Public Key Cryptography - PowerPoint PPT Presentation

Provided by: Harry112
Transcript and Presenter's Notes


1
Public Key Cryptography
  • Alice and Bob agree on a key, without meeting!

2
Cryptosystems
Eve
3
Secure Internet Communication
  • https://www99.americanexpress.com/
  • https (with an s) indicates a secure, encrypted
    communication is going on
  • We are all cryptographers now
  • So is Al Qaeda(?)
  • Internet security depends on difficulty of
    factoring numbers -- doing that quickly would
    require a deep advance in mathematics

4
Confidential email from anyone
  • Bob picks secret key b and computes his public
    key B
  • Bob publishes B in a public directory!
  • Now Anyone can send Bob secret email
  • Pick secret key a and compute public key A
  • Compute encryption key K using a and B
  • Send encrypted message and also include public
    key A in the same email!
  • Bob computes K using A and b and decrypts the
    message!

5
But there's a problem
  • How can Alice know that the listing in the
    directory is really Bob's?
  • Maybe it is Eve pretending to be Bob!
  • Certificates and certifying authorities provide
    solution to authentication problem
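
The exchange on slide 4 and the directory problem on slide 5, as an added example that is not part of the original slides. It assumes the keys are computed Diffie-Hellman style modulo a prime, which the slides do not specify; the parameters P and G, the function names and the hash-based toy cipher are illustrative assumptions, not settings for real use.

```python
import hashlib
import secrets

# Assumed toy parameters (not from the slides, not for real use).
P = 2**255 - 19   # a well-known prime, used here only as a modulus
G = 2

def keypair():
    """Pick a secret exponent and compute the matching public key."""
    secret = secrets.randbelow(P - 3) + 2   # 2 .. P-2
    return secret, pow(G, secret, P)

def shared_key(my_secret, their_public):
    """K = their_public ** my_secret mod P, hashed down to 32 bytes."""
    k = pow(their_public, my_secret, P)
    return hashlib.sha256(k.to_bytes(32, "big")).digest()

def xor_stream(key, data):
    """Toy cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def send_email(directory, recipient, plaintext):
    """Sender: fresh a and A, K from a and the listed B, A travels with the mail."""
    a, A = keypair()
    K = shared_key(a, directory[recipient])
    return A, xor_stream(K, plaintext)

def read_email(my_secret, email):
    """Recipient: K from the enclosed A and the recipient's own secret key."""
    A, ciphertext = email
    return xor_stream(shared_key(my_secret, A), ciphertext)

def demo():
    b, B = keypair()                              # Bob
    e, E = keypair()                              # Eve
    msg = b"meet at noon"                         # constructed sample message
    honest = send_email({"bob": B}, "bob", msg)   # directory lists Bob's real key
    forged = send_email({"bob": E}, "bob", msg)   # listing replaced by Eve's key
    return {
        "bob_reads_honest": read_email(b, honest) == msg,
        "eve_reads_honest": read_email(e, honest) == msg,
        "bob_reads_forged": read_email(b, forged) == msg,
        "eve_reads_forged": read_email(e, forged) == msg,
    }
```

With the genuine listing only Bob recovers the message; with the replaced listing only Eve does, which is the gap a certificate binding B to Bob's identity closes.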

6
(No Transcript)
7
Two more problems solved by digital signatures
  • Integrity: When Bob receives a message, he can be
    sure that it was not modified en route after
    Alice sent it.
  • Non-repudiation: Alice cannot later deny that the
    message was sent. Bob cannot later deny that the
    message was received.
  • Digital signatures are a variant on public-key
    encryption technology

8
http://upload.wikimedia.org/wikipedia/commons/2/2b/Digital_Signature_diagram.svg
9
Cryptography and National Security
"There is a very real and critical danger that
unrestrained public discussion of cryptologic
matters will seriously damage the ability of this
government to conduct signals intelligence and
the ability of this government to carry out its
mission of protecting national security
information from hostile exploitation." -- Admiral
Bobby Ray Inman (Director of the NSA, 1979)
10
CALEA, October 1994
"to make clear a telecommunications carrier's
duty to cooperate in the interception of
communications for Law Enforcement purposes, and
for other purposes."
11
Government's big hammer: Crypto export controls
  • Pre-1995: Encryption technology classified by
    State Department as a munition
  • Illegal to export hardware, software, technical
    information, unless you register as an arms
    dealer and adhere to stringent regulations
  • Illegal to provide material or technical
    assistance to non-US citizens (even within the
    US)
  • 1996: Jurisdiction for crypto exports transferred
    to Commerce Department, but restrictions remain.

12
The basic proposal: escrowed encryption
  • Require encryption products to have a back door
    controlled by a set of keys (escrowed keys)
    that are held by the government or by its
    licensed agents
  • Might require this for products that can be
    exported, or maybe all encryption products
  • Proposal first unveiled for telephones in 1994
    (the Clipper phone)
  • Modified in various ways throughout 1994-1998

13
(No Transcript)
14
The crypto wars, 1994-1998
  • Dramatis Personae
  • Industry
  • Law enforcement
  • National security
  • Civil libertarian groups

15
Industry claims and issues
  • Customers want security for electronic commerce,
    for protecting remote access, for confidentiality
    of business information.
  • Export restrictions are a pain in the butt.
  • Providing encryption is cheap, but providing an
    escrow infrastructure is not, and there's no
    commercial demand for it.

16
Law enforcement claims and issues
  • Wiretapping is a critical law-enforcement tool.
  • Wiretaps are conducted on specific, identified
    targets under lawful authority.
  • Many criminals are often sloppy and/or stupid:
    They won't use encryption unless it becomes
    ubiquitous. Some criminals are far from sloppy
    or stupid: They will use encryption if it is
    available.

17
Civil libertarian claims and issues
  • As computer communication technology becomes more
    pervasive, allowing government access to
    communications becomes much more than traditional
    wiretapping of phone conversations.
  • How do we guard against abuse of the system?
  • If we make wiretapping easy, then what are the
    checks on its increasing use?
  • There are other tools (bugging, data mining, DNA
    matching) that can assist law enforcement.
    People have less privacy than previously, even
    without wiretapping.

18
National security establishment claims and issues
  • We can't tell you, but they are really serious.

19
Legislation, 1997
  • Bills introduced in Congress all over the map,
    ranging from elimination of export controls to
    bills that would mandate key escrow, even for
    domestic use.

20
More recently
  • 1998-2000: Crypto export regulations modified and
    relaxed, but still exist
  • Sept. 13, 2001: Sen. Judd Gregg (New Hampshire)
    calls for encryption regulations, saying
    encryption makers have as much at risk as we
    have at risk as a nation, and they should
    understand that as a matter of citizenship, they
    have an obligation to include decryption methods
    for government agents.
  • By October, Gregg had changed his mind about
    introducing legislation.

21
Why Aren't Emails Encrypted?
  • Email is more like postcards than letters!
  • Standard email software doesn't make it easy
  • But encrypted-email software is freely available
    (PGP)
  • Regulations require some businesses to know what
    their employees are doing