At 10:48 AM 7/24/94 -0400, tim werner wrote:
> > From: tcmay@netcom.com (Timothy C. May)
> > Date: Sat, 23 Jul 1994 11:40:19 -0700 (PDT)
> >
> > But I do like the explicit emphasis of the connection between encryption and free speech; this is the line I use with people. To wit, "Nobody can tell me what language I have to write or speak in."
>
> This is a neat way of expressing a good idea, but I wouldn't count on it. A language can probably be construed as something that can be understood by anyone who learns it. Even though I speak PGP, I still can't understand what you say without a key.
SophistMode(on)

Hate to pick nits here, but isn't the acquisition and use of a public key "teaching" your machine to read Tim's "language"? Holmes and Blackstone are probably spinning in their graves (in counterrotation, to boot).

Bob
-----------------
Robert Hettinga (rah@shipwright.com)
Shipwright Development Corporation
44 Farquhar Street
Boston, MA 02331 USA
(617) 323-7923

"There is no difference between someone who eats too little and sees Heaven and someone who drinks too much and sees snakes." -- Bertrand Russell
> Hate to pick nits here, but isn't the acquisition and use of a public key "teaching" your machine to read Tim's "language"?

I agree. Each public key creates a different encoding, or a different language, as it were. These encodings/languages are all related, but mutually incomprehensible. Encryption software has the capability to read any of these languages because it is multi-purpose software.

Because the software is multi-purpose, however, there is a greater need for forward secrecy. Forward secrecy is the property that an intercepted communication cannot be read because the secret keying material, however generated, has been destroyed by the time such keying material is sought after. For example, in a secure telephone, forward secrecy begins when you hang up the phone, because the key inside it, generated, say, by a D-H key exchange, is destroyed when you put down the receiver. For PGP and PEM, forward secrecy begins when you destroy all copies of your private key. This will leave you without a private key, of course, and so should be done only after a key change.

The forward secrecy also applies to the (previous) holder of the private key. If, for example, the only copy of a message that you have after you destroy your private key is the encrypted email, then you won't be able to read your own mail. Therefore, all old traffic addressed to a public key needs to be re-encrypted or kept in plaintext. This is one of the main reasons for periodic key changes: to achieve forward secrecy for email.

After I change keys and destroy my old private key, the _only_ way to decrypt the messages is to derive the private key from the public key--in RSA, to factor the modulus. This is computational forward secrecy. Diffie-Hellman key exchange also yields computational forward secrecy, because the session key generated can be derived assuming a device to, say, take discrete logs on the order of the size of the modulus.
If messages have been intercepted and logged, no seizure of equipment will yield the private key. Forward secrecy protects you, therefore, from violence, be that the procedurally mitigated violence of the courts or the arbitrary violence of another party.

Here, then, is the connection back to the original issue. The courts distinguish between acts of speech (fifth amendment protection) and supplying objects, such as a subpoena to provide the key to a safety deposit box. As Marc Rotenberg once put it to me, the court cannot require you to incriminate yourself, but they can require you to participate in your own downfall. Forward secrecy protects you against court order, because you cannot be held in contempt of court for not providing something that doesn't exist. If you destroy your keys in a timely fashion, your exposure is limited to the time since the last key change.

Needless to say, there's no real standard software support for forward secrecy for email. A good cryptographic system should store the plaintext of an encrypted communication in a separately encrypted place. On Unix, one can use Matt Blaze's CFS to keep all of one's mail on, but even then there's no support for keeping encrypted mail around in such a way that allows you to prove, _without using the private key_, which will be destroyed at some time, that a particular ciphertext matches any particular plaintext. Consider PGP, where the outer wrapper can only be decrypted with a private key. Once that public key is gone, that message is now useless even as verification for anything, unless the session key is also stored separately. If you have the session key, the encrypted session key can be generated by an application of the public key, and verified to match. Assuming you have the public key, that is. If the public key has been published, then you can safely assume that it can be retrieved.
To achieve unconditional forward secrecy, however, requires that the public key _never_ be published, but only given to correspondents. In this situation, one achieves unconditional forward secrecy when you destroy both private and public keys and all your correspondents destroy the public keys.

An aside: in a two-cipher system, you only get the unconditional security with respect to the public key cipher. The secret key cipher (like IDEA) is still only computationally protected, since the entropy of the plaintext is not maximal. This, however, is still an advantage, since there's more uncertainty about the long-term security of the algebraically based public key ciphers than there is about the secret key ciphers.

Now, as far as I know, there's _NO_ support anywhere for preventing the correspondent from publishing the private key. Even software which was not informationally secure, which simply flagged a public key as "not for further distribution", would be a help, since it would then require custom software in order to distribute. At the very least it would allow mutually trusted parties to prevent accidents. Another technique would be to develop a keying system in which distribution of public keys was tied to the public keys of the correspondent. This might not prevent (informationally) the key from being distributed, but one would want it to identify the distributor.

Eric
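The secure-telephone case in the message above (a session key agreed by Diffie-Hellman and destroyed when the receiver goes down) worked through as an added example; this is not code from the original thread or from any of its participants. It simulates both ends of one call, logs everything an interceptor could see, hangs up, and then shows what a later seizure of either phone yields. Assumptions made here: an HMAC under a long-term pre-shared key stands in for the signatures a real protocol would use to authenticate the DH shares; a SHA-256 counter-mode keystream with an HMAC stands in for a real authenticated cipher; the group is the 2048-bit MODP group from RFC 3526 (group 14), transcribed here, so check the constant against the RFC before reusing it; the names alice, bob, Phone, run_call, seized_after_call and replay_from_seizure are invented for the demonstration.

```python
"""Ephemeral Diffie-Hellman with key destruction on hang-up: a forward-secrecy demo
added to this thread, not code from the original posts.  Assumptions: HMAC under a
long-term pre-shared key stands in for the signatures a real protocol would use to
authenticate the DH shares; SHA-256 counter mode plus HMAC stands in for a real AEAD."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group, RFC 3526 group 14; verify the constant against the RFC before reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
XLEN = 256  # bytes per group element


def dh_keypair():
    """Fresh exponent per call; 256 bits is the usual size for a 2048-bit safe-prime group."""
    x = secrets.randbits(256) | 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:  # reject the trivial subgroup elements
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def stream_xor(key, nonce, data):
    """SHA-256 counter-mode keystream XORed over data (stand-in for a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Phone:
    """One end of a call; between calls it holds only its long-term identity key."""
    def __init__(self, name, identity_key):
        self.name, self.identity_key = name, identity_key  # identity_key: long-term, shared with the peer
        self.eph_priv = self.eph_pub = self.session_key = None

    def offer(self):
        self.eph_priv, self.eph_pub = dh_keypair()
        share = self.eph_pub.to_bytes(XLEN, "big")
        return share, hmac.new(self.identity_key, share, "sha256").digest()

    def accept(self, peer_share, peer_tag):
        want = hmac.new(self.identity_key, peer_share, "sha256").digest()
        if not hmac.compare_digest(want, peer_tag):
            raise ValueError("DH share failed authentication")
        shared = dh_shared(self.eph_priv, int.from_bytes(peer_share, "big"))
        transcript = b"".join(sorted([self.eph_pub.to_bytes(XLEN, "big"), peer_share]))
        self.session_key = hashlib.sha256(shared.to_bytes(XLEN, "big") + transcript).digest()
        self.eph_priv = None  # the exponent is never needed again; drop it at once

    def send(self, plaintext):
        nonce = secrets.token_bytes(16)
        ct = stream_xor(self.session_key, nonce, plaintext)
        return nonce, ct, hmac.new(self.session_key, nonce + ct, "sha256").digest()

    def receive(self, msg):
        if self.session_key is None:
            raise RuntimeError("no session key: the call is over and the key was destroyed")
        nonce, ct, tag = msg
        if not hmac.compare_digest(hmac.new(self.session_key, nonce + ct, "sha256").digest(), tag):
            raise ValueError("ciphertext failed authentication")
        return stream_xor(self.session_key, nonce, ct)

    def hang_up(self):
        # Python cannot zeroise an int in place; a real device overwrites the key memory.
        self.eph_priv = self.eph_pub = self.session_key = None


def run_call(message):
    """One complete call: returns the interceptor's log, what the callee read, both phones after hang-up."""
    identity = secrets.token_bytes(32)  # long-term key both phones hold
    alice, bob = Phone("alice", identity), Phone("bob", identity)
    wire = {}  # everything an interceptor can log
    wire["a_share"], wire["a_tag"] = alice.offer()
    wire["b_share"], wire["b_tag"] = bob.offer()
    alice.accept(wire["b_share"], wire["b_tag"])
    bob.accept(wire["a_share"], wire["a_tag"])
    wire["msg"] = alice.send(message)
    received = bob.receive(wire["msg"])
    alice.hang_up(); bob.hang_up()
    return wire, received, alice, bob


def seized_after_call(phone):
    """Seizing the device later yields the long-term key only; with that and the logged shares,
    recovering the session key means taking a discrete log in the group."""
    return {"identity_key": phone.identity_key, "eph_priv": phone.eph_priv, "session_key": phone.session_key}


def replay_from_seizure(wire, phone):
    """Try to read the logged message on the seized phone: nothing is left to decrypt with."""
    try:
        phone.receive(wire["msg"])
        return True
    except RuntimeError:
        return False
```

The point the code makes is the one in the message: after `hang_up()` the only secrets a seizure can produce are the long-term identity key, which was never used to encrypt anything, and the intercepted log, which contains only public DH shares and ciphertext. Recovering the session key from those requires a discrete log in the group, which is the computational forward secrecy described above. The caveat worth keeping in mind is the one flagged in `hang_up()`: dropping a Python reference is not zeroisation, and a real secure telephone must overwrite the key memory.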
> I agree. Each public key creates a different encoding, or a different language, as it were. These encodings/languages are all related, but mutually incomprehensible. Encryption software has the capability to read any of these languages because it is multi-purpose software.

One possible hole here is that since they share a common algorithm, then the algorithm is the 'language' and not the actual messages. This would mean that you are each using the same language. There is also the aspect that once discovered you could be charged with obstructing justice, which has very stiff penalties.

> Here, then, is the connection back to the original issue. The courts distinguish between acts of speech (fifth amendment protection) and supplying objects, such as a subpoena to provide the key to a safety deposit box. As Marc Rotenberg once put it to me, the court cannot require you to incriminate yourself, but they can require you to participate in your own downfall. Forward secrecy protects you against court order, because you cannot be held in contempt of court for not providing something that doesn't exist. If you destroy your keys in a timely fashion, your exposure is limited to the time since the last key change.

They make you participate by giving you immunity, in which case you have no choice but to reveal it or go to jail. Either way somebody is going to jail. As to self-incrimination, gee, I thought that was the whole purpose of calling witnesses and such: either to discredit themselves (which is equivalent to incriminating oneself if you are the defendant) or to incriminate others (and here we are back to immunity). While it is true you can't be held in contempt of court for not providing something that doesn't exist, they can get you for destroying evidence.
> One possible hole here is that since they share a common algorithm, then the algorithm is the 'language' and not the actual messages.

The algorithm does _not_ completely specify the encoding of plaintext into ciphertext. Therefore the algorithm cannot be considered a language, since it's incomplete.

> There is also the aspect that once discovered you could be charged with obstructing justice, which has very stiff penalties.

I am baffled as to what you could possibly mean here. It sounds ridiculous to me.

> They make you participate by giving you immunity, in which case you have no choice but to reveal it or go to jail.

This is not what immunity is. Immunity is given for testimonial evidence that would be self-incriminating. By immunizing the witness before testimony, the testimony, which would then be tantamount to a confession, is no longer incriminating; that is, the testimony no longer turns the witness into a criminal in the eyes of the law. With the presumption of innocence, it is _conviction_ that makes one a criminal, not commission of a criminal act.

> While it is true you can't be held in contempt of court for not providing something that doesn't exist, they can get you for destroying evidence.

"Destroying evidence" only happens when the materials are destroyed after they are considered evidence. If you shred papers that contain incriminating conversations before anybody asks for them, that's not destroying evidence, because at the time of destruction the papers weren't evidence. This is true even if you think you are under investigation. You have no responsibility to cooperate in advance. Since court proceedings are a highly structured form of social epistemology (finding out the truth), if there is no proof that destruction occurred, or insufficient proof that you did the destruction, there is no conviction.

Consider Sandy's "little brother inside" idea. What he left out was the two-hour UPS battery, also inside, so that when seizure happens the machine can't be turned off. You'd have to disable the off switch, of course. Now, immediately after seizure, you call up the pager inside and instruct the computer to start wiping disk. This would be considered destruction of evidence were it able to be proved that there was data on it when it left your house, but not when it arrived at the station. Since when the disk is _first_ looked at, it will be completely random, there's no proof of alteration. "What was all that disk activity the whole time?" "Oh, factoring numbers takes large amounts of scratch space."

Eric
participants (3): hughes@ah.com, Jim Choate, rah@shipwright.com