Cyphernomicon Top
Cyphernomicon 6.3

The Need For Strong Crypto:
General Uses of and Reasons for Crypto


    6.3.1. (see also the extensive listing of "Reasons for Anonymity,"
            which makes many points about the need and uses for strong
            crypto)
    6.3.2. "Where is public key crypto really needed?"
           - "It is the case that there is relatively little need for
              asymmetric key cryptography in small closed populations.
              For example, the banks get along quite well without.  The
              advantage of public key is that it permits private
              communication in a large and open population and with a
              minimum of prearrangement." [WHMurray, sci.crypt, 1994-08-
              25]
           - That is, symmetric key systems (such as conventional
              ciphers, one time pads, etc.) work reasonably well by
              prearrangement between parties. And of course one time pads
              have the additional advantage of being information-
              theoretically secure. But asymmetric or public key methods
              are incredibly useful when: the parties have not met
              before, when key material has not been exchanged, and when
              concerns exist about storing the key material. The so-
              called "key management problem" when N people want to
              communicate pairwise with each other is well-founded.
           - And of course public key crypto makes possible all the
              other useful stuff like digital money, DC-Nets, zero
              knowledge proofs, secret sharing, etc.
    6.3.3. "What are the main reasons to use cryptography?"
           - people encrypt for the same reason they close and lock
              their doors
           + Privacy in its most basic forms
             - text -- records, diaries, letters, e-mail
             - sound -- phone conversations
             - other --video
             + phones, intercepts, cellular, wireless, car phones,
                scanners
               + making listening illegal is useless (and wrong-headed)
                 - and authorites are exempt from such laws
             - people need to protect, end to end
             + "How should I protect my personal files, and my phone
                calls?"
               - Personally, I don't worry too much. But many people do.
                  Encryption tools are widely available.
               - Cellular telephones are notoriously insecure, as are
                  cordless phones (even less secure). There are laws
                  about monitoring, small comfort as that may be. (And
                  I'm largely opposed to such laws, for libertarian
                  reasons and because it creates a false sense of
                  security.)
               - Laptops are probably less vulnerable to Van Eck types
                  of RF monitoring than are CRTs. The trend to lower
                  power, LCDs, etc., all works toward decreasing
                  vulnerability. (However, computer power for extracting
                  weak signals out of noise is increasing faster than RF
                  are decreasing....tradeoffs are unclear.)
           + encrypting messages because mail delivery is so flaky
             - that is, mail is misdelivered,via hosts incorrectly
                processing the addresses
             - encryption obviously prevents misunderstandings (though
                it does little to get the mail delivered correctly)
           + Encryption to Protect Information
             - the standard reason
             + encryption of e-mail is increasing
               - the various court cases about employers reading
                  ostensibly private e-mail will sharpen this debate (and
                  raise the issue of employers forbidding encryption;
                  resonances with the mostly-settled issue of reasonable
                  use of company phones for private calls-more efficient
                  to let some personal calls be made than to lose the
                  time of employees going to public phones)
             + encryption of faxes will increase, too, especially as
                technology advances and as the dangers of interception
                become more apparent
               - also, tighter links between sender and receive, as
                  opposed to the current "dial the number and hope it's
                  the right one" approach, will encourage the additional
                  use of encryption
             - "electronic vaulting" of large amounts of information,
                sent over T1 and T3 data networks, e.g., backup material
                for banks and large corporations
             + the miles and miles of network wiring within a
                corporation-LANs, WANs, Novell, Ethernet, TCP-IP, Banyan,
                and so on-cannot all be checked for taps...who would even
                have the records to know if some particular wire is going
                where it should? (so many undocumented hookups, lost
                records, ad hoc connections, etc.)
               - the solution is to have point-to-point encryption, even
                  withing corporations (for important items, at least)
             - wireless LANs
             + corporations are becoming increasingly concerned about
                interception of important information-or even seemingly
                minor information-and about hackers and other intruders
               - calls for network security enhancement
               - they are hiring "tiger teams" to beef up security
               + cellular phones
                 - interceptions are common (and this is becoming
                    publicized)
                 - modifications to commercial scanners are describe in
                    newsletters
               - something like Lotus Notes may be a main substrate for
                  the effective introduction of crypto methods (ditto for
                  hypertext)
             - encryption provides "solidity" to cyberspace, in the
                sense of creating walls, doors, permanent structures
             - there may even be legal requirements for better security
                over documents, patient files, employee records, etc.
             + Encryption of Video Signals and Encryption to Control
                Piracy
               - this is of course a whole technology and industry
               - Videocypher II has been cracked by many video hackers
               - a whole cottage industry in cracking such cyphers
               - note that outlawing encryption would open up many
                  industries to destruction by piracy, which is yet
                  another reason a wholesale ban on encryption is doomed
                  to failure
             - Protecting home videos--several cases of home burglaries
                where private x-rated tapes of stars were taken, then
                sold (Leslile Visser, CBS Sports)
           - these general reasons will make encryption more common,
              more socially and legally acceptable, and will hence make
              eventual attempts to limit the use of crypto anarchy
              methods moot
           + Digital Signatures and Authentication
             + for electronic forms of contracts and digital
                timestamping
               - not yet tested in the courts, though this should come
                  soon (perhaps by 1996)
               + could be very useful for proving that transactions
                  happened at a certain time (Tom Clancy has a situation
                  in "Debt of Honor" in which all Wall Street central
                  records of stock trades are wiped out in a software
                  scheme: only the records of traders are useful, and
                  they are worried about these being fudged to turn
                  profits...timestamping would help immensely)
                 - though certain spoofs, a la the brilliant penny scam,
                    are still possible (register multiple trades, only
                    reveal the profitable ones)
             - negotiations
             - AMIX, Xanadu, etc.
             + is the real protection against viruses (since all other
                scanning methods will increasingly fail)
               - software authors and distributors "sign" their
                  work...no virus writer can possibly forge the digital
                  signature
           + Proofs of identity, passwords, and operating system use
             - ZKIPS especially in networks, where the chances of seeing
                a password being transmitted are much greater (an obvious
                point that is not much discussed)
             + operating systems and databases will need more secure
                procedures for access, for agents and the like to pay for
                services, etc.
               - unforgeable tokens
             + Cyberspace will need better protection
               - to ensure spoofing and counterfeiting is reduced
                  (recall Habitat's problems with people figuring out the
                  loopholes)
               + if OH is also working on "world- building" at Los
                  Alamos, he may be using evolutionary systems and
                  abstract math to help build better and more "coherent"
                  worlds
                 - agents, demons, structures, persistent objects
                 - encryption to protect these structures
                 + the abstract math part of cyberspace: abstract
                    measure spaces, topologies, distance metrics
                   - may figure in to the balance between user
                      malleabilty and rigidity of the space
                 - Chaitin's AIT...he has obtained measures for these
           + Digital Contracts
             - e-mail too easily forged, faked (and lost, misplaced)
             + Anonymity
               - remailing
               - law avoidance
               - samizdats,
           - Smart cards, ATMs, etc.
           - Digital Money
           - Voting
           + Information Markets
             - data havens, espionage
           + Privacy of Purchases
             - for general principles, to prevent a surveillance society
             + specialized mailing lists
               - vendors pay to get names (Crest labels)
               - Smalltalk job offers
               - in electronic age, will be much easier to "troll" for
                  specialized names
               - people will want to "selectively disclose" their
                  interests (actually, some will, some won't)
    6.3.4. "What may limit the use of crypto?"
           + "It's too hard to use"
             - multiple protocols (just consider how hard it is to
                actually send encrypted messages between people today)
             - the need to remember a password or passphrase
             + "It's too much trouble"
               - the argument being that people will not bother to use
                  passwords
               - partly because they don't think anything will happen to
                  them
           + "What have you got to hide?"
             - e.g.,, imagine some comments I'd have gotten at Intel had
                I encrypted everything
             - and governments tend to view encryption as ipso facto
                proof that illegalities are being committed: drugs, money
                laundering, tax evasion
             - recall the "forfeiture" controversy
           + Government is taking various steps to limit the use of
              encryption and secure communication
             - some attempts have failed (S.266), some have been
                shelved, and almost none have yet been tested in the
                courts
             - see the other sections...
           + Courts Are Falling Behind, Are Overcrowded, and Can't Deal
              Adequately with New Issues-Such as Encryption and Cryonics
             - which raises the issue of the "Science Court" again
             - and migration to private adjudication (regulatory
                arbitrage)
           - BTW, anonymous systems are essentially the ultimate merit
              system (in the obvious sense) and so fly in the face of the
              "hiring by the numbers" de facto quota systems now
              creeeping in to so many areas of life....there may be rules
              requiring all business dealings to keep track of the sex,
              race, and "ability group" (I'm kidding, I hope) of their
              employees and their consultants
    6.3.5. "What are some likely future uses of crypto?"
           - Video conferencing: without crypto, or with government
              access, corporate meetings become public...as if a
              government agent was sitting in a meeting, taking notes.
              (There may be some who think this is a good idea, a check
              on corporate shenanigans. I don't. Much too high a price to
              pay for marginal or illusory improvements.)
           - presenting unpopular views
           + getting and giving medical treatments
             - with or without licenses from the medical union (AMA)
             - unapproved treatments
           - bootleg medical treatments
           - information markets
           + sanctuary movements, underground railroads
             - for battered wives
             - and for fathers taking back their children
             - (I'm not taking sides)
           - smuggling
           - tax evasion
           - data havens
           - bookies, betting, numbers games
           - remailers, anonymity
           - religious networks (digital confessionals)
           - digital cash, for privacy and for tax evasion
           - digital hits
           - newsgroup participation -- archiving of Netnews is
              commonplace, and increases in storage density make it
              likely that in future years one will be able to purchase
              disks with "Usenet, 1985-1995" and so forth (or access,
              search, etc. online sites)
    6.3.6. "Are there illegal uses of crypto?"
           - Currently, there are no blanket laws in the U.S. about
              encryption.
           + There are specific situations in which encryption cannot be
              freely used (or the use is spelled out)
             - over the amateur radio airwave...keys must be provided
           + Carl Elllison has noted many times that cryptography has
              been in use for many centuries; the notion that it is a
              "military" technology that civilians have some how gotten
              ahold of is just plain false.
             - and even public key crypto was developed in a university
                (Stanford, then MIT)
  

Next Page: 6.4 Protection of Corporate and Financial Privacy
Previous Page: 6.2 SUMMARY: The Need For Strong Crypto

By Tim May, see README

HTML by Jonathan Rochkind