one of them until the right one is found. Depending upon the type of encryption and the power of the hacker's computer, it might take days, months or even years to break.
This is analogous to a would-be safe-cracker trying out millions of possible combinations. The chances are high that he will be caught long before he opens the safe. Computers rely on defeating the brute-force hacker in the act in exactly the same way.
But there is a more sophisticated strategy, which involves bombarding a computer with cleverly constructed messages and carefully analysing the responses for clues to what the private encryption key might be. This approach bypasses the primary defences of encryption.
Going back to our safe-cracker, instead of randomly trying combinations, he is now turning the dials and listening for the tell-tale sounds of locks moving - a far more promising approach To thwart this clever hacker, IBM's Swiss researchers invented a way to ensure that a computer leaks no information about its encryption system, in effect silencing the locks.
But even as the boffins appear to have slammed one door shut, hackers have opened another. Even more worryingly, they have done so in a system supposedly so secure that it has been chosen by government agencies and security-sensitive businesses such as defence contractors.
These are the so-called "private key" encryption systems in which both the sender and receiver have the secret key.
The problem is that this system - the US government Data Encryption Standard (DES), in use since the 1970s - has been around too long. Hackers have finally worked it out. Not surprisingly, the US government wants a new super-system. It is therefore challenging allcomers to create an "Advanced Encryption Standard". Fifteen finalists, who will be whittled down over two years, were chosen two weeks ago.
