PGP: Pretty Good After All These Years
I met up with PGP President Phil Dunkelberger in the lobby of the Burlington (Mass.) Marriott recently as he was getting ready to head down to New York City on the Acela high-speed train. He was in town a couple weeks ahead of the big RSA security conference coming up in San Fransciso and was talking up some of the upcoming new products including Windows CE support and a further opening of the company's application programming interfaces.
Last year was a year of contrasts for security. In a release, Dunkelberger had contended that 2007 marked the turn from securing individual point solutions to a suite, holistic approach. Meanwhile, I noted that data breaches hadn't shown any sign of diminishing. He agreed and noted that he had received a notification from T.J. Maxx relating to that company's massive data loss.
As president, Dunkelberger is rightly focused on key management as the enabler for the holistic (the company's words) approach to security, in my opinion. When I hear CIOs or security execs talking about how they have shifted their security thinking from protecting devices to protecting data, I think they are only half right in their changed direction. Key management is one of those thorny corporate problems that if not resolved, you will never get to the data security nirvana you desire.
And key management is not a new problem. As Wikipedia notes, "In cryptography, Kerckhoffs' principle (also called Kerckhoffs' assumption, axiom or law) was stated by Auguste Kerckhoffs in the 19th century: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge." Integrating key management into the regular IT process of rights and permissions has been a, well, key to PGP's success and will become more important as the need for encrypted, assured communications continues to grow between customers, countries and individuals around the world.
Which got me to my question about China. The present PGP company is the mature sibling of Phil Zimmerman's 1991 Pretty Good Privacy free software product. Zimmerman's efforts were more than pretty good, which led to all sorts of complications including a government investigation which, as far as I know, never went beyond the investigation stage. PGP from the security folks I speak with remains pretty much uncrackable.
But uncrackable does not mean undetectable. A recent Washington Post article noted that, "Human rights and pro-democracy groups sympathetic to anti-China demonstrators in Tibet are being targeted by sophisticated cyber attacks designed to disrupt their work and steal information on their members and activities." Those attacks, if true, may be one of the first examples of a user's system being targeted not for what the system's content reveals, but because a PGP encrypted system indicates to a cracker that you may be trying to hide some information.