
The primary advantage of public-key cryptography is increased security and convenience: private keys never need to be transmitted or revealed to anyone. In a secret-key system, by contrast, the secret keys must be transmitted (either manually or through a communication channel) since the same key is used for encryption and decryption. A serious concern is that there may be a chance that an enemy can discover the secret key during transmission.

Another major advantage of public-key systems is that they can provide digital signatures that cannot be repudiated. Authentication via secret-key systems requires the sharing of some secret and sometimes requires trust of a third party as well. As a result, a sender can repudiate a previously authenticated message by claiming the shared secret was somehow compromised (see Question 4.1.2.3) by one of the parties sharing the secret. For example, the Kerberos secret-key authentication system (see Question 5.1.6) involves a central database that keeps copies of the secret keys of all users; an attack on the database would allow widespread forgery. Public-key authentication, on the other hand, prevents this type of repudiation; each user has sole responsibility for protecting his or her private key. This property of public-key authentication is often called non-repudiation.

A disadvantage of using public-key cryptography for encryption is speed. There are many secret-key encryption methods that are significantly faster than any currently available public-key encryption method. Nevertheless, public-key cryptography can be used with secret-key cryptography to get the best of both worlds. For encryption, the best solution is to combine public- and secret-key systems in order to get both the security advantages of public-key systems and the speed advantages of secret-key systems. Such a protocol is called a digital envelope, which is explained in more detail in Question 2.2.4.

Public-key cryptography may be vulnerable to impersonation, even if users' private keys are not available. A successful attack on a certification authority (see Question 4.1.3.14) will allow an adversary to impersonate whomever he or she chooses by using a public-key certificate from the compromised authority to bind a key of the adversary's choice to the name of another user.

In some situations, public-key cryptography is not necessary and secret-key cryptography alone is sufficient. These include environments where secure secret key distribution can take place, for example, by users meeting in private. It also includes environments where a single authority knows and manages all the keys, for example, a closed banking system. Since the authority knows everyone's keys already, there is not much advantage for some to be "public" and others to be "private." Note, however, that such a system may become impractical if the number of users becomes large; there are not necessarily any such limitations in a public-key system.

Public-key cryptography is usually not necessary in a single-user environment. For example, if you want to keep your personal files encrypted, you can do so with any secret-key encryption algorithm using, say, your personal password as the secret key. In general, public-key cryptography is best suited for an open multi-user environment.

Public-key cryptography is not meant to replace secret-key cryptography, but rather to supplement it, to make it more secure. The first use of public-key techniques was for secure key establishment in a secret-key system [DH76]; this is still one of its primary functions. Secret-key cryptography remains extremely important and is the subject of much ongoing study and research. Some secret-key cryptosystems are discussed in the sections on block ciphers and stream ciphers.

Dr. Burt Kaliski is chair of the office of the CTO and vice president of research at RSA Security, the security division of EMC. He is also chief scientist of its research center, RSA Laboratories. He joined RSA Data Security in 1989 and helped launch RSA Laboratories as an academic environment within RSA Data Security in 1991. Through the years he has been involved extensively in the development of cryptographic standards. He sat down with Senior News Writer Bill Brenner before moderating the popular cryptographers' panel at last year's RSA.

You're planning to give a presentation on Symmetric Key Infrastructures (SKI) and how it will likely play an even more important role in IT security than Public Key Infrastructures (PKI) in the years ahead. Talk about the differences between PKI and SKI and why SKI may grow in importance going forward.

Kaliski: Both PKIs and SKIs are concerned with full lifecycle management for cryptographic keys: creation and distribution, archive and recovery, revocation and deletion. In SKIs, the keys must be kept secret. A key needs to be available either to a single principal or a small group of principals who share the key. Public keys in PKIs, of course, can be made public and available to everyone. Private keys in PKIs, on the other hand, must be kept secret. A private key generally needs to be available only to a single principal, and is not shared.

Most of the application of cryptography to date has been for data "on the fly"--over networks or via email. Here, the encryption and decryption typically happen when the data is sent or received, or the message is sent or opened. The keys are identified and already available to the principals involved in the process. The data is typically encrypted with a symmetric key, where the symmetric key is conveyed using public-key techniques. However, the symmetric key itself does not need to be managed explicitly. The only long-term secret that needs to be managed is usually a PKI private key, and it generally needs to be available only to a single principal.

The renaissance of SKIs is due to the emerging emphasis on applying cryptography to data "at rest"--in a database or on a disk or tape. Here, the decryption might happen a long time after the encryption, and by a principal not involved when the data was originally encrypted. The symmetric key in this case typically does have to be managed explicitly. Furthermore, the key may need to be available to more than one principal. Managing these keys thus requires a richer and more complex infrastructure than for PKI private keys.
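The digital envelope that the FAQ above mentions, and the pattern Kaliski describes (a symmetric key conveyed with public-key techniques, which for data at rest must then be kept available to more than one principal), as an added example in Go. This is not code from RSA Laboratories or from the interview. It uses Go's standard-library RSA-OAEP and AES-256-GCM (my choice of primitives; neither text names any), and it generalises the single-recipient envelope to one data key wrapped once per recipient, which is the "available to more than one principal" case of the data-at-rest paragraph. The `Envelope` container layout, the recipient names and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient pairs a principal's name with the public key used to wrap the data key for them.
type Recipient struct {
	Name string
	Key  *rsa.PublicKey
}

// Envelope is a constructed container format: the payload is encrypted once
// with AES-256-GCM, and the one-time data key is wrapped separately with
// RSA-OAEP for each recipient. The data key itself is never stored.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(dataKey)
}

// oaepLabel ties each wrapped blob to this purpose; sealer and opener must agree on it.
var oaepLabel = []byte("envelope-data-key")

// NewRecipientKey generates a 2048-bit RSA key pair for one principal.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal builds the envelope: a fresh random AES key encrypts the whole payload,
// and only that 32-byte key goes through the slow public-key operation.
func Seal(plaintext []byte, recipients ...Recipient) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("envelope needs at least one recipient")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients))}
	for _, r := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.Key, dataKey, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[r.Name] = wrapped
	}
	return env, nil
}

// Open recovers the data key with the named recipient's private key and decrypts
// the payload. A wrong key, a missing recipient entry or any modification of the
// ciphertext yields an error instead of plaintext.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no wrapped key for recipient " + name)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, errors.New("unwrapping data key failed: " + err.Error())
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // GCM tag check rejects tampering
}

// newGCM turns the symmetric key into an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewRecipientKey()
	bob, _ := NewRecipientKey()
	// Constructed sample: a record "at rest" that two principals must still be able to read later.
	record := []byte("customer-ledger-2007: balance 1250.00 (constructed sample)")
	env, err := Seal(record, Recipient{"alice", &alice.PublicKey}, Recipient{"bob", &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	fmt.Printf("payload %d bytes, %d wrapped keys of %d bytes each\n",
		len(env.Ciphertext), len(env.WrappedKeys), len(env.WrappedKeys["alice"]))
	out, err := Open(env, "bob", bob)
	fmt.Printf("bob opens: %q err=%v\n", out, err)
	_, err = Open(env, "alice", bob) // Bob's private key cannot unwrap Alice's copy
	fmt.Println("bob using alice's slot:", err)
}
```

The point the interview makes is visible in the container: the payload is encrypted once, the wrapped copies are what an SKI has to track, and adding or removing a principal means re-wrapping (or re-keying and re-encrypting) rather than touching the payload encryption. The GCM authentication tag makes a modified ciphertext fail to open, so a stored envelope cannot be silently altered by someone who holds no key.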

What are some concrete aspects of SKI that could help IT professionals secure their companies against today's threats? How could the features make the business of security easier on them?

Kaliski: If data compromise is the threat, encryption is a countermeasure -- but it's only effective if the decryption keys are available when needed to the parties that need them, and available only to them and no one else. In this sense, decryption keys are another information asset that IT professionals need to manage. SKIs can help IT professionals manage them more easily and effectively. Your company's management and your customers may be telling you, "Encrypt the data." It's a lot easier to do so if you have an infrastructure for managing the keys.

What do you expect to be some of the highlights at the RSA show in terms of speakers and topics?

Kaliski: As usual, I'm expecting the show to be an informative event that gives motivation for the year ahead. Innovation has always been an underlying theme for the conference, but the 2007 event is bringing it to the forefront with a lineup of keynote speakers. In addition to senior executives from major IT companies, Gen. Colin Powell, Ray Kurzweil and IDEO's Tom Kelley will be presenting their expert perspectives on innovation in today's world. Additionally, the RSA Conference has added an entire track on consumer protection to address the increasing need for the information security industry to approach applications from the consumer's standpoint. I'll be moderating the cryptographers' panel once again. Finally, for the more technically oriented, we continue the cryptographers' track, an academic research workshop within the conference, chaired by Masayuki Abe of NTT.

A few years ago, the phrase crypto anarchy was coined to suggest the impending arrival of a Brave New World in which governments, as we know them, have crumbled, disappeared, and been replaced by virtual communities of individuals doing as they wish without interference. Proponents argue that crypto anarchy is the inevitable -- and highly desirable -- outcome of the release of public key cryptography into the world. With this technology, they say, it will be impossible for governments to control information, compile dossiers, conduct wiretaps, regulate economic arrangements, and even collect taxes. Individuals will be liberated from coercion by their physical neighbors and by governments. This view has been argued recently by Tim May [1].

Behind the anarchists' vision is a belief that a guarantee of absolute privacy and anonymous transactions would make for a civil society based on a libertarian free market. They ally themselves with Jefferson and Hayek who would be horrified at the suggestion that a society with no government control would be either civil or free. Adam Ferguson once said "Liberty or Freedom is not, as the origin of the name may seem to imply, an exemption from all restraints, but rather the most effectual applications of every just restraint to all members of a free society whether they be magistrates or subjects." Hayek opens The Fatal Conceit, The Errors of Socialism (The University of Chicago Press, 1988, ed. W.W. Bartley III) with Ferguson's quote.

Although May limply asserts that anarchy does not mean lawlessness and social disorder, the absence of government would lead to exactly these states of chaos.

I do not want to live in an anarchistic society -- if such could be called a society at all -- and I doubt many would. A growing number of people are attracted to the market liberalism envisioned by Jefferson, Hayek, and many others, but not to anarchy. Thus, the crypto anarchists' claims come close to asserting that the technology will take us to an outcome that most of us would not choose.

This is the claim that I want to address here. I do not accept crypto anarchy as the inevitable outcome. A new paradigm of cryptography, key escrow, is emerging and gaining acceptance in industry. Key escrow is a technology that offers tools that would assure no individual absolute privacy or untraceable anonymity in all transactions. I argue that this feature of the technology is what will allow individuals to choose a civil society over an anarchistic one. I will review this technology as well as what it will take to avoid crypto anarchy. First, however, I will review the benefits, limitations, and drawbacks of cryptography and current trends leading toward crypto anarchy.

Cryptography's Benefits, Limitations, and Drawbacks

The benefits of cryptography are well recognized. Encryption can protect communications and stored information from unauthorized access and disclosure. Other cryptographic techniques, including methods of authentication and digital signatures, can protect against spoofing and message forgeries. Practically everyone agrees that cryptography is an essential information security tool, and that it should be readily available to users. I take this as a starting assumption and, in this respect, have no disagreement with the crypto anarchists.

Less recognized are cryptography's limitations. Encryption is often oversold as the solution to all security problems or to threats that it does not address. For example, the headline of Jim Warren's op-ed piece in the San Jose Mercury News reads "Encryption could stop computer crackers" [2]. Unfortunately, encryption offers no such aegis. Encryption does nothing to protect against many common methods of attack including those that exploit bad default settings or vulnerabilities in network protocols or software -- even encryption software. In general, methods other than encryption are needed to keep out intruders. Secure Computing Corporation's Sidewinder[TM] system defuses the forty-two "bombs" (security vulnerabilities) in Cheswick and Bellovin's book, Firewalls and Network Security (Addison Wesley, 1994), without making use of any encryption [3].

Moreover, the protection provided by encryption can be illusory. If the system where the encryption is performed can be penetrated, then the intruder may be able to access plaintext directly from stored files or the contents of memory or modify network protocols, application software, or encryption programs in order to get access to keys or plaintext data or to subvert the encryption process. For example, PGP (Pretty Good Privacy) could be replaced with a Trojan horse that appears to behave like PGP but creates a secret file of the user's keys for later transmission to the program's owner, much like a Trojan horse login program collects passwords. A recent penetration study of 8932 computers by the Defense Information Systems Agency showed 88% of the computers could be successfully attacked. Using PGP to encrypt data transmitted from or stored on the average system could be like putting the strongest possible lock on the back door of a building while leaving the front door wide open. Information security requires much more than just encryption -- authentication, configuration management, good design, access controls, firewalls, auditing, security practices, and security awareness training are a few of the other techniques needed.

The drawbacks of cryptography are frequently overlooked as well. The widespread availability of unbreakable encryption coupled with anonymous services could lead to a situation where practically all communications are immune from lawful interception (wiretaps) and documents from lawful search and seizure, and where all electronic transactions are beyond the reach of any government regulation or oversight. The consequences of this to public safety and social and economic stability could be devastating. With the government essentially locked out, computers and telecommunications systems would become safe havens for criminal activity. Even May himself acknowledges that crypto anarchy provides a means for tax evasion, money laundering, espionage (with digital dead drops), contract killings, and implementation of data havens for storing and marketing illegal or controversial material. Encryption also threatens national security by interfering with foreign intelligence operations. The United States, along with many other countries, imposes export controls on encryption technology to lessen this threat.

Cryptography poses a threat to organizations and individuals too. With encryption, an employee of a company can sell proprietary electronic information to a competitor without the need to photocopy and handle physical documents. Electronic information can be bought and sold on "black networks" such as BlackNet [1] with complete secrecy and anonymity -- a safe harbor for engaging in both corporate and government espionage. The keys that unlock a corporation's files may be lost, corrupted, or held hostage for ransom, thus rendering valuable information inaccessible.

When considering the threats posed by cryptography, it is important to recognize that only the use of encryption for confidentiality, including anonymity, presents a problem. The use of cryptography for data integrity and authentication, including digital signatures, is not a threat. Indeed, by strengthening the integrity of evidence and binding it to its source, cryptographic tools for authentication are a forensic aid to criminal investigations. They also help enforce accountability. Because different cryptographic methods can be employed for confidentiality and authentication, any safeguards that might be placed on encryption to counter the threats
