Online edition of India's National Newspaper
Thursday, November 02, 2000

Net security? Read Kamasutra!

The world's 'toughest' unbreakable code, created by a U.K.-Indian expert, was cracked last month, only days before the biggest hacking effort ever breached Microsoft's defences. Anand Parthasarathy explores the security options for an Internet environment under increasing attack.

A SECRET CODE, said to be the toughest public challenge ever, set by a UK-based Indian expert, was cracked last month by a team of Swedish programmers. Dr. Simon Singh, author of a popular book on cryptography entitled The Code Book, which reviews the long history of secret codes and ciphers, included a challenge to readers: a set of ten encrypted puzzles using the best of current and classical computer techniques. His publishers offered a prize of 10,000 pounds sterling (Rs. 7 lakhs) to the first reader to crack the code.

Almost a year after the book was published in October 1999 - and became a global bestseller in hard cover and paperback - a group of Swedish computer buffs submitted their solution, which author Singh (a Ph.D. in Particle Physics from Cambridge University whose parents hail from Punjab and settled in the U.K. in 1950) declared the winner.

The challenge included cipher techniques dating back to ancient Greece and India - and the famous "Enigma" code that the Germans used in World War II, featured in the recent Hollywood movie "U-571" - as well as the latest methods used to provide secrecy for Net transactions. "It is the toughest code that has been ever cracked!", Dr. Singh conceded, when he handed over the prize cheque to the Swedish fivesome on October 12.

Last week, the Swedes - Fredrik Almgren, Gunnar Andersson, Torbjorn Granlund, Lars Ivansson and Staffan Ulfberg - published their methodology and solution on the Internet (at http://codebook.org/codebook-solution.html) and included details about the toughest part - the final hurdle, which involved a 512-bit code (in comparison, a 128-bit code is considered adequate for most e-biz applications).

Dr. Singh, who served earlier as producer-director for the BBC TV science programmes "Horizon" and "Tomorrow's World", has now converted his book into a five-part TV documentary currently airing on Britain's Channel 4. He has his own website, www.simonsingh.com, where details of both book and serial can be found. The TV version of "The Code Book", entitled "The Science of Secrecy", was published last fortnight.

The Kamasutra connection

In his researches into classic coding techniques, Dr. Singh discovered that the Indian classic, Kamasutra, includes one of the earliest techniques for rendering messages unreadable - using the "substitution" method that remained a standard technique well into the 20th century. If an alphabet of 26 letters is substituted with other letters, says Singh, the chance of deciphering all the letters is one in 400 million billion billion - or virtually impossible. The technique was safe enough for a man in Vatsyayana's time to communicate with his paramour - without her spouse tumbling to the liaison. And for decades the substitution cryptogram remained an uncrackable code - until technology caught up. Today computers routinely use the frequency analysis of individual letters to crack most such codes (in English, the letter E is the most frequently used).
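The weakness described above, as an added example that is not part of the original article: a substitution key is one of 26! possible arrangements, yet it only relabels the letters, so the ciphertext keeps the plaintext's frequency profile and the most common cipher letter gives away "e". The sample text, the seed and all function names are constructed for illustration.

```python
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
# Typical English letter order, most to least frequent (approximate).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"

# Constructed sample plaintext (not from the article).
PLAINTEXT = (
    "the secret message was never meant to be seen by the wrong eyes, "
    "yet every letter she sent kept the same hidden shape beneath the "
    "scrambled text, and the reader needed nothing more than patience"
)

def keyspace_size():
    """Number of ways to rearrange a 26-letter alphabet: 26!."""
    return math.factorial(len(ALPHABET))

def make_key(seed):
    """Build a substitution key (plain letter -> cipher letter) from a seed."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))

def encrypt(text, key):
    """Substitute every letter; spaces and punctuation pass through."""
    return "".join(key.get(ch, ch) for ch in text.lower())

def histogram_shape(text):
    """Letter counts sorted high to low, ignoring which letter is which."""
    counts = Counter(ch for ch in text if ch in ALPHABET)
    return sorted(counts.values(), reverse=True)

def first_guess(ciphertext):
    """Map cipher letters to plain letters by matching frequency ranks."""
    counts = Counter(ch for ch in ciphertext if ch in ALPHABET)
    ranked = [letter for letter, _ in counts.most_common()]
    return dict(zip(ranked, ENGLISH_ORDER))

if __name__ == "__main__":
    key = make_key(seed=2000)
    ciphertext = encrypt(PLAINTEXT, key)
    guess = first_guess(ciphertext)
    print(f"possible keys: {keyspace_size():.2e}")
    print("cipher letter for 'e':", key["e"], "guessed as:", guess[key["e"]])
```

On a text this short only the top-ranked letters line up reliably; the rank matching is a first guess that is then refined by hand or by scoring candidate decryptions.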

Dr. Singh was asked by the (London) Daily Telegraph newspaper to set a classical puzzle and last month he created one based on the Kamasutra model. Nearly 5000 readers cracked the code within days. The author, who earlier wrote another popular book on "Fermat's Last Theorem", admits that his challenge involved the sort of techniques used for Internet security today, but does not feel that Net secrecy is under threat. After all, it took five persons a year and the equivalent of 70 years of computer time on a Compaq machine to solve it, using a special "sieving" approach they designed, he says. A thief trying to break a credit card number will not find it worth his while.

However, there is bound to be renewed anxiety among major companies whose Net transactions may run into millions of dollars, that diligent hackers could do what the Swedes did - if the stakes are sufficiently high. And such anxieties were further fuelled last week when a hacker penetrated the firewall of Microsoft's internal network with a "Trojan Horse" type virus, and then obtained access to sensitive source codes of upcoming products. The virus, known as QAZ, originated from China about three months back and appears as a Windows Notepad extension. Once downloaded into a system (as a harmless looking email attachment), the virus looks for "notepad.exe" strings and captures them, renaming them as "note.com". It then sends a notification to the hacker with the Internet Protocol (IP) address of the affected computer.

At this point the hacker can gain control over the target computer and roam over its files at will. This is what happened in the Microsoft case and, from the email address, it appears that the hack originated in Russia. Symantec, makers of the Norton Anti Virus product, as well as competitors like Trend Micro and McAfee, have identified and listed QAZ since September - yet it got past the defences of a company that is otherwise paranoid about security. The Swedish programmers who cracked Simon Singh's code may think of themselves as the good guys - or "crackers" as opposed to baddies like "hackers". But the distinction is becoming increasingly superfluous. The world's most notorious cyber criminal, Kevin Mitnick, who misused the Internet to crack some of the most secure computer systems of the world, and stole commercial secrets from companies like Motorola, Nokia, Sun, Fujitsu and NEC over a 15 year period, was finally captured in 1995, and spent five years in prison. His pursuit and capture is now the subject of a feature film, "Takedown", being produced by Miramax/Disney and based on a book of the same name by Tsutomu Shimomura, the computer whizz kid who cornered Mitnick, and John Markoff, a journalist.

'Cracker' or 'hacker'?

It takes a thief to catch a thief. Since his release in March this year, Mitnick is much sought after by government agencies and private corporations anxious to learn how to keep their networks safe. Last month he delivered a keynote at an E-business conference in Los Angeles, boasting, "I was on the other side of the fence; I have a unique perspective". In the bizarre world of the New Economy, prized crackers are former hackers and heroes were once certified heels.

This is also probably the reason why the annual conference of hackers, Def Con, attracts quite a large crowd of legitimate net security experts. The origin of last week's Microsoft hacking somewhere in Russia underlines the fact that Europe is emerging as a major "graduation school" for hackers.

A high proportion of intelligent youth who face unemployment - and are thus drawn into the murky world of computer crime - is offered as one possible explanation. And the interest in hacking - legit or otherwise - is so strong that last month a special European avatar of the Def Con was held in Amsterdam.

A U.S. government expert speaking at a National Information Systems Security Conference in Baltimore on October 17 characterised Internet security as "a tremendous catch up game" - one has to keep one step ahead of the hackers.

Nowhere is this more apparent than in the burgeoning niche of e-commerce. Only 12 nations - the latest is India - have passed legislation to provide a legal framework for Internet-based business. GSR 788(E), the historic gazette notification which gave us what The Times of India called a "silicon sarkar", includes provisions crucial to e-biz - like the recognition of "digital signatures". An authority called National Controller for Certifying Authorities has been named. He will be the licensing authority for agencies which will be licensed to validate digital signatures - a digital guarantee that a document, usually a financial instrument, is authentic. The "signature" is in fact an encrypted text, which the recipient decrypts and reconstructs. To verify that it indeed came from the person claiming to send it requires a certificate issued by a third party - the certification authority. Documents electronically signed get to the destination faster - you don't need to send paper copies by courier, and in the end, this is a vastly more efficient way of doing business. Companies like Verisign (who came to India a decade ago) were quick to establish a niche and today the agency has a global reputation in the authentication business. An agency like Verisign has to pay the Indian controlling agency Rs. 1 lakh for obtaining a licence. But to the end user, the cost of acquiring a digital signature is around $15 (Rs 650).

Encryption approaches

Conventionally there are two approaches to sending encrypted messages on the Net. The traditional method, called Digital Encryption Standard (DES), employs a secret key available to both sender and receiver. The only hassle is that this secret key or code must first be securely sent to the recipient.

The second method is called Public Key Encryption, also known as RSA after the authors Rivest, Shamir and Adleman. Each recipient has his own private key that is known only to him, as well as a public key known to all. The sender uses the recipient's public code to encrypt the message. The recipient uses his private key to unlock the message.

The private keys are never in transit and so are safe. For an elegant introduction to these techniques see the entry under "cryptography" in the Computer Desk Encyclopedia, which can be found at the website: www.techweb.com/encyclopedia.
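The public-key exchange and the digital signature described above, as an added example that is not part of the original article: textbook RSA on a constructed toy key, showing encryption with the public key, decryption and signing with the private key, and why key size matters, since anyone who can factor the public modulus can rebuild the private key. Hashing the message before signing, the unpadded arithmetic and all names are assumptions made for illustration; real systems add padding and use far larger primes.

```python
import hashlib

# Constructed toy key: two small Mersenne primes. Real RSA primes are far larger.
P, Q = 2**17 - 1, 2**19 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never sent anywhere

def encrypt(m, e=E, n=N):
    """Sender: encrypt integer m (< n) with the recipient's public key."""
    return pow(m, e, n)

def decrypt(c, d=D, n=N):
    """Recipient: unlock the message with the private key."""
    return pow(c, d, n)

def digest(message, n=N):
    """SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, d=D, n=N):
    """Signer: transform the digest with the private key."""
    return pow(digest(message, n), d, n)

def verify(message, signature, e=E, n=N):
    """Anyone: undo the signature with the public key and compare digests."""
    return pow(signature, e, n) == digest(message, n)

def recover_private_key(n, e):
    """Why size matters: factor a small n by trial division and rebuild d."""
    f = 3
    while n % f:
        f += 2
    return pow(e, -1, (f - 1) * (n // f - 1))

if __name__ == "__main__":
    order = b"constructed sample: pay Rs 650"
    sig = sign(order)
    print("decrypts correctly:", decrypt(encrypt(20001102)) == 20001102)
    print("signature valid:", verify(order, sig))
    print("tampered copy valid:", verify(order + b"0", sig))
    print("private key rebuilt from public key:", recover_private_key(N, E) == D)
```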

The Indian IT Rules of 2000 specify that the cryptography algorithms used to generate digital signatures must conform to the IEEE standard on public key encryption. But some industry bodies are already lobbying for a more "technologically neutral" approach which will not rule out new developments that take note of languages like Wireless Markup Language (WML) to create slimmer certification modes for use with mobile devices.

These are minor blips that will soon be smoothed as India steps into the new era of Net-based business practices. More important is the awareness that the Brave New World of digital dealings is full of promise - and danger.

A US firm, WearLogic, has just launched the world's first "Smart Wallet", a leather purse that you can plug into the Internet, with its own display and memory, that you can twist, crush or fold as you would a normal wallet. You can use it to store all the numbers you need to remember - credit cards, personal ID, telephone numbers. You can download e-money or make payments via the Net.

But just in case a cyber thief is lurking somewhere out there, it is wise to stock the wallet in the old fashioned way - with a few crisp currency notes!

Copyrights © 2000 The Hindu
