 
            > You can't even solve the problem with DH key exchange -- you are > subject to "man in the middle" attacks. You must share SOME > information via a secure channel in order to have both authenticatio n > and privacy on a channel. However, the information exchanged could b e > small and fairly one-time -- like the public key of a trusted entity > that signs other public keys. How do STU-III phones work then? Do they have some key in rom? RAM, actually. The phones are keyed for some set of individuals; these keys are tied to ``crypto ignition keys'' possessed by these individuals. When you insert your key, the phone knows who you are, and transmits a certificate containing your public key to the far end. Other information in the certificate includes your security clearance, and (I think) your name. On some models at least, the key storage can be erased instantly by pressing a single button. The uses for that feature are obvious... I highly commend this paper to the cypherpunks readership: @article{Diffie88, author = {Whitfield Diffie}, journal = {Proceedings of the IEEE}, month = {May}, number = {5}, pages = {560--577}, title = {The First Ten Years of Public Key Cryptography}, volume = {76}, year = {1988} }