Everhart,Glenn From: O'Malley, Brian Sent: Thursday, May 07, 1998 10:01 AM To: Campbell,Amanda; Brian Trevey; Chris Wilson; Glenn Everhart; Scott Sweren Subject: Layman's description of security FYI. a good description. perhaps we can paraphrase and feature this in the monthly article (if we have convinced Amanda to run one). In the next issue we probably should feature password type discussion and user responsibilities. In the next issue we could tackle encryption and also describe what encryption means for FUSA aka what solutions we have in place. " Interview with author of PGP (Pretty Good Privacy) ------------------------------------------------------------------------ An interview by Russell D. Hoffman on his radio show HIGH TECH TODAY. (This interview is also available in Spanish thanks to the kind efforts of Manuel Porras and crew.) ------------------------------------------------------------------------ The following is a full transcript of a radio show broadcast on radio station WALE. The views expressed are solely those of Russell D. Hoffman and Phil Zimmermann and do not necessarily reflect anyone else's point of view. We are pleased to note that this classic interview has now been used in various college courses. Please let us know if you decide to use it! ------------------------------------------------------------------------ February 2nd, 1996 Russell Hoffman ("Host"), High Tech Today Phil Zimmermann ("PZ"), Author of PGP (Pretty Good Privacy). Host: ...And you're listening to HIGH TECH TODAY with your host, Russell Hoffman and today, we're going to be talking about freedom. Freedom is hard to define. Our Declaration of Independence says that we have the right to life, liberty, and the pursuit of happiness. One absolute requirement of a free society is freedom of speech. And there can be no free speech in today's electronic world without encryption. Encryption is the process of turning ordinary text communications, or images, into indecipherable gobbledygook, in such a way that it can be turned back into a meaningful message only by the intended recipient. Why is encryption vital to freedom? Because, BIG BROTHER, whether you want to admit it or not, is watching you. Most of the time he's pretty unobtrusive to the average American, but nevertheless he's there. He might take the form of a computer program that looks for keywords, or a person secretly reading your email or opening your letters. Citizens of a free society have a right to secret communications between themselves. Without that right, we have no freedom. My guest this week is Phil Zimmermann, who wrote a program called PGP or Pretty Good Privacy. PGP is an encryption program for computers which is distributed worldwide via the Internet. This has caused Mr. Zimmermann no small hassle with the government, who tried for five years to prosecute Mr. Zimmermann for making PGP available around the world--for exporting a vital tool of freedom. A couple of weeks ago the U.S. government dropped their lawsuit against Phil and left him free to help others communicate freely. We are honored today to have Mr. Zimmermann as a guest this week on High Tech Today. Mr. Zimmermann, welcome to the show. PZ: Hello Russell. One thing I wanted to add: That is was three years, not five. Host: Three-only three years. PZ: Only three years. Host: You were only under the knife for three years. PZ: That's right, it's not so bad (laughs). Host: And you're fully recovered now? PZ: Oh yeah, I'm--I'm happy! Host: Let's talk a little bit about what an encryption program does, to give people a better view of what we're talking about. PZ: Well, an encryption program scrambles up information in a way that's controlled by a cryptographic key and the way cryptography used to work in the old days is, you send a message to someone that's been encrypted with that key, and they have to use the same key to decrypt the message--to turn it back into plain text. But the only way you could do that was to have the same key. And that means you have to communicate to them what that key is. Well, you need a secure channel to do that. You can't just pick up the phone to tell them what the key is because if you're worried about being intercepted then they could intercept the key--then they could read everything. So, that was a limitation of cryptography. In fact, that's been the problem with cryptography since the days of Julius Caesar. How do you do the key distribution. Well, this was a problem that would mean that cryptography could never be used by millions of people in their daily lives. Governments could handle this by putting a guy on an airplane to Moscow with a briefcase handcuffed to his wrist containing keys that he could take to the embassy there so that encrypted communications could ensue between the embassy and Washington, but if you want to just talk to your cousin in New Jersey, you can't just have couriers and briefcases handcuffed to their wrist. That's just not reasonable for ordinary people to do. So ordinary people can't use cryptography if they're hobbled by this limitation of key distribution. But in the late 1970's, some mathematicians discovered a way around this with the invention of Public Key Cryptography. Public Key Cryptography allows you to communicate securely with people that you've never met without the prior exchange of keys over secure channels. It does this by everybody having two keys in a kind of mathematically related pair. I have a unique pair of keys and so do you. My pair of keys is related is such a way that each key will decrypt what the other key encrypts. They have a kind of a ying-yang relationship. If I publish one of the keys and keep the other one private, then you can encrypt messages to me by using my public key to encrypt the message. But I'm the only one who can decrypt the message, using my corresponding private key. Everyone who then knows my public key can then send me an encrypted message, but no one but I can decrypt it, because no one but I has the private key that goes with the public key. If I wanted to send a message to you, I would use your public key to encrypt it, and you would then use your private key to decrypt it. This solves the key distribution problem, and makes it [encryption] possible when combined with the trappings of the information age--the ubiquitous personal computers, email, modems, fax machines, digital cellular phones, etc. It becomes a force for social change. It means that millions of people can use cryptography in their daily lives. It can be seamlessly integrated into our communications infrastructure. Host: I know one of the facts about cryptography is, with modern computers I guess if they want to try hard enough they are still able to break a message--is that true with your program? If somebody really put the supercomputers to work on it or you--- PZ: That's right! My program can be broken! If you have enough supercomputers working for long enough, they could break it. The question is, how long is that? Well, I don't really know because major governments, such as our own with the NSA, could have methods of breaking it that are faster than we think that it would take. But if there are no tricks that they've learned that produce some kind of breakthrough, if they are just having to use methods that are not too much shorter that what we know in published academic literature, then it could be from now until the next ice age before they can break it. Host: One of the other advantages of having a program like yours is that everybody can use it, and the more people that use encryption, the safer it is for everybody because, if only one person is using it, the government knows who to look at. PZ: That's right. There's safety in numbers. An argument could be made that as a matter of solidarity with the rest of the population you should encrypt your email. If we lived in a society where everyone sent their messages on postcards instead of envelopes--I'm talking about written communications on paper--then anyone who decided to use an envelope would draw suspicion because while everyone else was using a postcard this guy decided to use an envelope, therefore he must have something to hide. ortunately we don't have that kind of social expectation. There's nothing suspicious about putting your mail in envelopes. So there should also be nothing suspicious about encrypting your electronic mail. Host: Tell us a little bit about how you came about the idea of writing an encryption program. It sounds like an awful big task! PZ: Well, I've always been interested in cryptography since I was a kid. I started playing with it in fourth grade. But none of the encryption algorithms that were available to me as a school kid were going to pose any problems for any major governments. Host: The secret decoder ring and... PZ: ...That's right. But when I got to college I started applying computers to it and I thought that I had really good, clever encryption algorithms in college, but I later discovered that these "very clever" encryption algorithms could be easily broken. So that was kind of a humbling experience. I started seriously studying it in 1984. I was writing a paper that got published a couple of years later, and in researching that paper I talked to many cryptographers and read as many papers as I could on the subject in the academic literature and so, I think that's when my learning curve became it's steepest. I've been full time in cryptography for the last six years. Host: You told me before the show that a lot of people contact you with what they think are better ideas. PZ: Oh. Yeah. I always get calls from people with their cockamamie (laughs) encryption algorithms, which are usually about as clever as the ones I had in college, that were easily broken. Host: And, one of the problems there is that the, uh, responsibility of what you're doing. I mean, uh, people in Guatemala or something have to communicate with each other, or some other South American country, and your work is preventing the loss of lives. PZ: Yeah. PGP is used all over the world by human rights groups, human rights activists who are documenting the atrocities of death squads, interviewing witnesses and using that to keep track of human rights abuses, and they encrypt that stuff with PGP, and they tell me that if the government there could get their hands on it they would round up all the witnesses and kill them, after torturing them first. That's in Central America, and I talked to somebody working down there on it. The resistance groups in Burma are using it. Burma has a really horrible government, and there's resistance groups using PGP in jungle training camps. They're being trained to use it on portable computers. Then they are taking them to other jungle training camps and teaching them. They've said that it's helped morale there because before PGP was introduced there, captured documents would lead to the arrest, torture, and execution of entire families. The government in exile in Tibet uses PGP. There's several other examples of third world countries where brutal dictatorships are, where human rights activists are using PGP. Host: I would imagine the brutal dictatorships are also using it on occasion, because that's the way it goes... PZ: Well, I would prefer that they not do that! (laughs) I have no knowledge of that, actually. No one has ever told me of a foreign government using PGP. At least, certainly not any brutal dictatorships. Host: They rule with the iron hand; they're not worried... PZ: Yeah, you see, cryptography tends to equalize the power relationship between the government and its people. The government already has all the power, all the guns, in most countries. So, anything that gives a little bit of power to both sides, evens the score a little bit, and especially, since the people usually don't have the surveillance powers that the government has, so the government using cryptography is kind of a waste of--you know, it's fairly meaningless, because nobody is wiretapping the government communications. Certainly not the disempowered people in those countries, so there's no need to encrypt. Maybe they would have to encrypt to protect against surveillance from other governments but not from their own people. People in those countries do need protection against their own government's surveillance on them and that's where PGP comes into play. But PGP is used for a lot of mundane things here domestically. It is a domestic product. It was released domestically in the United States for domestic use. It turned out though, that it spread all around the world. Host: In reference to the government lawsuit or case that they pursued against you for three years: Did they ever explain to you what it was that really bothered them? PZ: Well, sure. The particular law that I would have been prosecuted under was the Arms Export Control Act. The State Department has a list of items that cannot be exported without a special license. It's called the Munitions list and most of the items on the Munitions list--are weapons. Missiles. Machine guns. And bombs. But one of the items on the list is encryption software, so, that means that you can't export encryption software without a license from the State Department. Now, since PGP was published in June of 1991, it didn't take long for it to spread around the world, and it's free software, so it just blows across the border like dandelion seeds blowing in the wind. So that kind of upset them. And since that time, PGP has been improved, by international efforts--people in Europe and New Zealand adding features and making it better. And now, PGP is published back in the U.S. again, for the last year or so, and it's been improved here also. Host: Tell us a little about the way you go about the process of creating new versions of PGP. What's it like now, now that you're a "big star"? PZ: Well, I don't get to write any code anymore myself, I haven't written code in years, the Peter Principal has taken its toll. Instead the software is written by others under my direction. I guess what I spend most of my time doing is going out and doing public speaking and contact. I'm on the rubber chicken circuit a lot... Host: ...And talking about the need for encryption, and freedom, and why not talk a little bit about what all this means in a political sense. PZ: Cryptography is a very political technology. And the reason why is because there was a time in the past where it was important politically, not at the grass roots level but at a strategic level. Governments needed it for diplomatic and military applications. World War Two was influenced by the Allies breaking the German Enigma Cipher. But, those were the days when computers filled rooms and were made of vacuum tubes, and there were only a few around and they were owned by governments. Today we live in the information age. Everyone has computers. All the trappings of the information age are part of our lives. Paper mail is being replaced by electronic mail. Digital communications is taking over. We need encryption. The common person needs encryption to function effectively in the information age. So it's time for cryptography to step out of the shadows of spies and military stuff, and step out into the sunshine and be embraced by the rest of us. If our government ever goes bad, as sometimes happens in a democracy... Sometimes in a democracy bad people can be elected, and if democracy is allowed to function normally, these people can be taken out of power by the next election. But if a future government inherits a technology infrastructure that's optimized for surveillance, where they can watch the movements of their political opposition, they can see every bit of travel they could do, every financial transaction, every communication, every bit of email, every phone call, everything could be filtered and scanned and automatically recognized by voice recognition technology and transcribed. As we extrapolate our technologies into the future, if the incumbency has that political advantage over their opposition, then if a bad government ever comes to power, it may be the last government we ever elect. Host: With the tools they'd have in hand, it would make Watergate look like a student looking over their shoulder at the next student's paper in comparison. PZ: That's right. And so as a matter of good civic hygiene, I think it's incumbent upon us, to examine public policy issues about technology, and ask ourselves: "What technologies would strengthen the hand of the police state?", and then don't deploy those technologies. The Clipper Chip, from the government, is an example of this. It's an encryption device that the government wants to put into all of our telephones someday, and it encrypts our phone conversation. But, each chip has a unique key that is used for encryption and decryption and the government puts that key into the chip at the time of manufacture and keeps a copy of that key in a vast government database for wiretap purposes. This is, I think, bad for democracy. It's better if we have control of our own cryptography because by doing that, we have control over our own privacy. And privacy is a right that affects many other rights in the Bill of Rights. Host: It's really the first right. In terms of the Clipper chip: That's not really a very effective technology because it has a back door? PZ: Its purpose is to have a back door. The whole reason for inventing the Clipper Chip is to give the government a back door into our encrypted communications. So that your phone can have Big Brother inside. It would be better if we had private industry develop telephone encryption, or fax encryption, or email encryption, that is controlled by the individual users. Host: In terms of sending email, we discussed earlier that everybody should use encryption. Usually that's a two-step process. You have to get your email all ready to send out, and then encrypt it. You're working with some companies to automate that, so that every email they send is encrypted if possible? PZ: Yes, the newest version of PGP that's in development and will soon be released [as of 2/2/96--ed.], is really a big subroutine package that can be called by mailers, so that it's seamlessly integrated with the functionality of an electronic mail package, so that encryption can just be a button on a menu bar. Host: Okay. Why not give the http address where people can find this program. PZ: Okay, it's http://web.mit.edu/pgp Host: And that's the Massachusetts Institute of Technology, is where the thing is distributed. PZ: Yeah, that's right. Host: Okay. My guest today has been Phil Zimmermann, the author of PGP, or Pretty Good Privacy. Phil, I'd like to thank you very much for being on the show, and you've been listening to High Tech Today with your host, Russell Hoffman. ------------------------------------------------------------------------ If you enjoyed this interview, here's others Interview by Russell D. Hoffman The host would like to add the following to this electronically-circulated World Wide Web Internet Page: Please distribute this document IN ITS ENTIRETY (as a raw HTML file or printed document). Please link to it rather than placing it on another server. Thank you. There is a National Cryptologic Museum at NSA at Fort Meade, Maryland which you can get to from the Balitmore-Washington Parkway. Look for signs that are easily decoded. Interview on a related topic: Jim Warren. ------------------------------------------------------------------------ In the May 12, 1997 issue of PC Magazine Online is a short article by John C. Dvorak about linking on the web which many who are reading this will probably also find interesting. ------------------------------------------------------------------------ Table of Contents The Animated Software Company http://www.animatedsoftware.com rhoffman@animatedsoftware.com Last modified September 27th, 1997. Webwiz: Russell D. Hoffman Copyright (c) Russell D. Hoffman Brian O'Malley phone 302-985-8786 fax 302-985-8638 cell 302-598-8252 pager 888-280-2979