Three decades
>>>"Here we are, three decades later, and strong crypto is everywhere,"<<<
Here we are, three decades later, and governments still don't want us to have strong crypto.
Encryption and verification package Pretty Good Privacy (PGP) has celebrated a troubled 30 years of securing secrets and giving cypherpunks an excuse to meet in person, with original developer and security specialist Phil Zimmermann toasting a world where encryption is common but, he warns, still under threat. "It was on this …
"governments still don't want us to have strong crypto."
But we already have it. It is out in the open. The cat is out of the bag. The horse has bolted. Put a fork in it. The milk has not just been spilled, it has been dumped. The worm can is empty. Etc.
The .govs of the planet are delusional if they think it can be erased at this point. It's time for them to stop wasting our tax dollars on this and move on to something else.
I vote, and I'm known to my elected officials. Can you say the same? Make your collective voices known!
When Phil was being harassed by the US Gov’t goon squad there was a legal defence fund setup that by buying a T-shirt with the algorithm on it you contributed. I wore it proudly to conferences and through airport security regularly to taunt officers.
I use OpenPGP on all my devices still to this day!
I wore the PGP-in-perl T-shirt out of and back into the USA on maybe a dozen flights from '91 to '93 without anybody even blinking at me funny. Later, I occasionally carried a copy of Bruce Schneier's "Applied Cryptography" book containing source examples in the text (which did not fall under the export restrictions) and the disk containing the very same source, which was bound into the cover (and very definitely did fall under those restrictions).
This kind of security theater may be worth the paper it is printed on, but not much more.
I stopped trying to get arrested on principle when I grew up and had a kid of my own to take care of. Priorities & all that. Today, she tells me I shouldn't have wimped out ... but she did take the shirt and the book into "show and tell" occasionally, as examples of governmental stupidity.
My Grand daughter (not quite 11 yet) wanted to do the same show and tell, with the same shirt and book ... and then snip off a corner of the shirt to turn into gun cotton to demonstrate how easy real munitions are to make. I nixed cutting up the shirt (too many memories), and recommended snipping a bit off of another tshirt instead. Her school nixed that option, because children aren't supposed to know such things, and IT WOULD BE DANGEROUS!!! (the school's CAPS and punctuation). Model rocketry is banned for the same reason, much to her deep dismay.
Just ten years old and she's already on "watch list" for her school district because she knows too much. What kind of useless milquetoasts are her generation going to become, anyway?
I was in Canada on the weekend when Phil Zimmerman released his iconic software and I bought 20 or so T-shirts, folded them inside out and later they all departed overseas.
I still have a couple of the original T-shirts. I had a hundred or so printed (very cheap here in South-East Asia) and gave them out to people who asked knowledgeable questions.
Many people owe employment opportunities to Phil, even NSA and GCHQ sub-contractors who were hired to crack Phil's work.
Thank you Phil!
Just ten years old and she's already on "watch list" for her school district because she knows too much. What kind of useless milquetoasts are her generation going to become, anyway?
Conversely, idiot school administrators banning these things (and punishing students for offenses such as biting a Pop-Tart into a gun shape) will thereby make them more attractive to many students who might otherwise dismiss them. There's nothing like forbidding knowledge to encourage people to acquire it.
Of course, it's still a problem, particularly for students whose families don't have the sociopolitical power to deal with any adverse consequences. But I have a couple of granddaughters, and a couple of sort-of-in-practice-if-not-biologically-or-legally grandsons, in that general age range, and I think they're going to do Just Fine. With plenty of encouragement and support from the adults closest to them, of course.
While RC4 is deprecated these days (too many higher-order correlations, plus the inevitable risks of using a stream cipher incorrectly and the lack of an AEAD mode), one of the great things about it was it was so short and simple. It could easily be printed on a t-shirt or even a napkin. Hell, it's pretty trivial to memorize.
In fact, that's one of the things I really like about RC4. It's great for demonstrating the inobvious nature of cryptanalysis. The algorithm is very easy to understand, and when you do it seems "natural": it's easy to see the purpose of every aspect, there are no magic constants or other features that are difficult to explain. That makes its flaws surprising. (How can there be higher-order correlations? Where's the structure? What does it arise from?) It's a great educational tool.
... was because S/MIME was so terrible. If you ever tried to use encrypted email back in the day then you'd enjoy such delights as:
1. Realising you had to pay for your encryption key, and CAs were going to shake you down
2. A key which expired every 6-12 months and had to be replaced
3. Abysmal integration in email products. Support in Outlook/Outlook Express/Netscape was bugridden & barely usable through lack of testing.
4. Encryption was super slow
PGP wasn't perfect but it revolutionised crypto by
1. Making key generation free. If you needed trust you could build a web of it.
2. Initially splitting the crypto out of the email so the email software couldn't screw it up
3. Later providing plugins for better integration
4. Spawning GPG and similar tools.
I'm actually sad that PGP didn't revolutionise web crypto while it was at it - allow anyone to create a key and integrate the web of trust concept on the top of it instead of a rigid all-or-nothing CA.
1. Realising you had to pay for your encryption key, and CAs were going to shake you down
You don't pay for the key, you pay for a certificate.
The trouble with the PGP approach is that in order to know that you can trust someone's key -- that is: be sure that you have a key that really belongs to the person with whom you wish to correspond -- you need to get the key from someone you both know and trust (that may be a keyserver, or may be an individual). That's often not a trivial task.
A PKI system (a la S/MIME) relies on keys that are signed by entities that are generally (rightly or wrongly) regarded as trustworthy. These Certification Authorities are well-known, and their own keys are easily looked up (or are already known because they are distributed with your browser, etc). The key certificate tells you who issued it, so you only need to verify against that one CA, rather than consulting half the PGP keyservers on the planet until you find one that has the right key.
Yes, these CAs tend to be commercial entities who ask to be paid for issuing a certificate. Some certificates are issued with no guarantees, and they tend to be (fairly) inexpensive, other certificates come with financial guarantees of protection against fraud if the certificate is relied upon (backed up by insurance policies, for which a premium must be paid).
It doesn't have to be that way. There are many entities one deals with on a regular basis that have an interest in being able to communicate securely -- your government, your bank, the Post Office, your employer -- and any of these could issue certificates for their own convenience and that of their correspondents.
Imagine: Your national ID card (OK, we don't have those in the UK, but just about everyone else does) could contain a security chip that could generate a private key securely on the card. You could send the corresponding public key to HMRC or the DHSS or whoever got the job of managing secure communications with the public and they would send back a certificate that you would store on the card alongside the private key. Whenever you wanted to send a signed or encrypted message you could insert your ID card into a card reader connected to your computer, enter a PIN (so only you could use your key) and the software would so the necessary.
The technology is all there ... there just aren't any public service CAs (probably because government doesn't want us to use strong crypto)
2. A key which expired every 6-12 months and had to be replaced
It's a good idea for keys to have some expiry date, so that they become invalid before the technology/key length becomes too easy to break. The validity period shouldn't be too short, though, that is just CAs milking the system.
3. Abysmal integration in email products. Support in Outlook/Outlook Express/Netscape was bugridden & barely usable through lack of testing.
Microsoft never really understood security -- I hope they're getting better at it. Good integration of security into products won't come until security is seen as a basic function for everyone, rather than a tiresome add-on for the few.
Hats off to Phil Zimmerman for producing an encryption system that worked within small communities without an infrastructure to support it ... but for widespread use the infrastructure is necessary.
Actually you're paying for the private key and the certificate that encapsulates the public key which is signed by another key or by the private key. But for brevity I said key.
And as far as trust goes, there would be nothing stopping a CA from selling its services and signing a PGP key just like they do now for certs. There would also be nothing stopping multiple CAs from signing a key if a site wanted that. And for random sites, they might prefer to have their site signed by their wholesaler, bank, accountant, business federation or whatever. Those keys might be signed by other signers which could lead back to a CA. Browsers could also ship some of these signatories if they wished just like a trust store.
But unfortunately it didn't happen. So now CAs are the problem and we have workaround bodges like Lets Encrypt trying to shoehorn themselves into a fragile system that wasn't designed for it.
Actually you're paying for the private key and the certificate that encapsulates the public key which is signed by another key or by the private key. But for brevity I said key.
Still wrong.
If your CA is generating your key pair, You're Doing It Wrong. You should be generating the key pair and sending a CSR to the CA. The CA should never have possession of the private key.
And you don't have to pay for a certificate, either. If you're using a self-signed certificate (which I assume is what you meant by "the certificate ... is signed .. by the private key"), then there certainly shouldn't be any CA involved, and so no charge. Even if you have a CA-issued certificate, there isn't inherently any cost; if you're paying, it's for the privilege of participating in the CA's PKI. There are S/MIME deployments within organizations and consortia that manage their own PKI and thus have no reason to charge.
Indeed, there's no reason why a bunch of people can't cooperate on a PKI, which makes this aspect of S/MIME exactly equivalent to PGP's Web of Trust, in the simple model. And, in fact, PKIX allows other types of PKI graphs, so it's more flexible than the PGP Web of Trust PKI.
PGP is important for many reasons, and the Web of Trust PKI, while it has huge problems with scaling and sparse graphs, works for many purposes under many reasonable threat models. But S/MIME's use of PKIX trivially degrades to be functionally identical to the WoT, while offering a variety of alternatives to handle other use cases. This is a false distinction.
Conversely, there are many things wrong with PKIX, starting with the many (many) things wrong with X.509. But this isn't one of them. You're complaining about a particular use case which isn't even available with the WoT (even as augmented by keyservers, which are problematic in themselves). Apples and oranges.
Actually you're paying for the private key and the certificate that encapsulates the public key which is signed by another key or by the private key. But for brevity I said key.
No! You should be generating the keyset (public and provate keys) yourself and keeping the private key securely where nobody else gets to see it. It really is supposed to be private. What you may have to pay for is the certificate, which depends only on the public key.
And as far as trust goes, there would be nothing stopping a CA from selling its services and signing a PGP key just like they do now for certs.
Quite so ... though PGP's concept of a Web of Trust rather suggests a community in which members sign each other's keys for the common good. Methinks a paid-for signing scheme would not fit well into that philosophy.
It's important to appreciate that the difference between PGP and a PKI is as much to do with philosophy as with the difference in software and data formats. You can build a PKI around PGP, just as you can use self-signed X.509 certificates to form a Web of Trust -- by why would you?
So now CAs are the problem ...
The problem isn't CAs. The problem is that most people don't understand that unsigned EMail could have come from anyone, and don't understand that unencrypted EMail could be read by anyone ... and don't understand that there is something that they could do about it. The issue needs to achieve more public recognition, and security needs to become accepted as a commonplace part of doing business online.
As an Englishman living abroad I can already use the identity card of my adopted country, via a reader, to securely send and receive information with governments and banks.
You can challenge the level of security but there are no current reports of the security being broken. So one arm of government loves encryption while another hates it :-)
A key which expired every 6-12 months and had to be replaced
What part of the S/MIME standard do you believe requires this?
Encryption was super slow
An implementation issue. This has nothing to do with S/MIME itself.
I drove a Buick once. It wasn't very good. Therefore all sedans are terrible, and everyone should drive pick-up trucks instead.
I should think that all victims of ransomeware are sick to the back teeth of strong encryption.
Also I noticed the reference to Liberal Democracies attempting to put the toothpaste back in the tube. My emphasis, but the point is that if that is what is voted for then the likes of Zimmermann are going to have to accept and work with the result. Otherwise it won't be a democracy any more.
These restrictions were a paper law that only affected US citizens and companies. Even browsers of the day would accept stronger certs in "international" versions of their products. So it wouldn't have impacted some Russian ransomware gang who could have happily used any length key or algorithm they felt like.
@Jake
What?? Even if they were ACTUALLY stupid?
Ref: Equifax, Deloitte, and lots of other breaches...that we know about. Surely these businesses are in a business where stupidity is a serious risk to their customers.....you know, the customers paying for the service and expecting a secure service.
I guess you get sick far too easily.....see a doctor!
Hello,
I was working at McAfee Associates office at 1900 Wyatt industrial park (long since converted to more expensive real estate) on June 5th, 1991 when "K" showed up at our office, asking to make use of our internet connection. "K" was, well, not so much a friend of Mr. McAfee, per se, but an acquaintance who was heavily involved in mainframe and workstation security (Amdahl, Sun, etc.) and would later go on to be active on the original cypherpunks mailing list. A military vet, "K" took his security seriously, to the point of rigging his van with a groovy green metallic paint job to electrocute anyone who touched it with a 50,000 volt system.
Anyways, "K" drove up in the late morning (might have been around lunch time, even) and ran into the office with a floppy diskette in his hands, saying he urgently needed to speak with Mr. McAfee, who wasn't there at the time. He ended up going back to speak with "M," the developer who wrote all of McAfee Associates' algorithmic detections, disinfectors and other low-level things that had to be coded in assembly. "M's" office, a repurposed janitorial closet, was right outside my office, a repurposed hallway, so I got to listen to their discussion of public and private keys, elliptical curves, and that it was completely urgent that "K" make use of our connection to Netcom, a local ISP, in order to upload this revolutionary (in the more traditional sense of the world) software before it was outlawed by the government.
After a couple of uploads to open ftp servers run by universities outside of the United States, "K" drove away to go to the next company on his list and repeat the process of uploading that first version of PGP to a couple of servers outside the U.S., and repeat.
I had let Mr. McAfee know about our visitor, who came into the office later that afternoon brandishing a South African "street sweeper" style riot shotgun with a huge drum clip slung below it--I'm not sure of the model, it looked like an oversized M-16 to me. Anyways, Mr. McAfee then proceeded to sweep the entire office, ducking around corners before entering rooms and hallways, etc. Lest anyone be concerned, I would note that Mr. McAfee did keep his finger off the trigger, and kept the barrel vertical--he always had good trigger discipline. Finally, he came back to the front of the building (towards where his office was), let the ten (or so) of us employees know that he had swept the building and "K" was no longer present in it, and then proceeded to go into his office, place the shotgun in a corner, and begin his work day. All in all, it was a very Mr. McAfee thing of him to do.
Regards,
Aryeh Goretsky