Short Assignment: Book Review
Crypto: how the code rebels beat the government, saving privacy in the digital age, by Steven Levy
by Anne Bauers for INLS 187
February 26, 2003
Cryptology and Politics
Crypto's History, in Brief
Bob and Alice Deserve More
"This book tells the story of
the people who...created a revolution in the field that is destined to change
all our lives. It is also the story of those who did their best to make the
questions go away. The former were nobodies: computer hackers, academics, and
policy wonks. The latter were the most powerful people in the world: spies,
and generals, and presidents. Guess who won."
-- Steven Levy, Crypto, p. 2
"I described a mathematical utopia: algorithms that would keep your secrets safe for millennia, protocols that could perform the most fantastical electronic interactions...safely and securely... It's just not true. Cryptography can't do any of that."
-- Bruce Schneier, Secrets and Lies, p. xi
Steven Levy's Crypto recounts developments in the field of cryptography in the United States from the 1970s to 2000. During this time, the field evolved from one tightly controlled by the National Security Agency (NSA) and other intelligence agencies into a technology that makes mainstream Internet transactions possible. The transition was not an easy one; it was marked by repeated confrontations between government agents and citizens interested in crypto, and Crypto outlines these challenges in detail. The book covers wide historical ground, draws heavily on Levy's interviews with the actual participants, and still manages to be a fun read. However, Crypto's subtitle, how the code rebels beat the government, saving privacy in the digital age, should clue potential readers in to Levy's somewhat one-sided political interpretation of events. Levy frames the story of crypto's development almost exclusively as a battle between shadowy government "spooks" and dedicated researchers interested only in the public good. This interpretation fails to explore the sometimes very contentious relationships among the crypto pioneers themselves and completely ignores very real questions about the effectiveness of crypto as a protection in the real world. In my opinion, Levy's stilted interpretation of crypto's development ultimately undermines the careful examination of cryptology as one of many tools potentially effective within the information security world.
Levy begins his exploration of crypto in the early 1970s, when Whit Diffie, whom Levy describes as "an iconographic figure with his shoulder-length blond hair, Buffalo Bill beard, and his bespoke suits cut by London tailors" (p. 3-4), took an interest in the field of cryptography. Because the NSA regarded cryptography as its private domain, believing that public study of the subject would threaten its ability to gather and analyze signals intelligence, almost all information on modern cryptography was classified. The stubborn Diffie commenced a quixotic search for crypto knowledge. Eventually Diffie met an assistant professor at Stanford named Marty Hellman; the two men invented and eventually patented public-key cryptography (PKC), much to the NSA's chagrin.
Levy's story broadens to describe how IBM developed the Data Encryption Standard (DES) under constraints imposed by the NSA, most visibly the 56-bit key length, a process that inspired controversy in the academic crypto community for many years. In other developments, Ron Rivest, Adi Shamir, and Leonard Adleman invented the RSA algorithm, which put public-key cryptography into practical use; its security rests on the difficulty of factoring the product of two large primes, which is what allows a public key to be published without revealing the private key behind it. This development realized the potential of PKC, enabling message encryption between parties who have never communicated beforehand, as well as digital signatures and authentication. Rivest, Shamir, and Adleman started RSA Data Security, Inc., to commercialize their patented invention. Levy details the difficulties the fledgling company encountered, and how marketing guru Jim Bidzos struck a deal with Ray Ozzie of Lotus Notes to save the company.
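The summary of RSA above is easiest to see in working code. The following is an added illustration, not code from Levy's book or from the reviewer: textbook RSA on toy-sized numbers, showing the three properties the paragraph names (encryption by anyone who holds the public key, signatures checkable by anyone, and security that collapses the moment n can be factored). The primes 10007 and 10009 and the message 12345678 are constructed for the example and are absurdly small; real keys use primes of about 1024 bits each, and real systems add padding (OAEP for encryption, PSS for signatures), which this textbook form omits.

```python
# Textbook RSA on toy numbers: key generation, encryption/decryption,
# signing/verification, and the factoring attack that recovers the private
# key when n is small. Added illustration, not code from Levy's book. The
# primes and message below are constructed for the example and are far too
# small for any real use; production RSA also needs padding (OAEP/PSS).
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m (raises if it does not exist)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p, q, e=65537):
    """Build an RSA key pair from two distinct primes.

    The public key (n, e) can be published; the private exponent d is the
    inverse of e modulo phi(n), and phi(n) is only computable from p and q.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(pub, m):
    """Anyone holding the public key can encrypt; no prior contact needed."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def sign(priv, m):
    """A signature is the private-key operation applied to the message."""
    n, d = priv
    return pow(m, d, n)


def verify(pub, m, sig):
    """Anyone can check a signature with the public key alone."""
    n, e = pub
    return pow(sig, e, n) == m


def factor_by_trial_division(n):
    """Feasible only for toy moduli; real RSA moduli are about 2048 bits."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime")


def recover_private_key(pub):
    """The whole security argument in one line: factor n and you have d."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return n, modinv(e, (p - 1) * (q - 1))


# Constructed toy parameters (NOT secure): two small primes and a small message.
TOY_P, TOY_Q, TOY_MESSAGE = 10007, 10009, 12345678


def demo():
    pub, priv = keygen(TOY_P, TOY_Q)
    c = encrypt(pub, TOY_MESSAGE)
    sig = sign(priv, TOY_MESSAGE)
    stolen = recover_private_key(pub)  # attacker sees only the public key
    return {
        "roundtrip": decrypt(priv, c) == TOY_MESSAGE,
        "signature_ok": verify(pub, TOY_MESSAGE, sig),
        "tampered_rejected": not verify(pub, TOY_MESSAGE + 1, sig),
        "factoring_recovers_key": stolen == priv,
        "attacker_reads_message": decrypt(stolen, c) == TOY_MESSAGE,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the script prints five True lines. The last two are the point of the "factoring" remark in the text: trial division finishes instantly for a 27-bit modulus and hands the attacker the same private key the owner holds, which is exactly why key size, not cleverness, is the security parameter of RSA.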
Phil Zimmermann, a programmer who spent his undergraduate years at Florida Atlantic University, created a free email encryption program built on the RSA algorithm and released it, source code included, to the world. This program, named Pretty Good Privacy (PGP), proved enormously popular among crypto enthusiasts, the self-described "cypherpunks." It also put Zimmermann in legal jeopardy on two fronts: Bidzos' RSA asserted that PGP infringed its patent, and the U.S. government opened a criminal investigation into him for unlicensed export, because people in foreign countries had downloaded copies of the software.
At the dawn of the 1990s, private industry began to demand strong cryptography in software products. As this demand grew more critical for business operations, dissension between industry and government over the export of crypto products came to a head. The Clinton administration, guided by the NSA, developed an alternative to the open export of crypto products: the Clipper Chip. Each chip would carry a unit key held in escrow by the U.S. government (split between two agencies), so that law enforcement with a court order could decrypt the chip's traffic, in both domestic and exported encryption devices. Private companies, civil liberties groups, and foreign governments all objected strenuously to the Clipper Chip initiative, and the Clinton administration was forced to drop the proposal. As the Internet came into wide use and e-commerce transactions became a fact of life, Congress at last came to believe that strong crypto was imperative to the health of the digital economy, and export restrictions on strong encryption were substantially relaxed in 1999 and 2000.
Levy's epilogue reveals who first invented public-key cryptography. James Ellis worked for the British government's Communications-Electronics Security Group (CESG), the British counterpart of the NSA, where he and his colleagues Clifford Cocks and Malcolm Williamson worked out the essential ideas years before Diffie, Hellman, and the RSA team. Because all work for CESG was classified, Ellis could not take advantage of his invention commercially. Levy ends the story with a meeting between Ellis and Whit Diffie in which Ellis admitted, "You did more with it than we did" (p. 330).
Levy's wide-ranging story covers a great deal of historical ground. His extensive interviews with the participants lend the book an immediacy that strengthens his argument and makes it fun to read. Perhaps most importantly, the book is accessible to the crypto novice and provides a strong introduction to the importance of information security. Since there is no information here on actually applying crypto in any practical fashion, Crypto seems aimed primarily at this novice reader. While Levy does take pains to explain the algorithms involved, his main thrust is political and historical.
Since Levy seems to be reaching out to the crypto novice, I find his very political slant to the story to be unfortunate. The government's hesitance to make crypto widely available is clear, and many of the measures the NSA instituted to stop crypto's spread were undeniably problematic. Levy's additional commentary on the issue seems unnecessary and caused me to wonder why he felt he had to embellish the point. For example, in one passage Levy recounts: "And so the NSA put its secrecy clamp down harder on IBM. 'They asked us to stamp all our documents confidential,' said Tuchman" (p. 55). In this instance I find a request to stamp documents to be a pretty far cry from a sinister 'secrecy clamp.'
Levy's political focus also marginalizes the relationships among crypto's players themselves, concentrating instead on challenges from the government. Although he does mention disagreements between RSA's Bidzos and PGP's Zimmermann and discuss crypto pioneer David Chaum's problems making a profit from his patents, the structure of the book as a confrontation between government and researchers fails to analyze these events in any meaningful way. Levy himself notes that the difficult evolution of crypto was not due entirely to bad governmental policy: "The problem hadn't been only the government or the export regulations, but the product itself. Public key cryptography was a mathematical marvel, but it had actually been born too soon. Twenty years ago, it was a solution whose problem hadn't fully materialized. No more. Not when every desktop had a computer on it and was connected to the internet" (p. 312). I think a closer analysis of the non-governmental elements of crypto's history would have proven enlightening and may have led to a pertinent analysis of whether crypto can actually "save privacy in the digital age," as Levy claims.
Although Crypto is a fun and informative story, Levy's insistence on a particular political analysis of crypto's history ultimately limits its accessibility. His interpretation would most likely appeal to the "cypherpunks" he writes about, but his heavy-handed treatment of the subject matter may alienate crypto novices (as it did me). Crypto is an invaluable element of the modern electronic environment, and the subject deserves more measured scrutiny than Levy provides.
Levy, Steven. Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age. New York: Viking Penguin, 2001.
Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons, 2000.