Thursday, January 10, 2008

How Secure is Secure?

I recently saw a television news spot where a reporter got his own car key, and found several other cars in a shopping center parking lot (he had the mall security there with him) of the same make. After a few tries, he found that his car key actually opened another owner’s car.

How could this be? With all the millions of cars out there, how easy is it, really, to make that many unique keys?

And what about the internet? How do we make sure that our transactions and logins are truly secure? It’s often difficult to comprehend just how to make things secure, and to understand just how secure things may or may not be. For me, understanding a little bit about the math of encryption and encoding can help me feel more secure.

When you try to unlock a combination, whether you’re unlocking your bike, logging in to PayPal, or sending a credit card purchase over the web, how hard it is for someone to crack that encoding depends on how many possible key solutions there are.

For example: Let’s say, I’m at my locker in high school, and I’m dialing the combination on the door. Let’s say that I have to dial three numbers in a row, and that there are ten numbers I can choose from. That means that there are 1000 different number combinations I can dial.

How do I figure that out? Take the number of choices you have (in this case – 10 different numbers you can select each dial) and raise that to the power of the number of times you have to choose an item (How many numbers in a row I have to dial – in this case: 3). 10^3 = 1000 different possible combinations to dial up on that locker.

The idea is that it’s not very likely that someone would be willing to stand there and risk detection while they try and dial up to 1000 different combinations. The locker is effectively secure.

Look at a briefcase. Let’s say that it has five dials of numbers 0-9 on its lock. How many possible combinations are there? 10^5 = 100,000 possible combinations. See how just adding a couple of dials dramatically improved the security of the lock?

Now, let’s go virtual.

We’ve been talking about dials with ten choices on each one, but in the computer world, we have to talk in “bits”. Bits show only two choices, a 1 or a 0. So, the possibilities should be much lower, right? Security should be much harder, right?

Let’s look and see.

If we were to run a three-bit lock, we would have three “dials” with only two choices on each one. That would be shown mathematically as 2^3 = 8 possible combinations. Not much, huh? But the cool thing is that computers have much larger capacity than the mechanical dials on a locker or a briefcase. Let’s keep digging.

What about an 8 bit lock? 2^8 = 256 possible combinations.

Let’s look at a 16 bit lock (bits tend to double in computers)… 2^16 = 65,536 possible combinations. Now, we’re getting somewhere!

A 32 bit lock would be: 2^32 = 4,294,967,296 possible combinations. That’s over 4.25 billion possibilities. That’s BILLION, with a “B”. To give some perspective, the total estimated population of the earth, as of Jan of ’08, is about 6.5 billion.

The cool thing is that we passed 32 bit encryption years ago. How big is it now? 128 bit. This is where it starts to boggle the mind. The formula looks like this: 2^128 = 3.4 x 10^38. That’s “Scientific Notation” for: 340,000,000,000,000,000,000,000,000,000,000,000,000. That’s how many possible combinations there are that a hacking computer would have to crack in order to break the code keys and access secured information.

The distance from the earth to the sun in inches is only 5,892,480,000,000. I mean… come on!
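
To put those counts in terms of time, here is an added Python example (not part of the original post) that computes each lock's keyspace and how long trying every combination would take, in the worst case and on average. The guess rates are assumptions: one try every five seconds by hand for the dial locks, and one billion tries per second for a computer.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600

# (label, choices per position, positions, guesses per second).
# Keyspace sizes come from the post; the guess rates are assumptions.
LOCKS = [
    ("3-dial locker", 10, 3, Fraction(1, 5)),     # by hand, one try per 5 s
    ("5-dial briefcase", 10, 5, Fraction(1, 5)),
    ("32-bit key", 2, 32, 10**9),                 # computer, 1e9 tries per s
    ("128-bit key", 2, 128, 10**9),
]

def keyspace(choices, positions):
    """Number of distinct combinations: choices raised to positions."""
    return choices ** positions

def time_to_search(choices, positions, guesses_per_second):
    """Return (worst-case, average) seconds to find one unknown key.

    Worst case tries every combination; the average over a uniformly
    random key, guessing without repeats, is (N + 1) / 2 tries.
    """
    space = keyspace(choices, positions)
    rate = Fraction(guesses_per_second)
    return space / rate, Fraction(space + 1, 2) / rate

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{float(seconds / size):.3g} {name}"
    return f"{float(seconds):.3g} seconds"

def report(locks=LOCKS):
    """One row per lock: (label, keyspace, worst-case time, average time)."""
    rows = []
    for label, choices, positions, rate in locks:
        worst, average = time_to_search(choices, positions, rate)
        rows.append((label, keyspace(choices, positions),
                     humanize(worst), humanize(average)))
    return rows

if __name__ == "__main__":
    for label, space, worst, average in report():
        print(f"{label:17} {space:>12.3g} keys  worst {worst:>14}  average {average}")
```

At the assumed computer rate the 32 bit keyspace is exhausted in about four seconds, while the 128 bit keyspace takes on the order of 10^22 years.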

Now, granted, there are other ways of gaining access. Thieves can steal your password through a phishing scam, for example. Or they can copy your credit card number that you might have carelessly left visible. But breaking the codes is very very difficult.

I feel safer, now!

Mark is the co-director of, the search marketing consulting arm of Clickincome ( Mark also has other sites and blogs, including and his MoBoy blog.
