Are cryptography tools really only for crooks?
I WAS THINKING ABOUT cryptography the other day while reading about the rift between Phil Zimmermann and Network Associates over just how much of the PGP (Pretty Good Privacy) source code will be published. For crypto fans, this is the equivalent of Martin Luther nailing his Theses to the cathedral door. For the rest of us, it's just another corporate fight. But bigger questions in my head won't go away. Why haven't we taken more interest in encryption and digital signing of e-mail? More importantly, why aren't we using the tools we already have? Even I, your Security Watch guru, can't be bothered to use the crypto and signing features of my e-mail.
Although the stories contained in crypto books are ancient history in Internet time, people's squeamishness about crypto remains. When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist. This attitude pervades mainstream media, despite the observation that journalists might be more interested than others in acquiring secure communication tools. I wonder if the various governmental smear campaigns against crypto are achieving their goals.
Not that these tools are hard to come by. On Windows, crypto and signing are included in the bundled Outlook Express, and more advanced features can be had for little or no cost or effort from a number of vendors. Of course, in countries other than the Land of the Free and the Home of the Braves, there are restrictions on what you can use. Even if you don't use PGP, having Netscape Navigator or Windows 2000 can be enough to get a traveler into hot water with another country's customs service. I'm planning to leave my laptop at home when I visit the West Indies next month, in part to avoid the possibility of a hassle with U.S. Customs.
It seems that few people are taught how to enable crypto, perhaps because many IT shops just don't want to deal with the backlash from users inconvenienced by the extra resources that a PC uses during encryption and decryption routines or by the problems of lost keys and unreadable messages.
In today's flood of e-mail messages, encrypted traffic sticks out like a sore thumb. If I were investigating a criminal enterprise, I'd be tempted to assume that when folks are using crypto, they must be hiding something. But this contradicts casual observations that underground organizations often prefer low-tech but proven methods of communication. The slogan "When crypto is outlawed, only outlaws will have crypto" may ring true, but I expect that outlaws prefer to use more open channels and hide in the crowd.
Another problem with many crypto offerings is that they can leave you vulnerable to forensic-grade tools that can pull data from supposedly deleted files, including the temporary files that your e-mail application uses as a placeholder for the message before it's encrypted. It seems to me that the only way to get a truly secure solution is to write a mail application that has the encryption built in at the most fundamental level, so that even if temporary files are recovered, they may be rendered useless.
At the same time, I don't want to think about how many people are using weak passphrases -- sequences that are hashed with random numbers to produce the encipherment key -- which might be easy to remember, but won't stand up under a brute-force attack. It's kind of like buying the best deadbolt available, only to leave the key under a flowerpot on the front porch.
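The point about passphrases can be checked with a short calculation. The following is an added example, not code from this column or from any product it names: it derives a key from a passphrase and random salt, then shows that the key is only as strong as the passphrase. PBKDF2-HMAC-SHA256 stands in for whatever passphrase hashing a given tool uses, and the key size, iteration count, guess rate and sample passphrases are all assumptions constructed for illustration.

```python
import hashlib
import math

KEY_BITS = 128        # assumed size of the derived encipherment key
ITERATIONS = 100_000  # assumed PBKDF2 work factor

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Hash the passphrase with random salt bytes to get the key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_BITS // 8)

def guess_space_bits(passphrase: str, wordlist_size: int = 0) -> float:
    """Upper bound, in bits, on the guesses needed to cover the passphrase.

    For words drawn at random from a list, pass the list size. Otherwise the
    bound uses the character classes present, which overstates the strength
    of anything a human picked because it is memorable.
    """
    if not passphrase:
        return 0.0
    if wordlist_size:
        return len(passphrase.split()) * math.log2(wordlist_size)
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    alphabet = sum(n for test, n in classes if any(test(c) for c in passphrase))
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33  # printable ASCII punctuation plus space
    return len(passphrase) * math.log2(max(alphabet, 2))

def effective_key_bits(passphrase: str, wordlist_size: int = 0) -> float:
    """The salt makes each key unique but is stored in the clear, so the
    key is never stronger than the passphrase it was derived from."""
    return min(float(KEY_BITS), guess_space_bits(passphrase, wordlist_size))

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    import os
    salt = os.urandom(16)
    print("key:", derive_key("deadbolt", salt).hex())
    # Constructed sample passphrases; 7776 is the size of a five-dice word list.
    samples = [("deadbolt", 0), ("Fl0werp0t!", 0),
               ("mast ivory plume cargo relic dune", 7776)]
    for phrase, size in samples:
        bits = effective_key_bits(phrase, size)
        print(f"{phrase!r}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e6):.3g} years at 1e6 guesses/s")
```

An eight-letter lowercase word caps a 128-bit key at under 38 bits, which is days of work at the assumed rate, while six randomly chosen list words reach about 78 bits.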
Are there crypto success stories out there? I suspect that the kinds of shops using crypto are also the kinds of shops that don't talk about their work, but I hope some of you will write and tell me that crypto is working for your company, and how so. Until I'm convinced otherwise, I have to stick with the position that crypto is just more trouble than it's worth, and that it's likely to lull you into a false sense of security.