The Gandi Community

Tech Fundamentals: Public Key Cryptography

The amazing explosion in modern computing, networking, and cryptography in the past eighty-some years all grew out of collaborations between the military, academia, and occasionally business contractors. As the three fields blossomed into new technology that would change the way humanity connects, it created friction between those in the military establishment who wanted to limit these fields to the security interests they represent and those who saw the potential for such technical advances to be used for lofty goals like human rights.

When Whitfield Diffie and Martin Hellman published “New Directions in Cryptography” in 1976, they noted in the introduction that computer communication would soon be connecting people around the world and that communication between individuals—not militaries or financial institutions—would need to be made secure.

This was the preamble to their solution to the age-old cryptographic riddle of securely distributing keys. The system they went on to describe enables two people who have never met face-to-face to communicate with one another without third parties listening in.

They proposed using mathematical functions to create pairs of keys: one public, one private. A publicly visible key would be used to encrypt a message that only a privately-held key could decrypt.

Diffie and Hellman solved the problem of key exchange, but they left open the problem of implementing a public-key cryptosystem with a suitable one-way (trapdoor) function.
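The key exchange described above, as an added example that is not part of the original article: both sides publish a value, and each derives the same secret from the other's public value and its own private exponent, while an eavesdropper sees only p, g and the two public values. The group parameters and private exponents are constructed toy values so the run is deterministic; a real deployment uses a standardized group of 2048 bits or more (or an elliptic-curve group) and fresh random private exponents. The `check_parameters` helper is an assumption of this example, not something the article describes, and shows the kind of sanity check a practitioner wants: p is a safe prime and g does not fall into a tiny subgroup.

```python
"""Textbook Diffie-Hellman key agreement over a small multiplicative group.

Added example (not from the Gandi article). Toy parameters only.
"""
import secrets


def _is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def check_parameters(p: int, g: int) -> bool:
    """Return True when p is a safe prime (p = 2q + 1, q prime) and g has order p - 1.

    Rejecting generators of order 1, 2 or q guards against a peer steering the
    exchange into a small subgroup where the shared secret is trivially guessable.
    """
    if not _is_prime(p) or p % 2 == 0:
        return False
    q = (p - 1) // 2
    if not _is_prime(q):
        return False
    if not 1 < g < p - 1:
        return False
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


# Constructed toy parameters: 1019 = 2 * 509 + 1 is a safe prime, and 2 generates Z_1019*.
P = 1019
G = 2


def public_value(private: int, p: int = P, g: int = G) -> int:
    """Derive the public value g^private mod p."""
    return pow(g, private, p)


def shared_secret(their_public: int, my_private: int, p: int = P) -> int:
    """Derive the shared secret their_public^my_private mod p."""
    return pow(their_public, my_private, p)


def run_exchange(a_private: int, b_private: int, p: int = P, g: int = G):
    """Carry out both sides of the exchange.

    Returns (alice_key, bob_key, transcript), where transcript holds everything
    an eavesdropper on the wire would observe.
    """
    if not check_parameters(p, g):
        raise ValueError("unsafe group parameters")
    a_pub = public_value(a_private, p, g)  # message 1: Alice -> Bob
    b_pub = public_value(b_private, p, g)  # message 2: Bob -> Alice
    transcript = {"p": p, "g": g, "A": a_pub, "B": b_pub}
    alice_key = shared_secret(b_pub, a_private, p)
    bob_key = shared_secret(a_pub, b_private, p)
    return alice_key, bob_key, transcript


if __name__ == "__main__":
    # Fresh random private exponents in [1, p - 2], as a real implementation would draw.
    a = 1 + secrets.randbelow(P - 2)
    b = 1 + secrets.randbelow(P - 2)
    ka, kb, seen = run_exchange(a, b)
    print("on the wire:", seen)
    print("Alice derives", ka, "Bob derives", kb, "match:", ka == kb)
```

The private exponents never leave their owner; the security claim is that recovering them from the public values (the discrete logarithm) is infeasible at real parameter sizes, which is exactly what a 10-bit p like the one above does not provide.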

This problem intrigued three researchers at MIT: Ron Rivest, Adi Shamir and Leonard Adleman.

They spent nearly a year trying to find a solution. Then, in April 1977, the trio spent Passover together, drinking wine and talking. That night Rivest developed a bad case of insomnia.

So he spent the night formalizing what would become the RSA algorithm, named for Rivest, Shamir and Adleman. After the trio verified and refined the system they’d invented, they published it in August 1977 and filed a patent through MIT in December.

Their patent became the basis of RSA Security, the company founded in 1982 by Rivest, Shamir and Adleman to market implementations of their RSA algorithm.

These developments, though, were not exactly welcomed by the military establishment. Cryptographic tools have long figured on the U.S. Munitions List and as early as July 1977, the NSA started signaling that they felt threatened by private developments in cryptography like public-key encryption and RSA.

Meanwhile, the 1980s brought computers and networking out of government and university laboratories and into homes and offices.

A bill in the House of Representatives which would have restricted public use of cryptography prompted Phil Zimmerman, an anti-nuclear protester in Colorado, to start what he would later call a “human rights project”: applying public-key encryption to email communication.

Zimmerman thought the RSA algorithm was just being used for what he called “petri dish cryptography.” So he “borrowed” it to create a scrambling function he named Bass-O-Matic after an SNL skit.

Then in June 1991 he released “Pretty Good Privacy” or PGP version 1 which used the Bass-O-Matic function to encrypt emails.

In the documentation, Zimmerman wrote: “it would be nice if everyone routinely used encryption for all their e-mail, innocent or not, so that no one drew suspicion by asserting their e-mail privacy with encryption,” describing encryption as a “form of solidarity.”

Mere hours after posting it online, PGP went global.

Soon its distribution on the Internet got Zimmerman into trouble, both with US Customs and with RSA Security.

In the first case, because PGP ended up distributed outside of the US, posting PGP online exposed Zimmerman to an arms-trafficking charge under the export rules.

His solution to the first problem was unique: print the PGP source code in a hardcopy book through MIT Press, then sell and distribute it with First Amendment protection.

People who wanted a copy of PGP could buy the book, take out the pages and scan them in (or type it by hand).

It wasn’t until later that US courts would extend First Amendment protection to all software source code, but the US Customs case was eventually dropped.

In the second case, Zimmerman’s use of RSA violated RSA’s patent protection.

This proved harder to beat. PGP 3 abandoned RSA for the unpatented DSA and ElGamal algorithms.

The new PGP Inc. then merged with Viacrypt, who had an RSA license, but patent issues plagued PGP through multiple acquisitions.

In the meantime, another technology was being developed by Netscape using RSA.

Netscape’s case was a different problem than email encryption.

PGP is an application level solution. Netscape needed to provide Transport (or Socket) layer security. The solution that Netscape engineers developed was called Secure Socket Layer or SSL.

Version 1 never made it outside of Netscape. Version 2 was released in 1995, but due to serious security flaws, Netscape began working on version 3.

Netscape engineers Phil Karlton and Alan Freier worked with cryptographer Paul Kocher. While Kocher was a biology major at Stanford, he worked part-time with none other than Martin Hellman. The three soon released SSL version 3.

In 1997, Zimmerman took PGP to the Internet Engineering Task Force (IETF) to propose an OpenPGP standard.

Today, the patent on the RSA algorithm has been released and OpenPGP is an official internet standard.

The SSL protocol was proposed as an Internet Standard in 1999 and renamed TLS.

Diffie and Hellman’s predictions about the future of networking played out and their revolutionary discovery inspired RSA. The raw potential of this discovery was enough to make the military powers-that-be nervous.

Yet, Phil Zimmerman’s desire to encrypt all email “in solidarity” still hasn’t come about. TLS-level security far outstrips email encryption in terms of adoption but TLS/SSL is far from universal.

Public key encryption continues to be an invaluable human rights tool. The battle between encryption-for-all and the narrower interests of law enforcement and the military continues to make headlines. Encryption is far from universal and the conflict is far from resolved.