Related Sites

Security Information

The statements on this page apply to our Online Services (Electronic Reporting and Online Requests) only; not to sending e-mail. Go to our contact us page for further explanation about sending e-mail.

The information that is sent between your computer and our server is encrypted. We are using 128 bit encryption for Netscape Communicator 4.0 and Internet Explorer 4.0 and above. If you are running an older browser version, you may want to download a newer version from Netscape or Microsoft.

Understanding Encryption

Information going from one computer to another passes through numerous other computers before it reaches its destination. This information is not normally monitored, but someone can intercept and eavesdrop on your private conversations or credit card exchanges. Worse still, eavesdroppers might replace your information with their own and send it back on its way. Because of the architecture of the Internet and Intranets, there will always be ways for unscrupulous people to intercept and replace data in transit.

Fortunately there are ways to safeguard privacy over the Internet. You encrypt, or disguise, your information before you send it over the Internet. That way, if someone intercepts it, the data is meaningless. And, if the intercepted data is changed, the intended recipient will know it was altered.

Taking precautions

We use the Secure Sockets Layer (SSL) protocol to safeguard against the threats listed previously.

Confidentiality is ensured through encryption, the process of disguising information so that it can't be deciphered (or decrypted) by anyone but the intended recipient. If the information is intercepted, it will be unreadable by a third party. The only information that can be discovered is that the two parties are communicating. Integrity is also ensured through encryption. If someone attempts to alter an encrypted message, it will not decrypt correctly, alerting the recipient to the fact that someone has tampered with the message.

What is encryption?

Encryption is the process of transforming information so it can't be decrypted or read by anyone but the intended recipient. This disguised information is called ciphertext. It is the ciphertext that you send across the Internet. For example, suppose you have a financial report stored at your web site. If SSL is enabled on your web server, your server encrypts the report and sends the ciphertext to a client, who turns the ciphertext back into the financial report.

Decryption reverses the process, turning the ciphertext back into the original message. Only the recipient can decrypt the text because only the recipient has a key. Only someone with the correct key can "unlock" a message.

How servers use encryption

Public-key encryption takes longer than symmetric encryption. However, client-server communication with SSL uses both types of encryption together to maximize their strengths. Here's how these processes are leveraged: A client and server exchange public keys (public-key encryption), and then the client generates a symmetric encryption key that is used only for a single transaction (symmetric encryption). This key is called a session key. The client encrypts the session key with the server's public key and sends it to the server. When the server receives the session key, it uses its private key to decrypt it. For the rest of that transaction, the client and the server can use the quicker symmetric encryption.

During an SSL connection, the client and the server agree to use the strongest cipher with which they both can communicate.

How safe is encryption?

Technically, it's not impossible to "crack" ciphertext and determine the content of the original message--it just takes a lot of time and money. For example, it would take a single Pentium-based computer more than a billion years to crack the 128-bit encryption.

Of course, you could use several computers in conjunction. For example, if you dedicated ten computers to cracking that same encryption, it would take you one-tenth the time. Even then, only the single message in question would be deciphered because SSL generates a new encryption key for every exchange. However, it is conceivable that someone could use 100 dedicated computers working together to crack it more quickly. Of course, the cost of making such powerful machines unavailable for other tasks for that amount of time would be very high indeed--probably millions of dollars.

The precise level of security a key offers is measured by the size of certain numbers used in creating the key. These numbers are measured in bits. The greater the number of bits, the more secure the key. The key used in the previous example is a 128-bit key, which is so strong that the United States government doesn't allow products containing it to be exported. International versions of Netscape products are limited to 40-bit encryption keys. This is still strong enough to stop most hackers.