The Trust Problem
=================

Cryptography gives the promise of privacy. A communication is
secret for everybody except those who have the key to decrypt the
message. So Alice and Bob, the two communication partners used in
cryptography examples, have a shared secret, which they use to
exchange messages. Eve, the eavesdropper, does not know this secret,
and therefore cannot read the messages, nor manipulate the
communication without being noticed (she can always stop the
communication by cutting the line, and she still may be able to know
that it's Alice and Bob who are communicating, by looking at the
routing information of the packets she sees).

Key Exchange
------------

Now, how do Alice and Bob establish a shared secret? This is a crucial problem
to cryptography, the [key exchange](http://en.wikipedia.org/wiki/Key_exchange).
The English Wikipedia article tells you how they could do that: If Alice and
Bob wish to exchange encrypted messages, each must be equipped to encrypt
messages to be sent and decrypt messages received. The nature of the equipping
they require depends on the encryption technique they might use. If they use a
code, both will require a copy of the same codebook. If they use a cipher, they
will need appropriate keys. If the cipher is a symmetric key cipher, both will
need a copy of the same key. If an asymmetric key cipher with the
public/private key property, both will need the other's public key. For the
cases where both parties need the same thing, they need a secure channel to
exchange this. Now, if they already have a secure channel, they might as well
exchange the message using this secure channel—the only advantage cryptography
has then is that the secure channel might be costly, or rarely available (e.g.
a personal meeting is required to set up the system).

Diffie-Hellman
--------------

Now, with public key cryptography, the Diffie-Hellman key exchange promises to
solve this problem. The key is split into two parts, one of which can be made
public, but only when both are used together can a shared secret be
established. There is only one drawback of the Diffie-Hellman exchange: The two
parties who wish to establish a connection don't know each other's identity. Is
it really Alice and Bob, or is it Eve, who cut the line in the middle and
attacks the connection by performing a man-in-the-middle attack, pretending to
Alice that she's Bob, and pretending to Bob that she's Alice? To solve this,
various attempts at creating a PKI have been started. The most widely used PKI
attempt is that of SSL, and it is a failure. I need to explain what SSL does to
ensure that identities are correct:

SSL's PKI attempt
-----------------

SSL uses Certificate Authorities (CAs) to sign public keys. The message of this
signature is "someone gave us some money, told us he has this domain, and he
gave us this public key." The "premium" signatures usually mean "he gave us
more money". This is big business, so you can expect that the most trustworthy
members drop out earliest—because someone paid them a lot of money (Mark
Shuttleworth sold Thawte, the first CA, for $500M to VeriSign in 1999).
However, the actual trustworthiness of the CAs themselves is not the real
problem. The real problem is that any CA can sign any combination of domain
name and public key, as they like. And any intruder into one of the CAs who
gets access to the signing script can do the same. This is what happened with
DigiNotar. An intruder used DigiNotar's signing key to create a
`*.google.com` certificate. Iran used this certificate to spy on users who
used Google. This came to light because Google does not really trust the SSL
scheme, and Chrome has a priori knowledge of the google.com domain
signatures, which are signed by Google's own CA. Iran needed to intrude into
some other CA like DigiNotar, because they don't have their own CA, while e.g.
China or the USA have one. Now you have that trust problem again: You don't
know which of the 600 CAs are trustworthy and which are not. And it is
sufficient if **one** of them is not, even when the vast majority would be
ok. Oh shit!

The Broken Promise
------------------

It turns out that the promise of Diffie-Hellman does not hold. To
verify the identity of your communication partner, you still need a
secure channel—this time it's a channel Alice ⇔ CA ⇔ Bob, which
allows Alice and Bob to verify their identities. If this channel was
really secure, they could exchange their keys directly, without the
Diffie-Hellman key exchange. The advantage of the SSL approach is that
the CAs aren't involved in the actual key exchange, only in signing
the public keys. But this has to be a secure channel.

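As an added example (not code from the article or from net2o), the following toy Python run of a Diffie-Hellman exchange shows the point made here and in the Diffie-Hellman section above: with nobody checking identities, Eve in the middle ends up holding one key with Alice and another with Bob while neither of them notices, and only a fingerprint comparison over a separate secure channel exposes the substitution. The group parameters, function names and the 16-hex-digit fingerprint format are assumptions made for the demo.

```python
"""Toy Diffie-Hellman exchange with and without Eve in the middle.

Added example, not code from the article or from net2o. The group
parameters are toy values chosen so the demo runs offline; real
deployments use a vetted group (e.g. an RFC 3526 MODP group or X25519).
"""
import hashlib
import secrets

P = 2**255 - 19   # a prime, used here only as a demo modulus
G = 2             # demo generator


def keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(own_private, peer_public):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    secret = pow(peer_public, own_private, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def fingerprint(public_value):
    """Short hex fingerprint of a public value: the string two people
    would compare in person or read from a QR code."""
    return hashlib.sha256(public_value.to_bytes(32, "big")).hexdigest()[:16]


def exchange(intercept):
    """Run one exchange between Alice and Bob.

    With intercept=True, Eve replaces each party's public value with
    her own before forwarding it, exactly the substitution the text
    describes. Returns (alice_key, bob_key, fingerprints_match,
    eve_keys), where eve_keys is the pair of keys Eve now shares with
    Alice and with Bob, or None if she was not in the middle.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercept:
        e_priv, e_pub = keypair()
        alice_receives, bob_receives = e_pub, e_pub
        eve_keys = (shared_key(e_priv, a_pub), shared_key(e_priv, b_pub))
    else:
        alice_receives, bob_receives = b_pub, a_pub
        eve_keys = None
    # Nothing in DH itself tells either side whose value they received.
    alice_key = shared_key(a_priv, alice_receives)
    bob_key = shared_key(b_priv, bob_receives)
    # The secure channel the text says is still needed: Alice learns
    # Bob's true fingerprint out of band (a meeting, a QR code) and
    # compares it with the value that arrived over the wire, and vice versa.
    match = (fingerprint(alice_receives) == fingerprint(b_pub)
             and fingerprint(bob_receives) == fingerprint(a_pub))
    return alice_key, bob_key, match, eve_keys


if __name__ == "__main__":
    for intercept in (False, True):
        a, b, ok, eve = exchange(intercept)
        print(f"intercept={intercept}: keys equal={a == b}, "
              f"fingerprints match={ok}, eve holds both keys={eve == (a, b)}")
```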
Looking for a Solution
----------------------

Now, how to solve that problem? Society always had problems with
people not being trustworthy, and the Chinese approach to this problem
is called "关系" (pinyin: guānxì, relationship). You don't talk to
strangers, you only talk to people you already know. To create new
relationships, you need to use "connections", i.e. people who know
both you **and** the other side. That is similar to the CA relation
above, but this time, the trust model is slightly different: You
delegate trust to the people you know. For person-to-person meetings,
direct key exchange shall be facilitated by using QR codes and
scanners (smartphone cameras) and searching for key prefixes to avoid
having to type in too many cryptic characters.

More important, however, is to directly use the public key whenever possible.
Net2o uses the pubkeys as handles. For human readability, these names are
converted to nick- and petnames (names you have assigned to other people) when
displayed. In many cases, [Zooko's
Triangle](https://en.wikipedia.org/wiki/Zooko%27s_triangle) then doesn't
apply. It's decentralized, as you make connections through peers. The
connection between keys and nick/petnames is local, in your "address book".
Nick- and petnames are memorizable.

If you get a key, you are able to obtain a nickname corresponding to
that key, self-signed. This is secure, and still human meaningful.
Many people can have the same nickname; conflicts are resolved by
numbering the nicknames, and you can choose petnames to disambiguate.

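As an added example (not net2o's code), a toy Python address book modelling the naming scheme described in this section: the public key is the handle, a nickname is a claim self-signed by that key, duplicate nicknames are numbered, petnames are assigned locally, and a scanned handle prefix resolves to a full key. The Schnorr-style signature over a demo group, the `nick:` message prefix and all names are assumptions for the demo; a real system would use a vetted scheme such as Ed25519.

```python
"""Toy local address book for key-as-handle naming: self-signed
nicknames, numbered duplicates, local petnames and handle-prefix lookup.

Added example, not net2o's code. The Schnorr-style signature over a demo
group exists only so a nickname claim can be verified offline; a real
system would use a vetted scheme such as Ed25519.
"""
import hashlib
import secrets

P = 2**255 - 19   # a prime, demo modulus only
G = 2             # demo generator


def h(*parts):
    """Hash ints, bytes and strings into one integer challenge."""
    m = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(32, "big")
        elif isinstance(part, str):
            part = part.encode()
        m.update(part)
    return int.from_bytes(m.digest(), "big")


def keygen():
    """Return (private exponent, public key). The public key is the handle."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def sign(private, msg):
    """Schnorr-style signature (r, s); exponents are reduced mod p-1,
    which is valid for any generator since g^(p-1) = 1 mod p."""
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    e = h(r, pow(G, private, P), msg)
    s = (k - e * private) % (P - 1)
    return r, s


def verify(public, msg, sig):
    """Check g^s * y^e == r, i.e. the claim was signed by the key's owner."""
    r, s = sig
    e = h(r, public, msg)
    return (pow(G, s, P) * pow(public, e, P)) % P == r


def handle(public):
    """Hex form of the key handle; a user scans or types a prefix of it."""
    return hashlib.sha256(public.to_bytes(32, "big")).hexdigest()


class AddressBook:
    """Key -> name mapping kept locally; no global registry exists."""

    def __init__(self):
        self.entries = {}   # handle -> {"pub", "nick", "pet"}

    def add(self, public, nick, sig):
        """Accept a nickname claim only if the key itself signed it;
        a second key claiming the same nickname is numbered."""
        if not verify(public, "nick:" + nick, sig):
            raise ValueError("nickname claim is not signed by that key")
        taken = {e["nick"] for e in self.entries.values()}
        shown, n = nick, 1
        while shown in taken:
            n += 1
            shown = f"{nick}#{n}"
        self.entries[handle(public)] = {"pub": public, "nick": shown, "pet": None}
        return shown

    def set_petname(self, hdl, pet):
        """Petnames are chosen by the local user, never by the key's owner."""
        self.entries[hdl]["pet"] = pet

    def display_name(self, hdl):
        entry = self.entries[hdl]
        return entry["pet"] or entry["nick"]

    def find_by_prefix(self, prefix):
        """Resolve a scanned or typed handle prefix; ambiguous prefixes fail."""
        hits = [k for k in self.entries if k.startswith(prefix)]
        return hits[0] if len(hits) == 1 else None
```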
Why Still Use a PKI?
--------------------

What advantages does a public key system still offer?

* In the client-server communication case, it is sufficient that the client
  verifies the server; the other way round doesn't matter. Thus, while every
  client should verify the identity of the server, it is not necessary that the
  server verifies the identity of the client. It therefore also does not need to
  store the client's identity, and—that is more important—maybe the client wants
  to change its presented public key frequently to avoid being tracked
  (anonymity).
* When we allow one indirection in the server's identity, we can have temporary
  server keys, signed by a constant identity—this reduces the risk that an
  intruder on the server can steal the keys—they are temporary, and the
  permanent keys are only needed for off-line signatures, so an intruder cannot
  get more than he can get anyway—the data while he's in, before he's
  discovered.
* We can easily replicate public keys and store them before we even need them
  (e.g. based on popularity), reducing the costs when we actually need to
  create a connection.

Summary
-------

In summary: Diffie-Hellman does not solve the key exchange
problem. You still need a secure channel, now to validate identity,
not to exchange keys. The problem however remains the same. Evaluating
whether a PKI is secure is now identical to evaluating whether you
could use it to exchange symmetric keys. Public keys still have enough
advantages not to abandon them completely.