Computer Hardware Reviews at Computer Power User Magazine. Your source for overclocking software guides, building your own computer, pc cooling and computer modding.

Loading Zone
August 2006 • Vol.6 Issue 8
Page(s) 80 in print issue

Open Sauce
Secrets & Secrecy

Aside from corporate shuffling over the past decade, the Pretty Good Privacy (pgp.com) encryption program has been pretty stable, as has its open-source doppelganger, Gnu Privacy Guard (gnupg.org). PGP is commercial, GPG is free, and both are mature applications implementing the Internet standards track OpenPGP specification published as RFC 2440 “OpenPGP Message Format” in 1998 (rfc.net/rfc2440.html). Books written about PGP over a decade ago are still useful, even if their treatments of PGP applications are woefully outdated. Old stuff, right? Maybe not.

There’s the publication of a new book about PGP, the first in years, “PGP & GPG: Email for the Practical Paranoid,” by Michael W. Lucas. Lucas introduces basic cryptographic concepts like symmetric and asymmetric cryptography, authentication, non-repudiation, public key encryption, and digital signatures; explains how they form the basis of OpenPGP implementations PGP and GPG; and shows how to authenticate and encrypt your email.

Philip Zimmermann first released PGP in 1991 with source code under a free-for-noncommercial-use license. It was the first transparent and strong encryption software for the masses, and with access to source code you didn’t have to trust vendors’ claims about how secure their software was. And you could confirm that there were no backdoors through which third parties could gain access to sensitive data.

In 1991, encryption software was considered a munition with limits on export, and Zimmermann faced serious federal charges for a while. But he has always maintained that true freedom of speech requires that you be able to converse without fear that some third party is listening. That’s why you can download the core source code of the otherwise proprietary PGP, and that’s why Zimmermann modified the PGP specification so it could go on the Internet standards track as RFC 2440.

Opponents to strong encryption ask: What have you got to hide? If you can use it, so can drug dealers, pedophiles, terrorists, and other evildoers. How do we catch them if we can’t listen in on their communications? Very briefly, that’s just the price we pay to ensure honest citizens have the right to maintain their privacy. Those evildoers use a lot of other technologies, like automobiles and cameras and even box cutters, to do their evil, but we still permit their free use.

Why not put in backdoors so the authorities can listen in? Can all authorities be trusted not to abuse their access? Anyone with access to a backdoor becomes a target for bribery or extortion; we always seem to have a few bad apples in government service. Even if we trust our government not to monitor political opponents, there are many repressive regimes that do not respect human rights. Dissenters risk their lives to express opinions, and encryption with a backdoor isn’t good enough for them. Even here, witnesses who’ve been threatened by criminals, women and children escaping from abusive family members, whistleblowers, and others find that strong encryption protects them and benefits society by keeping them safe.

Here’s the real news: Zimmermann has just released a public beta of Zfone, which secures VoIP conversations using an open specification called ZRTP. Although phone companies and ISPs may or may not be listening, your conversations are private if you use Zfone with an Internet calling service. Not yet clear is whether Zfone use will be permitted under CALEA (Communications Assistance for Law Enforcement Act), which requires telecommunications companies to provide backdoors to simplify monitoring conversations.

Zfone encrypts data before it enters the network and decrypts it after it arrives at its destination. (ED: See this month’s “X-Ray Vision” on page 42 for more info.) Technically, one could argue that Zfone-protected conversations can still be monitored; they would just be gibberish. Also, Zfone protects only data streams, so conversations can still be monitored the old-fashioned way with bugs planted in suspects’ telephones. Zfone conversations just can’t be monitored automatically through backdoors at communication service providers’ facilities.

Is Zfone legal? Absolutely, for now. Will the government eventually move to restrict it? I hope not. I don't have anything to hide, either. For a comprehensive discussion of the merits of strong and transparent encryption, see Zimmermann’s Web site at philzimmermann.com.

You can get saucy with Pete at pete@cpumag.com.

Pete Loshin, former technical editor of software reviews for Byte Magazine (print version), consults and writes about computing and the Internet. He also runs www.linuxcookbook.com. He owns shares of both Microsoft and Red Hat and believes that Windows isn't for everyone, but neither is Linux.










Copyright © 2010 Sandhills Publishing Company U.S.A. All rights reserved.