РефератыИностранный языкPGPGP Essay Research Paper PGPstands for

PGP Essay Research Paper PGPstands for

PGP Essay, Research Paper


PGP


stands for "Pretty Good Privacy." It is an encryption program. What


encryption does is hide information from people who do not know the "secret


word" to reveal the information. Louis J. Freeh, the Director of the


Federal Bureau of Investigation, says the honest have nothing to hide, and only


criminals would use encryption. The honest, goes the implication, have no need


of encryption. Let us think about that, for just a minute. The honest have no


need of encryption: they can live completely open lives, and this is desirable.


Their virtue is their defense. This is an attractive argument, but let us see


where it takes us. By this same reasoning, the honest have no need of shades on


their windows. The honest have no need for bathroom doors — or front doors, for


that matter. The honest have no need to seal the envelopes into which they put


their letters or their bill payments. The honest have no need to take their


credit card receipts — complete with account number, expiration date, and


signature — but should just leave them at the sales counter for whoever needs a


piece of scrap paper. The honest have no need to look at anything anyone asks


them to sign, but should just sign. The honest should publish their medical


records in their local newspaper. The honest should have their social security


numbers and birth dates on their checks, along with their names and addresses.


The honest should write their PINs on their ATM cards. I think we can imagine a


world where being "honest" as in these examples would be, shall we


say, "differently clued." I also think that world could easily look a


lot like the one in which we live. Virtue is a defense, and a good one. But


virtue is a defense against false accusation — not victimization. One would


think the FBI could tell the difference. That I use encryption does not mean I


am a criminal. It means I recognize that there are people about who are, or


could be tempted into being, less than perfectly honorable. This recognition has


a name. It is called "prudence." It is a virtue. What I find truly


amusing, though, is that while the FBI argues that I must be a criminal if I use


encryption, the Privacy Act of 1974 requires that I use it if I interact with


the government. The Privacy Act of 1974 imposes the legislative requirement on


all government agencies to: establish appropriate administrative, technical, and


physical safeguards to insure the security and confidentiality of records and to


protect against any anticipated threats or hazards to their security or


integrity which could result in substantial harm, embarrassment, inconvenience,


or unfairness to any individual on whom information is maintained. The Federal


agencies, of course, in turn impose this requirement on their vendors. For


example, the Health Care Financing Administration, through its rule making body,


requires all health care organizations accepting Federal funds (including


Medicare, Medicaid, and Children’s Health Insurance Program) to use, at a


minimum, 112 bit symmetric key encryption and 512 bit asymmetric key encryption.


The FBI says only a pedophile or terrorist would use encryption of this


strength. When information is confidential, using encryption is not furtive: it


is responsible. We do not normally confuse "prudent" and


"criminal," or "responsible" and "furtive." That


the Clinton administration consistently cannot tell the difference between these


when it comes to encryption is curious. That the Clinton administration feels


the need to convince the rest of us that there is no difference is absolutely


fascinating. The only explanation that springs to mind is that the Clinton


administration has a difficult time distinguishing between "public"


and "private," or imagining that anyone could have a legitimate


secret. Given the number of Clinton administration illegitimate secrets that


have been exposed — certain adult activities in the Oval Office, and certain


failures to notice espionage by foreign powers that happen to make large


campaign contributions, for example — I suppose I can understand this point of


view. I do not agree with it, however. It may be that the existence of a pair of


underwear may give the Clinton administration an uncontrollable urge to rummage


around in them. I can imagine the sympathy the Clinton administration has for


someone who really wants to rummage around in someone else’s shorts, and cannot.


But I believe most people would understand that an urge to rummage around in


someone else’s underwear should be suppressed, not made a "right"


under law. Maybe after they outlaw encryption, they will outlaw belts — after


all, belts block access to people’s shorts. "Only someone with something to


hide would use a belt. What is wrong with them? Are they ashamed of what is


inside their pants?" I do not have to be ashamed of what is inside my pants


to decline to show it to you, thank you very much. It says right here in the


Constitution: "The right of the citizen to be free of others rummaging


around in his or her shorts shall not be abridged." Well, actually, it does


not say that, but apparently it should. Perhaps that would be language the


Clinton administration could understand. Ah, but, the argument goes, encryption


may prevent the exercise of purient curiosity, but it also prevents law


enforcement from gathering evidence. Well, this is indeed a concern. None of us


wants criminals and scofflaws to have no fear of law enforcement. However,


encryption in fact does not prevent law enforcement from gathering evidence.


There has not been a single case where encryption has prevented law enforcement


from obtaining a conviction. Not one. Zero. Zip. Nada. This is because


encryption merely raises the bar on obtaining information — it does not prevent


it. And it raises the bar only for the criminal and the curious, not for law


enforcement. Encryption does not encumber action of law: search warrants are not


prevented by encryption; subpoenas are not prevented by encryption;


interrogation is not prevented by encryption. Then the argument goes, but what


if there is no evidence other than the encrypted data? As Freeh says in his


testimony before Congress, Police soon may be unable through legal process and


with sufficient probable cause to conduct a reasonable and lawful search or


seizure, because they cannot gain access to evidence being channeled or stored


by criminals, terrorists and spies. Clearly, this is not desirable. But, let us


think about this, for just a second: how could that be? If the only evidence of


my criminal activity is encrypted data on my computer, it must be some awfully


strange criminal activity. I cannot have stolen anything, for example, the Mona


Lisa: the Mona Lisa is on a block of wood, and it is difficult to encrypt a


block of wood. I cannot have threatened anyone, say, my sister: threatening my


sister would be rather ineffective if no one knew about it. I cannot have killed


anyone: a body and a weapon cannot be encrypted. I cannot have evaded taxes by


concealing income: the bank has to know about my ill-gotten gains for me to


write a check against them. I cannot even have committed copyright infringement:


I need to make illicit copies of something to do that, and if they are all


encrypted their market value is low. Seriously: what possible crime could there


be where the criminal could encrypt all the evidence? Or even enough evidence to


prevent conviction? So, then, why is the Clinton administration so


anti-encryption? It has to be that it just likes rummaging around in other


people’s shorts — or thongs. There really is no other explanation that makes


sense. Encryption does not prevent law enforcement from enforcing the law. What


it does do, however, is keep nosy neighbors’ noses out of my business. If there


is a leg

itimate need to know the information, the neighbor can force the issue


in any number of ways: complain about me to the police, sue me and go through


discovery, subpoena my employer, and so forth. But if it is just purient


curiosity, they are out of luck. And I really feel no need to satisfy someone


else’s purient curiosity. Wink, wink, nudge, nudge — what’s it like?, as the


Monty Python sketch put it. I am just a normal person. I am not even


particularly privacy conscious: I never go around in sunglasses, a trenchcoat


with the collar turned up, and a hat pulled down. I do not have a second


identity and a bank account in Euros. When someone asks me who I am, I tell


them: I do not invent a name for "privacy." I am just a person — a


person who uses envelopes for my mail, who takes my charge card receipts, and


who encrypts my data. This is not criminal. This is not even abnormal. It is


just sensible. What PGP DoesPGP, Network Associates’ encryption program, does


four types of encryption. These types of encryption are useful in different


ways. Each is discussed below. Conventional EncryptionThe first type of


encryption is what most people think of when they think of


"encryption." It is called conventional encryption, or


"symmetric" encryption, or "shared secret" encryption. In


this type of encryption, information is encrypted with a "key," or


secret phrase, and is decrypted (recovered) with the same key. This means that


if I want to end you a message, and we agree on using conventional encryption,


we have to meet and agree on the key. If one of us remembers the key


incorrectly, we cannot communicate. If I encrypt the message with the key


"RED SAIL" and you try to decrypt the message with "READ


SALE," you will not be able to recover the message. "Key


distribution" — getting you the key along with the encrypted message — is


a real problem with convention encryption. There are several possible ciphers,


or encryption algorithms, that PGP can use. These are CAST, IDEA, and triple


DES. (These names are acronyms for the actual cipher names.) Although


cryptographers may prefer one over the other, they are all sufficient to keep


nosy neighbors out of your hair. And none of them are sufficient to keep


governments out of your hair, if you are the type that attracts the attention of


governments. Unless you tell it otherwise, PGP will use CAST. (Previous version


of PGP used IDEA, which is an older cipher than CAST. However, in cryptography,


"new" does not mean "better." Many cryptographers think


"new" means "untried." You can have PGP use IDEA if you are


conservative. Like me.) Public Key EncryptionThe second type of encryption PGP


can do is called public key encryption, or "asymmetric" encryption.


This type of encryption is based on a type of mathematics where the encryption


key and decryption key are different but related. Information is encrypted with


the "public" key but cannot be decrypted without the related


"private" key. This means that if I want to send you a message, I get


your public key somewhere, encrypt my message, and send it. The only knowledge


the public key gives me is how to encrypt a message so you can read it. It does


not let me recover messages encrypted to that key. Only you — with your private


key — can read the message. Now, since the only thing the public key lets you


do is send a message to the owner of the corresponding private key, there is no


need to restrict distribution of the public key. You can give your public key to


everyone you know. You can publish your public key in the newspaper. You can


publish your public key on your web page. Like this: my public keys. PGP’s


public key encryption actually uses a symmetric cipher for the actual data. PGP


generates a random session key for each encryption, and encrypts with that. It


solves the key distribution problem by encrypting the session key with the


recipient’s public key. So only someone who has the recipient’s private key can


recover the session key, and, using that, recover the message. As public key


encryption uses conventional encryption, PGP lets you specify which convention


cipher to use. There are also two types of public keys that PGP can used. These


are RSA and DH. (These names, also, are acronyms for the actual public key


scheme names.) Although cryptographers may prefer one over the other, they are


both sufficient to keep nosy neighbors out of your hair. And neither of them are


sufficient to keep governments out of your hair, if you are the type that


attracts the attention of governments. The freeware version of PGP will use DH,


and in fact cannot use RSA. (This has to do with patent licensing, not


cryptographic security.) Unless, you get the "international" freeware


version of PGP: that version of PGP can do RSA. (The patent that needs to be


licensed is a US-only patent.) Or unless you have the 128-bit security add-on


for Internet Explorer, either version 4 or version 5: then PGP can do RSA.


(Microsoft licensed the patent, and PGP can use the Internet Explorer


libraries.) Note that current freeware versions of PGP can use RSA keys, as


described above. They cannot, however, create RSA keys. You need an old version


of freeware PGP for that. (For which RSA gave a free license.) Or you need the


RSA-capable commercial version of PGP: that PGP can use RSA keys and generate


them. (If you have that version, you licensed the patent, or rather paid the


license fee.) Digital SignaturesThe third type of encryption PGP can do is a


digital signature. This is a variation on public key encryption that lets others


know a message came from you. Remember that keys in public key encryption came


in two related halves: a public key and a private key. The private key can


decrypt messages encrypted with the public key. But the mathematics work out so


that the public key can also decrypt messages encrypted with the private key.


Now, the private key is private — only the owner has access to it. This means


that if you can decrypt a message with someone’s public key, then the message


was encrypted with that person’s private key. This means the message came from


the person. What is actually encrypted is a message digest or a "message


fingerprint," not the actual message. The message digest is a long binary


value derived from the message contents with what is called a cryptographic


hash. What makes a hash "cryptographic" is that it is impossible to


reverse. That in turn means that you cannot come up with a message to match a


specified hash value. So it is impossible to remove the signature from one


message and put it on another. In this way, digital signatures are actually more


secure than physical signatures: no matter how creative I am with photocopiers


or binary editors, I can never get someone’s signature onto a message that they


have not, in fact, signed. Encrypted DisksThe fourth, and last, type of


encryption PGP can do is a "PGP disk." This is a file on your computer


that acts like another disk drive when it is "mounted." But the disk


contents — all of them, files and free space alike — are encrypted. When you


"mount" the disk, you give the pass phrase which decrypts the


encryption key which lets PGP access the "PGP disk" on behalf of other


programs. The other programs do not need to know they are using an encrypted


disk. Without the pass phrase, however, no dice — the data is locked up tight.


You can access the file containing the encrypted "disk," but that will


not give you any information (other than, "this is a PGP disk," but


you could tell that anyway). Other TopicsAfter you get used to using PGP, you


can enter the world of anonymous remailers and nyms. These let you be anonymous


or pseudonymous. And some day, I will write about them.

Сохранить в соц. сетях:
Обсуждение:
comments powered by Disqus

Название реферата: PGP Essay Research Paper PGPstands for

Слов:2884
Символов:18851
Размер:36.82 Кб.