A secure information network
This chapter answers criticisms of the form "Everything can be hacked -
consider the Blue Card".
So we shall describe how to implement network support for the
liberal system of powers which we described, in the way that is best
protected from hacking.
This method relies on the technologies of encoding and especially of
electronic signature, whose features I learned by reading the book
"Future Imperfect".
Principle of the electronic signature
Here are the properties of the electronic signature: a computer, using
a random number generator, produces a pair of keys (sequences of
digits) A and B. With key A, one can encode a document, which can then be
decoded using key B. Key A is private, key B is public. It is impossible to
calculate A starting from B (i.e. given the complexity of the problem,
the probability of succeeding within a thousand years of supercomputer
calculations is extremely low).
The encoding of a document with key A is called the signature of the
document. Its decoding with B is the verification of this signature. Having
only B, one can only check the signature and not produce it, because,
according to current knowledge in cryptography, it is impossible to carry
out an encoding that B can verify if one does not know A. Precisely,
without A, one cannot in practice produce an alleged "signed document" whose
decoding by B gives anything better than a random-looking succession of
characters without meaning. Obtaining a meaningful document therefore proves
that it was produced with A.
How to date and sign
First, to date documents, one can consider the following system
of "signature of the day". Take an online machine which each day
produces a new pair of keys (A,B). It publishes key B and encodes with
key A all the documents that are sent to it. When the day is over, it
deletes key A from its memory.
Now, to date and sign, one applies first the signature of the individual,
then the signature of the day. (This is so that the individual cannot plan
to present, at some point in the future, a document signed and dated
today which he would in fact sign only later, if he so decides.) A document
signed and dated this way proves that it was signed no later than the day
written. What is missing? One can consider the risk that the signed document
is held by others who would have it dated at a later date. To that there is
an easy solution: let the date be written explicitly in the document
before it is signed. Only documents carrying a date that agrees
with that of the signature of the day would be valid. Looking hard,
one can see a last security flaw there: "Sign this document for me, dated
to the future day D, and on day D I will have it validated if I want
to". One can refuse to yield to such a demand. But one can also give
a technical solution to it:
it is enough to add to the document, before signing it, a number which
cannot be known before the day in question, such as the latest
winning Lotto combination (this is lighter than having the document
dated twice, once before and once after the signature).
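The dating scheme above, as an added Go example that is not part of the original text: the author signs a document carrying the written date and that day's draw, the day's machine countersigns, and the verifier rejects both a copy stamped a day late and a document signed ahead of its date. Ed25519 stands in for the A/B key pair, and the `date=`/`draw=` header layout, the dates and the draw values are assumptions constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Body puts the date and that day's unpredictable draw under the author's signature.
func Body(date, draw, text string) []byte {
	return []byte("date=" + date + "\ndraw=" + draw + "\n\n" + text)
}

// join is document||signature; the fixed 64-byte signature keeps it unambiguous.
func join(doc, sig []byte) []byte { return append(append([]byte{}, doc...), sig...) }

// Stamp is the dating machine: it signs with the private key of the day.
func Stamp(k ed25519.PrivateKey, doc, sig []byte) []byte { return ed25519.Sign(k, join(doc, sig)) }

// Verify accepts doc only as signed by author and stamped on the given day.
func Verify(doc, sig, stamp []byte, author, day ed25519.PublicKey, date, draw string) error {
	switch {
	case !ed25519.Verify(author, doc, sig):
		return errors.New("author signature invalid")
	case !ed25519.Verify(day, join(doc, sig), stamp):
		return errors.New("not stamped with this day's key")
	case !bytes.HasPrefix(doc, Body(date, draw, "")):
		return errors.New("written date or draw differs from the stamping day")
	}
	return nil
}

// Run plays the three cases from the text; dates and draws are constructed.
func Run() (honest, heldBack, postDated error) {
	aPub, aPriv, _ := ed25519.GenerateKey(nil) // author's pair; nil selects crypto/rand
	pub1, priv1, _ := ed25519.GenerateKey(nil) // key pair of day 1
	pub2, priv2, _ := ed25519.GenerateKey(nil) // key pair of day 2
	d1, draw1, d2, draw2 := "2031-03-04", "07-12-19-33-41", "2031-03-05", "02-08-21-30-44"
	doc := Body(d1, draw1, "I owe Bob 10 units.")
	early := Body(d2, "00-00-00-00-00", "I owe Bob 10 units.") // signed on day 1, draw guessed
	sig, esig := ed25519.Sign(aPriv, doc), ed25519.Sign(aPriv, early)
	honest = Verify(doc, sig, Stamp(priv1, doc, sig), aPub, pub1, d1, draw1)
	heldBack = Verify(doc, sig, Stamp(priv2, doc, sig), aPub, pub2, d2, draw2) // stamped a day late
	postDated = Verify(early, esig, Stamp(priv2, early, esig), aPub, pub2, d2, draw2)
	return
}

func main() { fmt.Println(Run()) }
```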
Another, "hardware" solution, less absolutely reliable (but nevertheless
sufficiently so), would be to make the addition of the date a non-removable
function of the electronic signature device, which locks away the secret
key A, unknown even to its owner, who will not want to dismantle his
device just to be able to yield to blackmail.
Physical security of the signature
One can imagine an electronic device called a "passport", in the shape
of a watch or an object attached to the belt, which secretly contains key
A of the signature. As manufactured, it would only be
able to carry out operations of the following type:
It receives a document (by infra-red), displays it on its screen,
then, if it receives the signal of agreement (keys pressed), signs
(encodes) it and sends the result out.
If it is ever detached from the body (watch removed from the wrist,
belt unfastened), it is disabled until, once reattached, a biometric or
code-based system assures it that it is again worn by its owner.
A signed document can be divided into files, some of which may be
documents signed by others, not displayed as such on the screen
but accompanied by a clear indication of their contents, which will be
displayed. (Each person's passport can have the function of checking
the signatures on other people's documents.)
General structure of the network
Consider a set of individuals who are members of the network, as well as a
set of Internet servers, each maintained by one or more individuals
(preferably vested with political legitimacy, "root agents" = system
administrators), independent of the administrators of the other servers.
Anyone can install his own server, independent of the others, and so
proclaim himself political agent of his server. In any case the extent of
his power will be defined by the extent to which other people choose to
exchange information with him (and trust the information coming from him).
For example, if there are 500 members there can be 1 to 3
servers, and if there are 100,000 members there could be 10 to 40 servers.
Each server in fact consists of two machines, one "passive" with
fixed functions (not reprogrammable; in any case the possibility of an
illicit reprogramming of one machine does not constitute a significant
threat to the network as a whole), and the other "active". The main
function of the passive machine is to archive data permanently, while the
active machine handles current operations (markets and payments,
answers to requests, etc.).
Relative to each server there are two kinds of individuals: "user agents",
able to interact with the two machines as users, and root agents,
who in addition have root rights on the active machine (allowing
administrative operations), except that this right is exercised only
according to the administration rule described below. Each
passive machine includes the function of dating documents, using
its own key of the day, independent of that of the other servers.
The interactions will be protected so that no third party can observe or
alter information circulating between the machines (e.g. each server
is provided with a cryptographic key which allows anyone to
send it data that only this server will be able to decrypt).
User operations
Each individual is free to use (to be an economic agent of) the servers he
wants.
The economic operations are of two types:
- interrogations: requests put by an economic agent to the active
machine. This is exactly what ordinary Web servers do when they
answer visitors (with perhaps just a user login).
- operations (declarations, contracts and payment orders): the
passive machine receives the document signed by its author, checks its
authenticity, then dates it and permanently stores it in its archive
(signed and dated), and sends a copy back to its author ("acknowledgement
of receipt" = copy of the document signed with the signature of the
current date) and to the active machine. The active machine can send it to
other servers, which will independently date and archive a copy themselves.
In operation, the active machine can at any time consult the files
stored in the passive machine and add new data to be archived there, but
cannot order data to be erased. The active machine does not itself hold
all the data but only the data which are currently operational,
that is, able to have actual consequences for economic operations.
Root operations: administration rule
A root agent, to exercise his administration right on an active machine,
has to proceed as follows.
First, he imports a copy of (part of) the contents of the two
machines (active and passive) onto a third machine, the test machine, which
he uses as a desktop. He can consult its contents freely, but each
intervention (= modification of the contents of the active machine: current
data and the software which handles them) takes the form of an instruction
recorded on the test machine. Once the administration work is finished, the
series of recorded instructions is signed by the agent, then, as for user
operations, sent to the passive machine, which checks its authenticity
(including the correctness of the syntax of the instructions), archives
it and transmits it to the active machine, which may send a copy to other
independent servers for archiving. Only then is this series
of administrative instructions carried out on the active machine, to
modify its current data and the software which manages them.
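The administration rule as an added Go sketch, not code from the original text: the passive machine refuses a batch unless the root agent's signature verifies and every instruction parses, and the active machine's state changes only after the batch has been filed. The one-instruction syntax `set <key> <value>`, the type and function names and the sample batches are assumptions; Ed25519 stands in for the agent's key pair.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Passive is the archiving machine: it appends signed batches, never erases.
type Passive struct{ root ed25519.PublicKey; archive []string }

// File checks signature, then syntax ("set <key> <value>", an assumption), then archives.
func (p *Passive) File(batch string, sig []byte) ([][]string, error) {
	if !ed25519.Verify(p.root, []byte(batch), sig) {
		return nil, fmt.Errorf("batch not signed by the root agent")
	}
	var ins [][]string
	for i, l := range strings.Split(strings.TrimSpace(batch), "\n") {
		f := strings.Fields(l)
		if len(f) != 3 || f[0] != "set" {
			return nil, fmt.Errorf("instruction %d: bad syntax", i+1)
		}
		ins = append(ins, f)
	}
	p.archive = append(p.archive, fmt.Sprintf("%ssig=%x\n", batch, sig))
	return ins, nil
}

// Admin is the only path to the active machine's state: file first, then execute.
func Admin(p *Passive, state map[string]string, batch string, sig []byte) error {
	ins, err := p.File(batch, sig)
	for _, f := range ins { // empty when the batch was refused
		state[f[1]] = f[2]
	}
	return err
}

// Run uses constructed batches: one valid, one altered after signing, one malformed.
func Run() (fee string, filed int, ok, altered, malformed error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // root agent's pair; nil selects crypto/rand
	p, state := &Passive{root: pub}, map[string]string{"fee": "3"}
	good, bad := "set fee 2\nset quorum 5\n", "set fee 1\nerase the archive\n"
	ok = Admin(p, state, good, ed25519.Sign(priv, []byte(good)))
	altered = Admin(p, state, "set fee 0\n", ed25519.Sign(priv, []byte(good)))
	malformed = Admin(p, state, bad, ed25519.Sign(priv, []byte(bad)))
	return state["fee"], len(p.archive), ok, altered, malformed
}

func main() { fmt.Println(Run()) }
```

The malformed batch is refused as a whole, so its first, well-formed instruction is never executed and nothing is added to the archive.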