0465039146-RM

12/5/06

12:31 AM

Page 353

notes to chapter four

Texas
Utah
Virginia
Washington
West Virginia
Wisconsin
Wyoming

353

Tex. Penal Code 32.51

Utah Code Ann. 766-11011104
Va. Code Ann. 18.2186.3
Wash. Rev. Code 9.35.020
W. Va. Code 613-54
Wis. Stat. 943.201
Wyo. Stat. Ann. 63-901

11. Stewart A. Baker and Paul R. Hurst, The Limits of Trust: Cryptography, Governments,
and Electronic Commerce (Boston: Kluwer Law International, 1998), xv.
12. Ibid.
13. See Hal Abelson et al., The Risks of Key Recovery, Key Escrow, and Trusted ThirdParty Encryption, World Wide Web Journal 2 (1997): 241, 245: Although cryptography has traditionally been associated with confidentiality, other cryptographic mechanisms, such as
authentication codes and digital signatures, can assure that messages have not been tampered
with or forged.
14. Whitfield Diffie and Martin E. Hellman, New Directions in Cryptography, IEEE
Transactions on Information Theory it22 (November 1976): 2940. The idea had apparently
been discovered earlier by James Ellis at the British Government Communication Headquarters, but it was not then published; see Baker and Hurst, The Limits of Trust, xviixviii.
15. Even if the wires are tapped, this type of encryption still achieves its magic. We can get
a hint of how in a series of cases whose accumulating impact makes the potential clear.
A. If I want to send a message to you that I know only you will be able to read, I can take
your public key and use it to encrypt that message. Then I can send that message to you knowing that only the holder of the private key (presumably you) will be able to read it. Advantage:
My message to you is secure. Disadvantage: You cant be sure it is I who sent you the message.
Because anyone can encrypt a message using your public key and then send it to you, you
have no way to be certain that I was the one who sent it. Therefore, consider the next example.
B. Before I send the message I have encrypted with your public key, I can encrypt it with
my private key. Then when you receive the message from me, you can first decrypt it with my
public key, and then decrypt it again with your private key. After the first decryption, you can
be sure that I (or the holder of my private key) was the one who sent you the message; after the
second decryption, you can be sure that only you (or other holders of your private key) actually
read the content of the message. But how do you know that what I say is the public key of Larry
Lessig is actually the public key of Larry Lessig? How can you be sure, that is, that the public key
you are using is actually the public key it purports to be? Here is where the next example
comes in.
C. If there is a trustworthy third party (say, my bank, or the Federal Reserve Board, or the
ACLU) with a public key (a fact I am able to verify because of the prominence of the institution), and that third party verifies that the public key of Larry Lessig is actually the public key
of Larry Lessig, then along with my message sent to you, encrypted first in your public key and
second in my private key, would be a certificate, issued by that institution, itself encrypted
with the institutions private key. When you receive the message, you can use the institutions
public key to decrypt the certificate; take from the certificate my public key (which you now are
fairly confident is my public key); decrypt the message I sent you with the key held in the certificate (after which you are fairly confident comes from me); and then decrypt the message
encrypted with your public key (which you can be fairly confident no one else has read). If we
did all that, you would know that I am who I say I am and that the message was sent by me; I
would know that only you read the message; and you would know that no one else read the
message along the way.