Fig. 12.17. The mechanism of a digital signature, an electronic signature that
can be used to authenticate the identity of the sender of a message or the
signer of a document.
[Diagram labels: Encryption, Message verification, Message, Signature,
Decryption, Hashing, Encoding, Private key, Encoded message, Message digest,
Comparing, Public key, Ciphertext, Verified message.]
hoped that the patent owner, Public Key Partners, would give him a free license
since PGP was intended for use by individuals and not for commercial use. It
was left to a group of cryptography researchers at MIT to make PGP legal by
removing Zimmermann's implementation of the RSA algorithm and replacing it
with a legal version with an appropriate RSA license.
The PGP software also incorporated digital signature authentication.
Digital signature technology addresses the problem that, without a handwritten
signature, it is difficult to be sure who actually sent an email message.
Bob can use Alice's public key to send an encrypted message to her, but so
can Eve, masquerading as Bob. So how can Alice check that the message is
really from Bob? One way of verifying that the message was indeed sent by
Bob goes as follows. Bob first encrypts the message using his private key and
then does a second encryption, encrypting the resulting message using Alice's
public key. When Alice receives the message, she first decrypts it using her
private key and then uses Bob's public key to decrypt the still-encrypted
message. Because only Bob's private key could have produced something that
his public key decrypts correctly, she can verify that the message came from
Bob (Fig. 12.17).
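The check Alice performs, as an added example that is not from the book. It follows the hash-then-sign flow labelled in Fig. 12.17 (Bob signs a digest of the message with his private key and encrypts the message with Alice's public key) rather than double-encrypting the whole message. The toy keys built from Mersenne primes, the unpadded textbook RSA and all function names are assumptions made for illustration.

```python
# Added illustration: textbook RSA with toy keys and no padding; not secure for real use.
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Return (n, d) for primes p and q; the public key is (n, E)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys built from Mersenne primes (assumption, for illustration only).
BOB_N, BOB_D = make_key(2**61 - 1, 2**89 - 1)
ALICE_N, ALICE_D = make_key(2**107 - 1, 2**127 - 1)
EVE_N, EVE_D = make_key(2**89 - 1, 2**107 - 1)

def digest(message, n):
    """Hash the message and reduce the digest to an integer below modulus n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def send(message, sender_n, sender_d, recipient_n):
    """Sign the digest with the sender's private key, then encrypt the
    message with the recipient's public key."""
    m = int.from_bytes(message, "big")
    if m >= recipient_n:
        raise ValueError("toy scheme: message must fit in one RSA block")
    signature = pow(digest(message, sender_n), sender_d, sender_n)
    return pow(m, E, recipient_n), signature

def receive(ciphertext, signature, recipient_n, recipient_d, claimed_n):
    """Decrypt with the recipient's private key, then compare the digest
    recovered from the signature (claimed sender's public key) with a fresh one."""
    m = pow(ciphertext, recipient_d, recipient_n)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return message, pow(signature, E, claimed_n) == digest(message, claimed_n)

def demo():
    msg = b"Meet at noon. -Bob"  # constructed sample message
    genuine = receive(*send(msg, BOB_N, BOB_D, ALICE_N), ALICE_N, ALICE_D, BOB_N)
    # Eve encrypts to Alice and signs with her own key while claiming to be Bob.
    forged = receive(*send(msg, EVE_N, EVE_D, ALICE_N), ALICE_N, ALICE_D, BOB_N)
    return genuine, forged

if __name__ == "__main__":
    print(demo())
```

Both messages decrypt for Alice, since anyone can use her public key, but only the one signed with Bob's private key passes the digest comparison.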
In 1991, Zimmermann became worried that the U.S. Senate would pass a
bill that would outlaw the use of such encryption technology, so he arranged
for his PGP code to be posted on an Internet bulletin board. In response to this,
the U.S. government, concerned about its ability to decipher communications
between criminals or terrorists, accused Zimmermann of illegally exporting
weapons technology. After some difficult years for Zimmermann, the government
eventually dropped the case. Meanwhile, the code for the legal version of
PGP was published in a book from MIT Press and could be legally exported from
the United States. Ron Rivest summarized the basic argument against
prosecuting Zimmermann as follows:
B.12.8. Phil Zimmermann is the creator of PGP, an email encryption software
package. Originally designed as a human rights tool, PGP was published for
free on the Internet in 1991. This made Zimmermann the target of a three-year
criminal investigation by the U.S. government, which held that export
restrictions for cryptographic software were violated when PGP spread
worldwide.
It is poor policy to clamp down indiscriminately on a technology just
because some criminals might be able to use it to their advantage. For
example, any U.S. citizen can freely buy a pair of gloves, even though a
burglar might use them to ransack a house without leaving fingerprints.
Cryptography is a data-protection technology, just as gloves are a hand-
protection technology. Cryptography protects data from hackers, corporate
spies, and con artists, whereas gloves protect hands from cuts, scrapes,
heat, cold, and infection. The former can frustrate FBI wire-tapping, and
the latter can thwart FBI fingerprint analysis. Cryptography and gloves
 