Currently, public-key cryptography, available from numerous sites around the world, essentially places 'governmental strength' encryption capability in the hands of private individuals and organizations. Using complex algorithms (and the inherent difficulty in factoring extremely large numbers), freeware like P.G.P. (Pretty Good Privacy), once downloaded and installed, generates two keys for every user (Sue, for this example). The first is to be freely distributed, so that senders, whoever they may be, can encrypt messages they plan to send to Sue (this is her public key). This key can be attached to her own messages, posted on a trusted server, or copied to a potential correspondent's system. A second key, one kept undistributed and locked away in Sue's computer, decrypts incoming messages encoded with the public key. It is mathematically infeasible, even if a person were to have the public key, discover the plaintext of a message and see the encrypted ciphertext, to work backwards to the private key.
In this manner, a text can only be deciphered by obtaining control of the private key (through the system of the owner and the passwords put in place) or through 'brute force' cryptanalysis, that is, trying every possible combination of keys. Since a 4096-bit key is essentially a REALLY big number (hence the 4096 bits to represent it) which is then used by the coding algorithm to encrypt and 'hash' a message, this is a technical impossibility for a message enciphered at this strength. The reason encryption is so much easier to do with a set key than to 'un-do' by brute force can be demonstrated by the difficulty of factoring large numbers. While it is simple enough to generate a large number (multiplication on paper of any two randomly selected large numbers will get you an even larger, ostensibly random number), it is painfully difficult to work backwards from that 4096-digit N to arrive at the two specific factors which produced it; there are just far too many combinations of possible numbers to try. Nearly eighty years after many mathematicians first began to examine the factoring problem for an algorithm that might serve as a short-cut, the consensus is that it will continue to be an 'intractable' problem for the foreseeable future, which is why it is in essence the theoretical backbone of many cryptosystems.
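
The asymmetry described above, as an added example (not code from the original writeup or from PGP): textbook RSA on small constructed primes, where building a key pair takes one multiplication but recovering the private key from the public one means factoring the modulus. The function names and sample primes are assumptions chosen for illustration, and trial division stands in for brute force.

```python
# Added illustration: textbook RSA on toy primes. Not PGP's code and not secure
# (no padding, tiny keys); it only contrasts the forward and backward work.
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Forward direction: one multiplication plus one modular inverse."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)*(q-1)")
    return (n, e), (n, pow(e, -1, phi))   # (public key, private key)

def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def factor_by_trial_division(n):
    """Backward direction: returns (p, q, divisions_tried) for odd n = p*q."""
    tried = 0
    for cand in range(3, isqrt(n) + 1, 2):
        tried += 1
        if n % cand == 0:
            return cand, n // cand, tried
    raise ValueError("no odd factor found; n is prime or even")

def recover_private_key(public):
    """With only the public key, the private exponent needs p and q first."""
    n, e = public
    p, q, tried = factor_by_trial_division(n)
    return make_keypair(p, q, e)[1], tried

# Constructed sample primes (assumed values for the demo, far below real sizes).
SMALL = (1009, 1013)             # 20-bit modulus
LARGER = (1299709, 15485863)     # 45-bit modulus

def demo(p, q, message=42):
    public, private = make_keypair(p, q)
    recovered, tried = recover_private_key(public)
    return decrypt(recovered, encrypt(public, message)), tried, recovered == private

if __name__ == "__main__":
    for p, q in (SMALL, LARGER):
        print(p * q, "->", demo(p, q))
```

Going from the 20-bit to the 45-bit modulus raises the search from 504 to 649,854 trial divisions, while key generation remains a single multiplication in both cases.
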
Computer scientists and cryptologists estimate that there is insufficient computing power on the planet, for the foreseeable future, to 'brute force' unlock a 4096-bit private key in this way before the Sun burns out. The term 'pretty good protection' coined by the software's designer Philip Zimmermann is a healthy bit of understatement on his part, and the security it offers is almost absurdly over-powered for most people's concerns or needs. Again, however, it should be noted that while the current 56-bit Data Encryption Standard is viewed as 'weak' and a 4096-bit P.G.P. key is seen as ludicrously strong, there is no hard middle ground. As Matt Blaze, a well-known commercial cryptologist, says, "it has been difficult to find a 'magic' key length that once satisfies the security needs of individual interests and the wiretapping needs of government, because no such key can exist. The threat models used by private interests and government are completely different."
Update: Vitally important quibble, should you be discussing this issue with people in the know: gn0sis says "the 56 bits of DES and 4096 of RSA are not comparable, since DES is symmetric and RSA isn't. Nonsymmetric keys have to be a lot longer to be safe."
Also, ariels adds: PGP uses symmetric key cryptography, or symmetric cipher, for encryption. The public key aspect is quite separate and solves the key distribution problem, which is quite different from encryption.