The Code Book - Part 10
Part 10

Cocks did not fully appreciate the significance of his discovery. He was unaware of the fact that GCHQ's brightest minds had been struggling with the problem for three years, and had no idea that he had made one of the most important cryptographic breakthroughs of the century. Cocks's naivety may have been part of the reason for his success, allowing him to attack the problem with confidence, rather than timidly prodding at it. Cocks told his mentor about his discovery, and it was Patterson who then reported it to the management. Cocks was quite diffident and very much still a rookie, whereas Patterson fully appreciated the context of the problem and was more capable of addressing the technical questions that would inevitably arise. Soon complete strangers started approaching Cocks, the wonderkid, and began to congratulate him. One of the strangers was James Ellis, keen to meet the man who had turned his dream into a reality. Because Cocks still did not understand the enormity of his achievement, the details of this meeting did not make a great impact on him, and so now, over two decades later, he has no memory of Ellis's reaction.

[image]

Figure 67 Clifford Cocks. (photo credit 6.5)

When Cocks did eventually realize what he had done, it struck him that his discovery might have disappointed G.H. Hardy, one of the great English mathematicians of the early part of the century. In his The Mathematician's Apology, written in 1940, Hardy had proudly stated: "Real mathematics has no effects on war. No one has yet discovered any warlike purpose to be served by the theory of numbers." Real mathematics means pure mathematics, such as the number theory that was at the heart of Cocks's work. Cocks proved that Hardy was wrong. The intricacies of number theory could now be used to help generals plan their battles in complete secrecy. Because his work had implications for military communications, Cocks, like Ellis, was forbidden from telling anybody outside GCHQ about what he had done. Working at a top-secret government establishment meant that he could tell neither his parents nor his former colleagues at Cambridge University. The only person he could tell was his wife, Gill, since she was also employed at GCHQ.

Although Cocks's idea was one of GCHQ's most potent secrets, it suffered from the problem of being ahead of its time. Cocks had discovered a mathematical function that permitted public key cryptography, but there was still the difficulty of implementing the system. Encryption via public key cryptography requires much more computer power than encryption via a symmetric cipher like DES. In the early 1970s, computers were still relatively primitive and unable to perform the process of public key encryption within a reasonable amount of time. Hence, GCHQ were not in a position to exploit public key cryptography. Cocks and Ellis had proved that the apparently impossible was possible, but nobody could find a way of making the possible practical.

At the beginning of the following year, 1974, Cocks explained his work on public key cryptography to Malcolm Williamson, who had recently joined GCHQ as a cryptographer. The men happened to be old friends. They had both attended Manchester Grammar School, whose school motto is Sapere aude, "Dare to be wise." While at school in 1968, the two boys had represented Britain at the Mathematical Olympiad in the Soviet Union. After attending Cambridge University together, they went their separate ways for a couple of years, but now they were reunited at GCHQ. They had been exchanging mathematical ideas since the age of eleven, but Cocks's revelation of public key cryptography was the most shocking idea that Williamson had ever heard. "Cliff explained his idea to me," recalls Williamson, "and I really didn't believe it. I was very suspicious, because this is a very peculiar thing to be able to do."

Williamson went away, and began trying to prove that Cocks had made a mistake and that public key cryptography did not really exist. He probed the mathematics, searching for an underlying flaw. Public key cryptography seemed too good to be true, and Williamson was so determined to find a mistake that he took the problem home. GCHQ employees are not supposed to take work home, because everything they do is classified, and the home environment is potentially vulnerable to espionage. However, the problem was stuck in Williamson's brain, so he could not avoid thinking about it. Defying orders, he carried his work back to his house. He spent five hours trying to find a flaw. "Essentially I failed," says Williamson. "Instead I came up with another solution to the problem of key distribution." Williamson was discovering Diffie-Hellman-Merkle key exchange, at roughly the same time that Martin Hellman discovered it. Williamson's initial reaction reflected his cynical disposition: "This looks great, I thought to myself. I wonder if I can find a flaw in this one. I guess I was in a negative mood that day."

[image]

Figure 68 Malcolm Williamson. (photo credit 6.6)

By 1975, James Ellis, Clifford Cocks and Malcolm Williamson had discovered all the fundamental aspects of public key cryptography, yet they all had to remain silent. The three Britons had to sit back and watch as their discoveries were rediscovered by Diffie, Hellman, Merkle, Rivest, Shamir and Adleman over the next three years. Curiously, GCHQ discovered RSA before Diffie-Hellman-Merkle key exchange, whereas in the outside world, Diffie-Hellman-Merkle key exchange came first. The scientific press reported the breakthroughs at Stanford and MIT, and the researchers who had been allowed to publish their work in the scientific journals became famous within the community of cryptographers. A quick look on the Internet with a search engine turns up 15 Web pages mentioning Clifford Cocks, compared to 1,382 pages that mention Whitfield Diffie. Cocks's attitude is admirably restrained: "You don't get involved in this business for public recognition." Williamson is equally dispassionate: "My reaction was 'Okay, that's just the way it is.' Basically, I just got on with the rest of my life."

[image]

Figure 69 Malcolm Williamson (second from left) and Clifford Cocks (extreme right) arriving for the 1968 Mathematical Olympiad.

Williamson's only qualm is that GCHQ failed to patent public key cryptography. When Cocks and Williamson first made their breakthroughs, there was agreement among GCHQ management that patenting was impossible for two reasons. First, patenting would mean having to reveal the details of their work, which would have been incompatible with GCHQ's aims. Second, in the early 1970s it was far from clear that mathematical algorithms could be patented. When Diffie and Hellman tried to file for a patent in 1976, however, it was evident that they could be patented. At this point, Williamson was keen to go public and block Diffie and Hellman's application, but he was overruled by his senior managers, who were not farsighted enough to see the digital revolution and the potential of public key cryptography. By the early 1980s Williamson's bosses were beginning to regret their decision, as developments in computers and the embryonic Internet made it clear that RSA and Diffie-Hellman-Merkle key exchange would both be enormously successful commercial products. In 1996, RSA Data Security, Inc., the company responsible for RSA products, was sold for $200 million.

Although the work at GCHQ was still classified, there was one other organization that was aware of the breakthroughs that had been achieved in Britain. By the early 1980s America's National Security Agency knew about the work of Ellis, Cocks and Williamson, and it is probably via the NSA that Whitfield Diffie heard a rumor about the British discoveries. In September 1982, Diffie decided to see if there was any truth in the rumor, and he traveled with his wife to Cheltenham in order to talk to James Ellis face-to-face. They met at a local pub, and very quickly Mary was struck by Ellis's remarkable character:

We sat around talking, and I suddenly became aware that this was the most wonderful person you could possibly imagine. The breadth of his mathematical knowledge is not something I could confidently discuss, but he was a true gentleman, immensely modest, a person with great generosity of spirit and gentility. When I say gentility, I don't mean old-fashioned and musty. This man was a chevalier. He was a good man, a truly good man. He was a gentle spirit.

Diffie and Ellis discussed various topics, from archaeology to how rats in the barrel improve the taste of cider, but whenever the conversation drifted toward cryptography, Ellis gently changed the subject. At the end of Diffie's visit, as he was ready to drive away, he could no longer resist directly asking Ellis the question that was really on his mind: "Tell me about how you invented public key cryptography?" There was a long pause. Ellis eventually whispered: "Well, I don't know how much I should say. Let me just say that you people did much more with it than we did."

Although GCHQ were the first to discover public key cryptography, this should not diminish the achievements of the academics who rediscovered it. It was the academics who were the first to realize the potential of public key encryption, and it was they who drove its implementation. Furthermore, it is quite possible that GCHQ would never have revealed their work, thus blocking a form of encryption that would enable the digital revolution to reach its full potential. Finally, the discovery by the academics was wholly independent of GCHQ's discovery, and on an intellectual par with it. The academic environment is completely isolated from the top-secret domain of classified research, and academics do not have access to the tools and secret knowledge that may be hidden in the classified world. On the other hand, government researchers always have access to the academic literature. One might think of this flow of information in terms of a one-way function: information flows freely in one direction, but it is forbidden to send information in the opposite direction.

When Diffie told Hellman about Ellis, Cocks and Williamson, his attitude was that the discoveries of the academics should be a footnote in the history of classified research, and that the discoveries at GCHQ should be a footnote in the history of academic research. However, at that stage nobody except GCHQ, NSA, Diffie and Hellman knew about the classified research, and so it could not even be considered as a footnote.

By the mid-1980s, the mood at GCHQ was changing, and the management considered publicly announcing the work of Ellis, Cocks and Williamson. The mathematics of public key cryptography was already well established in the public domain, and there seemed to be no reason to remain secretive. In fact, there would be distinct benefits if the British revealed their groundbreaking work on public key cryptography. As Richard Walton recalls:

We flirted with the idea of coming clean in 1984. We began to see advantages for GCHQ being more publicly acknowledged. It was a time when the government security market was expanding beyond the traditional military and diplomatic customer, and we needed to capture the confidence of those who did not traditionally deal with us. We were in the middle of Thatcherism, and we were trying to counter a sort of "government is bad, private is good" ethos. So, we had the intention of publishing a paper, but that idea was scuppered by that blighter Peter Wright, who wrote Spycatcher. We were just warming up senior management to approve this release, when there was all this hoo-ha about Spycatcher. Then the order of the day was "heads down, hats on."

Peter Wright was a retired British intelligence officer, and the publication of Spycatcher, his memoirs, was a source of great embarrassment to the British government. It would be another 13 years before GCHQ eventually went public, 28 years after Ellis's initial breakthrough. In 1997 Clifford Cocks completed some important unclassified work on RSA, which would have been of interest to the wider community, and which would not be a security risk if it were to be published. As a result, he was asked to present a paper at the Institute of Mathematics and its Applications Conference to be held in Cirencester. The room would be full of cryptography experts. A handful of them would know that Cocks, who would be talking about just one aspect of RSA, was actually its unsung inventor. There was a risk that somebody might ask an embarrassing question, such as "Did you invent RSA?" If such a question arose, what was Cocks supposed to do? According to GCHQ policy he would have to deny his role in the development of RSA, thus forcing him to lie about an issue that was totally innocuous. The situation was clearly ridiculous, and GCHQ decided that it was time to change its policy. Cocks was given permission to begin his talk by presenting a brief history of GCHQ's contribution to public key cryptography.

On December 18, 1997, Cocks delivered his talk. After almost three decades of secrecy, Ellis, Cocks and Williamson received the acknowledgment they deserved. Sadly, James Ellis had died just one month earlier on November 25, 1997, at the age of seventy-three. Ellis joined the list of British cipher experts whose contributions would never be recognized during their lifetimes. Charles Babbage's breaking of the Vigenère cipher was never revealed during his lifetime, because his work was invaluable to British forces in the Crimea. Instead, credit for the work went to Friedrich Kasiski. Similarly, Alan Turing's contribution to the war effort was unparalleled, and yet government secrecy demanded that his work on Enigma could not be revealed.

In 1987, Ellis wrote a classified document that recorded his contribution to public key cryptography, which included his thoughts on the secrecy that so often surrounds cryptographic work:

Cryptography is a most unusual science. Most professional scientists aim to be the first to publish their work, because it is through dissemination that the work realizes its value. In contrast, the fullest value of cryptography is realized by minimizing the information available to potential adversaries. Thus professional cryptographers normally work in closed communities to provide sufficient professional interaction to ensure quality while maintaining secrecy from outsiders. Revelation of these secrets is normally only sanctioned in the interests of historical accuracy after it has been demonstrated that no further benefit can be obtained from continued secrecy.

7 Pretty Good Privacy

Just as Whit Diffie predicted in the early 1970s, we are now entering the Information Age, a postindustrial era in which information is the most valuable commodity. The exchange of digital information has become an integral part of our society. Already, tens of millions of e-mails are sent each day, and electronic mail will soon become more popular than conventional mail. The Internet, still in its infancy, has provided the infrastructure for the digital marketplace, and e-commerce is thriving. Money is flowing through cyberspace, and it is estimated that every day half the world's Gross Domestic Product travels through the Society for Worldwide Interbank Financial Telecommunications network. In the future, democracies that favor referenda will begin to have on-line voting, and governments will use the Internet to help administer their countries, offering facilities such as on-line tax declarations.

However, the success of the Information Age depends on the ability to protect information as it flows around the world, and this relies on the power of cryptography. Encryption can be seen as providing the locks and keys of the Information Age. For two thousand years encryption has been of importance only to governments and the military, but today it also has a role to play in facilitating business, and tomorrow ordinary people will rely on cryptography in order to protect their privacy. Fortunately, just as the Information Age is taking off, we have access to extraordinarily strong encryption. The development of public key cryptography, particularly the RSA cipher, has given today's cryptographers a clear advantage in their continual power struggle against cryptanalysts. If the value of N is large enough, then finding p and q takes Eve an unreasonable amount of time, and RSA encryption is therefore effectively unbreakable. Most important of all, public key cryptography is not weakened by any key distribution problems. In short, RSA guarantees almost unbreakable locks for our most precious pieces of information.

[image]

Figure 70 Phil Zimmermann. (photo credit 7.1)

However, as with every technology, there is a dark side to encryption. As well as protecting the communications of law-abiding citizens, encryption also protects the communications of criminals and terrorists. Currently, the police use wiretapping as a way of gathering evidence in serious cases, such as organized crime and terrorism, but this would be impossible if criminals used unbreakable ciphers. As we enter the twenty-first century, the fundamental dilemma for cryptography is to find a way of allowing the public and business to use encryption in order to exploit the benefits of the Information Age without allowing criminals to abuse encryption and evade arrest. There is currently an active and vigorous debate about the best way forward, and much of the discussion has been inspired by the story of Phil Zimmermann, a man whose attempts to encourage the widespread use of strong encryption have panicked America's security experts, threatened the effectiveness of the billion-dollar National Security Agency, and made him the subject of an FBI inquiry and a grand jury investigation.

Phil Zimmermann spent the mid-1970s at Florida Atlantic University, where he studied physics and then computer science. On graduation he seemed set for a steady career in the rapidly growing computer industry, but the political events of the early 1980s transformed his life, and he became less interested in the technology of silicon chips and more worried about the threat of nuclear war. He was alarmed by the Soviet invasion of Afghanistan, the election of Ronald Reagan, the instability caused by an aging Brezhnev and the increasingly tense nature of the Cold War. He even considered taking himself and his family to New Zealand, believing that this would be one of the few places on Earth that would be habitable after a nuclear conflict. But just as he had obtained passports and the necessary immigration papers, he and his wife attended a meeting held by the Nuclear Weapons Freeze Campaign. Rather than flee, the Zimmermanns decided to stay and fight the battle at home, becoming front-line antinuclear activists: they educated political candidates on issues of military policy, and were arrested at the Nevada nuclear testing grounds, alongside Carl Sagan and four hundred other protesters.

A few years later, in 1988, Mikhail Gorbachev became head of state of the Soviet Union, heralding perestroika, glasnost and a reduction in tension between East and West. Zimmermann's fears began to subside, but he did not lose his passion for political activism, he merely channeled it in a different direction. He began to focus his attentions on the digital revolution and the necessity for encryption:

Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.

These views might seem paranoid, but according to Zimmermann there is a fundamental difference between traditional and digital communication which has important implications for security:

In the past, if the government wanted to violate the privacy of ordinary citizens, it had to expend a certain amount of effort to intercept and steam open and read paper mail, or listen to and possibly transcribe spoken telephone conversations. This is analogous to catching fish with a hook and a line, one fish at a time. Fortunately for freedom and democracy, this kind of labor-intensive monitoring is not practical on a large scale. Today, electronic mail is gradually replacing conventional paper mail, and is soon to be the norm for everyone, not the novelty it is today. Unlike paper mail, e-mail messages are just too easy to intercept and scan for interesting keywords. This can be done easily, routinely, automatically, and undetectably on a grand scale. This is analogous to driftnet fishing, making a quantitative and qualitative Orwellian difference to the health of democracy.

The difference between ordinary and digital mail can be illustrated by imagining that Alice wants to send out invitations to her birthday party, and that Eve, who has not been invited, wants to know the time and place of the party. If Alice uses the traditional method of posting letters, then it is very difficult for Eve to intercept one of the invitations. To start with, Eve does not know where Alice's invitations entered the postal system, because Alice could use any postbox in the city. Her only hope for intercepting one of the invitations is to somehow identify the address of one of Alice's friends, and infiltrate the local sorting office. She then has to check each and every letter manually. If she does manage to find a letter from Alice, she will have to steam it open in order to get the information she wants, and then return it to its original condition to avoid any suspicion of tampering.

In comparison, Eve's task is made considerably easier if Alice sends her invitations by e-mail. As the messages leave Alice's computer, they will go to a local server, a main entry point for the Internet; if Eve is clever enough, she can hack into that local server without leaving her home. The invitations will carry Alice's e-mail address, and it would be a trivial matter to set up an electronic sieve that looks for e-mails containing Alice's address. Once an invitation has been found, there is no envelope to open, and so no problem in reading it. Furthermore, the invitation can be sent on its way without it showing any sign of having been intercepted. Alice would be oblivious to what was going on. However, there is a way to prevent Eve from reading Alice's e-mails, namely encryption.

More than a hundred million e-mails are sent around the world each day, and they are all vulnerable to interception. Digital technology has aided communication, but it has also given rise to the possibility of those communications being monitored. According to Zimmermann, cryptographers have a duty to encourage the use of encryption and thereby protect the privacy of the individual:

A future government could inherit a technology infrastructure that's optimized for surveillance, where they can watch the movements of their political opposition, every financial transaction, every communication, every bit of e-mail, every phone call. Everything could be filtered and scanned and automatically recognized by voice recognition technology and transcribed. It's time for cryptography to step out of the shadows of spies and the military, and step into the sunshine and be embraced by the rest of us.

In theory, when RSA was invented in 1977 it offered an antidote to the Big Brother scenario because individuals were able to create their own public and private keys, and thereafter send and receive perfectly secure messages. However, in practice there was a major problem because the actual process of RSA encryption required a substantial amount of computing power in comparison with symmetric forms of encryption, such as DES. Consequently, in the 1980s it was only government, the military and large businesses that owned computers powerful enough to run RSA. Not surprisingly, RSA Data Security, Inc., the company set up to commercialize RSA, developed their encryption products with only these markets in mind.

In contrast, Zimmermann believed that everybody deserved the right to the privacy that was offered by RSA encryption, and he directed his political zeal toward developing an RSA encryption product for the masses. He intended to draw upon his background in computer science to design a product with economy and efficiency in mind, thus not overloading the capacity of an ordinary personal computer. He also wanted his version of RSA to have a particularly friendly interface, so that the user did not have to be an expert in cryptography to operate it. He called his project Pretty Good Privacy, or PGP for short. The name was inspired by Ralph's Pretty Good Groceries, a sponsor of Garrison Keillor's Prairie Home Companion, one of Zimmermann's favorite radio shows.

During the late 1980s, working from his home in Boulder, Colorado, Zimmermann gradually pieced together his scrambling software package. His main goal was to speed up RSA encryption. Ordinarily, if Alice wants to use RSA to encrypt a message to Bob, she looks up his public key and then applies RSA's one-way function to the message. Conversely, Bob decrypts the ciphertext by using his private key to reverse RSA's one-way function. Both processes require considerable mathematical manipulation, so encryption and decryption can, if the message is long, take several minutes on a personal computer. If Alice is sending a hundred messages a day, she cannot afford to spend several minutes encrypting each one. To speed up encryption and decryption, Zimmermann employed a neat trick that used asymmetric RSA encryption in tandem with old-fashioned symmetric encryption. Traditional symmetric encryption can be just as secure as asymmetric encryption, and it is much quicker to perform, but symmetric encryption suffers from the problem of having to distribute the key, which has to be securely transported from the sender to the receiver. This is where RSA comes to the rescue, because RSA can be used to encrypt the symmetric key.

Zimmermann pictured the following scenario. If Alice wants to send an encrypted message to Bob, she begins by encrypting it with a symmetric cipher. Zimmermann suggested using a cipher known as IDEA, which is similar to DES. To encrypt with IDEA, Alice needs to choose a key, but for Bob to decrypt the message Alice somehow has to get the key to Bob. Alice overcomes this problem by looking up Bob's RSA public key, and then uses it to encrypt the IDEA key. So, Alice ends up sending two things to Bob: the message encrypted with the symmetric IDEA cipher and the IDEA key encrypted with the asymmetric RSA cipher. At the other end, Bob uses his RSA private key to decrypt the IDEA key, and then uses the IDEA key to decrypt the message. This might seem convoluted, but the advantage is that the message, which might contain a large amount of information, is being encrypted with a quick symmetric cipher, and only the symmetric IDEA key, which consists of a relatively small amount of information, is being encrypted with a slow asymmetric cipher. Zimmermann planned to have this combination of RSA and IDEA within the PGP product, but the user-friendly interface would mean that the user would not have to get involved in the nuts and bolts of what was going on.

Having largely solved the speed problem, Zimmermann also incorporated a series of handy features into PGP. For example, before using the RSA component of PGP, Alice needs to generate her own private key and public key. Key generation is not trivial, because it requires finding a pair of giant primes. However, Alice only has to wiggle her mouse in an erratic manner, and the PGP program will go ahead and create her private key and public key-the mouse movements introduce a random factor which PGP utilizes to ensure that every user has their own distinct pair of primes, and therefore their own unique private key and public key. Thereafter Alice merely has to publicize her public key.

Another helpful aspect of PGP is its facility for digitally signing an e-mail. Ordinarily e-mail does not carry a signature, which means that it is impossible to verify the true author of an electronic message. For example, if Alice uses e-mail to send a love letter to Bob, she normally encrypts it with his public key, and when he receives it he decrypts it with his private key. Bob is initially flattered, but how can he be sure that the love letter is really from Alice? Perhaps the malevolent Eve wrote the e-mail and typed Alice's name at the bottom. Without the reassurance of a handwritten ink signature, there is no obvious way to verify the authorship. Alternatively, imagine that a bank receives an e-mail from a client, which instructs that all the client's funds should be transferred to a private numbered bank account in the Cayman Islands. Once again, without a handwritten signature, how does the bank know that the e-mail is really from the client? The e-mail could have been written by a criminal attempting to divert the money to his own Cayman Islands bank account. In order to develop trust on the Internet, it is essential that there is some form of reliable digital signature.

The PGP digital signature is based on a principle that was first developed by Whitfield Diffie and Martin Hellman. When they proposed the idea of separate public keys and private keys, they realized that, in addition to solving the key distribution problem, their invention would also provide a natural mechanism for generating e-mail signatures. In Chapter 6 we saw that the public key is for encrypting and the private key for decrypting. In fact the process can be swapped around, so that the private key is used for encrypting and the public key is used for decrypting. This mode of encryption is usually ignored because it offers no security. If Alice uses her private key to encrypt a message to Bob, then everybody can decrypt it because everybody has Alice's public key. However, this mode of operation does verify authorship, because if Bob can decrypt a message using Alice's public key, then it must have been encrypted using her private key; only Alice has access to her private key, so the message must have been sent by Alice.

In effect, if Alice wants to send a love letter to Bob, she has two options. Either she encrypts the message with Bob's public key to guarantee privacy, or she encrypts it with her own private key to guarantee authorship. However, if she combines both options she can guarantee privacy and authorship. There are quicker ways to achieve this, but here is one way in which Alice might send her love letter. She starts by encrypting the message using her private key, then she encrypts the resulting ciphertext using Bob's public key. We can picture the message surrounded by a fragile inner shell, which represents encryption by Alice's private key, and a strong outer shell, which represents encryption by Bob's public key. The resulting ciphertext can only be deciphered by Bob, because only he has access to the private key necessary to crack the strong outer shell. Having deciphered the outer shell, Bob can then easily decipher the inner shell using Alice's public key; the inner shell is not meant to protect the message, but it does prove that the message came from Alice, and not an impostor.

By this stage, sending a PGP encrypted message is becoming quite complicated. The IDEA cipher is being used to encrypt the message, RSA is being used to encrypt the IDEA key, and another stage of encryption has to be incorporated if a digital signature is required. However, Zimmermann developed his product in such a way that it would do everything automatically, so that Alice and Bob would not have to worry about the mathematics. To send a message to Bob, Alice would simply write her e-mail and select the PGP option from a menu on her computer screen. Next she would type in Bob's name, then PGP would find Bob's public key and automatically perform all the encryption. At the same time PGP would do the necessary jiggery-pokery required to digitally sign the message. Upon receiving the encrypted message, Bob would select the PGP option, and PGP would decrypt the message and verify the author. Nothing in PGP was original (Diffie and Hellman had already thought of digital signatures and other cryptographers had used a combination of symmetric and asymmetric ciphers to speed up encryption), but Zimmermann was the first to put everything together in one easy-to-use encryption product, which was efficient enough to run on a moderately sized personal computer.
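The three stages just described (a quick symmetric cipher for the message, RSA for the symmetric key, and a private-key operation as the signature) can be seen working together in the following Python sketch, which is an added example and not code from PGP or from the book. It rests on labelled assumptions: a SHA-256 keystream stands in for IDEA, RSA is used in its unpadded textbook form, the signature is made over a SHA-256 digest rather than the whole message, and every function name is hypothetical.

```python
import hashlib
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; a composite survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    # The OS random source plays the role of the mouse wiggling in the text.
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=1024, e=65537):
    """Return ((n, e), (n, d)): public key, private key. Needs n > 2**256."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))

def keystream_xor(key, data):
    """Stand-in for IDEA (assumption): XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts; a key must never be reused."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, pad))
    return bytes(out)

def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def seal(message, sender_private, recipient_public):
    """Sign with the sender's private key, then encrypt for the recipient."""
    n_s, d_s = sender_private
    n_r, e_r = recipient_public
    # Inner shell: the sender's private key applied to the message digest.
    signature = pow(digest_int(message), d_s, n_s)
    sig_bytes = signature.to_bytes((n_s.bit_length() + 7) // 8, "big")
    # Bulk encryption of signature + message under a fresh 128-bit session key.
    session_key = secrets.token_bytes(16)
    body = keystream_xor(session_key, sig_bytes + message)
    # Outer shell: only the small session key goes through slow RSA.
    wrapped_key = pow(int.from_bytes(session_key, "big"), e_r, n_r)
    return wrapped_key, body

def open_sealed(packet, recipient_private, sender_public):
    """Unwrap the session key, decrypt, and verify who signed the message."""
    wrapped_key, body = packet
    n_r, d_r = recipient_private
    n_s, e_s = sender_public
    key_int = pow(wrapped_key, d_r, n_r)
    if key_int >= 1 << 128:
        raise ValueError("session key did not unwrap; wrong private key?")
    plain = keystream_xor(key_int.to_bytes(16, "big"), body)
    sig_len = (n_s.bit_length() + 7) // 8
    signature = int.from_bytes(plain[:sig_len], "big")
    message = plain[sig_len:]
    if pow(signature, e_s, n_s) != digest_int(message):
        raise ValueError("signature does not verify against sender's public key")
    return message

if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    packet = seal(b"Dear Bob ...", alice_priv, bob_pub)  # constructed message
    print(open_sealed(packet, bob_priv, alice_pub))
```

Unpadded RSA is used here only to keep the arithmetic visible; deployed systems add padding to both the key-wrapping and the signing step.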

By the summer of 1991, Zimmermann was well on the way to turning PGP into a polished product. Only two problems remained, neither of them technical. A long-term problem had been the fact that RSA, which is at the heart of PGP, is a patented product, and patent law required Zimmermann to obtain a license from RSA Data Security, Inc. before he launched PGP. However, Zimmermann decided to put this problem to one side. PGP was intended not as a product for businesses, but rather as something for the individual. He felt that he would not be competing directly with RSA Data Security, Inc., and hoped that the company would give him a free license in due course.

A more serious and immediate problem was the U.S. Senate's 1991 omnibus anticrime bill, which contained the following clause: "It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law." The Senate was concerned that developments in digital technology, such as cellular telephones, might prevent law enforcers from performing effective wiretaps. However, as well as forcing companies to guarantee the possibility of wiretapping, the bill also seemed to threaten all forms of secure encryption.

A concerted effort by RSA Data Security, Inc., the communications industry, and civil liberty groups forced the clause to be dropped, but the consensus was that this was only a temporary reprieve. Zimmermann was fearful that sooner or later the government would again try to bring in legislation that would effectively outlaw encryption such as PGP. He had always intended to sell PGP, but now he reconsidered his options. Rather than waiting and risk PGP being banned by the government, he decided that it was more important for it to be available to everybody before it was too late. In June 1991 he took the drastic step of asking a friend to post PGP on a Usenet bulletin board. PGP is just a piece of software, and so from the bulletin board it could be downloaded by anyone for free. PGP was now loose on the Internet.

Initially, PGP caused a buzz only among aficionados of cryptography. Later it was downloaded by a wider range of Internet enthusiasts. Next, computer magazines ran brief reports and then full-page articles on the PGP phenomenon. Gradually PGP began to permeate the most remote corners of the digital community. For example, human rights groups around the world started to use PGP to encrypt their documents, in order to prevent the information from falling into the hands of the regimes that were being accused of human-rights abuses. Zimmermann began to receive e-mails praising him for his creation. "There are resistance groups in Burma," says Zimmermann, "who are using it in jungle training camps. They've said that it's helped morale there, because before PGP was introduced captured documents would lead to the arrest, torture and execution of entire families." In 1991, on the day that Boris Yeltsin was shelling Moscow's Parliament building, Zimmermann received this e-mail via someone in Latvia: "Phil, I wish you to know: let it never be, but if dictatorship takes over Russia, your PGP is widespread from Baltic to Far East now and will help democratic people if necessary. Thanks."

While Zimmermann was gaining fans around the world, back home in America he had been the target of criticism. RSA Data Security, Inc. decided not to give Zimmermann a free license, and was enraged that its patent was being infringed. Although Zimmermann released PGP as freeware (free software), it contained the RSA system of public key cryptography, and consequently RSA Data Security, Inc. labeled PGP as "banditware." Zimmermann had given something away which belonged to somebody else. The patent wrangle would continue for several years, during which time Zimmermann encountered an even greater problem.

In February 1993, two government investigators paid Zimmermann a visit. After their initial enquiries about patent infringement, they began to ask questions about the more serious accusation of illegally exporting a weapon. Because the U.S. Government included encryption software within its definition of munitions, along with missiles, mortars and machine guns, PGP could not be exported without a license from the State Department. In other words, Zimmermann was accused of being an arms dealer because he had exported PGP via the Internet. Over the next three years Zimmermann became the subject of a grand jury investigation and found himself pursued by the FBI.

Encryption for the Masses...Or Not?

The investigation into Phil Zimmermann and PGP ignited a debate about the positive and negative effects of encryption in the Information Age. The spread of PGP galvanized cryptographers, politicians, civil libertarians and law enforcers into thinking about the implications of widespread encryption. There were those, like Zimmermann, who believed that the widespread use of secure encryption would be a boon to society, providing individuals with privacy for their digital communications. Ranged against them were those who believed that encryption was a threat to society, because criminals and terrorists would be able to communicate in secret, safe from police wiretaps.

The debate continued throughout the 1990s, and is currently as contentious as ever. The fundamental question is whether or not governments should legislate against cryptography. Cryptographic freedom would allow everyone, including criminals, to be confident that their e-mails are secure. On the other hand, restricting the use of cryptography would allow the police to spy on criminals, but it would also allow the police and everybody else to spy on the average citizen. Ultimately, we, through the governments we elect, will decide the future role of cryptography. This section is devoted to outlining the two sides of the debate. Much of the discussion will refer to policies and policy-makers in America, partly because it is the home of PGP, around which much of the debate has centered, and partly because whatever policy is adopted in America will ultimately have an effect on policies around the globe.

The case against the widespread use of encryption, as argued by law enforcers, centers on the desire to maintain the status quo. For decades, police around the world have conducted legal wiretaps in order to catch criminals. For example, in America in 1918, wiretaps were used to counteract the presence of wartime spies, and in the 1920s they proved especially effective in convicting bootleggers. The view that wiretapping was a necessary tool of law enforcement became firmly established in the late 1960s, when the FBI realized that organized crime was becoming a growing threat to the nation. Law enforcers were having great difficulty in convicting suspects because the mob made threats against anyone who might consider testifying against them, and there was also the code of omerta, or silence. The police felt that their only hope was to gather evidence via wiretaps, and the Supreme Court was sympathetic to this argument. In 1967 it ruled that the police could employ wiretaps as long as they had first obtained a court authorization.

Twenty years later, the FBI still maintains that "court ordered wiretapping is the single most effective investigative technique used by law enforcement to combat illegal drugs, terrorism, violent crime, espionage, and organized crime." However, police wiretaps would be useless if criminals had access to encryption. A phone call made over a digital line is nothing more than a stream of numbers, and can be encrypted according to the same techniques used to encrypt e-mails. PGPfone, for example, is one of several products capable of encrypting voice communications made over the Internet.

Law enforcers argue that effective wiretapping is necessary in order to maintain law and order, and that encryption should be restricted so that they can continue with their interceptions. The police have already encountered criminals using strong encryption to protect themselves. A German legal expert said that "hot businesses such as the arms and drug trades are no longer done by phone, but are being settled in encrypted form on the worldwide data networks." A White House official indicated a similarly worrying trend in America, claiming that "organized crime members are some of the most advanced users of computer systems and of strong encryption." For instance, the Cali cartel arranges its drug deals via encrypted communications. Law enforcers fear that the Internet coupled with cryptography will help criminals to communicate and coordinate their efforts, and they are particularly concerned about the so-called Four Horsemen of the Infocalypse (drug dealers, organized crime, terrorists and pedophiles), the groups who will benefit most from encryption.

In addition to encrypting communications, criminals and terrorists are also encrypting their plans and records, hindering the recovery of evidence. The Aum Shinrikyo sect, responsible for the gas attacks on the Tokyo subway in 1995, were found to have encrypted some of their documents using RSA. Ramsey Yousef, one of the terrorists involved in the World Trade Center bombing, kept plans for future terrorist acts encrypted on his laptop. Besides international terrorist organizations, more run-of-the-mill criminals also benefit from encryption. An illegal gambling syndicate in America, for example, encrypted its accounts for four years. Commissioned in 1997 by the National Strategy Information Center's U.S. Working Group on Organized Crime, a study by Dorothy Denning and William Baugh estimated that there were five hundred criminal cases worldwide involving encryption, and predicted that this number would roughly double each year.

In addition to domestic policing, there are also issues of national security. America's National Security Agency is responsible for gathering intelligence on the nation's enemies by deciphering their communications. The NSA operates a worldwide network of listening stations, in cooperation with Britain, Australia, Canada and New Zealand, who all gather and share information. The network includes sites such as the Menwith Hill Signals Intelligence Base in Yorkshire, the world's largest spy station. Part of Menwith Hill's work involves the Echelon system, which is capable of scanning e-mails, faxes, telexes and telephone calls, searching for particular words. Echelon operates according to a dictionary of suspicious words, such as "Hezbollah," "assassin" and "Clinton," and the system is smart enough to recognize these words in real time. Echelon can earmark questionable messages for further examination, enabling it to monitor messages from particular political groups or terrorist organizations. However, Echelon would effectively be useless if all messages were strongly encrypted. Each of the nations participating in Echelon would lose valuable intelligence on political plotting and terrorist attacks.

On the other side of the debate are the civil libertarians, including groups such as the Center for Democracy and Technology and the Electronic Frontier Foundation. The proencryption case is based on the belief that privacy is a fundamental human right, as recognized by Article 12 of the Universal Declaration of Human Rights: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Civil libertarians argue that the widespread use of encryption is essential for guaranteeing the right to privacy. Otherwise, they fear, the advent of digital technology, which makes monitoring so much easier, will herald a new era of wiretapping and the abuses that inevitably follow. In the past, governments have frequently used their power in order to conduct wiretaps on innocent citizens. Presidents Lyndon Johnson and Richard Nixon were guilty of unjustified wiretaps, and President John F. Kennedy conducted dubious wiretaps in the first month of his presidency. In the run-up to a bill concerning Dominican sugar imports, Kennedy asked for wiretaps to be placed on several congressmen. His justification was that he believed that they were being bribed, a seemingly valid national security concern. However, no evidence of bribery was ever found, and the wiretaps merely provided Kennedy with valuable political information, which helped the administration to win the bill.

One of the best-known cases of continuous unjustified wiretapping concerns Martin Luther King Jr., whose telephone conversations were monitored for several years. For example, in 1963 the FBI obtained information on King via a wiretap and fed it to Senator James Eastland in order to help him in debates on a civil rights bill. More generally, the FBI gathered details about King's personal life, which were used to discredit him. Recordings of King telling bawdy stories were sent to his wife and played in front of President Johnson. Then, following King's award of the Nobel Prize, embarrassing details about King's life were passed to any organization that was considering conferring an honor upon him.

Other governments are equally guilty of abusing wiretaps. The Commission Nationale de Controle des Interceptions de Securite estimates that there are roughly 100,000 illegal wiretaps conducted in France each year. Possibly the greatest infringement of everybody's privacy is the international Echelon program. Echelon does not have to justify its interceptions, and it does not focus on particular individuals. Instead, it indiscriminately harvests information, using receivers that detect the telecommunications that bounce off satellites. If Alice sends a harmless transatlantic message to Bob, then it will certainly be intercepted by Echelon, and if the message happens to contain a few words that appear in the Echelon dictionary, then it would be earmarked for further examination, alongside messages from extreme political groups and terrorist gangs. Whereas law enforcers argue that encryption should be banned because it would make Echelon ineffective, the civil libertarians argue that encryption is necessary exactly because it would make Echelon ineffective.

When law enforcers argue that strong encryption will reduce criminal convictions, civil libertarians reply that the issue of privacy is more important. In any case, civil libertarians insist that encryption would not be an enormous barrier to law enforcement because wiretaps are not a crucial element in most cases. For example, in America in 1994 there were roughly a thousand court-sanctioned wiretaps, compared with a quarter of a million federal cases.

Not surprisingly, among the advocates of cryptographic freedom are some of the inventors of public key cryptography. Whitfield Diffie states that individuals have enjoyed complete privacy for most of history: In the 1790s, when the Bill of Rights was ratified, any two people could have a private conversation-with a certainty no one in the world enjoys today-by walking a few meters down the road and looking to see no one was hiding in the bushes. There were no recording devices, parabolic microphones, or laser interferometers bouncing off their eyeglasses. You will note that civilization survived. Many of us regard that period as a golden age in American political culture.

Ron Rivest, one of the inventors of RSA, thinks that restricting cryptography would be foolhardy: It is poor policy to clamp down indiscriminately on a technology just because some criminals might be able to use it to their advantage. For example, any U.S. citizen can freely buy a pair of gloves, even though a burglar might use them to ransack a house without leaving fingerprints. Cryptography is a data-protection technology, just as gloves are a hand-protection technology. Cryptography protects data from hackers, corporate spies, and con artists, whereas gloves protect hands from cuts, scrapes, heat, cold, and infection. The former can frustrate FBI wiretapping, and the latter can thwart FBI fingerprint analysis. Cryptography and gloves are both dirt-cheap and widely available. In fact, you can download good cryptographic software from the Internet for less than the price of a good pair of gloves.

Possibly the greatest allies of the civil libertarian cause are the big corporations. Internet commerce is still in its infancy, but sales are growing rapidly, with retailers of books, music CDs and computer software leading the way, and with supermarkets, travel companies and other businesses following in their wake. In 1998 a million Britons used the Internet to buy products worth $600 million, a figure that was set to quadruple in 1999. In just a few years from now Internet commerce could dominate the marketplace, but only if businesses can address the issues of security and trust. A business must be able to guarantee the privacy and security of financial transactions, and the only way to do this is to employ strong encryption.

At the moment, a purchase on the Internet can be secured by public key cryptography. Alice visits a company's Web site and selects an item. She then fills in an order form which asks her for her name, address and credit card details. Alice then uses the company's public key to encrypt the order form. The encrypted order form is transmitted to the company, who are the only people able to decrypt it, because only they have the private key necessary for decryption. All of this is done automatically by Alice's Web browser (e.g., Netscape or Explorer) in conjunction with the company's computer.

As usual, the security of the encryption depends on the size of the key. In America there are no restrictions on key size, but U.S. software companies are still not allowed to export Web products that offer strong encryption. Hence, browsers exported to the rest of the world can handle only short keys, and thus offer only moderate security. In fact, if Alice is in London buying a book from a company in Chicago, her Internet transaction is a billion billion billion times less secure than a transaction by Bob in New York buying a book from the same company. Bob's transaction is absolutely secure because his browser supports encryption with a larger key, whereas Alice's transaction could be deciphered by a determined criminal. Fortunately, the cost of the equipment required to decipher Alice's credit card details is vastly greater than the typical credit card limit, so such an attack is not cost-effective. However, as the amount of money flowing around the Internet increases, it will eventually become profitable for criminals to decipher credit card details. In short, if Internet commerce is to thrive, consumers around the world must have proper security, and businesses will not tolerate crippled encryption.

Businesses also desire strong encryption for another reason. Corporations store vast amounts of information on computer databases, including product descriptions, customer details and business accounts. Naturally, corporations want to protect this information from hackers who might infiltrate the computer and steal the information. This protection can be achieved by encrypting stored information, so that it is only accessible to employees who have the decryption key.

To summarize the situation, it is clear that the debate is between two camps: civil libertarians and businesses are in favor of strong encryption, while law enforcers are in favor of severe restrictions. In general, popular opinion appears to be swinging behind the proencryption alliance, who have been helped by a sympathetic media and a couple of Hollywood films. In early 1998, Mercury Rising told the story of a new, supposedly unbreakable NSA cipher which is inadvertently deciphered by a nine-year-old autistic savant. Alec Baldwin, an NSA agent, sets out to assassinate the boy, who is perceived as a threat to national security. Luckily, the boy has Bruce Willis to protect him. Also in 1998, Hollywood released Enemy of the State, which dealt with an NSA plot to murder a politician who supports a bill in favor of strong encryption. The politician is killed, but a lawyer played by Will Smith and an NSA rebel played by Gene Hackman eventually bring the NSA assassins to justice. Both films depict the NSA as more sinister than the CIA, and in many ways the NSA has taken over the role of establishment menace.

While the proencryption lobby argues for cryptographic freedom, and the antiencryption lobby for cryptographic restrictions, there is a third option that might offer a compromise. Over the last decade, cryptographers and policy-makers have been investigating the pros and cons of a scheme known as key escrow. The term "escrow" usually relates to an arrangement in which someone gives a sum of money to a third party, who can then deliver the money to a second party under certain circumstances. For example, a tenant might lodge a deposit with a solicitor, who can then deliver it to a landlord in the event of damage to the prop