Fighting the good fight By SUELETTE DREYFUS Page 1 Tuesday 02/09/1999 Tuesday, 9 February 1999 EXPORT bans on strong encryption will disappear in the near future, according to crypto expert Phil Zimmermann. But the author of the popular PGP encryption software, currently in Australia to promote Network Associates’ commercial PGP line, admitted he has been wrong about this prediction in the past. In early 1996, the US government finally dropped its three-year grand jury investigation into Zimmermann for allegedly illegally exporting PGP. Filled with hope that his personal victory was a sign of change on a larger scale, Zimmermann made a bet with one of the fathers of public key cryptography, Whitfield Diffie, that export controls would be gone by the end of the year. "I was wrong. I had to pay up my 25 cents," he said. How could the world’s most famous cryptographer have been so wrong? That was easy to answer. "Engineers are pathologically optimistic," he said. Yet, he warned that when it comes to encryption key certification authorities (CAs), the public should avoid falling into the same trap of infinite optimism. A scheme by Australia Post, in which the government generates people’s encryption keys, was dangerous, he said. People should generate their own keys. Similarly, a British Government scheme, which called for centralised, government-approved CAs, was unworkable, said Zimmermann. The British model, in which people must leave copies of their private keys with approved CAs before they can do business with the government on-line, was easy to circumvent using PGP, he said. Recent versions of PGP could be used to deprive the CA - and, presumably, the government - of the ability to break open an encrypted message easily. The software generates two sets of keys, a public-private key pair for encryption and a signature pair. After surrendering the private key to the CA, a PGP user could simply create a new public-private key pair while still enjoying the benefits of using the signature key signed by the government. A master of the artful analogy, Zimmermann explained this complicated escape method using lizards. "When I was kid in South Florida, I used to catch lizards in my back yard,” he said. "They were real fast. Sometimes you could grab them by the tail - but they would break their tail off and escape. You were left holding this wiggling tail. The lizard grew a new one. "So, the British government is left holding this key,” he said. The real encryption keys - the lizards - are free. PGP’s lizard-tail design was no accident: Zimmermann had years of experience in resisting government controls. HE spent much of the 1980s fighting the US Government’s nuclear weapon policies. He helped organise a protest in which 17,000 people encircled the contaminated Rocky Flats nuclear bomb plant in Colorado. Later, he was arrested with Carl Sagan and Martin Sheen at a Nevada test site. Although Zimmermann has since traded in his civil disobedience for a suit, braces and a corner office in NA’s Silicon Valley glass tower, he still likes to fight the good fight. He followed the shifting battle ground from sneaking through wire fences at nuclear test sites, to finding legal ways of fighting against crypto-export laws in the mid-1990s, to CA infrastructures in the late 1990s. “We found a way to legally export strong crypto from the US without Government approval - we print it in books,” he said. “That’s how it got to Australia.” The US Constitution might protect freedom of speech against Government bans, but, it seems, nothing could save the PGP book from the OCR program used to scan in the pages once the book arrived safely in Europe. It took 1000 hours to translate the 6000 pages of source code from paper to working program. The OCR software tore through the code deleting every */ - the characters which close all programmer comments in the C programming language. Then it ripped out all the - characters and plugged in the minus symbol instead. A parenthesis turned into the letter C. The list went on. It was almost unscannable, Zimmermann said. The PGP team hammered out some solutions. By the second effort to scan in a new PGP version, it took only 30 hours to transform a 7500-page book into code. While the war to dump strong crypto export bans was now nearly won, it was not quite over, he said. Zimmerman is clearly still on the campaign trail. Last week, he met with Opposition IT spokeswoman, Senator Kate Lundy, to discuss the recent Wassenaar Arrangement, a non-binding understanding between 33 countries which continues export restrictions on strong cryptography. Australia signed the arrangement, but Zimmermann said the Government could choose not implement it - a tactic he predicts many European countries will follow. As countries such as France move to loosen their once stifling crypto-controls, Zimmermann is warming up to the next big battle: who will control the infrastructures people use to store their encryption keys and verify their identities on the Net. Zimmermann sees two opposing structures warring for dominance. The first is a hierarchy in a highly centralised CA structure, which, he said, was supported by competitor RSA through its S/MIME product and by various government schemes around the world. This sort of structure could easily be abused by law enforcement agencies, he said. The second is the more democratic structure of PGP, which can be either a hierarchy or a flat structure relying on a web of trust. CAPTION: Photo: Phil Zimmermann: pathologically optimistic. © The Age 1999. Unauthorised use including reproduction, storage or transmission of any material is prohibited.