Interest in encryption arises from a history of technology transforming commerce. The need for secure communications has propagated the development of encryption schemes to protect the integrity of information as it is transferred electronically. There are a number of security services involved in encryption outside of the issue privacy: confidentiality--assurance that the parties involved in a communication have exclusive knowledge of the message; authentication--assurance that the parties involved are who they say they are; non-repudiation--proof of which party sent the message or which party received it; and time-date stamping--proof of when the message was created, sent and received. The encryption scheme itself can be classified as single-key or public-key based on its implementation.
Single-key encryption
The idea behind single key encryption is to encrypt a block of data using an encryption algorithm and a number called the "key," which is known only to the sender and the recipient. The key controls how the message is encrypted and every key does it differently. Thus, even it is known that a message has been encrypted using a specific algorithm such as DES, the Data Encryption Standard algorithm invented by IBM, it is impossible to decrypt the message without knowing the key as well.
An example of single-key encryption is a password on a word processing document or a PIN number on an ATM account. Single-key encryption is also called symmetric encryption, since the same key is used to encrypt a message from plaintext into ciphertext and to decrypt the ciphertext back into plaintext again. The key itself is a randomly-generated stream of bits of a specified length.
No matter how secure the encryption algorithm used to generate the key to encode the information, the single-key encryption system has two inherent security weaknesses. First, the sender and the recipient of the message need to share knowledge of the same secret key--meaning that each must trust the other not to compromise knowledge that is exclusive to them. This also makes anonymity almost impossible. Second, the communications channels used to exchange keys must be independently secured to prevent fraud.
Public-key encryption
Public-key encryption, also known as asymmetric encryption, solves both shared key risk and the distribution key problem. Instead of a single key, the public-key encryption system uses a pair of keys which are mathematically linked to each other--one of which is kept secret and the other which is transmitted. Each user possesses a private and public key pair which cannot practically be derived from each other.
With public-key encryption, only one key is needed to encrypt a message; the other is used for decrypting the message. A sender with a recipient's public-key can thus encrypt a message which only the recipient can decrypt using his private key. Likewise, a sender can encrypt a message with his private key which can be decrypted by anyone with the matching public key. In this way, a recipient with the sender's public key can verify that it was indeed the sender who originated the message. This is called a digital signature. Public-key encryption thus provides for both confidentiality and authentication.
The benefits of public-key encryption are clear. The sender and recipient no longer need to communicate previously, nor do they need to exchange private keys to send a communication that is signed and secure. They only need to exchange public keys, which can be done over open communication lines. Public-key encryption thus offers the possibility of a much more cost-efficient technology for securing communications.
The idea behind public-key crytography was invented by Whitfield Diffie, a mathematician and computer scientist from MIT, in 1975. His big realization was understanding how to build a cryptographic system in which each communication was controlled by two keys instead of one. In addition, if the two keys were related, anything encrypted by one could then be decrypted by the other. However, Diffie did not solve the problem of designing mathematically-related keys that could not be derived from each other until he got together with Stanford Professor Martin Hellman. From 1975 to 1978, Diffie and Hellman co-authored a series of now-classic papers on public-key cryptography.
Several public-key encryption techniques now exist, subject to patents. Among them is the method pioneered by Massachusetts Institute of Technology professors Ronald L. Rivest, Adi Shamir and Leonard Adleman, known as RSA encryption. The mathematics behind RSA's asymmetric encryption is based on the notion of one-way functions. For instance, the product of two prime numbers, 31 and 97, is simple to calculate (=3007), but difficult to factor (=31 and 97). Likewise, raising numbers to powers is much simpler than taking roots; it takes a few seconds to find 2^12 (=4096), but longer to calculate the twelfth root of 4096 (=2).
RSA, which to date is the most successful public-key cryptographic system, combines the fact that raising numbers to powers is a one-way function relative to extracting roots and multiplying prime numbers is a one-way function relative to factoring. With the latter, if the product is large enough and no one but one person knows its factors, it constitutes a trapdoor that allows only that person to decrypt messages. For example, using cryptographic equipment, one can generate two large primes, each 300 digits long, whose product is 600 digits. This number is huge; the number of particles in the universe, for instance, is estimated to be less than 100 digits long. The 600-digit product is then made public, unfactorable by anyone except the originator. In fact, the largest number of this type that has been factored--129-digits--was initially proposed in the '70s and just solved last year.
The theoretical limits of public-key encryption rest with the need to maintain the secrecy of the private key. Before transmitting the public key, a sender must first generate his own public-private key pair on a computer or other medium that can be kept secure from discovery. Thereafter, the sender only needs to publish his public key to enable others to send encrypted messages that only he can read.
Before using the key, however, any recipient needs assurance that the key is indeed the sender's public key and has not been erroneously generated, fraudulently generated or changed. To accomplish this, clients of public-key encryption support a class of trusted third parties, called certification authorities. These authorities certify the authenticity of a public key as a match to the private key held by the sender. They are the mechanism by which the identity of the parties involved in a communication is verified.
Certification authorities are divided into several levels, each certifying a public key with a fixed level of assurance, resulting in a precise degree of liability for error. At the highest level, the authority assumes all risks associated with verifying the identity of both parties while certifying the validity and enforceability of the transaction. Along these lines, a cryptosystem can only be trusted as much the certification provided by the authorities.
Certification authorities may charge a fee for their services to cover their costs and risks. The system actually requires trust rather than creating it, however. For instance, suppose the sender meets with an authority or else indirectly obtains all the information needed to issue a key-pair certificate. The certificate consists of sender's public key encrypted with the authority's own private key and thus, securely signed. The certificate is then stored on the sender's own computer system.
To prove his identity to a recipient, the sender encrypts a message with his private key as a digital signature and then appends his public key without encryption along with the certificate. The recipient can then use the authority's public key to verify that the appended public key is the same as the one encrypted by the authority's private key. Either public key can then be used to decrypt the original message.
Note that the requirement that the authority and the recipient must meet or have a trusted exchange obviates one of the principal advantages of public-key encryption--anonymity. In every encrypted transaction, the value places on anonymity must be balanced relative to the level of trust required. In addition, certification is only as trustworthy as the information given to the authorities. Errors or false generation of authority keys also create a trust problem. The solution to this is a hierarchical approach to key management, which an authority's key is certified by a higher level and attached.
Certification hierarchies tend to work well in structured organizations such as corporate networks. But for this scheme to be used in communications among different organizations, they must agree on a certification authority that can be trusted by all. This is not necessarily easy--for example, corporate users may not trust certificates signed by the certification authority of a competing company. The alternative to certification hierarchies is a web of trust where users decide for themselves which keys are valid. In other words, users will trust keys which come from a trusted source and arrive via a reasonably secure route--for instance, a worker may trust a key sent by another co-worker arriving via a secure private network vs. a key from purporting to be from an employee at another company arriving via the Internet. The certification hierarchy model can be thought of as a continuous client-server approach while the web of trust is a more distributed peer-to-peer approach.
The big advantage of the certification hierarchy model is that it is fairly easy to enforce a consistent policy within a large organization. On the downside, organizations that want to control who gets authenticated will need to set up and maintain their own certification authority, a process that requires specialized administration. The web of trust model, on the other hand, tends to offload many administrative headaches to end-users. Experienced users are likely to feel more in control since they are in control, but the key management process can also be quite a challenge.
Future Issues
There is an economic risk that transaction costs will rise as other types of assurance are required to provide new types of service such as secure key exchange, secure time-stamping and archiving, key escrow and secure networks for third-party certification as to a signer's level of corporate signing authority. In addition, the system makes the need for higher certification, with attendant security risks, greater in proportion to the degree of security required.
Encryption scheme vendors are constantly looking for areas of innovation for securing transaction systems. Such an area involves technological methods for ensuring trust. Another is the creation of security measures using cryptosystems in which security bears a relationship to the importance of the information being handled and the anonymity desired by the parties involved. Given the commercial interest in electronic commerce and the use of the Internet as a mechanism for disseminating information, these problems should attract a great deal of intellectual attention in the years to come.
Further systems are also needed to ensure that unwanted messages encrypted with the recipient's one public key are managed, perhaps replacing the exchange of encrypted messages with encrypted keys. If these fall into place, then a reliable system for secure message transmission and private communication can be made possible, and with a greater level of anonymity than is currently practiced on most on-line systems. From this, one may conclude that encryption techniques may beef up communal policies for managing communications and identifying abuses in the system.
Encryption development could affect decisions concerning the liability of on-line services or bulletin board systems (BBS) for disseminating unauthorized or unlawful material such as pirated software or pornographic material. For instance, a BBS that supports messages privately encrypted by its users creates a shield against liability for itself since the BBS operator can no longer exercise editorial control. Part of the problem in the past is the uncertainty of local jurisdiction and federal authority over on-line communications. The problem might be alleviated if all transmissions were encoded so that content were truly personalized. In addition to encoding a message in a form that enables its transmission, encryption also designates the assent of the viewer and ensures that only the holder of an authorized public key can read the information. In this way, private communication would be managed by private control rather than federal law.
Standardization and increased availability of encryption may also raise the standard for protecting proprietary information in the age of perfect digital reproduction. The heavy demands placed on copyright law to prevent unauthorized duplications may be eased dramatically if encryption is combined with on-line publication. The reason is simple: the decryption of a message encrypted with another person's key requires a computational act, which would be a significant factor in establishing criminal intent. Many states have already enacted computer crime laws to complement federal statutes that make unauthorized interception of electronic communications illegal. An unauthorized act of decryption is a sign of intent to seek illegal access to private communications and most likely will prove a point of great significance in criminal prosecution of interception and copying on-line in years to come.
Ethical Implications
As encryption becomes more widely available, lawyers have begun to provide guidance on the implications of its use, from the formation of contracts to criminal liability. Likewise, there has been recent litigation and government interest in legal standards for network security. Public-key encryption by itself has already spawned commercial and legal changes, including redefining terms such as "signature," "original" and "writing." 1
California itself has recently announced a "digital signature" statute to govern on-line transactions, defining legal requirements for a digital signature "intended by the party using it to have the same force and effect as the use of a manual signature." 2
The legal field must be involved in providing guidance on legal standards for encrypted electronic communications. Many secured transactions will shape security according to laws ranging from contract formation to criminal liability. The converse is also true, as the establishment of a standard fro commercial public key crytography will provide a foundation for addressing related legal standards.
Encryption is entirely legal for use inside U.S. borders. Yet encryption technologies, long used for protecting secret military and government communications, are legally regarded as munitions-- the same classification as a truck full of artillery shells--so are subject to strict export control. When PGP was anonymously posted to the Internet in 1993, for instance, inventor Phil Zimmermann became the target of a three-year criminal investigation that ended only early this year. Government security specialists fear that the widespread use of encryption could protect information involving criminal activities such as terrorism or drug trafficking. The government this restricts the export of all sophisticated cryptography in the interest of national security. Industry also has a vested interest in limiting encryption. Companies fear that disgruntled employees could encrypt corporate databases and throw away the key or hold them hostage.
Adoption of encryption appears to be proceeding more quickly for authentication than for privacy purposes, perhaps in part because products for authentication are not subject to the same export restrictions as those for privacy. However, the encryption industry is working hard to convince the federal government of its importance to U.S. export growth. Representatives argue that the government's policies are hampering the computing industry's global competitiveness. A report commissioned by the NSA and administered by the Bureau of Export Administration of the U.S. Department of Commerce determined that the U.S. market share for encrypted products in 1994 declined significantly in Britain, Denmark and Switzerland. In addition, sources in 14 countries told researches that U.S. export controls have limited the availability of sophisticated U.S.-made software for purchasing.
Currently, several industry coalitions are pressing for immediate action by the Clinton Administration to ease restrictions. One such group, composed of Apple Computing Corp., AT&T Corp., the Center for Democracy and Technology, the Electronic Frontier Foundation, Lotus Development Corp., MCI Communication Corp. and Tandem Computer, is asking the Administration for a policy that balances the issues of security enhancement, international interoperability, freedom for users to choose the method of encryption, marketplace acceptance, privacy protection and respect for the legitimate needs of law enforcement.
Meanwhile, the government is moving ahead with plans to enhance its existing Escrowed Encryption Standard (EES) to cover federal data communications. The government also touted the development of a private-sector alternative to EES, called the Clipper Chip, which would provide a standardized mechanism for encryption but also a backdoor that permits the government to eavesdrop on network and telecommunications.
Attracting consumers to the Internet is proving to be an uphill struggle, in part because of security concerns. Potential merchants of the Internet point out that 100 percent security cannot be guaranteed even in the real world. The issue is not so much about commerce than it is about privacy, however. Consumers have been especially wary of venturing into cyberspace for fear the personal information transferred and stored electronically will not be safe from hackers and cheats. In any case, paperless electronic commerce will not succeed until the security of on-line open systems is engineered to at least equal the level of security offered by traditional paper-based systems.

hEwDY5eaKu5+VqUBAfwNZZCOfX66 ZXQVgKyvgGZ01Qd6D8DFq 7NIltXtb4Zf3DkPCzMJ+qsBXJotxkzdHn3dBJQYU0D+II651R kPmtApgAAAD05nOW7GK1t Auy6BGnGGwOZB2K2qVVCi - 4FEQOGRQxy TbyVGWQVT7nv5ae X88s513PW+or1rtQd5E N76jp8=Qh5W

That's "Hello. You look marvelous," spoken in PGP.
PGP or "Pretty Good Privacy," a program written by self-taught cryptography expert Phil Zimmermann, is the best-known and most popular encryption software available. In establishing PGP as an encryption standard for the masses, Zimmermann has earned folk-hero status among the growing cypherpunk subculture. PGP and Zimmermann's outspoken views on free speech have in many ways come to symbolize the debate over cryptography for the masses.
Phil Zimmermann, a product of 70s-era anti-nuke political action, has always held a fascination with cryptography. When he first heard about the public-key cryptography scheme developed by Diffie and Hellman, he toyed with the idea of implementing such a scheme for the personal computer platform. Zimmermann's philosophy about the public's right to cryptography is best related in his own words, from the product documentation he wrote for PGP:
"You may be planning a political campaign, discussing your taxes, or having an illicit affair. Or you may be doing something that you feel shouldn't be illegal, but is. Whatever it is, you don't want your private electronic mail or confidential documents read by anyone else. There's nothing wrong with asserting your privacy. Privacy is as apple-pie as the Constitution... If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers... but ordinary people and grass-roots political organizations mostly have not had access to affordable military grade public-key encryption technology. Until now."
Zimmermann began work on the project in 1984, having never had any formal training in cryptography. Instead of trying to come up with a completely new encryption algorithm, he decided to leverage off RSA, a public-key algorithm patented by RSA Data Security. The process was a slow one: Zimmermann completed his RSA implementation in 1986, but it was 1991 before his first version of Pretty Good Privacy was ready for release. It was a major accomplishment: effective, yet faster than any other encryption scheme on the market.
Although he had dedicated seven years of his life and had emptied his savings account in order to complete the project, Zimmermann made a surprising move: he decided to give the program away. He decided against charging a fee (as he had originally intended), because he was worried that the government would soon outlaw encryption altogether. By allowing PGP to propagate as widely as possible, Zimmermann hoped to ensure that the tools for privacy were well in place by then. PGP did indeed spread like wildfire: within hours of its release, it had been downloaded by people from all over the world.
Pretty Good Privacy's popularity has transformed Phil Zimmermann into a poster boy for the "cryptography for the masses" cause. Zimmermann's theology is passionate, interesting, and in the opinion of many, paranoid. In support of his ideas, Zimmermann draws an analogy to Americans' use of the US Postal Service. He poses the question, "What if everyone believed that law-abiding citizens should use postcards for their mail?" If this were the case, anyone sending their mail in an envelope would be subject to suspicion that they were hiding something. The reason using an envelope to send your mail through the postal system doesn't attract suspicion is the fact that most people use them, whether or not what they're sending is meant to be completely confidential. Envelopes, then, are an accepted means of asserting a right to privacy which, according to Zimmermann, is "as apple pie as the Constitution." Zimmermann suggests that many people use envelopes because they consider what they write to be nobody's business but their own, and they know that mail passes through many hands before arriving at its destination. Envelopes make it less feasible and more expensive for people to read your personal mail: about the only way to read sealed letters without leaving much evidence of the invasion is to painstakingly steam them open. Zimmermann argues that cryptography is simply the extension of this same privacy to the growing field of e-mail. In many ways, privacy is far less sure in e-mail than it is in a sealed letter: it is easy to intercept e-mail, undetected, at any of a number of points during its transmission. Once an e-mail transmission path is compromised, very efficient snooping is possible: while a conventional mail snooper might have to open hundreds of letters before finding one containing valuable information, an e-mail snooper can easily create a program to scan for and retrieve only those messages containing "key words" representative of messages that might interest them -- like "bomb," "illegal," "VISA" or "confidential." This makes e-mail monitoring feasible on a grand scale, in ways standard mail could never be. In fact, the NSA already routinely scans international cablegrams in this way!
Zimmermann has also been a vocal opponent of US Governement attempts to establish "key-escrow" data encryption standards like the so-called Clipper chip. In "key-escrow" systems, a trusted third party is effect given a copy of each chip's private key. This is done so that law-enforcement agents can be ensured access to encrypted information, provided they can procure if a warrant for the information. Zimmermann has a point when he says that the next logical step, critical to making key-escrow systems effective, would be to outlaw all other forms of cryptography. The implementation of a key-escrow scheme for all encrypted communication would make such communications only as secure as the third-party key holder is trustworthy... which was the very reason why Diffie developed the public-key concept in the first place. Electronic Frontier Foundation co-founder John Perry Barlow well-represented the seriousness with which cypherpunks protect their private keys when he said, "You can have my encryption algorithm... when you pry my cold dead fingers from my private key." Diffie did not intend private keys to be shared with anybody -- not collegues, not friends, not spouses, and certainly not unknown, self-interested key registry employees who would release keys at the first flash of a badge or warrant. Additionally, there is nothing to guarantee that a key obtained from a key registry will be used only for its intended pupose. A crooked law-enforcement agent could make a great deal of money by making digital copies of private keys from companies under investigation, carrying them out on a diskette, and selling the keys to competitors eager for market advantages.
Legal Issues
The legal issues surrounding PGP are numerous and complicated. The RSA public key cryptosystem, which Zimmermann used as the basis for the public-key technology in PGP, was developed at MIT, which holds a patent on it dating from 1983. The exclusive commercial license for the sale and sub-licensing of RSA is held by company named Public Key Partners (PKP). Thus, when PGP was originally released, PKP cried foul, charging that Zimmermann was blatantly violation U.S. law by using a patented, unlicensed algorithm in his product. Zimmermann countered that the program was a "research project," for which he was recieving no financial compensation, and was therefore not a violation of commercial copyright laws.
In order to dodge further legal hassles, PGP 2.0 was released by an international team of software engineers under Zimmermann's guidance. In a particularly witty move, the new version was released by Peter Gutmann in New Zealand, where RSA patents do not apply. Although it was released only in Europe and New Zealand, "it spontaneously spread to the USA without help from [Zimmermann] or the PGP development team," according to Zimmermann. Zimmermann and his associates obviously planned the release with this result in mind: although it is illegal to export powerful encryptioni technology, there is no law against importing it.
The freeware version of PGP is distributed by MIT, under the terms of the RSAREF license from RSA Data Security, Inc. (RSADSI). RSAREF is a subroutine package from RSADSI that implements the RSA algorithm. The RSAREF license allows for unlimited non-commercial distribution within the U.S. of programs using the package.
Technical Aspects
In order to speed encryption and decryption, PGP only uses the slower RSA technology for the public- and private-key components of the program. The main bulk of the encryption is done using IDEATM, which is conventional cipher covered by a European patent. Ascom-Tech AG, the patent-holder, has granted permission for royalty-free, interational use of IDEA in all non-commercial versions of PGP. Commercial and Government users must obtain the $99 licensed version released by ViaCrypt.
Although PGP is the reigning standard among encryption programs, its existing implementation is not very user friendly. Instead of operating in tandem with the mail readers users are most familiar with, PGP commands are executed by entering any of a number of command-line switches. Although there are a number of front-end interfaces available to simplify the encryption/decryption process, none of them hides the implementation to the point where a novice computer user could use it confidently. PGP, therefore, circulates primarily among more experienced computer users.

E-mail Encryption Protocols
Although e-mail encryption protocols differ in particulars, any such protocol must provide two things: confidentiality and authentication. Confidentiality indicates that only the authorized recipient of a message can read it. Authentication is the guarantee that the message is really from its stated originator.
To provide these services, all primary protocols for encrypting e-mail rely on single-key encryption to encrypt the message, public-key encryption to encrypt the secret key, and a hash function to provide authentication.
With single-key encryption, both the sender and the recipient must know the key ahead of time--a logistical challenge if the two have never exchanged e-mail before. On the other hand, public-key encryption is not practical for use in encrypting entire messages since it is computationally expensive. Thus, typical e-mail protocols use single-key encryption to encrypt the e-mail message and then public-key encryption to encrypt the key used in encrypting the message.
Public-key encryption also works in conjunction with a hash function to provide authentication. Essentially, a hash code, also called a message digest, is a small chunk of data unique to a particular message but much shorter than the message itself. The hash code is like a digital fingerprint--each is so unique that it makes it possible to distinguish one message from another even if the two differ by only one bit.
To provide authentication, an encryption protocol extracts a hash function from the message, encrypts it with the sender's private key, and appends the encrypted hash code to the message. Although the hash code can be decrypted by anyone who knows the public key, a successful decryption verifies the identity of the originator.
Key Management
One of the key differences among the primary protocols is the size of the key used in encryption. Key size is an extremely important factor in ensuring cryptographic soundness. Since larger keys are computationally more difficult to break, larger keys imply stronger encryption. Many encrypting algorithms are considered cryptographically sound if and only if they are used with fairly large keys.
Key management is another important issue in protocol design. The way e-mail security schemes keep track of keys helps determine how much protection they ultimately provide. With a public-key system, key management must fulfill two parts: obtaining the public-key of a communications partner and verifying that the key belongs to that party.
Consider the so-called man-in-the-middle attack, in which an intruder inserts a relay process into the network between communications parties, pretending to be both of them. Thus, when one party sends a message to the other asking for his public key, the intruder intercepts the message and returns his own public key instead. If he does the same with the recipient, the intruder can intercept and decrypt encrypted messages from both sides and then re-encrypt or substitute his own message. Meanwhile, each side continues to believe it is communicating with the other.
Avoiding such attacks is one of the goals of key management. This is where the certification authority comes in. Physically, the certification authority can be many things, including dedicated hardware or software running on a server. In practice, however, for most secure e-mail applications, the certifications authority is likely to be software running on the mail server.
Regardless of the certification mechanism, the problem of bootstrapping trust remains. At some point, whether the mechanism is a hierarchy or a web of trust, the local e-mail client must be configured to specify which certification authorities and users should be trusted and which should not be.
In the certification authority, a single root authority is hard-wired into the client. The client software is then pre-configured to use a particular certification authority or a set of users which cannot be changed by the users. Thus, when a user first installs his e-mail package, the software already "knows" who to trust. Recently, however, it has become clear that a single root authority is not flexible enough. The answer is configurable certification authorities which allow users to choose certification authorities after verifying the authorities through some reliable channel.
The certification hierarchy most commonly used by secure e-mail schemes is the X.509 spec from the International Telecommunication Union-Telecommunications Standards Sector (ITU-TSS). The X.509 spec, which defines the relationship of the certification authorities, is part of a X.500 series of recommendations for a global directory structure using "distinguished names" to track users and other objects stored in a directory.
Protocol Types
Standards bodies and individual implementors have developed five primary protocols for e-mail encryption. Although the purpose of the schemes are the same--to protect e-mail as it travels over the Internet--they different encryption algorithms and authentication techniques. They also take different approaches to issues such as key management--issues which are just as important as encryption in ensuring the integrity of data. Finally, the design decisions vendors make to implement these protocols can determine how easy they are to use and administer, especially on a large network.
Secure Multipurpose Internet Mail Extensions (S/MIME)
Because it supports the encryption of multimedia data as well as plain text, S/MIME is considered one of the most fully featured secure e-mail protocols and is likely to become an Internet Engineering Task Force (IETF) standard. S/MIME guarantees interoperability between any two implementations while rival protocols only allow implementors to choose non-interoperable encryption options. Many Internet mail vendors plan to support the scheme, although commercial versions of S/MIME are not available yet. S/MIME is being developed by a group of companies led by RSA Data Security, Inc.
One potential drawback with S/MIME is that it permits the use of keys that are too small to ensure adequate security. All S/MIME implementations must include RC2, a proprietary crytographic algorithm from RSA with a 40-bit key. Because RC2 represents the lowest common denominator, any two S/MIME implementations can communicate with each other using RC2 as the default algorithm. The trade-off is security, however, since the 40-bit RC2 is not unbreakable. In fact, in a presentation at a Business Software Alliance conference last November, a panel of security experts maintained that 40-bit keys offer virtually no protection. They claimed that a hacker could easily crack a single 40-bit message in a weekend using borrowed computer time. According to the panel, a corporate engineering department with a $300,000 budget could build a machine that could crack five messages a second. Thus, any encryption scheme that operates with 40-bit keys should not be considered completely secure. However, S/MIME also supports two different versions of DES that use 56- and 168-bit keys.
Another cryptographic weakness of S/MIME, one that also affects MSP but not other schemes, is that eavesdroppers can distinguish between encrypted and signed-and-encrypted messages. More importantly, they can also tell who signed the message. If, for example, Marc Andreesen and Bill Gates were to exchange a number of signed messages, an eavesdropper might draw conclusions that Netscape and Microsoft were forging a business relationship.
S/MIME's key management scheme users the hierarchical structure defined in the latest update of X.509--Version 3, the most flexible up to date. This explicitly allows certification paths to start in the local security domain--the authorities controlled by an organization, for instance--of the public-key user system. The other notable feature of X.509 Version 3 is its ability to bind keys directly to e-mail addresses as opposed to only the X.500 distinguished names.
S/MIME's key management model is somewhat of a hybrid between certification hierarchy and the web of trust. Network manages must configure their own list of trusted keys--usually, the keys of trusted certification authorities. Full certificates are then included with every S/MIME signed message. Although this makes every message a few hundred bytes larger, this also makes key management a little easier. Whenever a user receives a signed message, the key of the signatory goes into the local key database where all keys are stored. If the key is signed by a trusted authority, trust is then established for that key and it can be used in the future without reverification.
Developed by Zimmermann in 1991, PGP has since become the de facto standard for mail encryption on the Internet. PGP is already commercially available via Viacrypt and other software companies. Version 3.0 will be released this year.
PGP's underlying cryptography is quite sound. For message encryption, it uses the International Data Encryption Algorithm (IDEA) with a 128-bit key. In fact, there is no mode of operation with a smaller key size, which makes PGP exceptionally safe.
Zimmermann designed PGP with the web of trust model for key management. This tend to be one of the scheme's biggest drawbacks, especially in business settings. Overall, PGP's key management is hard to learn, time-consuming, and dependent on a great deal of manual intervention. Every time a new key is needed either for checking a signature or encrypting e-mail, users must perform several manual operations. First, they must obtain the key, which maybe a remote operation. Next they must put the key into the local PGP key database, called a keyring in PGP terminology. Finally, they need to check if the key is valid. In PGP's current implementation, these steps require fairly complex command lines. However, key management may eventually become easier since this complexity is not inherent in PGP.
One of PGP's biggest drawbacks is in its inability to handle multimedia data. PGP/MIME attempts to solve the problem by adding the ability to handle MIME objects. The spec is currently wending its way through the IETF standards process. There are currently two implementations of the PGP/MIME draft: premail and the PGP/MIME reference implementation. Neither has been sold commercially.
MIME Object Security Services (MOSS)
Another attempt to encrypt multimedia data is MOSS, currently defined in Requests for Comment 1847 and 1848. Although no full-fledged commercial implementations have been available to date, there is broad support for adapting some parts of MOSS for use with other crytographic protocols, particularly the multipart/signed format which allows different parts of a message to be individually encrypted and signed.
MOSS is generally cryptographically sound, but since it does not mandate the choice of encryption algorithm nor key size, it could possibly operate with a small (not secure) key size. Also, choosing a different encryption algorithm can cause MOSS to fail to interoperate with other MOSS applications.
MOSS supports two modes of key management: X.509 and manual, using the web of trust. Users get more options, but a missing feature is the crytographic hash of the public key. Without it, users must either blindly trust the mechanism delivering the key or examine the entire key for signs of tampering, which can be cumbersome.
Message Security Protocol (MSP)
MSP attempts to revamp the secure e-mail protocols developed by NSA for its Defense Secure Data Networking Systems for use with Internet and MIME mail. The underlying protocol is standardized in the SDN.700 series of documents from the National Institutes of Standards and Technology while MIME integration is an IETF Internet draft. Although MSP has been around for a while, especially in X.400 environments, specifications and implementations for e-mail have emerged only recently.
MSP contains two features that no other protocol does. The first is a cryptographically strong signed-receipt capability, also known as a non-repudiation of receipt, which offers proof that the recipient actually received a message and that the message received is identical to the message sent. The second feature is the ability to classify messages--as "top secret," for example. An MSP client rejects messages if users do not have the appropriate authorization to read them.
One problem with MSP is that different implementations are not guaranteed to interoperate since two implementations may choose different and non-overlapping sets of algorithms. Before communication is possible, users must agree on both the MSP protocol and a specific algorithm set. The two main algorithm suites implemented for MSP are the Mosaic suite--same as the encryption used with the Clipper chip--and RSA with DES. A few implementations of MSP are already shipping, with several more in progress. MSP is a good choice for interactions with the government.
The key management of MSP, based on the X.509 certification hierarchy, closely resembles S/MIME's. Thus, it raises similar issues about signed message formats. At present it is still not clear whether MSP will be implementing the X.509 extensions that make handling of certification more flexible.
A major issue with all of these schemes is how they will be integrated with mail packages. In some cases, the encryption scheme is an additional application--for example, PGP is packaged in a single application that can work with existing mail packages, which is a large factor in its popularity. In general, however, these schemes are best integrated directly into the mail package. One reason for this approach is because integration makes it possible to integrate key management and the users' address books. If the encryption protocol is not integrated with the mail application, two address books are required: one to select e-mail address, the other to map e-mail addresses to keys. Because this requires users to keep track of two separate databases, this approach can be cumbersome.

1 Art 4A of the Uniform Commercial Code ; regulations E and Z of the board of governors of the Federal Reserve System, 12 C.F.R. 205, 225.
2 A.B. 1577, An Act to Add Sec. 16.5 to the Government Code, Relating to Digital Signatures (1995).