by Simon Singh
Businesses also desire strong encryption for another reason. Corporations store vast amounts of information on computer databases, including product descriptions, customer details and business accounts. Naturally, corporations want to protect this information from hackers who might infiltrate the computer and steal the information. This protection can be achieved by encrypting stored information, so that it is only accessible to employees who have the decryption key.
To summarize the situation, it is clear that the debate is between two camps: civil libertarians and businesses are in favor of strong encryption, while law enforcers are in favor of severe restrictions. In general, popular opinion appears to be swinging behind the proencryption alliance, who have been helped by a sympathetic media and a couple of Hollywood films. In early 1998, Mercury Rising told the story of a new, supposedly unbreakable NSA cipher which is inadvertently deciphered by a nine-year-old autistic savant. Alec Baldwin, an NSA agent, sets out to assassinate the boy, who is perceived as a threat to national security. Luckily, the boy has Bruce Willis to protect him. Also in 1998, Hollywood released Enemy of the State, which dealt with an NSA plot to murder a politician who supports a bill in favor of strong encryption. The politician is killed, but a lawyer played by Will Smith and an NSA rebel played by Gene Hackman eventually bring the NSA assassins to justice. Both films depict the NSA as more sinister than the CIA, and in many ways the NSA has taken over the role of establishment menace.
While the proencryption lobby argues for cryptographic freedom, and the antiencryption lobby for cryptographic restrictions, there is a third option that might offer a compromise. Over the last decade, cryptographers and policy-makers have been investigating the pros and cons of a scheme known as key escrow. The term “escrow” usually relates to an arrangement in which someone gives a sum of money to a third party, who can then deliver the money to a second party under certain circumstances. For example, a tenant might lodge a deposit with a solicitor, who can then deliver it to a landlord in the event of damage to the property. In terms of cryptography, escrow means that Alice would give a copy of her private key to an escrow agent, an independent, reliable middleman, who is empowered to deliver the private key to the police if ever there was sufficient evidence to suggest that Alice was involved in crime.
The most famous trial of cryptographic key escrow was the American Escrowed Encryption Standard, adopted in 1994. The aim was to encourage the adoption of two encryption systems, called clipper and capstone, to be used for telephone communication and computer communication, respectively. To use clipper encryption, Alice would buy a phone with a preinstalled chip which would hold her secret private key information. At the very moment she bought the clipper phone, a copy of the private key in the chip would be split into two halves, and each half would be sent to two separate Federal authorities for storage. The U.S. Government argued that Alice would have access to secure encryption, and her privacy would only be broken if law enforcers could persuade both Federal authorities that there was a case for obtaining her escrowed private key.
The U.S. Government employed clipper and capstone for its own communications, and made it obligatory for companies involved in government business to adopt the American Escrowed Encryption Standard. Other businesses and individuals were free to use other forms of encryption, but the government hoped that clipper and capstone would gradually become the nation’s favorite form of encryption. However, the policy did not work. The idea of key escrow won few supporters outside government. Civil libertarians did not like the idea of Federal authorities having possession of everybody’s keys—they made an analogy to real keys, and asked how people would feel if the government had the keys to all our houses. Cryptographic experts pointed out that just one crooked employee could undermine the whole system by selling escrowed keys to the highest bidder. And businesses were worried about confidentiality. For example, a European business in America might fear that its messages were being intercepted by American trade officials in an attempt to obtain secrets that might give American rivals a competitive edge.
Despite the failure of clipper and capstone, many governments remain convinced that key escrow can be made to work, as long as the keys are sufficiently well protected from criminals and as long as there are safeguards to reassure the public that the system is not open to government abuse. Louis J. Freeh, Director of the FBI, said in 1996: “The law enforcement community fully supports a balanced encryption policy … Key escrow is not just the only solution; it is, in fact, a very good solution because it effectively balances fundamental societal concerns involving privacy, information security, electronic commerce, public safety, and national security.” Although the U.S. Government has backtracked on its escrow proposals, many suspect that it will attempt to reintroduce an alternative form of key escrow at some time in the future. Having witnessed the failure of optional escrow, governments might even consider compulsory escrow. Meanwhile, the proencryption lobby continues to argue against key escrow. Kenneth Neil Cukier, a technology journalist, has written that: “The people involved in the crypto debate are all intelligent, honorable and proescrow, but they never possess more than two of these qualities at once.”
There are various other options that governments could choose to implement, in order to try to balance the concerns of civil libertarians, business and law enforcement. It is far from clear which will be the preferred option, because at present cryptographic policy is in a state of flux. A steady stream of events around the world is constantly influencing the debate on encryption. In November 1998, the Queen’s Speech announced forthcoming British legislation relating to the digital marketplace. In December 1998, 33 nations signed the Wassenaar Arrangement limiting arms exports, which also covers powerful encryption technologies. In January 1999, France repealed its anticryptography laws, which had previously been the most restrictive in Western Europe, probably as a result of pressure from the business community. In March 1999, the British Government released a consultation document on a proposed Electronic Commerce Bill.
By the time you read this there will have been several more twists and turns in the debate on cryptographic policy. However, one aspect of future encryption policy seems certain, namely the necessity for certification authorities. If Alice wants to send a secure e-mail to a new friend, Zak, she needs Zak’s public key. She might ask Zak to send his public key to her in the mail. Unfortunately, there is then the risk that Eve will intercept Zak’s letter to Alice, destroy it and forge a new letter, which actually includes her own public key instead of Zak’s. Alice may then send a sensitive e-mail to Zak, but she will unknowingly have encrypted it with Eve’s public key. If Eve can intercept this e-mail, she can then easily decipher it and read it. In other words, one of the problems with public key cryptography is being sure that you have the genuine public key of the person with whom you wish to communicate. Certification authorities are organizations that will verify that a public key does indeed correspond to a particular person. A certification authority might request a face-to-face meeting with Zak as a way of ensuring that they have correctly catalogued his public key. If Alice trusts the certification authority, she can obtain from it Zak’s public key, and be confident that the key is valid.
I have explained how Alice could securely buy products from the Internet by using a company’s public key to encrypt the order form. In fact, she would do this only if the public key had been validated by a certification authority. In 1998, the market leader in certification was Verisign, which has grown into a $30 million company in just four years. As well as ensuring reliable encryption by certifying public keys, certification authorities can also guarantee the validity of digital signatures. In 1998, Baltimore Technologies in Ireland provided the certification for the digital signatures of President Bill Clinton and Prime Minister Bertie Ahern. This allowed the two leaders to digitally sign a communiqué in Dublin.
Certification authorities pose no risk to security. They would merely have asked Zak to
reveal his public key so that they can validate it for others who wish to send him encrypted messages. However, there are other companies, known as trusted third parties (TTPs), that provide a more controversial service known as key recovery. Imagine a legal firm that protects all its vital documents by encrypting them with its own public key, so that only it can decrypt them with its own private key. Such a system is an effective measure against hackers and anybody else who might attempt to steal information. However, what happens if the employee who stores the private key forgets it, absconds with it or is knocked over by a bus? Governments are encouraging the formation of TTPs to keep copies of all keys. A company that loses its private key would then be able to recover it by approaching its TTP.
Trusted third parties are controversial because they would have access to people’s private keys, and hence they would have the power to read their clients’ messages. They must be trustworthy, otherwise the system is easily abused. Some argue that TTPs are effectively a reincarnation of key escrow, and that law enforcers would be tempted to bully TTPs into giving up a client’s keys during a police investigation. Others maintain that TTPs are a necessary part of a sensible public key infrastructure.
Nobody can predict what role TTPs will play in the future, and nobody can foresee with certainty the shape of cryptographic policy ten years from now. However, I suspect that in the near future the proencryption lobby will initially win the argument, mainly because no country will want to have encryption laws that prohibit e-commerce. However, if this policy does turn out to be a mistake, then it will always be possible to reverse the laws. If there were to be a series of terrorist atrocities, and law enforcers could show that wiretaps would have prevented them, then governments would rapidly gain sympathy for a policy of key escrow. All users of strong encryption would be forced to deposit their keys with a key escrow agent, and thereafter anybody who sent an encrypted message with a nonescrowed key would be breaking the law. If the penalty for nonescrowed encryption were sufficiently severe, law enforcers could regain control. Later, if governments were to abuse the trust associated with a system of key escrow, the public would call for a return to cryptographic freedom, and the pendulum would swing back. In short, there is no reason why we cannot change our policy to suit the political, economic and social climate. The deciding factor will be whom the public fears the most-criminals or the government.
The Rehabilitation of Zimmermann
In 1993, Phil Zimmermann became the subject of a grand jury investigation. According to the FBI, he had exported a munition because he was supplying hostile nations and terrorists with the tools they needed to evade the authority of the U.S. Government. As the investigation dragged on, more and more cryptographers and civil libertarians rushed to support Zimmermann, establishing an international fund to finance his legal defense. At the same time, the kudos of being the subject of an FBI inquiry boosted the reputation of PGP, and Zimmermann’s creation spread via the Internet even more quickly—after all, this was the encryption software that was so secure that it frightened the Feds.
Pretty Good Privacy had initially been released in haste, and as a result the product was not as polished as it could have been. Soon there was a clamor to develop a revised version of PGP, but clearly Zimmermann was not in a position to continue working on the product. Instead, software engineers in Europe began to rebuild PGP. In general, European attitudes toward encryption were, and still are, more liberal, and there would be no restrictions on exporting a European version of PGP around the world. Furthermore, the RSA patent wrangle was not an issue in Europe, because RSA patents did not apply outside America.
After three years the grand jury investigation had still not brought Zimmermann to trial. The case was complicated by the nature of PGP and the way it had been distributed. If Zimmermann had loaded PGP onto a computer and then shipped it to a hostile regime, the case against him would have been straightforward because clearly he would have been guilty of exporting a complete working encryption system. Similarly, if he had exported a disk containing the PGP program, then the physical object could have been interpreted as a cryptographic device, and once again the case against Zimmermann would have been fairly solid. On the other hand, if he had printed the computer program and exported it as a book, the case against him would no longer be clear cut, because he would then be considered to have exported knowledge rather than a cryptographic device. However, printed matter can easily be scanned electronically and the information can be fed directly into a computer, which means that a book is as dangerous as a disk. What actually occurred was that Zimmermann gave a copy of PGP to “a friend,” who simply installed it on an American computer, which happened to be connected to the Internet. After that, a hostile regime may or may not have downloaded it. Was Zimmermann really guilty of exporting PGP? Even today, the legal issues surrounding the Internet are subject to debate and interpretation. Back in the early 1990s, the situation was vague in the extreme.
In 1996, after three years of investigation, the U.S. Attorney General’s Office dropped its case against Zimmermann. The FBI realized that it was too late-PGP had escaped onto the Internet, and prosecuting Zimmermann would achieve nothing. There was the additional problem that Zimmermann was being supported by major institutions, such as the Massachusetts Institute of Technology Press, which had published PGP in a 600-page book. The book was being distributed around the world, so prosecuting Zimmermann would have meant prosecuting the MIT Press. The FBI was also reluctant to pursue a prosecution because there was a significant chance that Zimmermann would not be convicted. An FBI trial might achieve nothing more than an embarrassing constitutional debate about the right to privacy, thereby stirring up yet more public sympathy in favor of widespread encryption.
Zimmermann’s other major problem also disappeared. Eventually he achieved a settlement with RSA and obtained a license which solved the patent issue. At last, PGP was a legitimate product and Zimmermann was a free man. The investigation had turned him into a cryptographic crusader, and every marketing manager in the world must have envied the notoriety and free publicity that the case gave to PGP. At the end of 1997, Zimmermann sold PGP to Network Associates and he became one of their senior fellows. Although PGP is now sold to businesses, it is still freely available to individuals who do not intend to use it for any commercial purpose. In other words, individuals who merely wish to exercise their right to privacy can still download PGP from the Internet without paying for it.
If you would like to obtain a copy of PGP, there are many sites on the Internet that offer it, and you should find them fairly easily. Probably the most reliable source is at http://www.pgpi.com/, the International PGP Home Page, from where you can download the American and international versions of PGP. At this point, I would like to absolve myself of any responsibility-if you do choose to install PGP, it is up to you check that your computer is capable of running it, that the software is not infected with a virus, and so on. Also, you should check that you are in a country that permits the use of strong encryption. Finally, you should ensure that you are downloading the appropriate version of PGP: individuals living outside America should not download the American version of PGP, because this would violate American export laws. The international version of PGP does not suffer from export restrictions.
I still remember the Sunday afternoon when I first downloaded a copy of PGP from the Internet. Ever since, I have been able to guarantee my e-mails against being intercepted and read, because I can now encrypt sensitive material to Alice, Bob and anybody else who possesses PGP software. My laptop and its PGP software provide me with a level of security that is beyond the combined efforts of all the world’s codebreaking establishments.
8 A Quantum Leap into the Future
For two thousand years, codemakers have fought to preserve secrets while codebreakers have tried their best to reveal them. It has always been a neck-and-neck race, with codebreakers battling back when codemakers seemed to be in command, an
d codemakers inventing new and stronger forms of encryption when previous methods had been compromised. The invention of public key cryptography and the political debate that surrounds the use of strong cryptography bring us up to the present day, and it is clear that the cryptographers are winning the information war. According to Phil Zimmermann, we live in a golden age of cryptography: “It is now possible to make ciphers in modern cryptography that are really, really out of reach of all known forms of cryptanalysis. And I think it’s going to stay that way.” Zimmermann’s view is supported by William Crowell, Deputy Director of the NSA: “If all the personal computers in the world-approximately 260 million computers-were to be put to work on a single PGP encrypted message, it would take on average an estimated 12 million times the age of the universe to break a single message.”
Previous experience, however, tells us that every so-called unbreakable cipher has, sooner or later, succumbed to cryptanalysis. The Vigenère cipher was called “le chiffre indéchiffrable,” but Babbage broke it; Enigma was considered invulnerable, until the Poles revealed its weaknesses. So, are cryptanalysts on the verge of another breakthrough, or is Zimmermann right? Predicting future developments in any technology is always a precarious task, but with ciphers it is particularly risky. Not only do we have to guess which discoveries lie in the future, but we also have to guess which discoveries lie in the present. The tale of James Ellis and GCHQ warns us that there may already be remarkable breakthroughs hidden behind the veil of government secrecy.