From George Foot georgefoot@oxted.demon.co.uk November 23rd. 1994

There are hazards for society in considering technical advances in isolation from their applications: It is desirable sometimes to examine progress from a broader viewpoint. I hope that thinking people whether or not technically qualified in cryptographic theory will all contribute to a debate on Social Cryptography and redress any imbalance in this presentation which they feel to exist.

SOCIAL CRYPTOGRAPHY

My aim is to promote a debate on "Social Cryptography" with the object of obtaining a better understanding of the repercussions on society and the changes in social behaviour which would result if cryptography came into general use on a large scale. Too often innovations are introduced and promoted by commercial interests without adequate consideration of the social changes which will follow and the consequences -- good and bad -- which will be the outcome.

An example is Television which has progressed from a laboratory curiosity to become a force responsible for profound changes in the lives and cultures of peoples throughout the world -- a development neither foreseen nor imagined at the time of its introduction as an entertainment novelty.

There are indications that restrictions on the use of cryptography which many Governments might wish to impose will be swept aside and that we are approaching the critical point from which a rapid and pervasive expansion in the use of cryptography may be anticipated. However, there are also indications that cryptography could bring about substantial changes in social outlook and social relationships: Such possibilities have received little attention to the present time and have been disregarded altogether by researchers concerned solely with the technicalities of various cryptographic systems.
The subject of Social Cryptography is wide ranging: To launch a discussion, I have prepared notes on several TOPICS which have cryptography as the thread and are therefore related. The connection between them will be apparent although I have not at this stage made any attempt to draw them together.

TOPIC ONE: I shall only provide a skeleton introduction to our subject as I shall make the assumption that readers have a background in cryptography. Encryption of messages for the purpose of maintaining privacy during transmission has been practised from times far back into history. Until recently, cryptography has been used principally for military purposes and has been regarded as a prerogative of Governments. This attitude is breaking down by reason of the enormous expansion in electronic transmission of information for commercial and financial purposes and the need which has arisen for cryptography to ensure privacy and protection from fraud.

Commonly, the methods employed have utilized a Key (known to the Sender of a message) for the purpose of the encryption of the message and have used the same Key (which was also in the possession of the Receiver) for decryption after the arrival of the encrypted message. A departure from previous practice became possible with the introduction of Public Key Cryptography which has the merit that information can be passed with security but without the need for a previous communication between the parties concerned. It is distinguished by the use of two keys, one of which is Public in the sense that it can be published and the other is Private and is never disclosed. Note that in the following discussion the term Public Key Cryptography has been used to denote a cryptosystem using two keys only one of which has to be kept Private: The other, the Public Key, may or may not be published as the user wishes. The Public Key Cryptosystem proposed by Rivest, Shamir and Adleman in April 1977 (which has come to be known as RSA) is considered to be the strongest cryptosystem of this character.

TOPIC TWO: Innovations in cryptosystems for commercial and financial purposes have been promoted and confident assurances of the reliability and infallibility of the methods employed have been given: Nevertheless, all too frequently, these assurances have later been demonstrated to be presumptuous and completely unjustified. The ingenuity of fraudsters, the carelessness and negligence of operators, the lapses of vigilance by supervisors, the ignorance of computer technology on the part of administrators and the exposure of defects in computer systems which were acclaimed as perfect by technicians, have all combined to produce lamentable shortcomings in overall performance notwithstanding the intrinsic strength of the cryptosystem employed.

As regards the general public, the most striking examples of failure of cryptosystems to protect their interests relate to the withdrawal of money from Banks by means of ATMs (Automatic Teller Machines) and by use of the Cards provided by Banks for that purpose. No more striking example could be provided than the case of a policeman returning from a holiday abroad who discovered debits in his bank account for which he declared he was not responsible. On drawing the attention of the Bank to this situation, he was charged with fraud and attempting to get money from the bank by false pretences. He was tried and found guilty and thus placed in jeopardy of discharge from the police force and loss of pension. His ordeal persisted for a year until an appeal was heard which revealed the poor foundations for almost the whole of the technical evidence presented at the trial. The case continues and the tribulations of the defendant and his family are not ended.
Technology has outpaced the Law and the lives of innocent people may be ruined because of convictions for criminal fraud of which they are totally innocent. It is demonstrable that the courts and the jurors are capricious in their judgments because most frequently they have little understanding of the background to the new technologies. It is urgently necessary that well tried principles of law and justice developed over many years be applied in legal processes involving advanced technology and that the declarations of technocrats be subjected to rigorous legal examination.

TOPIC THREE: It is my contention that the methods employed to establish confidence in business and private transactions which have evolved over centuries and are time-tested should be the foundation for creating confidence in "electronic transactions" of the future. Confidence between parties does not develop instantly but matures after a period of satisfactory experiences in mutual trading and shared activities. There is no instant substitute for a trust which has built up over a period of acquaintance involving a progressively closer relationship. One should apply these precepts particularly when seeking to authenticate the cryptographic key of a person previously unknown in order to communicate electronically with him.

It has been proposed to establish Key Agencies which would hold a register of Keys which they would make available on demand and that reliance could be placed on keys issued in this manner because of the recognized trustworthiness of the Key Agency. The advance publication and distribution of millions of public keys on a worldwide scale whether in printed form or by Key Agencies and the daily annulment and replacement of many keys which have become suspect would be a logistic problem of nightmare proportions which was open to abuse of every kind including the destructive efforts of people introducing false and forged keys for malicious purposes.
It would be unworkable in practice. The publication of public keys in advance is an unnecessary and an unwarranted complication and any advantage this provides is illusory. One part of the illusion is that a public key can be permanently associated with a particular person or company or other organisation: This is not possible. In the first place it is very difficult to ensure that a private key is totally safeguarded especially in a commercial environment. The private key will become known to employees and amongst their number will be those who are careless and those who are implanted by opposing interests specifically to gain access to private keys. If there were extensive use of public key cryptography in any large organization it would not be long before the private keys were compromised or suspected of being compromised. The need for periodic replacement of keys would become apparent.

But to change a public key at short notice because it is known to be suspect is not a simple matter: That key will have become known throughout the world and will have been registered in various ways in different locations. Inevitably the use of the discredited key will continue for some time and on occasions it will appear long after it is thought to have been cancelled.

An approach to communication employing private key cryptography whereby the two parties concerned make direct contact with each other is altogether more practical and sensible than any idea of a universal register of keys. It is also in line with usual business practice and that alone adds greatly to its merit. A direct contact does not exclude from the beginning, if desired, a reference to a third party known to both the principals in support of their credentials just as one would ask for a reference (for example a banking reference) in commencing business with any unknown company.
It is likely that the first transactions will be limited in scope but as business confidence grows so the value and number of the messages exchanged will increase -- perhaps to many each day. Under these conditions the keys in use will be fully authenticated.

TOPIC FOUR: The explanation is often given without further discussion that the difficulty of breaking RSA is the difficulty of factoring the modulus. It is not usually emphasized sufficiently in my view that a notable weakness in a public key system such as RSA is that the modulus is published in advance of message transmission so that there is an indefinite time available for an enemy to attempt factorization -- and by trying hard enough and long enough he may succeed. With cunning he may make use of this extended period to devise aids to decryption when messages are transmitted. A modulus and a public key are "keys" in the lay sense that they hold the information required for decryption. It seems illogical to me to publish those "keys" in advance of using them to transmit a message and thus to expose them to prolonged and determined efforts to uncover them.

The convention is that an encrypted message is sent by Bob and received by Alice: The manner in which RSA should be employed, in my opinion, is for Bob to communicate in clear with Alice and to ask Alice for an RSA key. Alice will then send a "session" public RSA key to Bob (that is a key which will be used on one occasion only) and Bob uses this session key for his message to Alice. Alice decrypts the message with the RSA "private" key she has retained. That session key is then abandoned and never used again. I am convinced that this is a much simpler, safer and more practical method of operating RSA than the proposed method of publishing public keys in advance.
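The following is an added worked example, not code from the original post. It implements textbook RSA in Python and walks through two of the points above: the two-key mechanism sketched under TOPIC ONE, used in the "session public key" exchange of TOPIC FOUR (Bob asks in clear, Alice answers with a freshly generated public key, Bob encrypts with it, Alice decrypts and abandons the pair), and, in `custody_demo`, the digital-signature caveat that follows under TOPIC FIVE: a signature proves only that the signer held the private key, so a copy of that key produces a byte-identical, equally valid signature. The Miller-Rabin prime test, 64-bit toy primes, raw unpadded RSA and the constructed messages are all assumptions made for the illustration; a real system uses 2048-bit moduli, OAEP/PSS padding and a vetted library. It needs Python 3.8 or later for `pow(e, -1, phi)`.

```python
"""Textbook RSA, walked through the TOPIC FOUR session-key exchange and the
TOPIC FIVE signature point. Added illustration, not the original post's code.
Toy parameters only: 64-bit primes and raw, unpadded RSA."""
import hashlib
import secrets
from math import gcd

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with a fixed base set (exact for every n this file produces)."""
    if n < 2:
        return False
    if n in MR_BASES:
        return True
    if any(n % b == 0 for b in MR_BASES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full width, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 64, e: int = 65537):
    """Return ((n, e), (n, d)). d follows directly from p and q, which is why
    the modulus must stay unfactored for as long as the key is trusted."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(public_key, message: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n or message[:1] == b"\x00":   # raw RSA: no padding, no leading zero byte
        raise ValueError("message does not fit this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def session_exchange(message: bytes):
    """TOPIC FOUR: Alice issues a fresh key pair on request, Bob encrypts with
    the public half, Alice decrypts and the pair is never used again."""
    session_public, session_private = generate_keypair()   # Alice, on Bob's request
    ciphertext = encrypt(session_public, message)          # Bob
    plaintext = decrypt(session_private, ciphertext)       # Alice
    del session_private                                    # abandoned after one use
    return plaintext, session_public


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big") % n, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def custody_demo(order: bytes = b"despatch 40 crates"):
    """TOPIC FIVE: verification shows the private key was used, not by whom.
    A copied key yields a signature identical to the genuine one."""
    public, private = generate_keypair()
    genuine = sign(private, order)
    copied_key = tuple(private)                 # an insider's copy of the same key
    from_copy = sign(copied_key, order)
    return {
        "genuine_verifies": verify(public, order, genuine),
        "copy_verifies": verify(public, order, from_copy),
        "copy_indistinguishable": genuine == from_copy,
        "altered_order_verifies": verify(public, b"despatch 400 crates", genuine),
    }
```

Each call to `session_exchange` produces a different modulus, so nothing about the key exists before Bob's request and nothing survives Alice's decryption; `custody_demo` returns the same verdict for the genuine and the copied-key signature, which is the reason the post ties the evidential value of a signature to proof that the private key was never disclosed.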
The difficulties mentioned above are greatly reduced if session keys alone are used for message transmission and I fail to see that it is feasible or desirable to proceed in any other way in establishing a broadly based public key system operating internationally. In practice the request and supply of a session key would be automated and would present no difficulty, extra work or loss of time.

TOPIC FIVE: "What about the vaunted value of digital signatures?" you may enquire. It should be realized that for the great majority of communications a digital signature is not required. Take note of the enormous daily traffic in fax messages which takes place successfully without any provision for signature verification. The vigilance of the parties concerned is always by far the best method of detecting fraud. It would be very unwise for someone to despatch valuable cargoes to unknown persons on the strength of a computer generated digital signature which may have been ingeniously falsified.

Within the framework of a public key system employing session keys, there is ample opportunity to develop digital signatures which are respected and accepted. It is necessary to make the point that the validity of a digital signature as a proof of authenticity in a case of alleged fraud depends entirely on the proof that the private key concerned has never been disclosed or come into the possession of any other person at any time other than the person originating the message. This is a very difficult thing to ensure in a business environment and could be exceedingly difficult to prove in a court of law.

TOPIC SIX: The US Government has proposed to introduce the Clipper system which is a cryptosystem intended for general use throughout the USA in which the keys employed are made known in advance to the US Government so that the Government can intercept and decrypt surreptitiously any message or conversation electronically transmitted within the USA.
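As an added illustration of the escrow arrangement TOPIC SIX describes (not code from the original post, and not a reproduction of Clipper's own design), the Python below splits a device's key into two components by XOR, lodges each with a different agency, and shows that one component alone decrypts nothing while the two together, released against an order naming the device, recover the key. The agency names, device id, court-order dictionary and the SHA-256 counter-mode toy cipher are all assumptions constructed so the example runs on the standard library alone.

```python
"""Two-agency key escrow of the shape TOPIC SIX describes. Added illustration,
not the original post's code; cipher, names and identifiers are constructed."""
import hashlib
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Encryption and decryption are the same operation."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def split_key(key: bytes):
    """XOR splitting: component A is uniformly random and B = key XOR A, so
    either component on its own is statistically independent of the key."""
    a = secrets.token_bytes(len(key))
    b = bytes(x ^ y for x, y in zip(key, a))
    return a, b


def recombine(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EscrowAgency:
    """Holds one component per device and releases it only against an order
    naming that device; this check is the whole of the procedural safeguard."""

    def __init__(self, name: str):
        self.name = name
        self._vault = {}

    def deposit(self, device_id: str, component: bytes) -> None:
        self._vault[device_id] = component

    def release(self, device_id: str, court_order: dict) -> bytes:
        if court_order.get("device_id") != device_id:
            raise PermissionError(f"{self.name}: order does not cover {device_id}")
        return self._vault[device_id]


def escrow_scenario(plaintext: bytes = b"call me at the usual time"):
    device_id = "unit-0001"                        # constructed identifier
    device_key = secrets.token_bytes(16)
    agency_a, agency_b = EscrowAgency("Agency A"), EscrowAgency("Agency B")
    comp_a, comp_b = split_key(device_key)
    agency_a.deposit(device_id, comp_a)
    agency_b.deposit(device_id, comp_b)

    nonce = secrets.token_bytes(8)
    ciphertext = keystream_xor(device_key, nonce, plaintext)

    # One agency's component alone yields only noise...
    one_component = keystream_xor(comp_a, nonce, ciphertext)
    # ...while an order served on both agencies reconstructs the key.
    order = {"device_id": device_id, "issued_by": "constructed court"}
    recovered_key = recombine(agency_a.release(device_id, order),
                              agency_b.release(device_id, order))
    both_components = keystream_xor(recovered_key, nonce, ciphertext)

    return {
        "one_component_decrypts": one_component == plaintext,
        "both_components_decrypt": both_components == plaintext,
        "component_reveals_key": comp_a == device_key or comp_b == device_key,
    }


def release_without_matching_order(device_id: str = "unit-0001") -> bool:
    """True when the agency refuses an order that names a different device."""
    agency = EscrowAgency("Agency A")
    agency.deposit(device_id, secrets.token_bytes(16))
    try:
        agency.release(device_id, {"device_id": "unit-9999"})
    except PermissionError:
        return True
    return False
```

The cryptographic property is carried entirely by `split_key`: because component A is fresh random bytes, neither agency's holding says anything about the key until both are combined. Everything else in the scheme, who may serve the order and whether `release` is honoured correctly, is a matter of the people and procedures around the vault, which is the part of the arrangement the post goes on to question.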
The limitation is that a court order would be required for a legal intercept. It is proposed that two keys will be needed for decryption and each will be separately escrowed with a different US Government Department and made available only on production of the court order. Advocates of the system say that it is necessary for crime prevention and that the escrow method will prevent any abuse or possibility that the keys are misused. Other people would not give those opinions a moment's credence. Humans and hence human systems are fallible and the humans who constitute any system do not all have the same high minded attitude to their obligations under law -- in fact some have scruples which vanish when money is mentioned, some have no scruples at all and some will be intent on subversion. Apart from all this, public and government sentiments drift with time and each generation will have a modified attitude.

One may take the view that any data which should be kept confidential, should never be transmitted via an escrowed system -- that would mean trusting it to people one does not know, whose credentials one cannot examine and whom one cannot bring to account. In fact, it is difficult to believe that any of the people advocating an escrowed system have a belief in it themselves (except perhaps the naive) and their motives when all the smooth talk is stripped away are to maintain the status quo and their own power from which their own employment derives. In any case, the worldwide escrowed system which would be required fully to satisfy commercial requirements is nothing but a dream.

TOPIC SEVEN: There is no privacy available for an un-encrypted message except the social convention that one respects the mail of other persons when it is sealed and in polite society one moves out of earshot of telephone and other private conversations.
Some Governments will examine mail and electronic communications without compunction: other Governments will be scrupulous in following the procedures to which they are supposed to adhere. But, compliance with due legal process does not alter the fact that surveillance has been conducted surreptitiously. Restraints such as regulations against bugging have little deterrent effect on private agencies who make a living by such practices or by selling the equipment for do-it-yourself interception. The motives of Government are primarily self-preservation and this objective is dominant although it is not automatically to be condemned -- a Government which is unstable is not very satisfactory. Moreover the dilemma arises that there are circumstances in which it may be the duty of Government to be informed in order to protect the citizenry. Undercover Police and Secret Police have different connotations but the distinction may not be observed. The only safeguard against ruthless suppression is pressure of (enlightened) public opinion in a democracy. A general proposition that the Government knows best is untenable. Why then should the views held by Government be regarded in any way as sacrosanct or even to be considered as well informed? One is better advised to submit new thinking to an independent examination.

TOPIC EIGHT: The privacy of two people who converse and exchange views when they are alone and in close proximity is held in proper respect because such exchanges occur continuously and cannot be supervised. This does not mean that such an exchange is more truthful or accurate than a statement made in public -- although it may be -- but simply that human society operates in this fashion. The concept that the equivalent of a private exchange between two people can take place when they are far apart is new and unrecognized. As a result of new technology, people who are closely related in their views or their occupations are now often widely dispersed.
Members working in a team will suddenly be split and re-located on different sites for commercial convenience. Others may be encouraged to work from home and given the facilities necessary for this purpose; an arrangement which is becoming indispensable for some people.

Consider the case of two engineers working together who discuss the details of a design project of great importance to the company which engages them. The ideas they pass to each other may have a direct bearing on the outcome of the project and be of enormous value. The next day they may be miles apart in different company locations but have need for further discussions. The question is whether they should be regarded as having the same right to a private conversation as they had the previous day when they were together. The present position is that the conversation which took place when the people were together is regarded as legitimate and private. But the privacy of the equivalent conversation taking place when the parties were separated is qualified because the Government insists that it is necessary for the Government to have the facility to access that conversation under conditions which in essence they choose. The issue is brought into much stronger focus under conditions today when new communication methods allow a degree of close consultation whatever the separation involved and most particularly when the structure of society is changing to make separation a common feature of modern life. There is little doubt that an exchange of views when two parties are certain that they cannot be overheard is different from what will be said with the uneasy knowledge that it may be recorded and possibly be used secretly to their detriment.
But, the right of Government to be privy to an exchange at a distance is not axiomatic and the excuse for doing so that criminals may be detected is hollow and no more convincing than the opposite view that society will benefit from "privacy at a distance" -- only experimental evidence could provide an answer and the experiment has not been made. Social conventions are only acceptable for the period in which they are current. The conventions of yesterday are held to be mistaken or ridiculous. Popular views change as time passes and this process will continue. A case exists for the recognition that society is entitled to "privacy at a distance" and that this is becoming of increasing importance. It may not be convenient for Government to accept this idea; but is that the prime consideration?

TOPIC NINE: I hope that it will be accepted that the introduction of cryptography could have consequences for society of significance and importance. Is it the freedom of the individual or the preservation of the power of the State which is under threat? Some of the statements made above are irreconcilable one with another. Who is to determine which is right and which is wrong? Who is to compromise? Who is to take a decision on such issues? The subject of Social Cryptography has been introduced. I believe that it is worthy of serious debate.

George Foot georgefoot@oxted.demon.co.uk November 23rd. 1994.