We need pervasive encryption, and public key infrastructure (PKI) is generally “a bad idea” that we should move away from.
According to cryptographer Phil Zimmermann, we need a new form of pervasive encryption: build pervasive crypto and push back on the legislative environment to make a change. Speaking at the Def Con event in Las Vegas, Zimmermann said that the crypto wars were won in the 1990s as “we got everyone to participate in a public policy debate and we won and we got the export controls back”, and said “we can do the same thing here”.
Speaking on the rollout of his new venture Silent Circle, he made the analogy that in the United States in the 19th century people would not eat tomatoes because they were assumed to be poisonous, and that phone companies now think they cannot break away from the culture of wiretapping and surveillance. “The CISO of Dutch telecommunications provider KPN has been working with us and wants to offer their customers real privacy so people can call and whisper in each other's ears without anyone intercepting the conversation,” he said. “I hope other phone companies will follow suit, and others are talking to us about doing the same thing.”
He admitted that the decision to offer secure communications was partly influenced by the surveillance revelations of Edward Snowden, and also by a demand for change, as phone companies feel market pressure from users. “Soon it will be possible to whisper in ears from 1000 miles away and that will be the new normal,” he said.
Asked why he felt strong encryption was not used ubiquitously, Zimmermann said it was necessary to understand how it works and what it means to have persistent public and private keys, but that we do not need to worry about that with phone calls. “With calls you don’t need PKI, as it is generally a bad idea, and you can use common sense to see if they match; if they do not, there is a wiretapper,” he said.
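The verbal comparison Zimmermann describes, as an added example that is not from the article or from Silent Circle's code: two callers agree a key with ephemeral Diffie-Hellman, each derives a short authentication string (SAS) from the result, and they read it aloud to each other; a wiretapper relaying the exchange ends up with a different string on each side. The DH group, the caller names and the 4-character SAS format are assumptions made for this demo.

```python
"""Toy secure-call setup: ephemeral Diffie-Hellman plus a short
authentication string (SAS) that both callers read aloud.
Added demo only; parameters, names and SAS format are assumptions."""
import hashlib
import secrets

# 1024-bit MODP group (RFC 2409 group 2 as transcribed here; real software
# should use a vetted library group of at least 2048 bits).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8

def keypair(priv=None):
    """One caller's ephemeral DH key; priv is random unless supplied for tests."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def sas(priv, peer_pub):
    """SAS: first 4 hex chars of SHA-256 over this side's view of the DH secret.
    Each caller computes it locally; the two values are compared by voice."""
    secret = pow(peer_pub, priv, P)
    digest = hashlib.sha256(secret.to_bytes(P_BYTES, "big")).hexdigest()
    return digest[:4].upper()

def direct_call(a_priv=None, b_priv=None):
    """Alice and Bob exchange public values with nobody in between."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    return sas(a_priv, b_pub), sas(b_priv, a_pub)

def intercepted_call(a_priv=None, b_priv=None, m_priv=None):
    """A wiretapper (Mallory) swaps her own public value into both directions.
    She now shares a secret with each side, but the SAS Alice reads aloud
    will not match the one Bob computed, which is how the relay is spotted."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    m_priv, m_pub = keypair(m_priv)
    return sas(a_priv, m_pub), sas(b_priv, m_pub)

if __name__ == "__main__":
    print("direct:     ", direct_call())       # two equal strings
    print("intercepted:", intercepted_call())  # two different strings
```

The strings only detect the relay if the callers actually compare them out loud; a matching pair with no PKI involved is the whole point of the quote above.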
Referring to the Comodo Hacker who hacked into the certificate authority DigiNotar and gave certificates to the Iranian government, Zimmermann said it was “hard to imagine a more spectacular failure of PKI than that”, and said that even if you were writing fiction, “it is hard to concoct a more spectacular indictment of PKI than that”.
Zimmermann said that in the 1990s we fought the “crypto wars” and had to justify using strong crypto, but fast forward to today's legislative environment and you have to justify yourself if you are NOT using strong crypto.
He said: “If you leave a laptop with 200,000 records on the disc, you better hope it is encrypted, or you have to go public and announce you lost 200,000 names. I don’t see people using strong crypto; we fought for it in the 1990s and cannot fight back. After 9/11 I thought it would be rolled back but it was not, and then Attorney General John Ashcroft did not remove it either.”