Argomenti trattati: privacy, controllo, matching, crittografia, denaro elettronico, PGP, public-key, ARA, pseudonimi digitali, crypto-hacker


Di Hal Finney
Testo tratto dalla rivista "Extropy", #10, vol.4, n.2, Winter/Spring 1993, Los Angeles, CA, USA

How can we defend our privacy in an era of increased computerization? Today, our lives are subject to monitoring in a host of different ways. Every credit card transaction goes into a database. Our phone calls are logged by the phone company and used for its own marketing purposes. Our checks are photocopied and archived by the banks. And new "matching" techniques combine information from multiple databases, revealing even more detail about our lives. As computer databases grow, as more transactions take place electronically, over phone systems and computer networks, the possible forms of monitoring will grow with them (1).
Predictably, most proposed solutions to this problem involve more government. One suggestion is to pass a set of laws designed to restrict information usage: "No information shall be used for a purpose different from that for which it was originally collected." Thus, income data collected by a bank through monitoring checking account activity could not be made available to mailing list companies; phone records could not be sold to telemarketing agencies, etc.
But this is a bad solution, for many reasons. The government is notoriously inefficient at enforcing existing laws, and the ease of collecting and using information suggests that it would be almost impossible to successfully enforce a law like this. The government also has a tendency to exempt itself from its own laws. It's unlikely that the IRS, for example, will happily give up the use of database matching, which it uses to track down tax evaders. And, of course, the very notion of trying to restrict the uses of information requires strict restrictions on the private actions of individuals which Extropians will find unacceptable.
But there is another solution, one advocated force fully by computer scientist David Chaum of the Center for Mathematics and Computer Science in the Netherlands. While most people concerned with this problem have looked to paternalistic government solutions, Chaum has been quietly putting together the technical basis for a new way of organizing our financial and personal information. Rather than relying on new laws and more government, Chaum looks to technical solutions. And these solutions rely on the ancient science devoted to keeping information confidential: cryptography.
Cryptography, the art of secret writing, has undergone a revolution in the last two decades, a revolution sparked by the invention of "public-key'' cryptography. Seizing on this new technology, computer scientists have branched out into dozens of directions, pushing the frontiers of secrecy and confidentiality into new territory. And it is these new applications for cryptography which offer such promise for avoiding the dangers described above.
Chaum's approach to the protection of privacy can be thought of as having three layers. The first layer is public-key cryptography, which protects the privacy of individual messages. The second layer is anonymous messaging, which allows people to communicate via electronic mail ("email") without revealing their true identities. And the third layer is electronic money, which allows people to not only communicate, but to transact business via a computer network, with the same kind of privacy you get when you use cash. If you go into a store today and make a purchase with cash, no records are left tying you personally to the transaction. With no records, there is nothing to go into a computer database. The goal of electronic cash is to allow these same kinds of private transactions to take place electronically.
(Be aware that there are other proposals for "electronic money" which are not nearly so protective of individuals' privacy. Chaum's proposals are intended to preserve the privacy attributes of cash, so the term "digital cash" is appropriate. But other electronic replacements for cash not only lack its privacy, but would actually facilitate computer monitoring by putting more detailed information into databases, and by discouraging the use of cash. If you see a proposal for an electronic money system, check to see whether it has the ability to preserve the privacy of financial transactions the way paper money does today. If not, realize that the proposal is designed to harm, not help, individual privacy.)

Public-Key Cryptography

The first of the three layers in the privacy protecting electronic money system is public-key cryptography. The basic concept of public-key cryptography, invented in 1976 by Diffie and Hellman (2), is simple. Cryptographers have traditionally described an encryption system as being composed of two parts: an encryption method and a key. The encryption method is assumed to be publicly available, but the key is kept secret. If two people want to communicate, they agree on a secret key, and use that to encrypt and decrypt the message.
Public key cryptography introduced the idea that there could be two keys rather than one. One key, the public key, is known to everyone, and is used to encrypt messages. The other key, the secret key, is known only to you, and is used to decrypt messages. Public and secret keys are created in pairs, with each public key corresponding to one secret key, and vice vesa.
So, to use a public-key system, you first create a public/secret key pair. You tell all your friends your public key, while keeping your secret key secret. When they want to send to you, they encrypt the message using your public key. The resulting encrypted message is readable only by using your secret key. This means that even the person who encrypted the message can't decrypt it! If he forgets whath is original message said, and he deleted it, he has no chance of reconstructing the original. Only you can do that. This is the paradox of public key cryptography - that a person can transform a message in such a way that they can't un-transform it, even though they know the exact formula used to make the transformation.
Figure 1 illustrates the steps involved in using a public-key system. (The keys and messages are based on actual output from Phillip Zimmermann's free public key program, PGP .) Alice, on the left, firs t creates a public and secret key pair, the top two boxes on that side. The top box, the public key, she sends to her friend Bob, on the right. The second box is her secret key, which she keeps private. Bob, on the right, receives and saves Alice's public key. Then, when he wants to write to her, he composes a message, shown in the second box on that side. With a public-key encryption program like PGP, he encrypts the message using Alice's public key, producing output such as the third box on the right. This encrypted message is what he sends to Alice, as shown in the arrow leading back to the left side. Alice uses her saved secret key to decrypt the message from Bob, allowing her to reconstruct Bob's original message, shown as the last box on the left side.
There is no longer any need for public-key cryptography to be mysterious. There are now public-domain software packages which will let you experirnent with public-key cryptography on your own computer, including Zimmerrnann's PGP and others. See the "Access" box for information on how to get them.

Anonymous Messages

Public-key cryptography allows people to communicate electronically with privacy and security. You can send messages safe from prying eyes using these techniques. But this is )ust a step towards the solution to the privacy problems we face. The next step provides the second layer of privacy: anonymous messages - messages whose source and destination can't be traced.
This is necessary because of the goal of providing in an electronic network the privacy of an ordinary cash transaction. Just as a merchant will accept cash from a customer without dernanding proof of identity, we also want our electronic money system to allow similar transactions to take place, without the identity of the people involved being revealed to each other, or even to someone who is monitoring the network.
There are problems with providing anonymous messaging in current email systems. The national email networks are composed of thousands of machines, interconnected through a variety of gateways and message-passing systems. The fundamental necessity for a message to be delivered in such a system is that it be addressed appropriately. Typically an email address consists of a user's name, and the name of the computer system which is his electronic "home". As the message works its way through the network, routing information is added to it, to keep a record of where the message came from and what machines it passed through en route to its destination. In this system, all messages are prominently stamped with their source and destination. Providing anonymous messages in such a system at first appears impossible.
Chaum has proposed two separate systems for overcoming this problem (3). I will focus here on what he calls a "Mix" as it is simpler and more appropriate for the application of anonymous electronic mail. The notion of a Mix is simple. It is basically a message forwarding service. An analogy with ordinary paper mail maybe helpful. Imagine that you want to send a letter to a friend, but in such a way that even someone monitoring your outgoing mail would not know that you were doing this. One solution would be to put your letter into an envelope addressed to your friend, then to place this envelope insidea larger envelope which you would send to someone else, along with a note asking them to forward the letter to your friend. This would hide the true destination of your mail from someone who was watching your outgoing envelopes.
Chaum's Mixes use this basic idea, but applied to email and improved with public-key cryptography. A Mix is a computer program capable of receiving email. It receives messages which contain requests for remailing to another address, and basically just strips off these remailing instructions and forwards the messages as requested. Chaum adds security by having a different public key for each Mix. Now, instead of just sending the message with its forwarding request, the message plus forwarding info is encrypted with the Mix's public key before being sent to the Mix. The Mix simply decrypts the incoming message with its secret key, revealing the forwarding information, and sends the message on.
To protect the privacy of the sender, the Mix removes information about the original sender of the message before sending it. For even greater security, it's possible for the original sender to specify a "Cascade" of Mixes, a whole chain of Mixes that the message should go through before finally being sent to its destination. That way even if one of the Mixes is corrupt, it still can't determine who is sending to whom.
Using Mixes, then, the basic requirement for anonymous mail is met. A message en route in the network does not have to reveal its source and destination. It rnay be coming from a Mix, going to a Mix, or some combination of these.
Figure 2 shows an example of an anonymous message as it is forwarded through a Mix, using public-key cryptography to protect its privacy. As In Figure 1, Bob wants to send his encrypted message to Alice, but this time he wants to use a Mix to provide more confidentiality. Starting with the encrypted message from Figure 1, Bob (on the left, this time) first adds remailing instructions which will be interpreted by the Mix. These will include Alice's email address in some form at specified by the Mix. (This example uses a simplified form of commands currently being used in experimental remailers.) Then he encrypts the whole message with the Mix's public key and sends it to the Mix.
Upon receipt, the Mix reverses the steps which Bob applied. It decrypts the message using its own secret key, then strips off the remailing instructions which Bob added. The resulting message (which the Mix can't read, being encrypted using Alice's secret key) is then forwarded to Alice as specified in the remailing instructions. As before, Alice receives and decrypts the message using her secret key. But this time, the message path has been protected by the Mix, and the fact that Alice and Bob are communicating is kept confidential.

Anonymous Return Addresses

We need something more advanced than message anonymity for truly private messaging, though. These anonymous messages are basically "one-way". I can send you a message, with the source and destination hidden, and when you receive the message you won't have anyway of knowing who sent it. This means that you can' t reply to me. We need the ability to have such replies.
Here, we have a seemingly paradoxical requirement: being able to reply to someone without knowing either who they are or what their email address is. Chaum shows how this can be solved using public-key cryptography and Mixes. The basic idea is what Chaum calls an Anonymous Return Address (ARA). In its simplest form, I create an ARA by taking my regular email address and encrypting it with the public key of a particular Mix - call it MixA for this example. I send this resulting block of encrypted text along with my message to you, through a Cascade of Mixes.
Now, when you receive the message, you see no return address, but you do see the blockof text that is the ARA. You can reply to me without knowing who I am by sending your reply back to MixA, alon
with the ARA itself. MixA decrypts the ARA using its secret key, getting back my original ernail address that I encrypted. Using this email address, it is able to forward the rnail to me. I was able to receive this message from you, although you have no knowledge of my true identity.
Figure 3 shows this process graphically. Bob, in the upper left, aeates his ARA by encrypting a remailing command, similar to what was used in Figure2, with the Mix's public key. He then includes this ARA in messages which he anonymously sends or publically posts. In the example, Alice sees Bob's ARA and wishes to respond to him, even though she doesn't know his email address. She composes her message, in the second box on the right, then combines her message with Bob's ARA. The combined message is sent to the Mix. The Mix now uses its secret key to decrypt the ARA portion of the message, revealing the remailing instructions which Bob encrypted to create the ARA. The remainder of the process is just as in Figure 3. The Mix strips off the remailing request and forwards the message to Bob's address, as shown.
These tools open many possibilities. With Mixes, Cascades, and ARAs, people can communicate without knowing other people's true identities. You can make an anonymous posting to a public message board, include your ARA, and recehe replies from scores of people who don't know who you are. Some of them may repIy anonymously and include their own ARAs. People can end up communicating with each other with none of them knowing the true identity of any of the others.
(Some "Chat" or "CB Simulator" systems today offer the illusion of such anonymous communication, but in most cases the system operators can easily break through the cover of handles and pseudonyms and discover true identities. With a Cascade of Mixes, no single Mix can establish this relationship. As long as even one Mix of the Cascade remains uncorrupted, your identity is safe.)

Digital Pseudonyms

Anonymous messages bring forth the usefulness of "digital pseudonyms," another concept from Chaum. With no identification of the source of messages, there would seem to be no way of verifying that two messages came from the same person. There could be a problem with imposters pretending to be other people, resulting in utter confusion. To solve this problem, we need another concept from public-key cryptography: the "digital signature."
As described above, public-key cryptography allows messages encrypted with my public key to be decrypted with my secret key. However, it works the other way around as well. Messages can be encrypted with my secrct key and then decrypted only with my public key. This property is what is used to implement the digital signature. If I encrypt a document with my secret key, anyone can decrypt it with my public key. And since my secret key is secret, only I can do this type of encryption. That means that if a document can be decrypted with my public key, then I, and only I, must have encrypted it with my secret key. This is considered a digital signature, in the sense that it is a proof that I was the one that "signed" (that is, encrypted) the document.
The digital signature concept can be used to solve the imposter problem by allowing for "digital pseudonyms." My digital pseudonym is simply a public/ secret key pair, where, as usual, I let the public part be known. Typically, I'd publicize it along with my ARA. Now, to prove that a given message is from me and no one else, I sign the message using the secret key of my digital pseudonym. Any set of messages signed by that same digital pseudonym is therefore known to come from me, because only I know the secret key. People may not know who I am, but I can still maintain a stable public persona on the computer nets via my digital pseudonym. And there is no danger of anyone else successfully masquerading as me.
With public-key cryptography, Mixes, and digital pseudonyms, we have all we need for a networkof people communicating privately and anonymously. Now, we need a way for them to transact business while maintaining these conditions.