| members]

advanced search
securitygeeks news
mail archives
  - Firewall 1
  - Firewalls
  - IDS
  - Bugtraq
tsg mailing lists
  - Software/Source Code
  - Online Tools
  - Literature
write secure code
global access wireless database

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Phil Zimmerman Profiled

Watch the word wrap:


(PGP Signature applied with appreciation to PRZ)

Meet Phil Zimmermann, creator of the Pretty Good Privacy (PGP) encryption
suite and one of the world's best-known cryptographers.

Published  October 04, 2000
By  Cameron Laird
Page 1 of 2     1  2

Programmers can be celebrities too. Just ask Philip (Phil) Zimmermann. He's
spent most of the last decade as a folk hero, and admits to having enjoyed
that status. Just this summer, he suffered the flip side of fame as wildly
inflated rumors circulated about his role in compromising the security of
the PGP encryption suite, and he watched his e-mail inbox fill with venom.

A Human Rights Project

He recognizes it comes with the territory. Zimmermann is probably the
world's best-known cryptographer. He created the Pretty Good Privacy (PGP)
encryption suite in 1991. Since then, it has come to dominate the market for
programming protection of online confidentiality. PGP has been heralded for
its role in protecting numerous political dissidents around the world, and
earned Zimmermann the prestigious Norbert Wiener Award for responsible use
of technology in 1996, as well as the 1995 Chrysler Award for Innovation in
Design, and a 1998 Lifetime Achievement Award from Secure Computing
Magazine, along with at least a dozen other distinctions. It also brought
him into highly public patent disputes with RSA Data Security Inc., and a
nightmarish multi-year criminal investigation by the United States

It began as a human rights campaign. As the '90s opened, Zimmermann was an
experienced programmer -- and a pretty good one by all accounts, including
his own -- specializing in data security and communications and real-time
embedded systems. Electronic communications technologies were becoming
widely available, and politically significant: combinations of underground
radio, video tapes, satellite news updates, and e-mail are generally
acknowledged to have been indispensable in the popular overthrow of Iran's
Shah, Eastern Europe's Bolsheviks, and several dictatorships throughout the
third world.

Technical challenges remained. How, for example, could human rights monitors
communicate their on-site findings without risking recrimination or
distortion? How might any citizen communicate freely and fearlessly over
channels subject to tapping?

One technical solution was encryption: "scrambling" a message so it was
unreadable except to the sender and intended receiver. Zimmermann had worked
on commercial encryption systems during the '80s, and he envisioned that it
could be applied more widely. He developed PGP as an "add-on" that any
e-mail user could install to ensure confidentiality.

A Response to Legislation

And it worked. It also became controversial, which brought more attention,
and encouraged even more users to experiment with it. Nowadays it's become
part of the popular culture of computing. It has been so widely disseminated
that even many industry participants who rely on it know nothing about
Zimmermann, and assume it was first created for the commercial
applications -- retail sales, banking, and so on-in which it is used today.

Zimmermann, however, emphasizes that for him it remains a human-rights

PGP was born in controversy. Zimmermann wrote version 1.0 as a response to
United States Senate Bill 266. If it had been passed, this legislation would
have required all communications vendors to embed "back doors" to permit
government agencies to tap their products. He rushed a release of 1.0 into
the hands of his computing friends, at least one of whom began to distribute
it on bulletin boards throughout North America. Its circulation meant that
any criminality resulting from passage of the bill would have been difficult
to enforce.

Code-sharing didn't stop at national borders, though, and there was nothing
hypothetical about it: export of PGP outside the U.S. (with possible
exceptions involving Canada) was definitely illegal. Everyone involved
agreed that the Office of Defense Trade Control's enforcement of the
International Traffic in Arms Regulations (ITAR) extended to cryptographic

Whom to Prosecute?

Whom could the US Department of Justice indict, though? Zimmermann just
programmed and talked; he was careful not to engage in any "munitions
exports" himself.

Despite these precautions, criminal charges were brought against him. The
programming and civil rights communities joined to create a legal defense
fund. After three years of what Zimmermann calmly categorizes as
"persecution," prosecutors dropped the case in early 1996 with as little
comment as they had earlier justified it.

Controversy didn't end there. Even before the criminal indictment, RSA
notified Zimmermann that it considered PGP an infringement of its patents.
Zimmermann had been careful to engage only in "educational use" of
applicable documents and inventions. He consistently emphasized in his
presentations that users were responsible for securing applicable licenses.

The RSA battle ended as undramatically as the ITAR one had. Zimmermann and
Public Key Partners (PKP), an RSA affiliate, signed an agreement that
Zimmermann would continue not to distribute RSA inventions and PKP would not
sue Zimmermann. RSA threatened Zimmermann and the Massachusetts Institute of
Technology (MIT) for various alleged infringements. Zimmermann programmed
around legal problems, and MIT shielded him from others in pursuit of its
own intellectual rights.

While the publicity around these disputes served as valuable marketing for
PGP, it also made it hard to move on. Hecklers continue to believe, for
example, that Zimmermann had secretly acquiesced to government demands and
somehow weakened PGP. Although it's hard to prove covert arrangements do not
exist, it's equally difficult to imagine how Zimmermann might contaminate
source code available for public review, which PGP was.

PGP Inc.

With the disposal of the government case, Zimmermann founded PGP Inc. in
1996 to finance maintenance and enhancement of PGP. Late the next year, he
sold the company to Network Associates (NAI), while agreeing to stay on as
senior fellow.

The programming fraternity continues to honor Zimmermann in its
characteristic ways: T-shirts are silk-screened with him as subject, he
speaks regularly at conferences and in the classroom, and people who haven't
met him often speculate on Usenet and other public forums about his motives
and interests. He is often addressed with the reverence accorded an
accomplished software engineer martyred for resistance to governmental
invasions of privacy.

PGP's Present and Future

So where are PGP and Zimmermann in the year 2000? He still has a full
schedule. Between his assignments with NAI and independent consulting, he
sometimes fails to make adequate time for sleep, let alone pack carefully
for his many professional travels. He does little coding these days.
However, he sees his contribution as critical, believing that "encryption
software architectural decisions must be made by knowledgeable
cryptographers, not software engineers." He has very firm opinions, for
example, about Gnu Privacy Guard (GnuPG), an open source competitor to PGP.
There's no doubt in Zimmermann's mind that GnuPG suffers for being managed
by programmers. He offers the Blowfish encryption method as an example: "I
would never, ever allow Blowfish to be implemented in PGP, because it's not
as good a design as Twofish; Twofish is superior. PGP 7 implements Two fish.
Yet we see GnuPG implemented Blowfish."

Even the Internet Engineering Task Force (IETF) makes cryptographic
mistakes, he says. Zimmermann asserts, "I would never allow El-Gamal
signatures to be put in PGP. I don't know how that got in" RFC 2440, which
defines the OpenPGP standard.

NAI still has a large backlog of serious technical work to do: integration
of new algorithms and functionality, ports to new architectures, and more.
Embedded systems -- encryption processing within telephones, automobiles,
and so on -- are likely to be particularly important during the next few
years. Also, the original RSA patent expired just a couple of weeks ago, and
NAI is already offering products that exploit this.

Minor controversies continue to dog PGP. Just within the last year, two
small faults in the released code were discovered. While experts agree that
neither one presented any practical danger to the security of PGP-based
communications, both sparked arguments about NAI's ability and even its
intentions. In the first case, a fault in a specific version for Unix could,
in principle, compromise a key generated by a method PGP had always
deprecated: automatically, without user input.

Then, in mid-August, German researchers spotted an error in PGP's Additional
Decryption Key (ADK) functionality. Like the key-generation error, it was
quickly fixed, and detailed investigations confirmed it was unlikely that
any real keys had ever been tampered with, let alone any messages cracked.
However, before all the facts came out, speculation erupted that Zimmermann
had personally installed a deliberate vulnerability, or perhaps allowed NAI
to do so.

Zimmermann promptly published an extensive personal statement through the
PGP Web site, and most observers now grant that, as he concludes there, "If
NAI tried to put a back door in PGP, all the engineers on the PGP team would
quit in a highly visible protest, and I would be talking to the press about
it. There is no way that I would let this happen."

The Future Is Busy

Zimmermann's personal scheduling often leaves him in what he calls
"decapitated chicken mode." Apart from the frustration of overload, he likes
what he does, and proudly regards it as important technically and
politically. He's just beginning to redevelop PGPphone on his own, outside
NAI: "I think it's a cool project." He continues to speak before university
and industry groups, often in Europe. However painful the name-calling and
conspiracy theorizing is to him, he plans many more contributions to
cryptography and computing.