A secure information network

This chapter will be to answer critics of the form "Everything can be hacked - consider the Blue Card".
So we shall describe how to implement a network support for the liberal system of powers which we described, that is best protected from hackings.

This method relies on the techologies of encoding and especially of electronic signature whose features I learned by reading the book " Future Imperfect ".

Principle of the electronic signature

Here are the properties of the electronic signature: a computer, using a generator of random numbers, produces a pair of two keys (sequences of figures) A and B. By key A, one can encode a document which will be decoded using the key B. Key A is private, key B is public. It is impossible to calculate A starting from B (i.e. being given the complexity of the problem, the probability of reaching that point in thousand years of calculations of supercomputers is extremely low).

The coding of a document by key A is called the signature of the document. Its decoding by B is the checking of this signature. Having only B, one can only check the signature and not to produce it, because, according to current knowledge in cryptography, it is impossible to carry out such coding as verifiable by B if one does not know A. Precisely, without A, one cannot in practice produce an alleged "signed document" whose reading by B gives better than a succession of characters of random appearance without significance. The fact of obtaining a meaningful document proves that it was produced thanks to A.

How to date and sign

Initially, to date the documents, one can consider the following system of "one day's signature". That is to say a machine online which each day produces a new pair of keys (A,B). It publishes the key B and encodes by all the documents that one sends to it. The day over, it deletes from its memory the key A.

Now, to date and sign, one poses first the signature of the individual, then the signature of the day. (This so that the individual cannot envisage to require perhaps in the future to present such a document signed and dated to today, that he would sign only later if he decides it). A signed document dated this way proves that it was signed no later than the written day. What misses with that? One can consider the risk that the signed document is held by others who would make it date on a later date. With that, an easy solution: let us suppose the date written explicitly in the document before it is signed. Only the documents presenting a date in conformity with that of the signature of the day would be valid. By seeking much, one can see a last fault of safety there: "Sign for me this document dated to the future D date, and the D-day I will make it validate if I want of it". One can refuse to yield with such an injunction. But one can give a technical solution of it:
it is enough to add to the document, before signing it, a number which cannot be known before the day in question, such as for example the last gaining combination of the Lotto (this to be less heavy than to make twice date the document, once before and once after the signature).
Another "hardware" solution less absolutely reliable (but nevertheless sufficiently) would be that the addition of the date would be an irremovable functionality of the machine of electronic signature, which locks up secret code A, unknown even of its owner, which will not want to disassemble his instrument just to be able to yield with blackmails.

Material Securisation of the signature

One can imagine an electronic instrument called "passport" in the shape of a watch or object attached to the belt, which secretly contains code A of the signature. Such as it would be manufactured, it would be only able to carry out operations of the following type:
It receives a document (by infra-red), it displays it on its screen, then, if it receives the signal of agreement (keys pressed), it signs it (encode) and sends the result outside.
If ever one detaches it from the body (watch detached from the wrist, girdles detached), it is disabled until, once attached, a biometric system or of code ensures to it that it is well again connected to its owner.
A signed document can comprise a division in files, certain files being able to be documents signed by others, not displayed as such on the screen but accompanied by the clear indication of the contents, which will be displayed. (the passport of each one can have the functionality to check the signature of documents of others).

General structure of the network

Consider a set of individuals members of the network, as well as a set of Internet servers maintained each one by one or more individuals (preferably charged with political legitimity, "root agents" = system administrators), independent of the administrators of the other servers.
Anyone can install his own server independent of the others, in order to self-proclaim political agent of his server. Anyway the extent of his power will be defined by the extent to which the other people choose to exchange information with him (and trust the informations from him)

For example if there are 500 members there can be for example 1 to 3 servers, and if there are 100.000 members there could be 10 to 40 servers. Each server is in fact made up of two machines, one "passive" with the fixed functionalities (nonreprogrammable, anyway the possibility of an illicit reprogramming of a machine does not constitute a significant threat for the whole of the network), and the other "active". The passive machine will have as principal function to file the data definitively, while the active machine will handle the current operations (markets and payments, answers to the requests, etc).
Relative with each server, exist two kinds of individuals: "user agents" being able to interact with the two machines as users, and the root agents having moreover one right of root on the active machine (allowing to make administrative operations), except that this right will be exerted only according to the administration rule which we will describe further. Each passive machine comprises the functionality to date the documents, following its own code of the day independent of that of the other servers.
The interactions will be protected so that no third can observe nor deteriorate information circulating between the machines (e.g. each server is provided with a cryptographic key which makes it possible whoever to send data to it that only this server will be able to decrypt).

User operations

Each individual is free to use (to be economic agent of) the servers he wants.
The economic operations are of two types:
- interrogations, request posed by an economic agent with the active machine. That is exactly the same thing as the ordinary Web servers which answer the visitors (with maybe just a login of the user).
- the operations (declarations, contracts and payment orders): the passive machine receives the document signed by its author, checks the authenticity of it, then dates it and definitively stores it in its file (signed and dated), and sends back a copy of it to its author ("acknowledgement of delivery "= copy of the document signed by the current date) and to the active machine. This machine can send it to other servers which will date and file  themselves a copy in an independent way.

In its operation, the active machine can constantly consult the files stored in the passive machine and add new data to it to be filed, but cannot give the order to erase data. The active machine does not contain itself all the current data but only the data which are currently operational, that are able to have effective consequences on the economic operations.

Root operations: administration rule

A root agent, to exert his right of administration on an active machine, will have to proceed in the following way.
Initially, it imports a copy (of a part) of the contents of the two machines (active and passive) on a third machine, the test machine which he uses as desktop. He can consult its contents freely, but each intervention = modification of contents of the active machine (current data and software which handles them), takes the form of an instruction recorded in the machine-test. Once the work of administration finished, the series of the recorded instructions is signed by the agent, then, as for the user operations, sent to the passive machine which checks the authenticity of it (including the correction of the syntax of the instructions), files it and transmits it to the active machine which may send a copy for filing of it to other independent servers. And it is then only that this series of administrative instructions is carried out in the active machine to modify in it the current data and the software which manages it.

Back to the other pages