Don't throw out the good with the bad, security gurus say
Cryptologists' faith in strong encryption has not wavered, even though terrorists and other malefactors can benefit from it.
'Infrastructure is used by good guys and bad guys,' said Bruce Schneier, chief technology officer of Counterpane Internet Security Inc. of Cupertino, Calif. 'There are so many more good guys than bad that we're better off with the infrastructure than without it.'
Schneier and Philip Zimmermann, creator of Pretty Good Privacy, talked about cryptography and security at the Black Hat Briefings last month in Las Vegas.
Zimmermann said he started working on PGP 'as a human rights project. I got the idea in the 1980s when I was a peace activist.'
PGP, a public-key encryption scheme for e-mail, works without a supporting infrastructure of certificates and authorities. As a standalone product, it depends on trust between users. The idea originally was to protect the privacy of activists who feared persecution by their governments.
But Zimmermann ran afoul of the U.S. government and faced a three-year battle over export restrictions when he tried to commercialize PGP in the 1990s.
'At no time did I deny that criminals would use PGP,' he said. 'That was the central argument in the debate. But we came to the decision that society is better off with strong encryption than without it, even though criminals would use it.'
Despite what he called an erosion of civil liberties in the name of security since Sept. 11, 2001, Zimmermann said he doubts government will restrict public use of strong encryption.
'I don't think that is going to reach critical mass in Congress,' he said. 'Things have changed too much.'
Schneier called concerns about the threat of strong encryption misguided. 'Most people are good,' he said, 'but there is a lot of bad security out there.'
William Jackson is a senior writer of GCN and the author of the CyberEye blog.