Encryption is available in two main forms: Single key (symmetric) and public key (asymmetric). In single-key encryption--not unlike the simple ciphers designed by children for secret communication with friends--a plaintext message is run through a computer program, and encoded based on a key. A very simple example of this is the ROT13 encoding, used for hiding messages on Usenet newsgroups. In ROT13, each letter in the plaintext message is exchanged with a letter 13 places later in the alphabet (a becomes m, b becomes n, and so on). In the English 26 letter alphabet, this works especially well, since the same computer program can be used to decrypt the message. More elaborate schemes are available--the most well known one being the DES algorithm, developed and controlled by the US government.
Single key encryption is quick, and can be hard to break, but
requires that the sender and receiver of a message meet (or communicate
through a secure channel) before messages are exchanged and agree
on the key. This key exchange requires that all parties that communicate
keep the key secret--if one person fails to do so, the cipher is broken
and can no longer be trusted. (One-time keys, which are discarded when
they have been used, can mitigate this problem).
While private communication is desirable, private/public key encryption is equally useful when done in reverse: If the sender sends out a message encrypted with the private key, anyone with the public key can read it--and be sure that the sender really is the person that sent it. This ability to authenticate the sender of a message is as important as the ability to send private messages: It is equal to a signature on a document, a necessity for electronic commerce.
The two approaches can be combined: If the message is first encrypted
with the receiver's public key, and then with the sender's private key,
it is both private and signed--a property which is extremely important
if the message is a form of contract, for instance a stock purchase order.
There are still weaknesses in the public/private key encryption scheme--for
instance, you have to be sure that the public key someone sends you is
indeed sent by the right person--but they are addressable in a data communication
environment without having to have a separate, secure communications channel.
The US government, at the initiative of the secretive National Security Agency, has branded computer software that enables public/private key encryption with keys more than 40 bits long as "munitions", falling under a law that prohibits export of weapons. (Certain exceptions are made, for encryption programs that can only be used for authentication, and for internal use in international subsidiaries of US companies.) The reason given is that if public/private encryption becomes widely available, the governments ability to monitor the content of computer communication is harmed--meaning that communications monitoring can no longer be used to capture spies and drug dealers.
However, given the speed of electronic distribution, the cat is alread well out of the bag. A now rather famous cryptographer and computer programmer named Phil G. Zimmermann has written a computer program, available for most computers, that implements public/private key encryption, and made it available in the public domain (that is, free for all). The program, called PGP (for Pretty Good Privacy,) does public/private key encryption and also provides some simple means of managing public keys. The program is available from an FTP server at MIT, but requires that the connecting party is within the United States and also is a US citizen.
Needless to say, the PGP program has spread around the Internet as wildfire, and is now available pretty much to anyone who wants it. The source code of the program has also been published by Zimmermann in a book on MIT Press (see below), since its publication (apparently) does not come under the law of export of munitions. Mr. Zimmermann is facing a number of legal challenges (he is searched every time he leaves the United States, lest he smuggles out a diskette), but receives considerable support from lawyers interested in his case, as well as monetary support from people who think the right to private communication comes in under the First Amendment of the US constitution, which guarantees freedom of expression to its citizens. The latest in the badminton match between Mr. Zimmermann and the spooks is that he has written a PGP version which can be used with the NetPhone program, enabling strongly encrypted digital telephone over the Internet.
It should be noted that the question of PGP by no means is the only issue in the debate over the conflict between citizen's right to privacy and the government's need to monitoring communications: The US government has also tried to legislate that all encryption over telephone and data communications networks be done using a government-controlled computer chip called the Clipper chip, which would allow the government to monitor the communication via a "back door". Unfortunately, this is not some fringe political wing or an out-of-touch bureaucrat speaking out of turn, but a seriously considered legislative proposition. Similarly, the EU has recently discussed legislation limiting the access to strong encryption, notably over the protests of international banks.
For governments, there is more at stake than the ability to eavesdrop
on citizens. If private strong encryption with authentication is widely
available, it can enable digital payment forms (barter or digital cash)
which would allow people to drop out of the official economy altogether.
As [Release 1.0] notes, the issue of the Clipper chip is as much a question
of taxation as privacy--it is hard to tax someone when you cannot confiscate
their business records, or even their money.
Public key encryption enables legally enforceable contracts with
little setup time. In current electronic payment situations, the electronic
relationship is set up outside the electonic communciation systems, typically
through a credit card agreement. The credit card company then takes on
the risk of ensuring that the payment is legitimate, using its knowledge
of prior payments and credit histories to mitigate the risk, and taking
a fee (mostly from the seller) for doing so. With public key encryption,
commercial relationships can be set up directly between the seller and
buyer, without a third party. The additional infrastructure requirements
are fairly low: There is a need for a trusted repository of public keys
(which could be set up by almost anyone, since any two people can control
the integrity of the keys between them), and a need for a trusted source
for the encryption application itself, to make sure than nobody has enabled
a "back door" or "master key". (With PGP, this trust is built on openness:
the source code is available for testing and auditing.) Neither of these
institutions are expensive or difficult to set up (the second exists, on
a small scale, at MIT already). The benefits, in terms of reducing credit
card fraud and enabling easy payment systems across borders, would be huge.
The availability, simplicity and usefulness of PGP, makes it unlikely
that any kind of legislation against it would be effective, or even endorsed
in the long run. Rather, the only people with access to encryption would
be the people that the government would want to monitor--"when encryption
is outlawed, only outlaws have encryption". Companies with international
connections should get involved in making public key encryption widely
available, and lobby against legislation limiting its use. As the situation
is today, large international companies, possibly the new technology's
biggest beneficiaries, are currently the only companies who are really
limited in their ability to use it.
The PGP software program can be found at ftp://netdist.mit.edu/pub/PGP/. The public domain version of PGP is for personal and non-commerical use only. To buy or licence the product, contact ViaCrypt (email: firstname.lastname@example.org, US phone: (602) 944-0773). People outside the United States can find an "international" version of PGP created by Ståle Schumacher Ytteborg at http://www.pgpi.com. This page also has lots of information about the legal, political and technical sides of PGP.
For a listing of security products available for commercial purposes, a good place to start is Trusted Security Systems' worldwide product survey, which can be found at http://www.tis.com/crypto/survey.html.
[Give Feedback][Home page][Serious papers][Humor papers][Norwegian papers]