
Why You Should Use Encryption

Do you know it's easy to intercept email, and many phone switches have built-in wiretaps?
Find out why you should use secure encryption and where to get it.

You may think that encryption is the stuff of spies and paranoid kooks. It's a mysterious thing, the US Government says it promotes crime, and it takes some work to use it. Why, you may ask me, is it worth your while to use secure encryption?

Have you ever written a personal letter to a lover and sent it via email? Did it contain embarrassing sexual tidbits? How about pet names? Or have you ever discussed your company's negotiating position on a big deal with a coworker over email?

Do you work on a political campaign, or with a political activism group? How would you feel if the opposition knew your strategies? Remember the Watergate break-in? Richard Nixon, the president of the United States, hired some folks to break into the Washington offices of the Democratic National Committee and bug the telephones there. They were only caught because of an alert security guard. Imagine they could tap the phone without breaking in!

Kathleen Ellis, in "White House Subcommittee Endorses Crypto Reform. Will Someone Please Listen?", points out:

The human rights issue is a valid one within the debate on U.S. encryption policy. The American Association for the Advancement of Science's Cryptography, Scientific Freedom, and Human Rights program trains human rights workers to use encryption technology in countries like Guatemala and China, where oppressive governments have a way of making insurrectionists disappear. A letter from AAAS to the House of Representatives Committee on International Relations states that "human rights activists are killed, tortured, disappeared and jailed for trying to expose horrendous abuses...[they] use encryption to protect themselves, the victims and eyewitnesses they are interviewing, and human rights colleagues around the world when they communicate sensitive information on grave abuses of human rights."

New October 26, 2001, President Bush signs into law the antiterrorism bill, a sweeping assault on our civil liberties. Read my letter urging you to Protect Your Rights with Encryption. Please forward the mail to anyone you feel might benefit from it, or give them the URL

When you send an email, do you realize that it can easily be read...

Do you know that if you speak on the telephone with anyone in the United States, the telephone switching equipment at the phone company offices has wiretaps built into it for easy access by authorities - or actually anyone with the password, such as maintenance personnel? These wiretaps started appearing after the US Congress passed the Digital Telephony Act, because of complaints by law enforcement that modern digital telephone systems were becoming harder to tap.

Through the use of secure encryption, you can prevent interception of your personal messages and important business correspondence at every point along their path. You can get free and secure voice encryption software - Speak Freely - for Windows and Unix to scramble your verbal discussions, with the added benefit of cutting your long distance bills.

When you get an email from someone, how do you know they sent it? It's very easy to type whatever you want for the return address in an email program. With some work, any crafty hacker can hide even subtle clues of where an email came from.

Suppose your boss wrote you an email telling you to commit to a business deal in which your company will pay $100,000 for some expensive product or service. What if that email was actually sent by someone just playing a prank? Or someone trying to get you in trouble?

With a particular kind of encryption called digital signatures, you can authenticate an email - ensure that it was written by the person it claims to be from, and also that it has not been tampered with or damaged during transmission. You can even sign contracts or spend cash over the net with digital signatures.

How Do I Use Encryption

It is important that you use quality encryption software. There are some encryption programs out there that either do not use secure techniques, or that are buggy. Simply hiding your files with a password doesn't necessarily provide security. It is important that the method of security has been properly examined and tested by experts, that the methods of encryption are publicly known, and that the software is of high quality.

A good introduction to email encryption is provided by the government of Ontario, a province of Canada. Click here to read Email Encryption Made Simple. Note - that link was broken for a long time. I just fixed it.

For email and file encryption, I recommend Pretty Good Privacy. PGP uses several encryption methods that are known to be secure. Also, the source code to PGP is publicly available, which allows programming and encryption experts to examine it and search for "back doors" and bugs. PGP has been in use for many years and is highly regarded in the cryptographic community.

It is also available for free under certain conditions. There is a version for international use, which is available at http://www.pgpi.org. The commercial US version, which is free for noncommercial use, is available from Network Associates, at http://www.pgp.com.

If you're in the United States, you can also purchase PGP on CDROM from Network Associates. I'm afraid that PGP is a pretty full-featured program and so the download file size is quite large. (Let me know if you know where to get it on CD outside the US.)

When you use PGP, you first generate a "key pair". There is a public key, which you give out to anyone (you can post it on your web page, as I do here), and a secret key, which you keep only on your own PC and back up in a secure place.

Anyone can send you a private message by encrypting it with your public key. Only you can decrypt the message, because only you have the private key. To keep the private key safe, it is kept encrypted itself on your hard disk. Each time you use it, you enter your "passphrase", a long password which you make up yourself and tell no one.

You can send anyone a digitally signed message by signing it with your secret key. Again you enter your passphrase, and you get a document which has the original text plus a block of code text. Anyone can check that the document came from you by testing it with your public key.

For example,


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is what a digitally signed email looks like.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN79D7yDoDQv3YFeGEQIHgACfXtjDgCULwXD9i4w0sAAl8FQjiD0AnjOe
/jgS9+rt0NL/9Zhf92TOaS+A
=n8Lf
-----END PGP SIGNATURE-----

When you paste this message into PGP, it recognizes the signature block and checks the information in it against the text and the sender's public key.
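The check described above begins with reading the signature block. As an added example (not part of the original page and not PGP's own code), this Python script splits the sample message and decodes the fields of its version 3 signature packet. It only inspects the block: verifying the signature needs the signer's public key. The function names are this example's own.

```python
import base64
import re
from datetime import datetime, timezone

# The clear-signed sample from this page, embedded so the example runs offline.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is what a digitally signed email looks like.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN79D7yDoDQv3YFeGEQIHgACfXtjDgCULwXD9i4w0sAAl8FQjiD0AnjOe
/jgS9+rt0NL/9Zhf92TOaS+A
=n8Lf
-----END PGP SIGNATURE-----
"""
CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?P<hdr>(?:[^\n]+\n)*)\n(?P<text>.*?)\n"
    r"-----BEGIN PGP SIGNATURE-----\n(?:[^\n]+\n)*\n(?P<b64>.*?)\n=(?P<crc>\S{4})\n"
    r"-----END PGP SIGNATURE-----", re.S)

def crc24(data: bytes) -> int:  # checksum behind the '=XXXX' armor line
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def inspect_clearsigned(message: str) -> dict:
    """Split a clear-signed message and decode its version 3 signature packet."""
    m = CLEARSIGNED.search(message.replace("\r\n", "\n"))
    if m is None:
        raise ValueError("not a clear-signed message")
    pkt = base64.b64decode("".join(m["b64"].split()))
    # Old-format header octet 0x88/0x89: tag 2 (signature), 1- or 2-octet length.
    body = pkt[2 + (pkt[0] & 3):]
    if pkt[0] not in (0x88, 0x89) or body[0] != 3 or body[1] != 5:
        raise ValueError("expected an old-format version 3 signature packet")
    declared = re.findall(r"^Hash:\s*(\S+)", m["hdr"], re.M)
    hash_name = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}.get(body[16], "unknown")
    return {
        "text": m["text"].strip(),
        "signature_type": body[2],           # 0x01 = signature over a text document
        "created": datetime.fromtimestamp(
            int.from_bytes(body[3:7], "big"), timezone.utc).isoformat(),
        "key_id": body[7:15].hex().upper(),  # which public key to verify with
        "pubkey_alg": body[15],              # OpenPGP IDs: 1 = RSA, 17 = DSA
        "hash_alg": hash_name,
        "hash_header_matches": hash_name in declared,  # armor header vs. packet
        "armor_crc_ok": crc24(pkt) == int.from_bytes(base64.b64decode(m["crc"]), "big"),
    }

if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in inspect_clearsigned(SAMPLE).items()))
```

The key ID tells the recipient which public key to fetch. A mismatch between the `Hash:` header and the packet, or a failed armor checksum, means the pasted block was altered or damaged before verification is even attempted.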

It is also possible to digitally sign something and then encrypt it, so you can keep it private but the recipient can be sure it came only from you.

Cryptography and the Government

For a long time, mainly before the common use of computers by the public, cryptography was used only by governments to protect military and diplomatic messages, and by banks to protect and authenticate financial transactions.

It used to be kept out of the public eye. For example, the United States National Security Agency was founded in secrecy and for decades its very existence was secret. (Now that it has had to acknowledge its existence, it has an interesting cryptological museum, which can be viewed on the web.)

There was an important reason to keep cryptography a secret. Early cryptographic tools were not very secure and governments didn't want to tip off the enemy that their messages were being intercepted.

For example, the "Enigma" machine, which was used by Nazi Germany, was cracked by Alan Turing's team at Bletchley Park in England. The British knew when German ships were to sail and could protect their own convoys as a result. Had the Germans known that the British broke their code, they would either have not sent messages over the radio or invented a more secure technique.

The National Security Agency, and similar agencies in other countries, don't just create codes for use by their governments; they also break them - this process is called cryptanalysis. By using cryptanalysis on our own ciphers, the NSA is able to keep US ciphers particularly secure, and they also intercept communications from other countries.

But it is a tremendous amount of work to decipher encrypted messages, even when you do know how the encryption algorithm works. In many cases it is not possible at all, not even with the most powerful computers.

Because of this, those who would intercept our messages know that the most effective way to read a message is for it not to be encrypted at all. Alternatively, it is OK for the investigators if the message is encrypted by a weak method - and so they must be very careful not to let anyone know when a method is weak.

In the event that the public wants to use encryption, it is in the interest of those who would read our private correspondence to encourage the use of weak encryption methods.

For example, the NSA promoted the use of the 56 bit Data Encryption Standard long after computers had become powerful enough to break it by brute force searches for keys - and interestingly they used the argument that alternative stronger techniques were not to be trusted, without actually explaining why.

The United States has been in the forefront of cryptographic techniques from the fifties until now. In order to prevent other countries from having access to effective encryption that the NSA would not be able to intercept, the United States made it illegal to export secure encryption devices without an authorization that is extremely difficult to obtain.

In fact, encryption devices are classified as weapons by the United States and to export them requires a license issued by the Department of State. Each particular instance of export requires a separate, very onerous license application, and the applications are routinely denied.

Modern technology has rendered this practice completely absurd. It might have made sense when encryption was done by expensive, secretly developed hardware. But encryption is now most effectively done by computer software, and software is easily shipped across national boundaries via the internet or on floppy disk via postal mail.

And interestingly, you can't ban the export of a book, because a book is a form of free speech, and free speech is protected by the First Amendment to the United States Constitution. So when a new version of PGP becomes available in the United States, its source code is simply published in book form and mailed overseas, where the source can be retrieved by scanning it and using inexpensive optical character recognition software to convert the printed pages back to machine-readable program text files.

On my bookshelf is an attractive hardbound volume, PGP Source Code and Internals, by Philip Zimmermann, published in 1995 by the MIT Press. I paid $60 for it at the Computer Literacy Bookstore in San Jose, California and found it a convenient reference when I was working on an encryption program of my own.

And of course, there is no shortage of mathematical and computer talent outside of the United States. The IDEA encryption algorithm used by PGP was developed by IBM in Switzerland. And the public domain Speak Freely internet telephony program, which includes a choice of several secure encryption methods, can be downloaded at no charge for Unix and Linux or Windows from Switzerland. (Source code is available; I'm working on a Be operating system port)

Sun, a major Unix hardware and software vendor, caused a lot of consternation with the US Government when it contracted with a Russian firm to develop encryption products for sale worldwide. Because the products would be developed and shipped from other countries, there is no way the feds could control this. I'm not sure what's happened with this.

There are hundreds of encryption products available, some as commercial software and hardware products, and some for free. It is a very vigorous growth industry. US companies such as Microsoft, Apple and Sun would like to be able to compete in the encryption arena, but are unable to do so in a realistic way because the export controls only permit encryption so weak that it is laughable when compared to many of the products readily available overseas.

Different governments have very different ideas about whether the public should use secure encryption. It may be illegal for you to use encryption at all in your country.

You can find out about laws in your country at the Crypto Law Survey.

The government of Ontario is now actively encouraging everyone to use cryptography. See Ontario Promotes Private Crypto from Wired. They even provide this easy to read guide, Email Encryption Made Simple.

This is quite a different attitude than is taken by the United States Government. As part of the debate over a law to allow Americans to export software products as good as those commonly available overseas, the United States House of Representatives Armed Services Committee and Permanent Select Committee on Intelligence said:

Child pornographers could distribute their filth unimpeded, ... Pedophiles could secretly entice the children of America into their clutches. Drug traffickers will make their plans ... without the slightest concern that they will be detected. Terrorists and spies can cause unspeakable damage without even the possibility of being stopped before it is too late.

A more cogent discussion of the actual effects of encryption on real criminal investigations is given in a memorandum submitted to the British Parliament by Cyber Rights and Cyber Liberties, a group that promotes public interest issues involving computers such as online privacy and encryption.

Basically, the criminals and terrorists who might want to use encryption already have secure methods, or just might not choose to communicate electronically. Further, investigators have plenty of techniques at their disposal to catch crooks without decrypting their communications. It is not the criminals who would be restricted if secure encryption is made illegal - it would be the common people.

Especially worrisome to me is the Cyberspace Electronic Security Act, recently proposed by the US Justice Department, which would allow investigators to secretly break into homes and offices and plant software hacks that would defeat encryption software. See Feds seek authority to secretly crack personal computer codes at SFGate.

Law enforcers would have the authority to secretly crack the security codes of crime suspects' home and office personal computers, under a Clinton administration plan reported today in The Washington Post.

The Justice Department has drafted legislation that, if approved by Congress, would allow federal agents to obtain search warrants from a judge to enter private property, search through computers for passwords and override encryption programs.

I think that this law is especially insidious, because it would allow authorities to break your privacy while allowing you to think that you remain secure. Examples of how this might be done would be to break in and steal your private key and then install keystroke recorders that would intercept your passphrase and forward it to the authorities the next time you connected to the Internet. After that they could read all the messages sent to you.

Another possibility would be to install a small "patch" to your encryption software so that instead of using a new "session key" for each email sent, it would always use the same one. That way the authorities could read each email you sent to anyone else. The emails would all still appear properly formatted so no one would suspect.

Thus you would go on writing down your most private thoughts and plans while the government is recording all of it for their own use.

The legislation specifically protects law enforcement authorities from having to reveal the techniques they used to defeat the encryption even when asked to do so in a civil or criminal trial:

2717. Protection of confidential information

(a) Confidentiality of access techniques.-In any civil or criminal case where a party seeks (1) to discover or introduce plaintext that had been encrypted or protected by other security techniques or devices, and which plaintext had been obtained using government methods of access to such protected information, or (2) to discover or introduce evidence or information concerning government methods of access to such protected information, an attorney for the government (as that term is defined in the Federal Rules of Criminal Procedure), whether or not the government is a party, may file, ex parte and in camera, an application requesting that the court enter an order pursuant to subsection (b) protecting the confidentiality of the technique or mechanism that provided access to that evidence or information.

The fact is, criminals who really wanted to protect their data could easily defeat this by keeping their hard disks or laptops in a safe. Or simply by not recording information on a computer.

But people who had no ill intention, but whom the government wished to harass in some way, might not know to take such care, and would fall prey to these nefarious schemes. The history of the United States and many others is filled with examples of government authorities exceeding their authority to harass those who would work for social change. Remember the blacklists of the 1950's or the repression - even murder - of antiwar activists during the 1960's.

I feel the basic problem here is that the law enforcement community feels that it is their right to collect any evidence they want during an investigation, no matter what they have to go through to obtain it. I feel that is wrong, and I believe instead the government should recognize - perhaps through explicit legislation or a constitutional amendment - that the people have a basic right to privacy and there simply must be limits placed on the investigators.

Just because computers make it hard to conduct an investigation doesn't justify passing laws to give those who would wish to control us any means to do so.

If you agree with me, and wish to work to stop this and similarly ill-intentioned legislation, in the US or elsewhere, please contact your legislators and explain your feelings. Also contact:

And follow the links below to get your encryption software - PGP for email and file storage, and Speak Freely for scrambled voice communications over the net. (Even without using the encryption option, Speak Freely will save you money by allowing you to talk worldwide over the Internet without paying long distance telephone charges.)

Links

Here are some links of interest to information and software on cryptography, and public issues discussions.

Anonymous Coward writes at Slashdot:

When I was in the Army, we didn't even have encryption; I had to write every secret message in blood on the single piece of toilet paper allotted to me for a day's biological evacuatory activities, wipe my arse over it to obscure the text, and wrap the paper three times around an irregular stick before Fedexing it over enemy lines. You kids today, you don't know the MEANING OF PAIN! Where's my gun.
