Cryptography has a long and interesting history, and has been the subject of considerable political controversy.
The classic book on the history of cryptography is David Kahn's The Codebreakers. It traces codes and codebreaking from ancient Egypt to the 20th century.
Diffie and Landau Privacy on the Line: The Politics of Wiretapping and Encryption covers the history from the First World War to the 1990s, with an emphasis on the US.
There are many books on this period. See our bibliography for a few, or try a (web or library) search on "Ultra" and "Enigma". Two books I particularly like are:
Bletchley Park, where much of the Ultra work was done, now has a museum and a web site.
The Ultra work introduced three major innovations.
So by the end of the war, Allied code-breakers were expert at large-scale mechanised code-breaking. The payoffs were enormous.
America's NSA, for example, is said to be both the world's largest employer of mathematicians and the world's largest purchaser of computer equipment. Such claims may be somewhat exaggerated, but beyond doubt the NSA -- and similar agencies in other countries -- have some excellent mathematicians, lots of powerful computers, sophisticated software, and the organisation and funding to apply them on a large scale. Details of the NSA budget are secret, but there are some published estimates.
Changes in the world's communications systems since WW II have provided these agencies with new targets. Cracking the codes used on an enemy's military or diplomatic communications has been common practice for centuries. Extensive use of radio in war made large-scale attacks such as Ultra possible. Modern communications make it possible to go far beyond that. Consider listening in on cell phones, or intercepting electronic mail, or tapping into the huge volumes of data on new media such as fiber optics or satellite links. None of these targets existed in 1950. All of them can be attacked today, and almost certainly are being attacked.
The Ultra story was not made public until the 1970s. Much of the recent history of codes and code-breaking has not been made public, and some of it may never be. Two important books are:
Note that these books cover only part of what is actually going on, and then only the activities of nations open and democratic enough that (some of) what they are doing can be discovered. A full picture, including:
might be really frightening.
In recent years, that has changed a great deal. With computers and networking becoming ubiquitous, cryptography is now important to almost everyone. Among the developments since the 1970s:
This has led to a complex ongoing battle between various mainly government groups wanting to control the spread of crypto and various others, notably the computer industry and the cypherpunk crypto advocates, wanting to encourage widespread use.
Steven Levy has written a fine history of much of this, called Crypto: How the Code Rebels Beat the Government -- Saving Privacy in the Digital Age.
The FreeS/WAN project is to a large extent an outgrowth of cypherpunk ideas. Our reasons for doing the project can be seen in these quotes from the Cypherpunk Manifesto:
Privacy is necessary for an open society in the electronic age. ... We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. ...
We must defend our own privacy if we expect to have any. ...
Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down.
Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. ...
For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. ...
We are literally in a race between our ability to build and deploy technology, and their ability to build and deploy laws and treaties. Neither side is likely to back down or wise up until it has definitively lost the race.
If FreeS/WAN reaches its goal of making opportunistic encryption widespread so that secure communication can become the default for a large part of the net, we will have struck a major blow.
Things various governments have tried or are trying include:
The government believes not only the governments associated with Echelon are able to intercept communication systems, but that it is an activity of the investigative authorities and intelligence services of many countries with governments of different political signature.
Even if they have nothing on the scale of Echelon, most intelligence agencies and police forces certainly have some interception capability.
Of course governments are by no means the only threat to privacy and security on the net. Other threats include:
One study enumerates threats and possible responses for small and medium businesses. VPNs are a key part of the suggested strategy.
We consider privacy a human right. See the UN's Universal Declaration of Human Rights, article twelve:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Our objective is to help make privacy possible on the Internet using cryptography strong enough that not even those well-funded government agencies are likely to break it. If we can do that, the chances of anyone else breaking it are negligible.
For more on these issues see:
There are several collections of crypto quotes on the net.
See also the bibliography and our list of web references on cryptography law and policy.
The remainder of this section includes two pieces of writing by our project leader, discussions of several related topics, and a section on press coverage of FreeS/WAN.
FreeS/WAN project founder John Gilmore wrote a web page about why we are doing this. The version below is slightly edited, to fit this format and to update some links. For a version without these edits, see his home page.
My project for 1996 was to secure 5% of the Internet traffic against passive wiretapping. It didn't happen in 1996, so I'm still working on it in 1997, 1998, and 1999! If we get 5% in 1999 or 2000, we can secure 20% the next year, against both active and passive attacks; and 80% the following year. Soon the whole Internet will be private and secure. The project is called S/WAN or S/Wan or Swan for Secure Wide Area Network; since it's free software, we call it FreeSwan to distinguish it from various commercial implementations. RSA came up with the term "S/WAN". Our main web site is at http://www.freeswan.org/. Want to help?
The idea is to deploy PC-based boxes that will sit between your local area network and the Internet (near your firewall or router) which opportunistically encrypt your Internet packets. Whenever you talk to a machine (like a Web site) that doesn't support encryption, your traffic goes out "in the clear" as usual. Whenever you connect to a machine that does support this kind of encryption, this box automatically encrypts all your packets, and decrypts the ones that come in. In effect, each packet gets put into an "envelope" on one side of the net, and removed from the envelope when it reaches its destination. This works for all kinds of Internet traffic, including Web access, Telnet, FTP, email, IRC, Usenet, etc.
The encryption boxes are standard PC's that use freely available Linux software that you can download over the Internet or install from a cheap CDROM.
This wasn't just my idea; lots of people have been working on it for years. The encryption protocols for these boxes are called IPSEC (IP Security). They have been developed by the IP Security Working Group of the Internet Engineering Task Force, and will be a standard part of the next major version of the Internet protocols (IPv6). For today's (IP version 4) Internet, they are an option.
The Internet Architecture Board and Internet Engineering Steering Group have taken a strong stand that the Internet should use powerful encryption to provide security and privacy. I think these protocols are the best chance to do that, because they can be deployed very easily, without changing your hardware or software or retraining your users. They offer the best security we know how to build, using the Triple-DES, RSA, and Diffie-Hellman algorithms.
This "opportunistic encryption box" offers the "fax effect". As each person installs one for their own use, it becomes more valuable for their neighbors to install one too, because there's one more person to use it with. The software automatically notices each newly installed box, and doesn't require a network administrator to reconfigure it. Instead of "virtual private networks" we have a "REAL private network"; we add privacy to the real network instead of layering a manually-maintained virtual network on top of an insecure Internet.
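The decision the "opportunistic encryption box" makes for each outgoing packet, as an added example that is not FreeS/WAN's own code. It is a simplified model: a constructed table stands in for the key records a peer publishes, a boolean stands in for DNSSEC validation of that record, and the "envelope" is a dictionary rather than a real IPsec packet. The choice to treat an unvalidated key record the same as no record is an assumption of this example, made so the gateway never relies on a key it cannot verify.

```python
"""Simplified opportunistic-encryption gateway: encrypt to peers that publish
a verified key, pass everything else in the clear, and notice new peers
without any administrator reconfiguration. Added example, not project code.
"""
from dataclasses import dataclass, field

# Constructed sample key directory: address -> (public key, record validated).
# A peer with no entry does not advertise support, so traffic to it is
# sent in the clear, exactly as to any non-encrypting host.
KEY_RECORDS = {
    "192.0.2.10": ("peer-key-A", True),   # publishes a key, record validated
    "192.0.2.20": ("peer-key-B", False),  # publishes a key, validation failed
}


def publish_key(addr, key, valid=True):
    """A newly installed box publishes its key; nothing else needs touching."""
    KEY_RECORDS[addr] = (key, valid)


@dataclass
class Gateway:
    own_addr: str
    tunnels: dict = field(default_factory=dict)  # peer address -> key in use
    log: list = field(default_factory=list)

    def forward(self, dst, payload):
        """Return ("encrypted", envelope) or ("clear", payload) for one packet."""
        if dst in self.tunnels:                      # tunnel already set up
            return "encrypted", self._wrap(dst, payload)

        rec = KEY_RECORDS.get(dst)
        if rec is None:
            self.log.append(f"{dst}: no key record, sending in the clear")
            return "clear", payload

        key, valid = rec
        if not valid:
            # Assumption of this example: an unverified key is not used at all.
            # Encrypting to an unverified key would be bogus security, since the
            # record could have been planted by whoever sits on the path.
            self.log.append(f"{dst}: key record not validated, sending in the clear")
            return "clear", payload

        self.tunnels[dst] = key
        self.log.append(f"{dst}: verified key {key}, tunnel established")
        return "encrypted", self._wrap(dst, payload)

    def _wrap(self, dst, payload):
        """Stand-in for the IPsec envelope: outer addresses plus opaque inner packet."""
        return {"outer_src": self.own_addr, "outer_dst": dst,
                "key": self.tunnels[dst], "inner": payload}


if __name__ == "__main__":
    gw = Gateway("198.51.100.1")
    for dst in ("192.0.2.10", "192.0.2.20", "203.0.113.5"):
        kind, _ = gw.forward(dst, b"hello")
        print(dst, "->", kind)
    publish_key("203.0.113.5", "peer-key-C")   # a neighbour installs a box
    print("203.0.113.5 ->", gw.forward("203.0.113.5", b"hello")[0])
    print("\n".join(gw.log))
```

Running it shows the "fax effect" directly: the third host is plaintext on the first packet and encrypted as soon as it publishes a key, with no change on the sending gateway.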
The US government would like to control the deployment of IP Security with its crypto export laws. This isn't a problem for my effort, because the cryptographic work is happening outside the United States. A foreign philanthropist, and others, have donated the resources required to add these protocols to the Linux operating system. Linux is a complete, freely available operating system for IBM PC's and several kinds of workstation, which is compatible with Unix. It was written by Linus Torvalds, and is still maintained by a talented team of expert programmers working all over the world and coordinating over the Internet. Linux is distributed under the GNU Public License, which gives everyone the right to copy it, improve it, give it to their friends, sell it commercially, or do just about anything else with it, without paying anyone for the privilege.
Organizations that want to secure their network will be able to put two Ethernet cards into an IBM PC, install Linux on it from a $30 CDROM or by downloading it over the net, and plug it in between their Ethernet and their Internet link or firewall. That's all they'll have to do to encrypt their Internet traffic everywhere outside their own local area network.
Travelers will be able to run Linux on their laptops, to secure their connection back to their home network (and to everywhere else that they connect to, such as customer sites). Anyone who runs Linux on a standalone PC will also be able to secure their network connections, without changing their application software or how they operate their computer from day to day.
There will also be numerous commercially available firewalls that use this technology. RSA Data Security is coordinating the S/Wan (Secure Wide Area Network) project among more than a dozen vendors who use these protocols. There's a compatibility chart that shows which vendors have tested their boxes against which other vendors to guarantee interoperability.
Eventually it will also move into the operating systems and networking protocol stacks of major vendors. This will probably take longer, because those vendors will have to figure out what they want to do about the export controls.
My initial goal of securing 5% of the net by Christmas '96 was not met. It was an ambitious goal, and inspired me and others to work hard, but was ultimately too ambitious. The protocols were in an early stage of development, and needed a lot more protocol design before they could be implemented. As of April 1999, we have released version 1.0 of the software (freeswan-1.0.tar.gz), which is suitable for setting up Virtual Private Networks using shared secrets for authentication. It does not yet do opportunistic encryption, or use DNSSEC for authentication; those features are coming in a future release.
The first prototype implementation of Domain Name System Security was funded by DARPA as part of their Information Survivability program. Trusted Information Systems wrote a modified version of BIND, the widely-used Berkeley implementation of the Domain Name System.
TIS, ISC, and I merged the prototype into the standard version of BIND. The first production version that supports KEY and SIG records is bind-4.9.5. This or any later version of BIND will do for publishing keys. It is available from the Internet Software Consortium. This version of BIND is not export-controlled since it does not contain any cryptography. Later releases starting with BIND 8.2 include cryptography for authenticating DNS records, which is also exportable. Better documentation is needed.
Because I can. I have made enough money from several successful startup companies, that for a while I don't have to work to support myself. I spend my energies and money creating the kind of world that I'd like to live in and that I'd like my (future) kids to live in. Keeping and improving on the civil rights we have in the United States, as we move more of our lives into cyberspace, is a particular goal of mine.
Would you like to help? I can use people who are willing to write documentation, install early releases for testing, write cryptographic code outside the United States, sell pre-packaged software or systems including this technology, and teach classes for network administrators who want to install this technology. To offer to help, send me email at gnu@toad.com. Tell me what country you live in and what your citizenship is (it matters due to the export control laws; personally I don't care). Include a copy of your resume and the URL of your home page. Describe what you'd like to do for the project, and what you're uniquely qualified for. Mention what other volunteer projects you've been involved in (and how they worked out). Helping out will require that you be able to commit to doing particular things, meet your commitments, and be responsive by email. Volunteer projects just don't work without those things.
From a message project leader John Gilmore posted to the mailing list:
John Denker wrote:
> Indeed there are several ways in which the documentation overstates the
> scope of what this project does -- starting with the name
> FreeS/WAN. There's a big difference between having an encrypted IP tunnel
> versus having a Secure Wide-Area Network. This software does a fine job of
> the former, which is necessary but not sufficient for the latter.

The goal of the project is to make it very hard to tap your wide area communications. The current system provides very good protection against passive attacks (wiretapping and those big antenna farms). Active attacks, which involve the intruder sending packets to your system (like packets that break into sendmail and give them a root shell :-) are much harder to guard against. Active attacks that involve sending people (breaking into your house and replacing parts of your computer with ones that transmit what you're doing) are also much harder to guard against. Though we are putting effort into protecting against active attacks, it's a much bigger job than merely providing strong encryption. It involves general computer security, and general physical security, which are two very expensive problems for even a site to solve, let alone to build into a whole society. The societal benefit of building an infrastructure that protects well against passive attacks is that it makes it much harder to do undetected bulk monitoring of the population. It's a defense against police-states, not against policemen. Policemen can put in the effort required to actively attack sites that they have strong suspicions about. But police states won't be able to build systems that automatically monitor everyone's communications.
Either they will be able to monitor only a small subset of the populace (by targeting those who screwed up their passive security), or their monitoring activities will be detectable by those monitored (active attacks leave packet traces or footprints), which can then be addressed through the press and through political means if they become too widespread. FreeS/WAN does not protect very well against traffic analysis, which is a kind of widespread police-state style monitoring that still reveals significant information (who's talking to who) without revealing the contents of what was said. Defenses against traffic analysis are an open research problem. Zero Knowledge Systems is actively deploying a system designed to thwart it, designed by Ian Goldberg. The jury is out on whether it actually works; a lot more experience with it will be needed.
Notes on things mentioned in that message:
Various groups, especially governments and especially the US government, have a long history of advocating various forms of bogus security.
We regard bogus security as extremely dangerous. If users are deceived into relying on bogus security, then they may be exposed to large risks. They would be better off having no security and knowing it. At least then they would be careful about what they said.
Avoiding bogus security is a key design criterion for everything we do in FreeS/WAN. The most conspicuous example is our refusal to support single DES. Other IPsec "features" which we do not implement are discussed in our compatibility document.
Various governments have made persistent attempts to encourage or mandate "escrowed encryption", also called "key recovery", or GAK for "government access to keys". The idea is that cryptographic keys be held by some third party and turned over to law enforcement or security agencies under some conditions.
Mary had a little key - she kept it in escrow, and every thing that Mary said, the feds were sure to know.
A crypto quotes page attributes this to Sam Simpson.
There is an excellent paper available on Risks of Escrowed Encryption, from a group of cryptographic luminaries which included our project leader.
Like any unnecessary complication, GAK tends to weaken security of any design it infects. For example:
FreeS/WAN does not support escrowed encryption, and never will.
Various governments, and some vendors, have also made persistent attempts to convince people that:
Weak systems touted include:
The notion that choice of ciphers or keysize should be determined by a trade-off between security requirements and overheads is pure bafflegab.
For example, suppose public key operations use 1% of the time in a hybrid system and you triple the cost of public key operations. The cost of symmetric cipher operations is unchanged at 99% of the original total cost, so the overall effect is a jump from 99 + 1 = 100 to 99 + 3 = 102, a 2% rise in system cost.
In short, there has never been any technical reason to use inadequate ciphers. The only reason there has ever been for anyone to use such ciphers is that government agencies want weak ciphers used so that they can crack them. The alleged savings are simply propaganda.
Mary had a little key (It's all she could export), and all the email that she sent was opened at the Fort.
A crypto quotes page attributes this to Ron Rivest. NSA headquarters is at Fort Meade, Maryland.
Of course, making systems secure does involve costs, and trade-offs can be made between cost and security. There can be substantial hardware and software costs. There are almost always substantial staff or contracting costs:
For a fairly awful example, see this report. In that case over a million credit card numbers were taken from e-commerce sites, using security flaws in Windows NT servers. Microsoft had long since released patches for most or all of the flaws, but the site administrators had not applied them.
Compared to those costs, cipher overheads are an insignificant factor in the cost of security. Note, however, that choosing an insecure cipher can cause all your other investment to be wasted.
Our policy in FreeS/WAN is to use only cryptographic components with adequate keylength and no known weaknesses.
These decisions imply that we cannot fully conform to the IPsec RFCs, since those have DES as the only required cipher and Group 1 as the only required DH group. (In our view, the standards were subverted into offering bogus security.) Fortunately, we can still interoperate with most other IPsec implementations since nearly all implementers provide at least 3DES and Group 2 as well.
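How the policy in the two paragraphs above plays out at negotiation time, as an added example that is not FreeS/WAN's negotiation code. It models a responder that refuses single DES and DH group 1 outright (the RFC-mandatory choices) and accepts 3DES with group 2, which nearly all implementations also offer; a peer offering only the weak combinations gets no security association rather than a downgraded one. The peer proposals are constructed. Listing DH group 5 (the 1536-bit MODP group) above group 2 in the preference order is an assumption of this example; the page itself names only group 2.

```python
"""Selecting an IPsec proposal under a 'no bogus security' policy.
Added example, not project code. Proposals are (cipher, key bits, DH group).
"""
from collections import namedtuple

Proposal = namedtuple("Proposal", "cipher keybits dh_group")

# Local policy, strongest first. Anything not listed is refused; there is no
# negotiating down to a cipher or group the policy considers inadequate.
# Group 5 (1536-bit MODP) first is this example's assumption.
ACCEPTABLE = [
    Proposal("3des", 168, 5),
    Proposal("3des", 168, 2),
]


def rejection_reason(p):
    """Explain why a peer's proposal is unusable, or None if it is acceptable."""
    if p.cipher == "des":
        return "single DES: 56-bit key, brute-forceable"
    if p.dh_group == 1:
        return "DH group 1: 768-bit modulus, inadequate"
    if p not in ACCEPTABLE:
        return "not in local policy"
    return None


def select_proposal(peer_offers):
    """Return (chosen, reasons): our most preferred proposal the peer also
    offers, or None if nothing the peer offers passes policy. 'reasons' maps
    each offer to its rejection reason (None when acceptable) so a failed
    negotiation can be logged with the cause rather than silently dropped."""
    reasons = {p: rejection_reason(p) for p in peer_offers}
    offered = set(peer_offers)
    for mine in ACCEPTABLE:
        if mine in offered:
            return mine, reasons
    return None, reasons


if __name__ == "__main__":
    # Constructed peer offer lists, from RFC-minimum only to fully acceptable.
    peers = {
        "rfc-minimum": [Proposal("des", 56, 1)],
        "mixed":       [Proposal("des", 56, 1), Proposal("3des", 168, 1),
                        Proposal("3des", 168, 2)],
        "strong":      [Proposal("3des", 168, 2), Proposal("3des", 168, 5)],
    }
    for name, offers in peers.items():
        chosen, reasons = select_proposal(offers)
        print(f"{name}: chosen = {chosen}")
        for p, why in reasons.items():
            if why:
                print(f"  refused {p}: {why}")
```

The "mixed" peer shows the interoperability point of the text: even though it leads with the RFC-mandatory DES and group 1, the negotiation still succeeds because it also offers 3DES with group 2. The "rfc-minimum" peer shows the other half of the policy: the right outcome is no tunnel and a logged reason, not a tunnel whose cipher an agency can crack.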
We hope that eventually the RFCs will catch up with our (and others') current practice and reject dubious components. Some of our team and a number of others are working on this in IETF working groups.