Cong. Clay (MO) 02_26_08 Public Key Encryption letter.

Congressman Clay 625 North Euclid St., Suite 326 St. Louis, Missouri 63108 Robert Johnson 02/26/08 Dear Rep. Clay: You have introduced important legislation regarding peer to peer networks, and securing government computers against intrusion, in the form of H.R. 1047. Peer to peer networks are popular, and can be domesticated against malicious abuse. Peer to peer networks make use of available bandwidth and reduce demand on servers in their legitimate usage. As such, we do not want to throw out the baby with the bathwater, but we want to guard against a pyramid scheme devised to defraud copyright holders. If peer to peer networks were required to use public key encryption, then each serving entity would be required to encrypt the content uniquely for each client. I do not think the details are beneath you, so I enclose a relevant discussion of public key encryption as an attachment. An entity wishing to distribute the data free of charge would make a private key available to the audience of its choosing, and encrypt once with the single associated public key (expected to be a legitimate but uncommon use.) For later reference, this might be an activity that required licensing or this activity might need to be associated with a business license. An entity wishing to profit from its own Intellectual Property (IP) would encrypt many, with individual public keys provided by unique legitimate clients. There is enough "key space" in strong encryption for many applications. For example, 8,000,000 (SIC should be 8,000,000,000)is more than the population of Earth. This is less than 10 followed by 7 (sic should be 10) zeros. 2 exponent 1024 (our current standard for strong encryption,) is represented by 10 followed by 308 zeros. This allows for literally astronomical numbers of keys available for each person or computer in the world. Compare this to M(achine) A(ccess) C(ode) addresses available and required to be unique for each network card on the earth at present. There are around 16,000,000 of them, and we are running out, but there are many more than 16,000,000 keys available for each person on earth in 1024 bit encryption. A computer virus that is encrypted cannot be executed until it is deliberately launched. Any person that comes up with a virus on his or her computer after that will have necessarily provided a public key to the entity that encrypted the virus he decrypted, associated with his and only his private key. Intrinsic to this solution is the idea that applications that read the data must be updated to decrypt with the private key associated to the OS on each PC. For example PDF readers by Adobe might need to be updated to read encrypted PDFs; encrypted JPG images would need an updated Fax Viewer; encrypted MP3s would need an updated MP3 player. I am pretty sure that the problem does not stem from Word DOC files or Excel XLS files, however to be consistent, these too would need readers to read an encrypted source. If Microsoft does not choose to accommodate the Government (as they chose not to accommodate Massachusetts in the matter of ODF [open data format] files,) there are patriotic citizens at SourceForge.net who would write relevant software that would read the data for a minimum of expenditure. They are usually more concerned about code scrutiny and stability than soaking the Federal government for all the taxpayer is worth. The integrity of this process is that these readers MUST NOT be able to "save" or modify the data. If the above solution were implemented, enforcement would become a different problem. If the law were deliberately circumvented (i.e. an individual circulated a private key publically for purposes of making the relevant pornography or mp3s widely available,) the private key would be isolated to the relevant I(nterent) P(rotocol) address. In this case the offender would probably be identifiable, but if not, he would be held responsible by his peers for the sanitary condition of his illicit product. If he used a business license for the purpose of making the private key widely available the holder of the relevant business license would be the person to prosecute. In the case of legitimate pornography, the original copyright holder (or her pimp) would be the ultimate beneficiary. In the middle, Yahoo, Google, Microsoft Search and Wikia could deliver as many encrypted images associated with sexually explicit names as a creative minor could dream up... these images would not be viewable except by the private key holder. If all purchased content were restricted to an encrypted DATA VAULT (TM) type portion of the hard disk drive (HDD,) then school textbooks could be distributed much more cheaply, without fear of students passing them between each other. Printed textbooks would compete for readability, while students could print passages at personal expense if necessary, providing them either for their own use away from the PC OR for their importune friends. Fee based MP3 providers would benefit, and the Apple iPod itself would require almost no modification... iTunes would simply incorporate private key decryption for reading that portion of the HDD that represented purchased content. Personally "ripped" MP3s from personal CDs would remain unencrypted. A person burning copies of CDs would be burdened by the cost of media. If he charged for the media, the crime is evident; tax evasion if nothing else. In a world where this solution was extrapolated to absurdity, by everyone co-operating together, the relatively old device the "programmable read only memory" (PROM) could serve to hold a private key for each music player or digital picture frame. This private key would be entered once, rather like the SIM card of today's cell phone. Legitimate fair use would be accomplished by supplying the "manufacturer," with your public key, and proving by a token system that you had purchased the song from them in fact. At that point they should happily provide a new copy encrypted with the relevant public key. This new copy would be useful ONLY to the holder of the associated private key. Thieves would be reduced to collecting illicit private keys, each of which would lead back to a business license if it were to be distributed. Apprehending them might be difficult, but it would happen like other arrests, and the effort required to collect illicit copyrighted material would make it inconvenient - each song or picture would require a separate entry of a password. These passwords would need to be organized and maintained without a real payoff in convenience - thieves are not known for their industry either. Purchase would be convenient, and fair use can be accomplished by buying the CD and using it in any legitimate player, or printing/photocopying graphic data. The internet already has a public key repository, although I have never used it. As I have already informed Rep. Sessions (my own Congressman,) in a letter about copyright law, Canada even subsidizes artists and those who generate original content (intellectual property,) with a fee assessed on blank media. Businesses, who distribute their IP widely at their own expense (those who register a private key for distribution,) might also apply to be exempt from these fees or be subsidized by them. This incentive would tantalize the criminal element and would need special supervision. Another aspect of employing encryption in this manner is that "kiddie porn" and terrorist steganography would become less obvious to law enforcement. In balance to this unquestionable contra-indicator of this solution, I can only offer that the same principles can be used to make money harder to counterfeit and ATM cards more secure. At the moment I feel more oppressed by the efforts to impede terrorists than I think even the terrorists do. I have written the Dallas office of the FBI on 12/28/07 as to how people who use encryption wrongfully can be investigated, with some details provided in the attachment. When necessary, peer to peer could be prosecuted under current anti-pyramid scheme laws. Thank you for your time and service to the country, Robert Johnson CC: Congressman Pete Sessions Park Central VII 12750 Merit Drive, Suite 1434 Dallas, Texas 75251-1229 CC:Central Intelligence Agency Office of Public Affairs Washington, D.C. 20505 CC: FBI Dallas One Justice Way Dallas, Texas 75220 *****NOTE***** Here is the rest of what I know about Encryption as it relates to regulating the internet.*****Attachment as follows:The case for Public Key encryption is made as follows: In place of complicated mathematical algorithms (available in books like Applied Cryptography, by Bruce Schneier,) we will allude to the illustration of Simon Singh in his book called "The Code Book." I have substituted combination locks for the conventional keyed lock of the book. A public key/ private key pair is similar to a combination lock and its combination. Even though the lock portion is a lock, the cryptographic community calls it a PUBLIC key. The combination to the Public key (lock,) is the PRIVATE key. The PUBLIC key cannot be used to open anything. It can only do two things: It can lock, and it can be used to "sign" a document. The sender "buys" a lock with a combination (actually you would purchase encryption software, and generate only one private key for your own use,) and provides the Public Key repository with any number of copies of this lock (public key,) all open. Mathematically this is trivial to do, although it might be complicated. Alice goes to the Public Key repository and picks up an open "Bob" lock. She signs her message with her own public key, which can likewise be looked up at the public key repository, and locks it in the box, and sends it to Bob, and he opens it because he knows his own combination. The key point to understand is this: because of the mathematical requirement that a very large number be factored in order to break the combination, the lock cannot be opened by the casual interloper. If Eve pretends to be Alice, Bob finds out the minute he checks the signature. We have a paradoxical view in the USA that a 2GB database should be securable if it is sensitive but that a 160 char text message represents a pirate threat because it can be used to send the instruction to start an attack. This makes the discussion similar to gun control, and the Federal Government has called strong encryption a munition. I cite http://www.washingtonpost.com/wp-srv/politics/special/encryption/encryption.htm from 1998. Public key encryption is remarkable because it solves an age old problem of key distribution and management. Now anyone in the world who wants to send a secret message to the CIA can simply look up their public key at the public key repository, and send it to them encrypted. Please see that above link for detractors' arguments (stored as 1998 encryption news.). Some people sensationalize the problem... I do not really believe that the NSA would resist encryption for the public if it could be trivially compromised. (see Visio file attached, found at .) Nevertheless, there is good reason to believe that 1024 bit encryption is not too much to ask (see May 21, 2007 307digit_number http://www.schneier.com/blog/archives/2007/05/307digit_number.html .) It takes less than 11 months. If law enforcement is particularly paranoid, they may contemplate that freezing the integrated circuits of a relevant computer can make even encrypted drives mathematically trivial IF you have physical access to the computer in question (see cold_boot_attack. http://www.schneier.com/blog/archives/2008/02/cold_boot_attac.html .) In the mean time certain among law enforcement hide behind the difficulties of brute force encryption analysis because they have no one to arrest or whose computer they would like to analyze. Drug dealers and spies can be caught by other means too, as can kiddie porn consumers and terrorists, and I have written the Dallas office of the FBI on 12/28/07 as to how this can be accomplished.