• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


Phil Zimmermann - (Zimmermann, Philip R)

Page history last edited by Jack Daniel 2 years, 7 months ago



PRZ closeup cropped


Wikipedia: http://en.wikipedia.org/wiki/Phil_Zimmermann

Phil Zimmerman's personal homepage: https://www.philzimmermann.com/EN/background/index.html

Essay, "Why I wrote PGP": http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html


Inducted into the (US) National Cyber Security Hall of Fame 2014 http://www.cybersecurityhalloffame.com/

From the Cyber Security Hall of Fame page:

Creator of Pretty Good Privacy (PGP)

"Philip R. Zimmermann is the creator of Pretty Good Privacy (PGP), the most widely used email encryption software in the world. He is also known for his work in VOIP encryption protocols, notably ZRTP and Zfone."


From Rob Slade:
Phil Zimmerman is the subject of one of my upcoming columns in the ISSA Journal:
The Cryptic Curmudgeon (December 2021)
Phil Zimmermann
This year I finally got to speak at the same conference as Phil Zimmermann https://philzimmermann.com/EN/background/index.html, which was a big deal for me.  For those who don’t know, Phil created the PGP, or Pretty Good Privacy, encryption program.  For the more than two decades that I’ve been teaching CISSP seminars, I’ve used Phil’s story to make four important points about cryptography.
The first thing about Phil is that he’s not a cryptographer.  He’s more of a political activist.  When he first decided to create PGP, he felt he could create a cryptographic algorithm that nobody else could break, as so many smart people have in the past.  And then he ran smack into the reason for Kerckhoff’s Law.
His first couple of attempts were broken with embarrassing ease.  And, very much to his credit, he quit.  (If at first you don’t succeed, quit.  Don’t be a durn fool about it.  The definition of insanity is trying the same thing over and over again, and expecting a different result.)  Phil realized that the best thing to do was to use known algorithms that had been thoroughly studied, tested, and found, by people who knew what they were doing, to be reasonably strong.
We’ve got a big division in the crypto world between symmetric and asymmetric algorithms.  We’ve been using symmetric algorithms for four thousand years.  Symmetric algorithms use the same key, a single key, for both encryption and decryption, and therefore we have to share the key between both the sender and the receiver, and, at the same time, keep the key secret.  Key management, therefore, becomes a non-trivial task.  We’ve got good, strong, fast, symmetric crypto algorithms, but what do we do about the keys?  Then, about fifty years ago, came the biggest development in cryptography in four thousand years.  We realized that you could use asymmetric encryption: two, different but mathematically related, keys, one used for encryption, and one used for decryption.  And one that had to be kept secret, but could be kept secret from everyone, while the other could be public, and broadcast to the entire world if you wanted to.
(The story of the invention of asymmetric encryption is another one of those stories of the history of encryption that demonstrates that smart people can make really dumb mistakes.  But that’s a different story, and this is Phil’s story.)
With all that math involved, asymmetric encryption may solve the key management problem, but in operation, when doing the encryption and decryption, it’s pig slow (and that may be disrespectful to pigs).  So Phil realized that, for PGP, he should use hybrid encryption: do the bulk data encryption with symmetric encryption, and protect the symmetric key, which is only a short piece of data, with asymmetric encryption.  Saves time, deals with the key management problem, provides pretty good privacy.  And so it was.
Now about this time, off in a strange land of fantasy, called Washington, The Authorities (particularly law enforcement and the military) decided to engage in another round of the ongoing crypto wars.  The Authorities, knowing neither information science, nor cryptography, nor mathematics, decided that cryptography was not a set of ideas, but a munition, and therefore could be subject to Export Controls.  And, since PGP, as an open source program, had been released onto the Internet, they threatened to throw Phil into jail.  This made life very uncomfortable for Phil for some time.  Eventually, The Authorities decided not to throw Phil into jail, possibly because American businessmen told them that lots of people in other countries were building good crypto systems and all that Export Controls did was limit he market for American developers, and possibly because MIT Press published the source code for PGP as a book, which, since it was protected by the First Amendment, you could even sell to the Libyans and North Koreans and nobody could do anything about it.  (That made The Authorities look pretty silly.)
Asymmetric encryption doesn’t completely solve the key management problem, of course.  You still have to prove that a certain public key belongs to a certain person.  So most people build a Public Key Infrastructure with certification, and certification authorities, and a certification hierarchy which might end up with The Authorities at the top of it.  Phil, foreseeing this possibility, built a different system into PGP.  With PGP I can certify my friends and colleagues whom I know to be competent in key management.  And they, in turn, can certify others.  And when I contact one of those others, certified by someone certified by me, they can automatically be added to my Web of Trust.  And I can set it to be as paranoid as I like.  I can require that this new person be certified by one person that I have certified, or two people, or ten people.  And, without any hierarchical certification authority, or Authority, I can build my own Web of Trust, to my standards and specification.

Comments (0)

You don't have permission to comment on this page.