Free Life 18, May 1993, Sean Gabb Reviews Pretty Good Privacy (PGP Encryption Software)

From Free Life, Issue 18, May 1993
ISSN: 0260 5112

Pretty Good Privacy
(computer programme)
Philip Zimmermann
1992

The purpose of this MSDOS programme is to ensure so far as possible that one's private data and electronic mail shall remain private. Using either conventional or public key encipherment facilities, the programme is claimed to create a cipher that at best cannot be broken at all, and at worst will be so expensive to break that only a very rich government with a very good reason will be able even to consider breaking it.

I must confess that the mathematics on which the programme is based evade me. Therefore, for those whom these things interest, I quote from a document by a Mr Chuck Hammill supplied on the disk:

[The security of the RSA algorithm, named after Messrs Rivest, Shamir, and Adleman who jointly created it] derives from the fact that, if a very large number is the product of two very large primes, then it is extremely difficult to obtain the two prime factors from analysis of their product. "Extremely" in the sense that if primes p and q have 100 digits apiece, then their 200-digit product cannot in general be factored in less than 100 years by the most powerful computer now in existence.

The "public" part of the key consists of (1) the product pq of the two large primes p and q, and (2) one factor, call it x, of the product xy where xy = {(p-1) * (q-1) + 1}. The "private" part of the key consists of the other factor y.

Each block of the text to be encrypted is first turned into an integer – either by using ASCII, or even a simple A=01, B=02, C=03… Z=26 representation. This integer is then raised to the power x (modulo pq) and the resulting integer is then sent as the encrypted message. The receiver decrypts by taking this integer to the (secret) power y (modulo pq). It can be shown that this process will always yield the original number started with.

What makes this a groundbreaking development, and why it is called "public-key" cryptography, is that I can openly publish the product pq and the number x, while keeping secret the number y – so that anyone can send me an encrypted message, namely

a^x (mod pq)

but only I can recover the original message a, by taking what they send, raising it to the power y and taking the result (mod pq). The risky step (meeting to exchange cipher keys) has been eliminated. So people who may not even trust each other enough to want to meet, may still reliably exchange encrypted messages – each party having selected and disseminated his own pq and his x, while maintaining the secrecy of his own y.

Another benefit of this scheme is the notion of a "digital signature," to enable one to authenticate the source of a given message. Normally, if I want to send you a message, I raise my plaintext a to your x and take the result (mod your pq) and send that.

However, if in my message, I take the plaintext a and raise it to my (secret) power y, take the result (mod my pq), then raise that result to your x (mod your pq) and send this, then even after you have normally "decrypted" the message, it will still look like garbage. However, if you then raise it to my public power x, and take the result (mod my public pq), you will not only recover the original plaintext message, but you will know that no one but I could have sent it to you (since no one else knows my secret y).
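The arithmetic Mr Hammill describes can be followed with small numbers in the sketch below, which is an added example and not part of the original review or of the PGP distribution. The function names and the toy primes are constructed for illustration; the sketch goes slightly beyond the quotation by choosing y so that xy = k(p-1)(q-1) + 1 for any whole number k, and by rejecting a block that is not smaller than the recipient's pq, which is what happens when a signed value is sent to someone whose pq is smaller than the sender's.

```python
# Added illustration of the quoted scheme: toy primes, no padding, teaching only.
from math import gcd

def make_key(p, q, x):
    """Return (pq, x, y). y is chosen so that x*y = k*(p-1)*(q-1) + 1 for
    some integer k; the quoted xy = (p-1)(q-1) + 1 is the k = 1 case."""
    phi = (p - 1) * (q - 1)
    if gcd(x, phi) != 1:
        raise ValueError("x must share no factor with (p-1)(q-1)")
    return p * q, x, pow(x, -1, phi)   # modular inverse (Python 3.8+)

def to_int(word):
    """A=01, B=02 ... Z=26, as in the quoted text."""
    return int("".join(f"{ord(c) - 64:02d}" for c in word.upper()))

def to_word(n):
    digits = str(n)
    digits = digits.zfill(len(digits) + len(digits) % 2)  # restore leading 0
    return "".join(chr(int(digits[i:i + 2]) + 64) for i in range(0, len(digits), 2))

def encrypt(a, n, x):
    if not 0 <= a < n:
        raise ValueError("block must be smaller than the recipient's pq")
    return pow(a, x, n)

def decrypt(c, n, y):
    return pow(c, y, n)

def sign_then_encrypt(a, my_n, my_y, your_n, your_x):
    s = pow(a, my_y, my_n)             # needs my secret y
    return encrypt(s, your_n, your_x)  # fails if s >= your pq

def decrypt_then_verify(c, your_n, your_y, my_n, my_x):
    s = decrypt(c, your_n, your_y)     # still looks like garbage
    return pow(s, my_x, my_n)          # my public x undoes my secret y

# Constructed sample keys (far too small for real use).
ME = make_key(61, 53, 17)     # (3233, 17, 2753)
YOU = make_key(89, 97, 5)     # (8633, 5, 5069)

def demo():
    a = to_int("HI")                                   # 809
    c = encrypt(a, YOU[0], YOU[1])
    plain = to_word(decrypt(c, YOU[0], YOU[2]))
    signed = sign_then_encrypt(a, ME[0], ME[2], YOU[0], YOU[1])
    verified = to_word(decrypt_then_verify(signed, YOU[0], YOU[2], ME[0], ME[1]))
    return plain, verified

if __name__ == "__main__":
    print(demo())
```

Raw exponentiation of this kind is deterministic and malleable; deployed systems add randomised padding and sign a hash of the message rather than the message itself.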

My readers must decide for themselves if the programme really is so good as Mr Hammill claims. However, I can say that it is quite easy to use. Within half an hour of reading the very full documentation provided, I was happily ciphering and unciphering various test documents. I understand, moreover, that equally friendly programmes are now available to protect voice and picture communications.

This being said, I turn to the moral implications raised by the availability of the programme. Its potential for genuinely criminal uses I will ignore. Attacks on life and property are quite easily dealt with, and do not require the authorities to go spying on people or seizing their papers. Its real value is for concealing evidence of those acts that hurt no one at all, or no one except the Government – for example, drug trafficking, the transmission of pornography, the manipulation of financial markets, tax evasion, money laundering, and so forth. So far as this programme works, and becomes widely used, these activities will become uncontrollable by the Government.

Now, there are people who say that we must always obey the law, no matter how oppressive it may be. A hundred years ago, when bad laws formed a small proportion of the whole, this was for many purposes a useful doctrine. Today, it is little more than an invitation to self-abasement before a corrupt and arbitrary police state. It is more useful now to discuss when and how to exercise the right of resistance that both liberal ideology and the fundamental laws of this country proclaim.

As on the obligation to obey, much nonsense is preached on the right to resist. According to the orthodox view, the right exists only where no elections are allowed. Then, for the most part, the governed are expected to suffer passively until the last freak of despotism justifies an explosion of outrage that tears down the whole system. This view, of course, is highly convenient to our own rulers. They shelter behind the fiction of democratic consent; and almost never do they push their misrule to the point where armed violence is better than putting up with the existing state of affairs. Such risings as do occur either are or can be portrayed as mindless terrorism.

In fact, we ought neither always to obey nor to resist only by throwing bombs at the government. Selective disobedience is far easier personally and far more beneficial generally. If the Government is trying to stop the recreational use of drugs or whatever, or is stealing more of our money than we feel inclined to hand over with a semblance of good grace, we do well simply to regard the laws in question as of no binding force. If enough of us do this – or a significant few of us do it well enough – the Government may decide on at least a partial retreat. Never forget, after all, that American Prohibition was defeated not by impassioned libertarian argument, nor even by big business lobbying – but by the sheer inability of the Federal Government to enforce its will on the ten or twenty million people who felt that their right to drink came before any obligation of obedience.

On moral grounds, then, I entirely welcome the publication of this software, and invite my readers to do likewise. Without doing much to assist the commission of real crimes, it may put an invaluable weapon into the hands of anyone who wishes, for whatever reason, to violate an oppressive law.

Anthony Furlong


Editor's Note

I must explain that neither Mr Furlong nor Free Life recommends the breaking of any specific law. The above review states a case for the right of resistance in purely abstract terms.

I must also say that while Mr Furlong finds no moral objections to the fullest distribution of the PGP software, there may be certain legal difficulties that he has not chosen to consider.

The criminal law seems as yet to be silent. The Home Office, I know, was a few years ago thinking of making it an offence to distribute encryption software that did not have written into it some means of being broken by the authorities. But, so far as I can tell, it is still not illegal to use or distribute this software within the United Kingdom.[1]

Nor usually is it possible yet for an accused to be compelled to deliver up the means of reading enciphered material. If I set up as a distributor of child pornography and am caught, there is still no law to make me decrypt my mailing list – or, assuming I am clever enough to have bothered – any of my encrypted text or high-resolution graphics files.

This protection only fails if I am investigated by the Serious Fraud Office. Under s2 of the Criminal Justice Act 1987, I can be made to deliver up all documents requested of me, and most information so gained can be used against me in court. In the case of encrypted documents, I can be made to deliver up the key or copies of the plaintext. If I refuse, I am committing a criminal offence.

Then there is the law protecting intellectual property rights. The RSA public key cryptosystem was developed in America with grants from the National Science Foundation and the Navy. It is patented by MIT (U.S. patent #4,405,829, issued 20 Sept 1983). A company in California called Public Key Partners (PKP) holds the exclusive commercial licence to sell and sub-license the RSA public key cryptosystem. Unfortunately, PKP will not license its patent for private use.

Moreover, not only did PKP acquire the exclusive patent rights for the RSA cryptosystem, but it also acquired the exclusive rights to three other patents covering rival public key schemes invented by others. It is even claiming patent rights on the very concept of public key cryptography, regardless of what clever new original algorithms are independently invented by others. PKP does not actually develop any software – it lacks an engineering department – but is essentially a litigation company.

Therefore, the distribution of PGP software is effectively illegal in the United States, by virtue of the fact that any distributor is violating a PKP patent. Anyone who works or has assets within the jurisdiction of an American court, and who uses a copy of the PGP software that can be shown to have been published to him within that jurisdiction, is liable to an action for infringement of the PKP patent.

The software is not patented in the United Kingdom or the Irish Republic. But it is always possible for PKP to sue a distributor in these countries for breach of copyright. By s3 of the British Copyrights Designs and Patents Act 1988 – a section which the Irish law duplicates – a literary work subject to copyright protection is defined to include a computer programme. If PKP can prove to a court's satisfaction that PGP software contains enough of its coding, a defendant will be liable to the usual civil remedies of damages and an injunction to prevent future use.

I ought also to mention that here, unlike in America, the costs of both parties are normally paid by the loser. This allows PKP, should it take an interest in England, to ruin a small defendant simply by getting an interlocutory injunction together with its costs in any event.

Making all allowances for differences of legal systems, much the same can be said of the other jurisdictions within the European Community, and of any other jurisdiction where the government is applying for membership of the Community, and is therefore bringing its laws into line with those of the Community.

Perhaps PKP has better things to do than chase individuals through the courts of a foreign country. On the other hand, the Home Office may at any moment decide that its best protection at the moment is secretly to finance PKP actions for breach of copyright.

For all these reasons, I declare that Free Life does not use, nor does it advocate the use or distribution of, PGP software – especially not for any of the illegal uses for which it seems so eminently to be suited. Mr Furlong's review is published strictly for informational purposes.

For all further information, the reader is recommended to contact the software's author, Mr Philip Zimmermann, at:

Boulder Software Engineering
3021 Eleventh Street
Boulder
Colorado 80304
United States of America
Phone 303-541-0140 (voice or FAX)

Mr Zimmermann does not himself distribute the software. But he is willing to answer any questions that do not require too much of his time.

Notes

1. I am told, however, that it is an offence to send encrypted material into or through France that cannot be read by the French Government. Also, I quote from a recent newspaper article: "The [new portable telephone] standard is a European one, introduced so that suppliers of equipment and makers of calls can take advantage of the single market. It also means clearer calls, more intelligent handsets, and in theory offers secure encryption of every call – though Government objections to any system which its electronic snoopers couldn't monitor have led to the technology being amended so that while radio amateurs won't be able to eavesdrop, security agencies still will" ("Competition hots up in the phoney war", The Daily Telegraph, 24th February 1993). The capitalisation indicates that our own Government was at least among the objectors.

© 1993 – 2015, seangabb.
