[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
TWP on Crypto Export Policy
The Washington Post, February 25, 1996, pp. H1, H4.
Scrambling for a Policy on Encryption Exports
As Technology Advances, U.S. and Industry Seek
Compromise That Balances Public, Private Fears
By Elizabeth Corcoran
Keeping information about technology out of other people's
hands gets tougher all the time. And in the realm of the
Internet, where information ignores boundaries and some
cybersurfers flaunt rules, it may become impossible.
A big test of that statement is emerging in cryptography,
the business of scrambling information so that it looks
like gibberish to anyone lacking the keys for unlocking the
code.
Once considered an arcane subspecialty of mathematicians
and espionage, cryptography is rapidly becoming big
business as more and more of the world's information is
exchanged on electronic networks and as more and more
people want to protect their data from prying eyes.
But in these times of international terrorism, drug
trafficking and sometimes peculiar financial transactions,
law enforcement agencies want to be able to legally
eavesdrop. As technology has grown dramatically more
powerful, the ability to peek at encrypted information is
slipping from the hands of government.
That balance -- how much access can government demand vs.
how much privacy others want -- has long been a theological
debate between civil liberties advocates and worried law
enforcement officials.
Now, giddy with the growth of the Internet, technology
companies have joined the debate. Both the software
industry and civil liberties advocates believe powerful
encryption will spur the growth of electronic
communications and the Internet. And they don't want
encryption restrictions to curb that growth.
There are no limits on what kinds of encryption people can
use within the United States. But the government has used
export restrictions to try to shape what encryption
technology is used internationally, and by extension, what
is available in the United States. Those export laws
prohibit U.S. companies from selling their best technology
overseas.
The restrictions, companies contend slow the development of
the Internet and harm a potentially lucrative market for
U.S. manufacturing. Making two flavors of an encryption
product, U.S. companies contend, is expensive. Yet even
more worrisome is that foreign competitors are likely to
move in and offer better technology. That could spell the
loss not just of sales of encryption technology, but of
many other products that rely on strong digital protection
as well.
So companies are looking hard for ways to wriggle around
the rules -- and beginning to find them.
"Trying to suppress this technobgy is like Prohibition,"
said Whitfield Diffie, a cryptographer at Sun Microsystems
Inc. and an outspoken advocate of widespread use of
encryption technology. Companies will use anything at hand
-- technology, business strategies and even the promise of
congressional action -- to begin to get their home-brews
out.
Building and breaking encryption is hard. All information
stored in computers -- whether pictures or sounds or
documents -- is represented by ones or zeros or bits, the
genetic code of the digital world. Encryption techniques
amount to applying clever mathematical formulas to a
collection of bits to make it look like gibberish to the
uninitiated.
Unlocking encrypted data requires a "key," a mathematical
formula that can make sense of the tricks used to scramble
the data. One common way to measure the sophisticaticn of
an encryption scheme is by the number of bits in the key.
The more bits, the harder it is to decode the information.
A 30-bit key, for instance, could take as many as a billion
random calculations to crack the code. A 60-bit key could
take a billion-times-a-billion calculations.
In past decades, governments were largely the only
organizations with the money and need to tackle such
expensive problems. But as the power of computers has
soared -- and the cost of running millions of calculations
has fallen -- companies and individuals have begun to
clamor for sophisticated encryption.
"We believe that encryption is a critical technology" to
support many areas of electronic commerce, said Craig
Mundie, a senior vice president at Microsoft Corp.
Under current rules, U.S. companies can export encryption
technologies that use up to 40-bit keys. A few years ago,
such a lock might have stopped all but the most determined
digital interlopers.
No more. Within the past year graduate students at the
Ecole Polytechnique in Paris and others at the
Massachusetts Institute of Technology have shown they can
break the 40-bit encryption used by Netscape Communications
Corp. A few weeks ago, Diffie and six other well-know
cryptographers began circulating a report in which they
argue that to "adequately" protect information for the next
20 years, keys should be as long as 90 bits.
Even encryption wizards at the National Security Agency
would have trouble unlocking 90-bit encrypted information,
experts say.
So the government has tried to craft a compromise. Last
summer, the government suggested that it would likely let
companies use up to 64-bit encryption -- provided they set
up a way for law enforcement agents, with a court order, to
unlock encrypted information.
Under this proposal, a "trusted third party," such as a
bank or an encryption company that typically handles
sensitive information, would safeguard the key. The plan
has since bogged down over such details as precisely who
might qualify as a trusted third party.
Last fall, Trusted Information Systems (TIS) in Glenwood,
Md., in what it calls a test case, applied for a license to
export a sophisticated (and still unexportable) 56-bit
encryption system called DES. Steve Walker, who heads TIS,
has invested months in outlining the sort of spare-key
program that he believes both the government and his
customers can stomach. In late January, he got approval to
ship his product to Britain.
"It's not perfect; it's not where we want to be," Walker
insisted. He purposely submitted a case, he said, that was
virtually certain to meet the government's still evolving
criteria. "But it's a first, giant baby step," he said.
Trusting a Third Party?
Others are uneasy with putting the means to unlock files in
the hands of a "trusted third party."
"Ask anyone who owns a business: Are they willing to give
copies of a spare key that leads to everything sensitive in
their company to a third party," said Jim Bidzos, chief
executive of RSA Data Security Inc., a leading encryption
firm.
But government officials get nervous if the only keys to
the scrambled material are held by its owners. Ed Roback,
an encryption policy specialist at the National Institute
of Standards and Technology, puts it this way: "I know of
few front doors that can't be broken down. It's a little
different with encryption," when it literally might take
10,000 years to break the code without the key.
Roback and law enforcement officials say they'd be
delighted to see Americans make more use of encryption,
particularly if spare keys were held by a third party.
"This nation, more than any other, relies on computers ...
[so] there's a lot of vulnerability and encryption can help
that," Roback said. "So it's a good thing -- but it can
present a problem for national law enforcement."
But momentum in the United States could swing toward
widespread use of sophisticated encryption -- without spare
keys -- if such technology was widely available. That's
just what a recent announcement from Microsoft could help
spur.
In January, Microsoft told developers it had created a
module in its operating system software that will let
applications such as word processing programs or
spreadsheets "plug in" to encryption technology.
An application developer who built a software program for
filing expense accounts would not have to add encryption to
his product. Instead, the developer would need only to
write a small program that taps the encryption technology
available through the operating system.
The strength of the encryption program could vary.
Microsoft plans to include a 40-bit code with the version
of Windows used principaUy by companies (called Windows
NT). That encryption technology would be easy to export.
But Microsoft also is encouraging other encryption firms,
including RSA and TSI, to build more sophisticated
encryption modules that could be used in the United States.
Commercial products that take advantage of the new function
are not likely to appear until the end of the year. But
Microsoft is hoping it will spur more widespread use of
encryption. "The single most pressing problem for
electronic commerce is to create a secure payment
structure," Mundie said -- and Microsoft is hoping to
accelerate that work.
RSA's Bidzos is among those in industry who would love to
see the government give up on trying to control encryption
technology. He worries that other countries are gearing up
to snatch a big role in selling encryption while his
company and other U.S. businesses remain entangled in U.S.
policies.
So he's testing the rules. Early this month, RSA announced
that it had created subsidiaries in the People's Republic
of China and in Japan. In China, RSA partners include the
Chinese government. Bidzos plans to do joint research on
encryption software with scientists there.
Although Bidzos says he is planning to export only the
approved, 40-bit encryption technology to his Chinese
colleagues, "one genuine concern is that they might try to
strengthen it themselves," he said. "It would be hard to do
-- but not impossible. I've never had a conversation with
[the Chinese] about it," Bidzos added.
In addition, the Chinese have some interesting ideas of
their own about new areas of cryptography, Bidzos said.
"They're pretty advanced." And if the group developed more
powerful techniques than even RSA has in the United States?
Bidzos shrugged. RSA would likely take any promising ideas
and develop them into products in the United States. As for
Chinese export restrictions, "I haven't thought about it,"
he said.
Going Up to the Hill
Industry also is fanning Congress's interest in taking a
bigger role in the encryption debate. "Without
congressional interest, the administration has no reason to
liberalize exports at all," said Becca Gould, director of
policy at the Business Software Alliance. "This issue is in
Congress's front yard because it affects the economy" as
well as U.S. citizens' privacy rights.
Sen. Patrick J. Leahy (D-Vt.) and Rep. Robert W. Goodlatte
(R-Va.) agree. They plan to introduce bills in the Senate
and House aimed at loosening the restrictions on
encryption. "The federal government is taking an attitude
that's based more in the 1970s than in present time," said
Leahy in a telephone interview.
"This is a matter that should be decided by legislation,"
he added. "We're talking about billions of dollars in
revenues and thousands of jobs if we're handicapped in our
global market, especially if what we're told to do is to
build an export encryption program that is so outdated that
our 12-year-old computer experts would laugh at it."
The bills would do away with export licenses for any
encryption technology considered to be "generally
available," or "in the public domain." Leahy said that
although he, too, worries about national security and
terrorism, trying to bottle up technology won't solve the
problem.
Law enforcement has "got to figure out how to keep ahead
... and surprise, surprise, there will be some times when
we won't be able to eavesdrop," Leahy said. Even now,
criminals can make calls at pay telephones or avoid
detection in other ways. The government shouldn't cripple
the computer industry every time a new technology springs
up that challenges law enforcement, he said.
"What I'm suggesting is that if [the administration] works
with the Congress, we'll find a solution," Leahy said.
"We say over and over that we recognize that this is a very
difficult issue," Roback said. But, he added, "the
government has thought about [encryption policies] for a
long time as well as industry," he said. To reach some
resolution, he added, "compromise is going to be necessary
on all fronts."
[Photo] Jim Bidzos, chief executive of RSA Data Security
Inc., a leading encryption firm, hopes the government wlll
let go of encryption technology controls.
_________________________________________________________
Code Breakers
Recent advances in technology have allowed much faster and
cheaper invasion of encrypted information. The deciphering
time, however, varies widely with the computer power of the
attacker.
Here are estimates of cracking times by one group of
experts.
Type of Budget for Time to Time to
attacker computing recover recover
engine 40-bit key 56-bit key
_________________________________________________________
Pedestrian
hacker $400 5 hours 38 years
Small
business $10,000 12 minutes 556 days
Corporate
department $300,000 24 seconds 3 hours
Big company $10 million 7 seconds 13 hours
Intelligence
agency $300 million 0.0002 sec. 12 seconds
_________________________________________________________
Source: Report by an ad hoc group of cryptographers and
computer scientists Matt Blaze, Whitfield Diffie, Ronald L.
Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson,
Michael Wiener.
_________________________________________________________
[End]