# The Internet is Simple, Part Three

You will probably want to read Part One and Part Two of this series before continuing…

We’ve talked about asymmetric and symmetric encryption keys here but without really going into them. Encryption is a way of scrambling data so that it is unreadable, unless you have the key to turn it back into the original message. If Alice has something she wants to keep secret (or Victoria, for that matter), she can get a box with a lock. She can lock the box with the key, and if she wants to let Bob into her box, she can give him a copy of the key. In a nutshell, the same (symmetric) key locks and unlocks the box, and the key can be copied and given to other people, should Alice want to let Charlie and Dave into her box, too. Filth!

Asymmetric keys are a bit special. Imagine Alice has a box with a clever lock that has 3 settings – A, B and C. In positions A and C the box is locked and no one can get into Alice’s box. Only when the lock is in position B can the box be opened.

There are two keys for this clever lock: one will turn the lock from A to B to C, and the other will turn it from C to B to A. Alice picks the key that will turn the lock “forwards” (from A to B to C) and this is called the private key because only Alice has it. The second key is called the public key, and Alice can make copies for Bob, Charlie, and anyone else if she’s feeling especially accommodating. She’ll even give it out to people she’s only just met! The public key can only turn the lock “backwards” – from C to B to A.

So, when Bob wants to put something into Alice’s box, he takes the unlocked (lock set to position B) box, and uses the public key he got from Alice to turn the lock to A. The only person who can turn the lock back to position B and open the box is Alice, using her “forwards” private key to turn the lock from A to B.

Alice can do one more thing with her special box. If she uses her private key to lock the box from B to C, anyone who has her public (“backwards”) key can use this key to unlock this box. The only person who can lock the box from B to C is Alice with her private (“forwards”) key, so Bob knows that only Alice can have locked the box. This is called a digital signature – it’s a way of authenticating that the contents of the box were put there by the person you were expecting.

Encryption keys in the online world are basically very long numbers – see Old Trout’s previous articles on GP for this. The idea is that you don’t need to exchange the secret, private keys that someone else can intercept and then use to peek at your conversations. Only the public key is ever shared; it is enough to lock the box. Only people with the private key (which is never shared) can unlock the box. This public / private key pairing is used to generate a short-lived encryption key for the duration of your https connection, and the entire conversation is encrypted with this. When your conversation is over, the key should be thrown away.
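For those who like to see the numbers, here is Alice’s box as a toy in Python: Bob locking something for Alice, Alice signing, and a short-lived key for one conversation. This is an added example, not code from the original article; the key is tiny, the function names are made up for illustration, and the scrambling step is a stand-in for a real cipher.

```python
import hashlib
import secrets

# Constructed toy key pair from two well-known Mersenne primes. Real keys are
# far longer and are used with padding schemes; this only shows the principle.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                           # part of both keys
E = 65537                           # public ("backwards") key
D = pow(E, -1, (P - 1) * (Q - 1))   # private ("forwards") key, never shared
KEY_BYTES = (N.bit_length() + 7) // 8

def lock_for_alice(number):
    """Bob: anyone holding the public key can lock the box (B to A)."""
    return pow(number, E, N)

def alice_unlock(locked):
    """Alice: only the private key opens it again (A to B)."""
    return pow(locked, D, N)

def digest(message):
    """Boil a message down to a fingerprint number smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def alice_sign(message):
    """Alice: lock the fingerprint with the private key (B to C)."""
    return pow(digest(message), D, N)

def anyone_verify(message, signature):
    """Anyone: the public key undoes Alice's lock (C to B) for comparison."""
    return pow(signature, E, N) == digest(message)

def scramble(key, data):
    """Toy symmetric cipher: the same key scrambles and unscrambles."""
    stream = hashlib.shake_256(key.to_bytes(KEY_BYTES, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def send_to_alice(message):
    """Bob: make a short-lived key, lock it for Alice, encrypt with it."""
    session_key = secrets.randbelow(N - 2) + 2
    return lock_for_alice(session_key), scramble(session_key, message)

def alice_receive(locked_key, ciphertext):
    """Alice: unlock the short-lived key, then unscramble the message."""
    return scramble(alice_unlock(locked_key), ciphertext)
```

Every call to `send_to_alice` picks a fresh key, so two conversations never share one, and nothing in Bob’s half ever touches `D`.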

Whilst the encryption itself is pretty hard to crack, it is not mathematically impossible. Sufficiently motivated people with enough time can run enough iterations of the numbers in your keys to stumble upon the key. This is known as brute forcing the key. For a single key, it would take the most powerful computer several years to chew through the numbers and find your key. This of course is if those that created the encryption mechanism themselves did not make a mistake, or worse, were forced to leave a back door in to circumvent the key. The problem here is that if there is a back door to break the cypher, anyone could potentially find it.

There is also the possibility that the owner of the secret key may be compelled to give it up to a third party. This is what happened to Lavabit. It is also what the government is targeting when they talk of WhatsApp and other encrypted messaging systems – they want to be able to use the secret key to read your messages, or for the messaging provider to log the message content for them to peruse. The minute that secret keys are disclosed on a regular basis, the platform is no longer viable – who would trust a banking application whose transactions the council can, on a whim, start looking through?

The first real protection offered by public / private key pairings was PGP – Pretty Good Privacy. The guy that wrote it was subjected to a number of travails for his pains.

Unfortunately various parties want to have a look at our conversations, for reasons of crime, intellectual property protection or “security”. There are a number of things about your conversations on the internet that these people are interested in.