The importance of computers in today's information cannot be overstated.
In the past, large, expensive mainframe computer systems were
the norm. These systems were only available to the largest of
businesses that could afford their lofty price tag as well as
the number of programmers it took to keep the systems running.
Banking and insurance industries, research institutions and the
US government were common recipients of such systems. The average
citizen did not even consider owning a computer since there was
no need for one. Today, however, the computing paradigm is radically
different. Although there exists a small niche in industry that
still demands the power of mainframe computers, they have all
but been phased out by the personal computer and recent progress
in parallel computing.<1> As the personal computer
becomes ubiquitous, society's reliance upon it seems to approach
absolute. Whether we talk about sending or receiving electronic
mail, facsimiles referred to commonly as "faxes", or
even "surfing the web", computer technology and advanced
telecommunications equipment have arguably made electronic communications
easier, and information more accessible. Unfortunately, if data
is easily accessible by one, it is most likely accessible by another,
which may not always prove to be an ideal situation.
Whether electronic data transfers take place over a closed, point-to-point
connection such as a BBS<2>, or they occur
over the Internet, and regardless of whether a MODEM<3>
is used, the security and integrity of one's data are always in
jeopardy. Without proper precautions, electronic messages and
data transferred over the Internet are easy prey for criminals.
Such data can easily be intercepted in transit by an unauthorized
party, copied, and then passed on to the rightful recipient without
either party realizing what had happened, or alternatively the
data may be intercepted and never ultimately make it to its intended
destination. The would-be "electronic-hijacker" could
then make use of the stolen data at their leisure without leaving
much of a trail for authorities to trace. Imagine if credit card
information, personal medical records, business contracts and
trade secrets, not to mention highly classified government information
were to fall into the possession of criminals. This does in fact
happen, and the problem is that most people don't realize when
a crime has been committed. With the burgeoning of the Internet
and increased demand for security, the use of encryption to ensure
secure electronic communications has been adopted by average citizens,
organizations and businesses world-wide. Encryption is no longer
a practice employed solely by armies and diplomatic corps around
the world.<4> Realizing this, the US government
now more than ever must balance the encryption policy concerns
of domestic law enforcement and national security agencies, against
the range of concerns expressed by private US citizens and industry.
One unfortunate side effect of the rapidly growing popularity
of encryption technology has been the government's inability to
maintain a viable, up-to-date encryption technology export policy
which properly balances the needs of both the government and the
private sector. On October 1, 1996, in efforts to relieve some
of the public pressures, President Clinton issued an executive
order announcing a new encryption export policy. Much controversy
surrounds this policy, and there are currently three bills pending
in Congress which all address this issue: the SAFE
Act, the Encrypted Communications Privacy Act, and the Pro-CODE
Act. This paper talks more about encryption technology and its
origins, past encryption legislation and the viability of the
proposed legislation.
Encryption in its simplest form is the transformation of readable
"plaintext" data into an unreadable format called "ciphertext."<5>
The main purpose of encryption is to ensure privacy by keeping
data from being read by people for whom it is not intended. Even
if an unauthorized party were to obtain the encrypted data, it
would be unusable without first being decrypted. Decryption transforms
encrypted data back into some intelligible form. Encryption and
decryption both require the use of secret information to control
access to the data. This secret information is usually referred
to as keys,<6> which are actually strings of
alphanumeric digits that get plugged into mathematical algorithms
during the encryption process. Depending on the encryption mechanism
used, the same key may be required to both encrypt and decrypt
messages, or two separate keys, one for encryption and another
for decryption, may be required.
Codes<7> and ciphers<8>
have been around for thousands of years. In fact, Julius Caesar
used a very simple letter substitution cipher for his military
communications. He would replace the nth letter in the alphabet
with the (n+k)th letter.<9> The problem with
this routine is that there are only 26 possible offsets in the
English alphabet to try, which presents a trivial problem to a
code breaker. Through the years, many techniques have been developed
to encrypt data and many more will continue to be introduced.
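
The weakness of the Caesar cipher described above, shown as an added example (not part of the original paper): every one of the 26 offsets is tried and the candidate that reads as English is kept. The sample message, the key and the small word list are constructed for illustration.

```python
import string

ALPHABET = string.ascii_lowercase

# Constructed list of very common English words, used only to rank candidates.
COMMON_WORDS = {"the", "to", "of", "and", "in", "is", "before", "a"}


def caesar_shift(text: str, k: int) -> str:
    """Replace the nth letter of the alphabet with the (n+k)th, wrapping at 26."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def english_score(candidate: str) -> int:
    """Count how many whole words of the candidate are common English words."""
    return sum(1 for word in candidate.split() if word in COMMON_WORDS)


def break_caesar(ciphertext: str):
    """Exhaustive key search: returns (best_k, recovered_text, scores_by_k)."""
    scores = {}
    for k in range(26):
        # Undo a shift of k and see how English-like the result is.
        scores[k] = english_score(caesar_shift(ciphertext, -k))
    best_k = max(scores, key=scores.get)
    return best_k, caesar_shift(ciphertext, -best_k), scores


# Constructed sample input: plaintext, key and resulting ciphertext.
SAMPLE_PLAINTEXT = "send the grain to rome before the winter"
SAMPLE_KEY = 3
SAMPLE_CIPHERTEXT = caesar_shift(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, recovered, scores = break_caesar(SAMPLE_CIPHERTEXT)
    print("ciphertext    :", SAMPLE_CIPHERTEXT)
    print("offsets tried :", len(scores))
    print("recovered key :", key)
    print("recovered text:", recovered)
```

The key space is the only secret, and it is small enough that the search needs no knowledge of the sender or the message.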
Perhaps it is worth digressing to note one of the oldest twentieth
century encryption machines and the efforts that went into breaking
the code created by that machine.
The code was called Enigma and it was developed by the German
armed forces during World War II. The Enigma cipher machine that
created the code was an electromechanical keyboard machine that
used multiple rotors wired in different ways to establish letter
translation tables.<10> The machine would step
the rotors after each letter was enciphered. The German army's
version of the Enigma had three rotors with 26 letter positions
each and a patch panel. The German naval Enigma had more letter
positions to allow for umlauted characters, and one could select
three rotors from a set of five. Later in the war the machine
was improved so as to allow a choice of four rotors from a set
of nine. Cracking the German naval Enigma messages was especially
difficult; however, the Allies eventually obtained Enigma machines,
monthly key tables, and code books, which allowed them, with
help from the people of Bletchley Park, to break the code.
Much of the code-breaking work was done in Bletchley Park, England
under the leadership of Alan Turing. Alan Turing is well known
for devising the conceptual "universal Turing Machine"
computer in the course of developing a proof of Gödel's undecidability
theorem.<11> Reading Enigma messages was
brutally hard work. Much of the success at Bletchley is attributable
not only to Turing, but to two breakthroughs by Polish mathematician
Marian Rejewski. Rejewski developed a mathematical model of the
Enigma that allowed the stepping mechanisms and wiring of the
rotors to be solved algebraically, as well as an electromechanical
device called a bombe.<12> The bombe measured
nearly ten feet wide and eight feet tall, had gears and turning
wheels, and could quickly scan through a series of Enigma settings
looking for one that would decode the current message.<13>
The bombe was also considered to be a very early computer, or
proto-computer, and during the war the bombes were tended by operators
who were mostly women.<14> Messages sent
in the German Enigma code were handed to the women tending the
120 bombes. Using guesswork, the women guided the bombes through
all the possible combinations of Enigma until they found one that
created a coded message. Once they had that, they had the key
for the German message traffic for that entire day.<15>
By war's end, Britain and the United States had hundreds of bombes
in service. They used the information from Enigma messages to
help end the dominance of German U-boat wolf packs over Allied
shipping in the Battle of the Atlantic.<16>
Bombes were in many ways the forerunners of modern digital computers,<17>
and Alan Turing, with his "Turing machine," was the forefather
of modern digital computing.
Webster's Collegiate Dictionary defines cryptography as the "science
or study of the techniques of secret writing, especially code
and cipher systems...." As the field of cryptography has
advanced, it has become harder to determine what is and what is
not cryptography<18>. What is certain
though, is that modern cryptography does involve more than secret
writing, encryption and decryption.<19>
Today, cryptography provides mechanisms that allow for the authentication
of electronic documents including digital signatures,<20>
which tie particular documents to particular keys, and digital
timestamps, which bind particular documents to a discrete creation
time. Cryptography is fundamentally based on problems that are
difficult to solve without possessing some secret knowledge<21>.
The cryptanalyst tries to solve these problems and thus compromise
cryptographic mechanisms. Cryptology is the science of studying
cryptography and cryptanalysis combined.<22>
Traditional cryptography is based on the sender and receiver of
data knowing and using the same secret key to encrypt and decrypt
their respective data. The inherent problem with this technology
is the need for both parties to have access to or know the secret
key. In order for the other party to know the secret key, the
key must be transmitted either electronically over a computer
or telephone network, physically via a courier such as the postal
service, orally via a telephone, or in person. With each of these
methods there is a chance that the secrecy of the key could be
compromised and the secure data could then be read, modified,
or forged by an unauthorized party. Some secret-key systems<23>
store the private keys in central databases that are prone to
attack. Such an attack would allow widespread forgery since a
user holding another's private key would be able to impersonate
the other user. The data that is transferred using secret key
cryptography is thus as safe as the key management system that
is employed.
The concept of Public-Key cryptography was introduced in 1976
by Whitfield Diffie and Martin Hellman<24>
to solve the security concerns inherent with secret key cryptography.
The primary advantage of public-key cryptography is increased
security and convenience.<25> Public-Key
cryptography requires the sender and receiver to each have a pair
of keys. One key is referred to as a public-key and the other
as a private key. The recipient's public key would be published
such that anyone would have access to it, and their private key
would remain secret.<26> Data that was
encrypted using the recipient's public key could only be decrypted
using their corresponding private key which, presumably, would
only be in the possession of the recipient. In this way, anyone
could encrypt data but only the intended recipient would be able
to decrypt it.<27> In this manner,
no private keys would ever need to be transferred.
Unfortunately, public-key systems have the disadvantage of being
slow.<28> There are secret key cryptography
systems that are significantly faster than any public-key cryptography
system.<29> DES<30>
for example, is 100 times faster than RSA<31>
when used in software, and 1,000 to 10,000 times faster when used
in hardware implementations.<32> By using
a combination of public-key and private-key encryption methods
together, however, one can gain the best features of both techniques.
It is possible to encrypt a message quickly using a private-key
encryption method and then encrypt that ciphertext again using
the public-key system upon data transmission.<33> An example of
a digital envelope technology implementation can be found in the
very popular Lotus Notes software, which employs what
they have termed "cryptolopes." These are in essence
cryptographic digital envelopes.
Occasionally it may be necessary to authenticate the author or
verify the creation date of a digital record. Digital signatures
and timestamps provide this ability. The first step in the process
of either adding a digital signature or timestamp involves a certification
procedure with which the author of a record can "sign"
a record or bind a "time" to it. This information is
stored in a certifying file or what is known as a certificate.<34>
The second step requires a verification procedure by which any
user can check a record and its corresponding certificate to confirm
that either the sender is who they claimed to be or that a particular
creation or file access date is correct. The certificate that
is returned by the preceding procedure is usually called a signature.
In order to be able to sign such records or documents, a user must
use special software to create a private key and a public key.
After a message has been converted to binary code, a computation
is performed involving the sender's private key and the binary
equivalent of the message. The result is considered the digital
signature of the sender and is attached to the message to be sent.
In order to verify the signature, the recipient would do some
computation involving the message, the purported digital signature,
and the public key of the sender. If the result properly holds
in a simple mathematical relation, the signature is verified.
If the mathematical relation does not hold, the data may have
been altered or perhaps the sender was not who they claimed to
be.
The validation procedure for digital timestamps is similar to
that of digital signatures, except for the fact that digital timestamps
do not rely on keys or any other secret information whereas digital
signatures do. The particular certificate that is returned by
the certification procedure of the digital timestamping relates
to a particular record at a particular time. By using the timestamp
certificate to link the digital representation of a record in
question to a summary number that is unique to only that record,
one can verify, upon receipt of the work, that it was indeed certified
at the time claimed. The verification procedure takes the particular
record, the assumed timestamp certificate for that record, and
a particular time, and compares it against the widely available
summary number. If the numbers are the same, then the time that
is being claimed is legitimate.
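
One way the keyless timestamp check described above can work, as an added example that is not part of the original paper. The paper does not say how the summary number is built; a hash tree over all records certified in one round is assumed here, and the record contents, times and function names are constructed for illustration.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf(record: bytes) -> bytes:
    return _h(b"\x00" + record)          # prefix keeps leaves and nodes distinct


def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def certify_round(records, round_time):
    """Certification: hash every record submitted in this round into one tree.

    Returns (summary_number, certificates). The summary number is what gets
    published widely; each certificate holds the sibling hashes that link one
    record to it. No key or other secret is involved.
    """
    if not records:
        raise ValueError("nothing to certify")
    level = [_leaf(r) for r in records]
    positions = list(range(len(records)))
    paths = [[] for _ in records]
    while len(level) > 1:
        for idx, pos in enumerate(positions):
            sibling = pos ^ 1
            if sibling < len(level):     # an unpaired last node has no sibling
                side = "L" if sibling < pos else "R"
                paths[idx].append((side, level[sibling]))
            positions[idx] = pos // 2
        nxt = [_node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])        # carry the unpaired node up unchanged
        level = nxt
    summary = _h(round_time.encode() + level[0])
    certificates = [{"time": round_time, "path": p} for p in paths]
    return summary, certificates


def verify_timestamp(record, certificate, claimed_time, published_summary):
    """Verification: recompute the summary number from the record, its
    certificate and the claimed time, then compare with the published value."""
    node = _leaf(record)
    for side, sibling in certificate["path"]:
        node = _node(sibling, node) if side == "L" else _node(node, sibling)
    return _h(claimed_time.encode() + node) == published_summary


# Constructed sample input: five records certified in the same round.
SAMPLE_TIME = "1996-11-15T12:00Z"
SAMPLE_RECORDS = [
    b"contract draft v1",
    b"lab notebook page 12",
    b"design memo",
    b"invoice 0042",
    b"meeting minutes",
]

if __name__ == "__main__":
    summary, certs = certify_round(SAMPLE_RECORDS, SAMPLE_TIME)
    print("published summary number:", summary.hex())
    print("genuine record  :", verify_timestamp(SAMPLE_RECORDS[4], certs[4], SAMPLE_TIME, summary))
    print("edited record   :", verify_timestamp(b"meeting minutes (edited)", certs[4], SAMPLE_TIME, summary))
    print("backdated claim :", verify_timestamp(SAMPLE_RECORDS[4], certs[4], "1996-01-01T00:00Z", summary))
```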
The use of digital signatures as a replacement or supplement to
a handwritten signature has drawn much attention over the past
few years. There are questions as to the security and authenticity
of the digital signature and not everyone is willing to accept
digital signatures with open arms.
"A digital signature is superior to a handwritten signature
in that it attests to the contents of the message as well as the
identity of the signer."<35> "As
long as a secure hash function<36> is
used, there is no way to take someone's signature from one document
and attach it to another or to alter a signed message in any way."<37>
Any change in the digital document would cause the digital signature
verification to fail. Data transmission errors, just as well as
forgery, could cause a digital signature verification to fail.
Because of the uncertainty behind the cause of a failure, it would
be possible to certify a sender was who they claimed to be but
not necessarily disprove that someone wasn't who they claimed
to be.
There are many different methods of encrypting data available.
RSA and DES are two of the most widely known and widely used
encryption systems in the world<38>
and so this discussion will be limited to those two systems. Even
the popular encryption package PGP<39>
is partly based on RSA. RSA and DES each work differently and
therefore each has its own "Achilles' heel."
An RSA operation is essentially a modular exponentiation, which
can be performed by a series of modular multiplications.<40>
There are a few "ways to break" RSA. The most damaging
would be for an attacker to discover the private key corresponding
to a given public key; this would enable the attacker both to
read all messages encrypted with the public key and to forge signatures.<41>
The task of recovering the private key is equivalent to the task
of factoring the modulus. The security of RSA generally depends
on factoring being difficult, but another way to break RSA exists
as well.<42> This attack would allow someone
to recover encrypted messages and forge signatures even without
knowing the private key. The attack is not known to be equivalent
to factoring and no general methods are currently known that attempt
to break RSA in this way.<43> RSA-129
is a 129-digit (426-bit) integer that was published in Scientific
American in 1977. A prize of $100 was offered to anybody who was
able to factor the number. It wasn't until March of 1994 that
it was factored using the resources of 1600 computers from the
Internet.<44> The factoring took about
4000 to 6000 MIPS<45> years of computation
over an eight-month period.<46>
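
The signing and verification steps described earlier and the RSA points made here (modular exponentiation, and private-key recovery by factoring the modulus), combined in one added example that is not part of the original paper. It is textbook RSA with no padding scheme, on a deliberately tiny modulus; the primes, exponent and messages are constructed for illustration.

```python
import hashlib
from math import gcd

# Toy parameters (constructed): two small Mersenne primes give a ~50-bit modulus.
# RSA-129 was 426 bits; a modulus this small falls to trial division instantly.
TOY_P = 2**19 - 1
TOY_Q = 2**31 - 1
TOY_E = 65537


def mod_exp(base: int, exponent: int, modulus: int) -> int:
    """Square-and-multiply: an exponentiation done as a series of modular multiplications."""
    result = 1
    base %= modulus
    while exponent > 0:
        if exponent & 1:
            result = (result * base) % modulus
        base = (base * base) % modulus
        exponent >>= 1
    return result


def make_keypair(p: int, q: int, e: int = TOY_E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))  # modular inverse, Python 3.8+


def digest_as_int(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the modulus range (toy encoding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Computation involving the sender's private key and the message."""
    n, d = private_key
    return mod_exp(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """The 'simple mathematical relation': signature^e mod n equals the digest."""
    n, e = public_key
    return mod_exp(signature, e, n) == digest_as_int(message, n)


def factor_modulus(n: int):
    """Trial division. Feasible only because the toy modulus is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factor")


def recover_private_key(public_key):
    """Anyone who can factor n can rebuild d from the public key alone."""
    n, e = public_key
    p, q = factor_modulus(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keypair(TOY_P, TOY_Q)
    message = b"Pay the supplier 100 dollars"        # constructed sample
    signature = sign(message, private)
    print("valid signature verifies :", verify(message, signature, public))
    print("altered message verifies :", verify(b"Pay the supplier 900 dollars", signature, public))
    print("private key recovered    :", recover_private_key(public) == private)
```

Raising the modulus from 50 bits to the sizes discussed in the text is what moves `factor_modulus` from milliseconds to the thousands of MIPS-years reported for RSA-129.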
There are also attacks that are aimed at beating RSA but not necessarily
breaking RSA. These methods are aimed at defeating insecure implementations
of RSA rather than exploiting the RSA algorithm. For example,
if a private key is stored insecurely, an attacker may discover
it and thus beat RSA. In order to be assured of a truly secure
implementation of RSA one must do more than implement mathematical
security measures such as choosing a large key size. In practice,
most successful attacks will likely be aimed at insecure implementations
and at the key management stages of an RSA system.<47>
No easy attack on DES has yet been discovered. In that DES uses
a block cipher,<48> the obvious method
of attack is a brute-force exhaustive search of the key space.
Since DES uses a 56-bit key, an exhaustive search of the key space
would take 2^55 steps on average. Early on it was suggested that
a rich and powerful enemy could build a special-purpose computer
capable of breaking DES by exhaustive search in a reasonable amount
of time.<49> No feasible way to break
DES faster than an exhaustive search has yet been discovered though.
In May, 1994, M. Wiener estimated that the cost of a specialized
computer to perform an exhaustive search requiring 3.5 hours on
average, would be one million dollars.<50>
More recently another method of attack on DES was developed. Using
linear cryptanalysis, a DES key can be recovered by the analysis
of 2^43 known plaintexts. The first experimental cryptanalysis
of DES was successfully achieved requiring 50 days on 12 Hewlett
Packard model 9735 workstations.<51> Although
possible, this attack is still impractical.<52>
Over the last fifteen years, factoring has become easier due to
the increase in computing power and the development of new factoring
algorithms. In the future, computer hardware will most certainly
become more powerful, but hardware improvements make RSA more
secure, not less secure. This is because a hardware improvement
that allows an attacker to factor a number two digits longer than
previously possible, will at the same time allow a legitimate
RSA user to use a key dozens of digits longer than before with
no performance slowdown.<53> One place
that this rule may fail is when a more powerful computer of the
future is used to attack a key of the past. Here, only the attacker
would have the advantage of the new technology. This point argues
that in order to prepare for the security demands of the future,
one should use a larger key size now, and/or replace one's key
with a longer key size every few years.<54>
As long as hardware continues to improve at a faster rate than
the rate at which the complexity of factoring algorithms decreases,
the security of RSA will increase assuming that RSA users regularly
increase their key sizes by appropriate amounts.<55>
The consensus regarding DES is that when used properly, it is
still secure. Triple DES, or DES that has been encrypted three
times, is far more secure than standard DES. The block ciphers
RC5 and RC2, and the stream cipher<56>
RC4 are all faster than DES and all have variable key size such
that the security they offer can be adjusted. The future of DES
is not certain as the NIST<57> has indicated
that it may not recertify DES again.<58>
Quantum computing is a new field in computer science that has
been developed along with our increased understanding of quantum
mechanics. Computers that rely on quantum computing could be exponentially
faster than modern computers given certain tasks.<59>
Quantum computing is based on the idea of a quantum bit or qubit.
Computers as we know them today operate using bits that have a
discrete range of either zero or one.<60>
The qubit can be a linear superposition of the two states, and
as long as it is left alone, the different states will evolve
according to some internal set of rules. "Fix the rules right,
and that evolution can be a calculation."<61>
"Because of superposition, a concept called quantum parallelism
allows exponentially many such computations to take place simultaneously,
vastly increasing the speed of computation."<62>
Some say that quantum computers will be able to, in principle,
do more calculations at one time than there are atoms in the universe.<63>
Unfortunately, the development of a practical quantum computer
is still far away because of what is called quantum decoherence.
Quantum decoherence is due to the influence of the outside environment
on the quantum computer.<64> If these
methods can be perfected, factorization may prove simple using
a quantum computing device.
Encryption and cryptography as a whole are a double-edged sword
that "shields the law abiding and the lawless equally."<65>
Because of this, the US government has a vested interest in ensuring
that criminals or "the lawless" do not obtain powerful
encryption technology that the government can't defeat. Furthermore,
"the federal government has an important stake in ensuring
that its important and sensitive political, economic, law enforcement,
and military information, both classified and unclassified, is
protected from misuse by foreign governments or other parties
whose interests are hostile to those of the United States."<66>
The operability of the U.S. civilian infrastructure including
the banking system, electronic power grids, Public Switched Telecommunications
Network, and air traffic control is essential. Defending these
assets against information warfare and crimes of theft, misappropriation,
and misuse potentially conducted by hostile nations, terrorists,
criminals, and electronic vandals is a matter of national security
and requires high levels of information protection and strong security
safeguards.<67> Unfortunately a solution
to these problems does not appear to be simple. The US government
believes that by limiting the export of strong encryption technology
out of the United States, it will be furthering national security.
This may be true, but there is a fine line between ensuring national
security via the control of encryption and encroaching upon American
values such as one's personal rights to privacy.
A mandatory key escrow or a key recovery plan such as the one
that President Clinton has announced (see infra "Proposed
Policy") presents Constitutional issues as well as economic ones. Mandatory
key escrow forces users of cryptography to disclose something
they would prefer to keep secret which amounts to compelled speech.
Key recovery could have the same effect as mandatory key escrow
if one were forced to comply with the recovery. This would happen
if key recovery became a de facto standard and all who wanted to
conduct business with government agencies were required to use
key recovery systems. There is also the chance for government
abuse which may result in unreasonable searches or seizures and
thus violate the Fourth Amendment. There may be problems with
the Fifth Amendment and a key recovery since giving one's key
away in advance could be analogous to forcing users to disclose
their secrets in advance. Another very strong argument from the
public centers on the economic impact that export policies have
had over the years and the impact that the new policy may have.
By limiting cryptographic exports, the government is in
fact hurting many businesses in the U.S. With voluntary key recovery,
international communications are still vulnerable since products
sold by the dominant U.S. hardware and software manufacturers
must conform to U.S. export controls. Many companies cannot afford
to produce two versions of their software, one to distribute within
the U.S. and one to distribute outside of the U.S., so they produce
one weaker version and mass market that worldwide. Since U.S.
cryptographic exports will still be controlled, it will make U.S.
firms uncompetitive in a global market and the U.S. may eventually
lose its lead in encryption technology development.
The United States encryption export policies, whether past, present,
or those currently proposed, all raise Constitutional issues.
Is there a way to balance the rights of the people as granted
by the Constitution with the government's concern for national
security? The debate continues.
In the past, under the International Traffic in Arms Regulations
(ITAR) category 13(b)(1), the Department of State controlled exports
of cryptographic products. On February 16, 1996, the Department
of State amended ITAR by establishing an exemption for the temporary
export of cryptographic products for personal use. The exemption
did not apply to those persons contemplating sales, marketing
or demonstration, nor did it apply to exports to destinations
listed in Section 126.1 of the ITAR, which are prohibited by a
United Nations Security Council Resolution, or to countries that
have been determined to have repeatedly provided support for acts
of international terrorism. The planned effect of the amendment
was to ease the burden on U.S. citizens and lawful permanent residents
who have the need to temporarily export cryptographic products
when leaving the U.S. for brief periods of time. Until this amendment,
it was unlawful for a person traveling out of the U.S. to carry
cryptographic products without first obtaining proper licensing
from the Department of State. This in effect meant that any person
who needed or wanted to carry their laptop computer that happened
to contain an installation of Netscape for example, out of the
country, whether on business or for pleasure, needed to obtain
a Department of State license. Such a citizen would have had to
sign the computer out and back upon return to the U.S. and could
not sell, market, or demonstrate the encryption installed on the
computer abroad.<68> The U.S. has never
limited what cryptographic technology a person was able to use
within the U.S., only what was exportable. The U.S. has made much
progress in the past year redefining what the U.S.'s encryption
export policy should be. Many critics argue that President Clinton's
new plan (see infra Section VI) still
does not meet the needs of the industry, yet they concede that
at least some progress is being made.
On October 1, 1996, the White House released a statement by Vice
President Gore announcing that the Clinton administration would
relax the export restrictions on 56-bit encryption technology.<69>
Along with President Clinton, Gore believes that the new policy
will "support the growth of electronic commerce, increase
the security of the global information, and sustain the economic
competitiveness of US encryption product manufacturers during
the transition to a key management infrastructure." (Press
Release) Under the new policy, the export of 56-bit length encryption
products will be permitted, with, however, a few limitations.
A six-month general export license will be issued after one-time
review and contingent upon commitments from the exporter to explicit
benchmarks and milestones for developing and incorporating key
recovery features into their products and services. The specific
commitments will depend on the applicant's line of business. Initial
approval will be contingent on firms providing a plan for implementing
key recovery. If all milestones are met at the end of the six-month
period, the government will renew the export license for another
six months. Two years from now, the export of 56-bit products
that do not support key recovery will no longer be permitted.
Currently exportable 40-bit mass market software products, however,
will continue to be exportable. The key recovery vision presumes
that a trusted party (in some cases internal to the user's organization)
would recover the user's confidentiality or secret key for the
user or for law enforcement officials acting under proper authority.
Access to keys would be provided in accordance with destination
country policies and bilateral understandings. No key length limits
or algorithms will apply to exported key recovery products. Domestic
use of key recovery will be voluntary, and any American will remain
free to use any encryption system domestically. For export control
purposes, commercial encryption products will no longer be treated
as munitions. After consultation with Congress, jurisdiction for
commercial encryption controls will be transferred from the State
Department to the Commerce Department. The administration also
will seek legislation to facilitate commercial key recovery, including
providing penalties for improper release of keys, and protecting
key recovery agents against liability when they properly release
a key. The government will also continue to support financial
institutions in their efforts to assure the recovery of encrypted
financial information. Longer key lengths will continue to be
approved for products dedicated to the support of financial applications.
On November 15, 1996, Vice President Gore announced that President
Clinton has taken two significant actions to implement the encryption
liberalization plan announced in October.<70>
First, President Clinton signed an executive order directing the
transfer of jurisdiction for the export control of commercial
encryption products from the State Department to the Commerce
Department. The transfer will become effective upon the promulgation
of regulations by the Commerce Department, which is expected before
the end of 1996. Second, President Clinton has designated Ambassador
David L. Aaron as Special Envoy for Cryptography. As Special Envoy
for Cryptography, Aaron will have the responsibility "to
promote the growth of international electronic commerce and robust,
secure global communications in a manner that protects the public
safety and national security."
A total of three pieces of legislation are currently pending in
Congress. Senators Burns and Leahy introduced S.1587 entitled
the "Encrypted Communications Privacy Act of 1996" and
Representatives Goodlatte, DeLay and 28 other representatives
introduced the House of Representatives counterpart, H.R.3011,
entitled "Security and Freedom Through Encryption (SAFE)
Act." Lastly, Senator Burns recently introduced S.1726 referred
to as the "Promotion of Commerce On-Line in the Digital Era
(Pro-CODE) Act of 1996." The Pro-CODE bill offers the electronic
commerce counterpoint to S.1587.
The purpose of S.1587 is 1) to ensure that Americans are able to
have the maximum possible choice in encryption methods to protect
the security, confidentiality, and privacy of their lawful wire
or electronic communications and 2) to establish privacy standards
for key holders who are voluntarily entrusted with the means to
decrypt such communications, and procedures by which investigative
or law enforcement officers may obtain assistance in decrypting
such communications.
S.1726 would 1) relax current export controls by lifting restrictions
on all encryption hardware and software, regardless of key length,
that is "generally available" or in the public domain
in the United States, while hardware and software not available in the
mass market or public domain would fall under an export scheme
that would currently allow up to roughly DES-strength (56-bit
key length) security; 2) give the Commerce Department exclusive
jurisdiction over encryption exports, rather than the State Department;
3) affirm domestic use and sale of encryption and explicitly prohibit
mandatory key escrow; 4) prohibit Commerce Department standard-setting
activities on encryption; and 5) present broad new Congressional findings
on the negative impact of current encryption regulations on electronic
commerce.
H.R.3011 is to amend title 18 of the United States Code, to affirm
the rights of Americans to use and sell encryption, and to relax
export controls on encryption. In general, the USC is amended
by inserting after chapter 121 the following new chapter: Section
2801 - Definitions, Section 2802 - Freedom to use encryption,
Section 2803 - Freedom to sell encryption, Section 2804 - Prohibition
on mandatory key escrow, Section 2805 - Unlawful use of encryption
in furtherance of a criminal act.
The current export control regime on strong cryptography is an
increasing impediment to the information security efforts of U.S.
firms competing and operating in world markets, developing strategic
alliances internationally, and forming closer ties with foreign
customers and suppliers. Export controls also have had the effect
of reducing the domestic availability of products with strong
encryption capabilities. The need for U.S. vendors to market their
products to an international audience forces many of them to weaken
the encryption capabilities of products available to the domestic
market, even though no statutory restrictions are imposed on that
market. Because of this, domestic users face a more limited range
of options for strong encryption than they would in the absence
of export controls. As demand for products with encryption capabilities
grows worldwide, foreign competition could emerge at a level significant
enough to damage the present U.S. world leadership in this industry.
Overly restrictive export controls thus increase the likelihood
that significant foreign competition will step into the vacuum
left by the inability of U.S. vendors to fill a demand for stronger
encryption capabilities integrated into general purpose products.
The U.S. has wrestled with instituting a viable encryption policy
for years. Before a voluntary key recovery plan was proposed,
there was a mandatory key escrow plan. Before the mandatory key
escrow proposal, there was the reality of the ITAR regulations.
As long as there has been an encryption export policy, criticism
has followed. The new key recovery plan seems to be
the most realistic proposal yet, but there are still some shortfalls.
Many experts have stated that a 56-bit export limitation on cryptographic
products is far below what is deemed acceptable today. Why then
is the government using 56-bit technology as a starting point
to institute the key recovery plans? Industry is being forced
to use key recovery in order to be able to use a more powerful,
albeit still too weak, encryption technology. Why should industry
cooperate? Because industry stands to lose lucrative government
contracts that will require the use of a key recovery plan. IBM
and Hewlett Packard, along with nine other major U.S. firms, have
already begun to study and design key recovery plans that would
conform to the government's requirements.
The time is ripe for a new export policy but there is no reason
why U.S. citizens and industry should not have input as to the
form that policy should take. Why have all recent cryptographic
policies been instituted via executive order and not through the
voices of the citizens? Encryption is complicated enough that
all well-founded concerns should be heard and addressed. Congress
is the only way in which to do this. The encryption legislation
that has been proposed aims to address the problems and concerns
discussed in this paper and shows that encryption policy enjoys
bipartisan concern. Both the House of Representatives and the
Senate have held hearings concerning the state of U.S. encryption
policy and extensive transcripts have resulted. There will most
certainly be more debate regarding encryption policies when Congress
reconvenes in January.
Encryption and U.S. Export Policies of Cryptographic Products
Clipper 3.1.1
Fall 1996
I. INTRODUCTION
II. THE TECHNOLOGY
III. HOW "BREAKABLE" IS IT?
IV. CONFLICTING CONCERNS
V. PAST POLICY REGARDING ENCRYPTION USE AND U.S. EXPORT
VI. PROPOSED POLICY REGARDING ENCRYPTION USE AND U.S. EXPORT
VII. PROPOSED LEGISLATION
VIII. CONCLUSION
Endnotes
<1> Parallel Computing is a technique used to
combine the computing power of many independent computers such
that in tandem they have the equivalent power of a much larger
system.
<2> Short for Bulletin Board System.
<3> MODEM is short for MOdulate DEModulate
which refers to the way the device converts digital pulses to
analog sound waves such that communication between digital instruments
such as the computer is possible over analog telephone wires.
<4> "Hackers: Heroes of the Computer Revolution",
Steven Levy; New York Times, June 12, 1994.
<5> Id. at 6
<6> Just as digital information can be represented
as a sequence of zeros and ones or bits, so can an alphanumeric
encryption key. Once the alphanumeric key has been converted to
binary code, the bit-length of the key may be determined. Each
zero or one occupies one bit in binary code. The longer the bit
length of a key, presumably the harder it will be to guess the
key and ultimately break the code.
<7> Codes use word or phrase substitutions.
The major problem with codes is that they are generally complicated
enough to have to be written down, and a code book could eventually
fall into the wrong hands. - "Keeping Big Brother at Bay
With an Encryption Machine"; Windows Magazine, July 1st 1994
<8> Ciphers use character substitutions and
may or may not be easy to remember.
<9> Julius Caesar always used k=3. - Windows
Magazine
<10> Id.
<11> Id.
<12> Named after the sundae Rejewski was
eating when he thought of the idea. - Id.
<13> Computer hero of World War II set
quietly aside; National perspective - Boston Globe; June 3, 1994
<14> Id.
<15> Id.
<16> Windows Magazine
<17> Id.
<18> RSA Laboratories' "Answers to
Frequently Asked Questions About Today's Cryptography" - page 12;
http://www.rsa.com/rsalabs/
<19> Id. at 11
<20> See infra "Digital Signatures and
Timestamping"
<21> RSA FAQ at 12
<22> Id., see also Merriam-Webster's Dictionary
<23> Kerberos is one example. Such an
encryption system is good for centrally administered systems with
a large number of users. As long as the key database is protected,
the data should be safe.
<24> Id. at 15. See also W. Diffie and
M.E. Hellman. New directions in cryptography. IEEE Transactions
on Information Theory, IT-22: 644-654, 1976, and "Hackers:
Heroes of the Computer Revolution", Steven Levy, New York
Times June 12, 1994.
<25> RSA FAQ at 17
<26> For complicated mathematical reasons,
the two keys are related such that it would be possible to transmit
one's key freely without compromising security - Both keys would
be required to "crack the code"
<27> If the recipient were to compromise
the security of their private key by giving it away purposely
or otherwise, or by misplacing it, the security of the communications
cannot be guaranteed.
<28> Id.
<29> Id.
<30> DES is the Data Encryption Standard,
a block cipher (see infra note <36>)
developed by IBM, and defined and endorsed by the US government
in 1977 as an official standard. It is the most well known and
widely used symmetric cryptosystem in the world. Id. at 69
<31> Named after three M.I.T. mathematicians,
Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, RSA is the
most widely used public-key cryptosystem today and is often referred
to as a de facto standard.
<32> Not all cryptography is implemented
via software. There are electronic hardware solutions in the form
of integrated circuits that also encrypt information. Id. at 22
<33> Id. at 29
<34> Certificates are digital documents
attesting to the binding of a public key to an individual or other
entity. Certificates are issued by a certifying authority (CA)
which can be any trusted central administration willing to vouch
for the identities of those to whom it issues certificates and
their association with a given key. Id. at 128.
<35> Id. at 19
<36> A hash function H is a transformation
that takes a variable-size input m and returns a fixed-size string,
which is called the hash value h. (h=H(m)). Id. at 97.
<37> Id. at 19
<38> See supra notes <20>
and <21>
<39> PGP stands for Pretty Good Privacy.
It was designed by Philip Zimmermann and distributed freely on
the Internet. PGP is a very strong encryption program.
<40> RSA works as follows: Take two large
prime numbers p and q and find their product n=pq; n is called
the modulus. Choose a number, e, less than n and relatively prime
to (p-1)(q-1), which means that e and (p-1)(q-1) have no common
factors except 1. Find another number d such that (ed-1) is divisible
by (p-1)(q-1). The values e and d are called the public and private
exponents, respectively. The public key is the pair (n,e); the
private key is (n,d). The factors p and q may be kept with the
private key or destroyed. It is presumably difficult to obtain
a private key d from the public key (n,e). If one could factor
n into p and q, however, then one could obtain the private key
d. RSA FAQ at 21.
<41> The obvious way to do this attack
would be to factor the public modulus n into its two prime factors,
p and q. From p, q, and e, the public exponent, the attacker can
easily get d, the private exponent. Id. at 23
<42> One must find a technique to compute
e-th roots mod n. Id.
<43> Id.
<44> Id. at 58
<45> Millions of Instructions Per Second
<46> Id.
<47> Id. at 24
<48> A Block Cipher transforms a fixed-length
block of plaintext data into a block of ciphertext data of the
same length using a secret key.
<49> Id. at 70
<50> Id. - citing M.J. Wiener. Efficient DES
Key Search. Technical Report TR-244, School of Computer Science,
Carleton University, Ottawa, Canada, May 1994.
<51> Id.
<52> Id.
<53> Id. at 54
<54> Id.
<55> Id.
<56> A Stream Cipher is a symmetric encryption
algorithm that operates much faster than any block cipher (see
supra note 35). Stream Ciphers operate on bits rather than blocks
of plaintext.
<57> NIST is an acronym which stands
for the National Institute of Standards and Technology. NIST was
formerly known as the National Bureau of Standards and is a division
of the U.S. Department of Commerce. NIST issues standards and
guidelines that it hopes will be adopted by all computer systems
in the US. In 1987 Congress passed the Computer Security Act,
which authorized NIST to develop standards for ensuring the security
of sensitive but unclassified information in government computer
systems. In 1977 NIST declared DES (See supra note 20) the official
U.S. encryption standard. RSA FAQ at 129.
<58> Id. at 69.
<59> Id. at 114.
<60> "Alan Turing's insight was that
a simply described calculating machine could, with enough time
and memory, calculate anything about that universe that was calculable:
it could be a universal computer. His description of this machine
-- a description that applies to everything called a computer
today -- was so simple that it was taken to be a matter of pure
mathematics. But a truly fundamental description of such a machine
must take into account quantum mechanics, the underlying theory
of physical reality; machines are a matter of physics, not math.
It turns out that calculating machines working to quantum rules
end up with different properties, and with the potential to do
things that normal computers cannot do." - The Economist
Newspaper, Ltd. "An Enigma to unwrap a mystery"; April
30, 1994
<61> Id.
<62> RSA FAQ at 114.
<63> The Economist Newspaper, Ltd. April
30, 1994 "An Enigma to unwrap a mystery"
<64> RSA FAQ at 114
<65> "Hackers: Heroes of the Computer
Revolution", Steven Levy, New York Times June 12, 1994.
<66> "Cryptography's Role in Securing
the Information Society" - http://www2.nas.edu/cstbweb/2646.html
- May 30, 1996 p2
<67> Id.
<68> "International Restrictions
May Ease For Laptop Users" - The Encryption Revolution by
Christine Hudgins-Bonafield; Network Computing;
http://techweb.cmp.com/nc/704/704f3travel.html
<69>
http://www.cdt.org/crypto/clipper311/961001_Gore_stmnt.htm
and http://www.rsa.com/PRESSBOX/releases/56bitGore.htm
<70> http://www.cdt.org/crypto/clipper311/961115_WH_pr.htm
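The RSA construction in endnote <40> and the factoring attack in endnote <41>, worked through as an added example that is not part of the original paper or the RSA FAQ. The primes 61 and 53, the exponent 17 and all function names are constructed for illustration; a real modulus is hundreds of digits long, which is what puts the factoring step out of reach.

```python
from math import gcd

# Constructed toy parameters (assumptions, not from the paper).
P, Q, E = 61, 53, 17


def make_keypair(p, q, e):
    """Endnote <40>: n = pq; e coprime to (p-1)(q-1); (ed - 1) divisible by (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, phi) != 1:
        raise ValueError("e must be < n and relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    if (e * d - 1) % phi != 0:
        raise ArithmeticError("ed - 1 is not divisible by (p-1)(q-1)")
    return (n, e), (n, d)  # (public key, private key)


def apply_key(key, value):
    """Raise value to the key's exponent mod n: encrypts with (n, e), decrypts with (n, d)."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0..n-1")
    return pow(value, exponent, n)


def factor_modulus(n):
    """Trial division. Finishes instantly for a toy n, never for a modulus of real size."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no nontrivial factor")


def private_exponent_from_public(public_key):
    """Endnote <41>: once n is factored into p and q, d follows from p, q and e."""
    n, e = public_key
    p, q = factor_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keypair(P, Q, E)
    ciphertext = apply_key(public, 65)
    print(public, private, ciphertext, apply_key(private, ciphertext))
    print(private_exponent_from_public(public) == private[1])
```

With these toy values the private exponent is recovered from the public key alone, which is why the strength of RSA rests entirely on the size of n.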