F r o n t l i n e Code Read by Brett Widness On August 25th of this year, the Federal District Court of California struck down the U.S. Commerce Department's export restrictions on the privacy technology called encryption. It found that "the encryption regulations are an unconstitutional prior restraint in violation of the First Amendment." Civil liberties activists, academics, and the communications industry collectively cheered while law enforcement officials cringed. Now that phone lines, fax lines, electronic banking transfers, and most other forms of electronic communication use digital lines, there is a need for more secure communication. In the future, information such as medical records or checking and savings accounts, contained in a central database and accessed through a personal "SmartCard," might also be easy pickings for hackers. "There are three main issues of security," explains Brett Tjaden, a Ph.D. in Computer Science here at U.Va.: "Integrity, privacy, and availability. Everyone likes the idea of having their blood type and their medical records on a card; if they are ever in an accident, the doctor has instant access to all he or she might need to know. But what if someone breaks in and changes those records?" Just as easily, someone might use the medical records for blackmail, or they could just crash the system, preventing the doctor from accessing the information. Each time advocates for strong encryption have sought new legislation and reform, the government has stood firmly on the idea of key escrow, which allows the government to posses a skeleton key that will unlock all encrypted information. It appears that the government wants to maintain their ability to "tap" encrypted communications just as they can currently access other areas with phone taps and hidden microphones. To do so, they would need a trapdoor that would allow them access to all encrypted technology. The idea of the federal government, specifically any one agent of the government, possessing a means to access all the encrypted information in the U.S. and most of the world is, for obvious reasons, unappealing. Most industry, academic, and civil liberties advocates claim that it would be too easy to corrupt a one-man, one-key system. Unfortunately, Representative Gerald Solomon (R-NY), the chair of the House Rules Committee, has vowed not to allow any new encryption legislation to pass his committee unless it includes mandated key escrow policies. At the same time, the last bill to go before the Rules Committee, which included a similar "Big Brother" amendment, was voted down 35 to 16. So neither side of the issue appears to be in a position to do anything anytime soon, unless Speaker of the House Newt Gingrich forces Solomon to back down. Representative Bob Goodlatte (R-Va.), the sponsor of the original bill, which had no key escrow policy, still hopes that his bill will be passed next term. In a Reuters report, he said, "Based on my conversations with a lot of people, I think they will make sure we bring something that represents the principles of the underlying legislation." The principles he refers to boil down to strong encryption without mandatory key escrow. Brett Tjaden is not so optimistic. Having just finished his Ph.D. in Computer Science and months of writing computer protocols to improve on-line security, he is skeptical that anything will be done right now. "When you have five different versions of the bill go before the Rules Committee, it is fairly common for the bill never to reach the floor at all." Tjaden thinks that the status quo will probably continue until Congress is sparked into acting after some tragedy: "Look at the anti-terrorist legislation enacted in direct response to the Oklahoma City bombing. I just hope that if something happens where the criminals planned an act using encrypted communication, cooler heads will prevail." The status quo allows exportation of technology using a 40-bit key. The number of bytes refers to the length of the key. An 128-bit key, for example, with current technology, would be impossible to break "before the sun burns out," Tjaden claims. Right now, domestic and Canadian companies are allowed access to 56-bit technology. "A study was done that showed that it would cost about $100 million to build a machine that could decrypt information that had used a 56-bit key in a matter of days. That amount of money puts you only in the range of governments and very large corporations. The cost is constantly going down because of the advancements in computers, but anything that you are encrypting using a 56-bit standard is going to be safe from all but the highest levels." Probably the most bizarre aspect of the current debate is the myopic attitude of Congress. Tjaden points out, "They're assuming that people in other countries can't type. It is perfectly legal to print out the source code for strong encryption, put it on a plane, and then type it on your own computer in China. People have published books with the code in them, and it is perfectly legal to buy and sell those, but not the actual technology." Dr. Alan Sherman, a leading cryptology expert at the University of Maryland, Baltimore County, said, "Strong encryption is readily available and legislation will do little to curtail its use. Legislation will adversely affect U.S. industry that develops crypto products by restricting access to international markets ... Soon the criminals, especially well-financed and sophisticated ones, will be using strong crypto regardless of what legislation the USA passes ... There are many other tools at the disposal of the FBI." The 40-bit key that can be legally exported has been estimated to be breakable at an expense of about $1 million. "There's always going to be a trade-off between time and money. The assumption has always been that since the U.S. allows us to freely export the 40-bit technology but nothing any stronger, NSA (National Security Agency) must have a computer that is capable of breaking the code almost instantaneously," Tjaden speculated. Since both parties involved seem diametrically opposed on this issue, Tjaden hopes that they can find a middle ground. It is possible to break up a key into five or ten parts. If ten people held one piece of the key, and they would only give pieces to the FBI if they were shown a court order from a judge, the system would be theoretically secure, while allowing law enforcement agencies the access they desire.

back to Decweb main