NSCP, PRZ Hit NRC Crypto Rec



   Netscape (WSJ) and PRZ (Globe) say the NRC crypto 
   export recommendations don't go far enough. 
 
   ---------- 
 
   Wall Street Journal, May 31, 1996, p. B5. 
 
 
   U.S. Strategy Should Promote Computer Codes 
 
      Panel Says a Free Market Is Best Policy, Urges Easing of 
      Export Curbs 
 
   By John J. Fialka 
 
 
   Washington -- The federal government should promote rather 
   than discourage widespread commercial use of powerful codes 
   that can protect electronic communications, a panel 
   sponsored by the National Research Council recommended. 
 
   The government also should relax its export controls on 
   such codes, according to the 16-member panel, which 
   included a mix of business, academic and government 
   experts. The NRC is an affiliate of the National Academy of 
   Sciences, a private, nonprofit organization that advises 
   the government on scientific matters. 
 
   Encryption coding software scrambles computer data by using 
   mathematical formulas that can't be read if intercepted. 
   Only personnel with the correct "keys" can access the data. 
 
   More Study Needed 
 
   The NRC study, which took 18 months to complete, calls for 
   greater trust in free-market demands for protection and less 
   reliance on the U.S. National Security Agency and the 
   Federal Bureau of Investigation to set the nation's code 
   policy. It said the two agencies' recent promotion of 
   "escrowed encryption," in which the government would hold 
   a mathematical key to unlock codes, requires further study 
   because it poses liability risks and introduces weakness 
   into information protection systems. 
 
   Kenneth W. Dam, a University of Chicago law professor who 
   headed the panel, said changes are needed to counter "an 
   explosion of computer-based crime" and other forms of 
   espionage that threaten U.S. companies' ability to protect 
   proprietary information, especially overseas. 
 
   By promoting the use of more-elaborate codes, U.S. 
   law-enforcement agencies would be better prepared to ward 
   off hacker or terrorist attacks on the nation's electric 
   power grid, banking and telecommunications systems and its 
   air-traffic control networks, he added. 
 
   Potential Problems 
 
   Mr. Dam said the widespread use of encryption by private 
   business is "inevitable" and the government must "recognize 
   this changing reality." 
 
   The report noted that the FBI has argued for years that its 
   law-enforcement efforts would be hampered if drug cartels 
   and other organized criminals began using codes that 
   couldn't be deciphered. Court-ordered wiretaps, a major tool 
   used to break organized-crime cases, could become useless, 
   the FBI has contended. 
 
   Edward Schmults, general counsel for GTE Corp. and a former 
   deputy attorney general during the Reagan administration, 
   said he and other panel members believe the FBI and other 
   law-enforcement agencies would be helped more than hurt if 
   legitimate businesses were better protected. "It's a 
   balancing issue," he said. 
 
   Spokesmen for the FBI and NSA referred questions to the 
   White House, where an official said the Clinton 
   administration disagrees with the panel's recommendation to 
   relax export controls and wants to continue to explore the 
   use of escrows by private industry to keep the keys to 
   powerful codes. "We have equities to protect that the 
   people who wrote the NRC report do not," he said. 
 
   The administration, he said, still wants to review the 
   export of more powerful codes on a case-by-case basis. The 
   use of private, third-party escrows, he said, might be one 
   way to protect the secrecy of companies while allowing 
   federal agents with court orders access to code keys. 
 
   New Markets Would Open 
 
   The panel called for the U.S. to permit the export of codes 
   containing a "56-bit" Data Encryption Standard algorithm. 
   The algorithm, or formula, was developed by the National 
   Bureau of Standards in 1975 and is 65,000 times tougher to 
   break than current "40-bit" codes that are permitted for 
   unlicensed exports. 
 
   The panel estimated its recommendations would open up new 
   markets for information security products, possibly 
   increasing software-industry revenue "many tens of billions 
   of dollars." Until now, export controls tended to set 
   industry standards for a level of protection because 
   companies were reluctant to use different systems for 
   domestic and international applications. 
 
   Jeffrey Treuhaft, director of security at Internet software 
   giant Netscape Communications Corp., welcomed the report, 
   but said exports shouldn't be limited to 56-bit keys. That 
   would still blunt the competitive edge of U.S. software 
   vendors, given that code-cracking computer power is 
   multiplying, he said. 
 
   "The U.S. has a lead right now and these arcane policies 
   from the Cold War are giving U.S. industry cement shoes to 
   compete with foreign competitors," Mr. Treuhaft said. "We 
   can't run as fast as they can." 
 
   - Jared Sandberg in New York contributed to this article. 
 
   [End] 
 
---------- 
 
   The Boston Globe, May 31, 1996, p. 36 
 
 
   Panel criticizes US government's encryption stand 
 
      'Net, cell phone security at stake, National Research 
      Center says 
 
   By Hiawatha Bray 
 
   The Clinton administration's efforts to limit the sale of 
   software that generates coded messages, already under fire 
   from Congress and civil libertarians, are now facing criticism 
   from a committee of the National Academy of Sciences. 
 
   The National Research Center, which gives science and 
   technology advice under a congressional charter, yesterday 
   said the government should promote the commercial use of 
   encryption software to help cut down on the theft of 
   computer data and other electronic communications. 
 
   Law enforcement officials and intelligence agencies are 
   worried about the development of cheap encryption programs, 
   for fear it could become impossible to intercept a 
   mobster's telephone call or read an enemy spy's electronic 
   mail messages. 
 
   But the center's report says that encryption software is 
   essential for businesses and individuals who need to 
   transmit confidential data using the Internet or cellular 
   telephones. 
 
   "On balance, the advantages of more widespread use of 
   cryptography outweigh the disadvantages," the report says. 
 
   Encrypted messages can easily be read by someone with the 
   correct code "key." Without this key, it can take centuries 
   of computer analysis to decode a message. The longer the 
   key, the tougher it is to break the code. 
 
   Under current federal law, US companies cannot export 
   encryption programs that use keys longer than 40 bits. 
   Computer experts say that 40-bit encryption systems are 
   easy to break, and provide little security. 
 
   As a result, many software companies that sell their 
   products worldwide do not build in sophisticated encryption 
   features. Industry experts say that this costs them 
   millions of dollars in sales, as customers in foreign 
   countries buy encryption software made outside the United 
   States. 
 
   The report urges a change in the federal law, to allow sale 
   of an encryption system called DES that uses 56-bit keys. 
   "Except in some very specialized situations, it gives 
   adequate security," said council chairman Kenneth Dam, a 
   law professor at the University of Chicago. 
 
   The report also urges the administration to abandon efforts 
   to force businesses and individuals to use "key escrowed" 
   encryption software. Under this plan, companies could use 
   encryption keys of any length, but only if the keys were 
   held in escrow, and could be made available to the 
   government. 
 
   The council urges the federal government to adopt key 
   escrow to prove that the system is trustworthy. The report 
   argues that many businesses will voluntarily adopt such a 
   plan to guard against the loss of their encryption keys. 
 
   A prominent critic of encryption policy was less than 
   thrilled by the council report. "It doesn't go far enough," 
   said Philip Zimmermann, inventor of the Pretty Good Privacy 
   encryption program. 
 
   Zimmermann scoffed at the idea that DES encryption is 
   secure enough for use by businesses. "It can be broken in 
   seconds by the NSA [National Security Agency]," Zimmermann 
   said. "All major governments can break DES. In fact, any 
   Fortune 500 company can afford a machine that can break 
   DES." 
 
   But even if DES were secure enough, Zimmermann said he 
   opposes any restrictions on the export of encryption 
   software. 
 
   [End]