Can You Keep A Secret? encryption 1998
Encryption is simple enough. But when millions of people want to ensure privacy on a medium as public as the Internet, things get complicated.
If you conduct business over the Internet, use the Web to transmit sensitive documents, or like to chat on your favorite cybersites without leaving tracks, you are at the center of a furious battle in Washington.
Maybe not you personally and directly, but your right to have access to encryption software used to transmit data in ultra-secret form.
This may come as a surprise, because for much of the last decade, the clash has centered on Washington's efforts to regulate the export of strong, hard-to-break encryption programs.
Now, however, legislators and law enforcement agencies, most notably the Federal Bureau of Investigation, are clashing with cyberlibertarians and powerful commercial interests over efforts to extend controls on so-called strong encryption to domestic uses.
The worry once was that strong encryption would aid America's enemies abroad. More recently, some members of Congress and the FBI have begun to worry that without domestic fetters on strong encryption, home-grown criminals, too, will have free rein on the Internet.
Cyberlibertarians, meanwhile, fret that new efforts to control encryption will rob Americans of privacy.
And major business interests warn that anything less than strong encryption will cripple their efforts to move commerce fully onto the Internet and into the 21st century.
Says David Banisar, a lawyer and senior policy analyst for the Electronic Privacy Information Center, a nonpartisan Washington research organization focusing on civil liberties issues concerning electronic communication: "The FBI is determined that nothing passes they won't accept. Industry and the public is not thrilled with what the FBI wants. It is a fairly intractable problem."
There is no argument over the basics of encryption.
Secret codes are simple to use when only a small group of people depend on them. Before exchanging messages, the users simply exchange solutions to the codes. But when millions want to keep secrets on a medium as public as the Internet, things become more complicated.
What is required then is an encryption method that guarantees that only the right person gets the decoding key to a message. Moreover, the process by which the secret communication is carried out has to guarantee that the last decoding key does not decode the sender's next message. Peter may want Paul to read a message with a credit-card number - but not the love letter to Mary.
The solution rests in using public-key encryption.
With that method, the encryption code has two component keys. One, called the public key because it is available to anyone who wants to use it, encrypts the message.
For now, such public keys are available because they are part and parcel of late-model Web browsers such as Netscape and Internet Explorer. Eventually, every Net user - whether a corporation or a private person - will have an individualized public key that will be published for all to see.
The other, private key, however, remains in the hands of the recipient of the message.
It works this way:
Suppose that you have an Internet browser armed with a strong encryption utility. And suppose that you want to do business on your financial service's Web site, which also has an encryption utility.
Once contact is established, the encryption utilities exchange public keys. With the help of private keys at each end, your site and your broker's site encode and decode messages as they flow back and forth.
When you log off, all traces of the communication vanish, leaving nothing behind that anyone else can use.
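
An added illustration, not part of the original article, of the exchange described above: each session uses fresh key pairs, so the key from one session cannot open the next message. The article names no algorithm, so this uses Diffie-Hellman key agreement as a stand-in; the group parameters, function names and sample messages are assumptions of the example.

```python
import hashlib, hmac, secrets

# Assumed demo group: the Mersenne prime 2**127 - 1 keeps the numbers short.
# It is far too small for real use; deployed systems use vetted groups/curves.
P, G = 2**127 - 1, 3

def new_keypair():
    """Fresh key pair: the private half stays local, the public half is sent."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def session_key(my_private, their_public):
    """Each end combines its own private key with the peer's public key."""
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def _keystream(key, n):
    # SHA-256 in counter mode: a stdlib stand-in for a real cipher (AES-GCM etc).
    blocks = (hashlib.sha256(key + b"enc" + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt, then append an HMAC tag. One message per session key only."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, b"mac" + body, hashlib.sha256).digest()

def unseal(key, sealed):
    """Return the plaintext, or None if this key does not fit the message."""
    body, tag = sealed[:-32], sealed[-32:]
    good = hmac.new(key, b"mac" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))

def run_session(message):
    """One browser-to-site session; both key pairs are created and dropped here."""
    browser_priv, browser_pub = new_keypair()
    site_priv, site_pub = new_keypair()
    sender_key = session_key(browser_priv, site_pub)    # browser's view
    receiver_key = session_key(site_priv, browser_pub)  # site's view
    return receiver_key, seal(sender_key, message)

if __name__ == "__main__":
    key1, card = run_session(b"card number for Paul (constructed)")
    key2, letter = run_session(b"love letter to Mary (constructed)")
    print(unseal(key1, card))    # the first session's key opens its own message
    print(unseal(key1, letter))  # None: the old key does not open the next one
```
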
Public-key cryptology is only part of the answer to computer security.
Encryption codes - written in bits or sequences of zeros and ones, the language of computers - have relatively short shelf lives. As recently as last year, at least one message written in a 56-bit key - which could comprise 70 quadrillion (that's 15 zeros after the 70) secret combinations - was solved by computer experts.
As a result, 128-bit encryption - think of the possible combinations as an eight followed by 37 zeros - is gaining favor. And 192-bit and 256-bit codes are on the horizon.
The idea that the 128-bit code and its successors may fall into the wrong hands is what has kept a lot of people in Washington staring at the ceiling in the middle of the night.
For most of the 1990s, the concern was that strong encryption would be used by terrorists, hostile governments, and international drug cartels for encoding data.
To stop that from happening, Washington imposed export controls on strong encryption software.
U.S. software developers were allowed to export only if they agreed to give copies of private keys to third parties. Those key holders would be required to make key copies available to government agencies if they obtained judicial permission to have them.
Encryption software vendors grumbled that the key escrow requirements would cut them out of the massive and growing international market for their software, but most found ways to live with them - some by applying for and getting exemptions from the controls.
"The number of export licenses granted on this special case, on that special case" slowly mounted during 1997, so that the export restrictions have come to "resemble the Massachusetts blue laws that say that there is not much you can do on Sunday unless it is on this list of 400 special cases," says Daniel E. Geer Jr., vice president of Certco LLC, a Cambridge, Mass., company specializing in Net security.
Some firms have set up manufacturing subsidiaries abroad or joined forces with foreign companies that develop and sell encryption programs.
But now, as Congress prepares to deal with several encryption bills and a fistful of variations on some of them, the struggle over encryption has increased substantially.
According to James X. Dempsey, senior staff counsel at the Center for Democracy and Technology, a Washington nonprofit public interest organization that defines itself as protector of cyberspace civil liberties: "The FBI radically changed the nature of the debate by saying that they not only oppose changes in the export law, but wanted domestic controls on encryption."
In testimony to Congress, FBI Director Louis Freeh put it starkly: Drug dealers, members of organized crime, pedophiles, and a host of other criminals stand ready to take full advantage of strong encryption.
"Unless we have some solution to unbreakable encryption, we will be devastated with respect to our ability to fight crime and terrorism," Freeh said.
Freeh is not alone in believing that key escrow holds the secret to civil safety.
The Senate Judiciary Committee's subcommittee on terrorism, technology and government information has received letters from every major law enforcement agency, arguing against strong encryption.
To many on Capitol Hill, the argument that law enforcement agencies should be able to tap into computer communications just as they can tap into telephone conversations makes sense.
If they don't get that right, U.S. Sen. Dianne Feinstein (D., Calif.) said during the hearings with Freeh, "it's going to just create enormous problems downstream."
But the notion that law enforcement agencies should have access to encrypted communications appalls civil libertarians, who see in key escrow the potential for unbridled intrusion into the lives of Americans.
The proposal also has rattled the business community.
Leaning heavily on the opinions of many cryptography experts, businesspeople argue that a key-escrow system would make hash of secure Internet communications. The computers of third parties holding keys in escrow, they say, would be subject to successful criminal hacking efforts.
More to the point, the opponents say, there is no guarantee that employees of escrow companies themselves would not steal crucial keys, sell them to criminals, or give them up in response to blackmail threats.
Even if hackers were unable to crack key-escrow accounts, the mere possibility that they could do so would undermine electronic commerce, critics of the plans say. Buyers and sellers who want to renege on Internet transactions could claim that transactions bearing their secret codes were fraudulent, that argument goes.
Some observers in Washington think that the FBI and its allies would be willing to back off on domestic encryption controls if a proposal for establishing a national technology center were to pass.
Under the provisions of one of the encryption bills moving through Congress, such a center would help law enforcement officials at the federal, state and local levels deal with decryption and other electronic challenges.
"That logic says that we should focus on developing the right tools" to cope with illegal encryption, rather than force encryption "technology back into the bottle," says a Washington privacy expert who did not want to be identified.
Still, some Washington experts think there is a 50-50 chance that Congress will send encryption-control legislation to President Clinton for his signature this year.
Given that the White House wants to keep a tight grip on the crime issue, which it has wrested from the Republicans, the chances are good that Clinton would sign a bill that would deny criminals a safe harbor in encryption, those observers say.
Other observers, meanwhile, think that no matter what tack Congress and the White House take, the courts are likely to come up with the solution that civil libertarians and businesses are hoping for.
In a suit challenging the validity of the controls on exporting encryption software, a U.S. District Court in California has ruled of speech protected by the First Amendment.
That case is before the Federal Court of Appeals for the Ninth Circuit in California.
In hearing arguments, the appeals-court judges asked questions that seemed to indicate that they were leaning toward accepting the lower court's ruling, said David Banisar, of the Electronic Privacy Information Center.
Internet security systems can be bypassed
It sounds like a computer user's worst nightmare: Someone gains access to your personal computer via the Internet and deletes files. Alters money accounts. Destroys information stored on the hard disk. And it all takes just a minute or two. Fred McLain demonstrated how in San Francisco, renewing heated debate over a nagging concern of computer users today: Internet security. Using a Microsoft technology called ActiveX and Microsoft's Internet Explorer Web browser, McLain invaded a remote computer on the World Wide Web and moved files, altered a bank account, called up tax records and wreaked digital havoc on the PC's hard disk using Net-transmitted programs.
McLain's feat became the talk of JavaOne, the conference where he put on the demonstration and where about 10,000 developers who use the software language called Java were in attendance. Other technologies with similar capabilities are on the horizon. The risk comes with the ability to gain access to a Web user's hard drive from a remote computer. Java, which until now has protected against disk access, is being altered to provide just that. Java supporters say they are building in extra security layers to protect against ActiveX-type incursions. But security experts say any disk-access technology poses risks. In any case, McLain said, "I'll be right there to expose" potential risks to computer users "from any technology." So far, the focus is on fast, compact Internet-transmitted programs, called applets, which need access to a computer's hard disk to work. The benefits of using applets are considerable, and many observers believe they are the next big phase of advancement for the Internet. These little applications - hence the term "applets" - can handle everything from text and numbers to games, animations, finances, health advisories and shopping aids.
Hard-disk access is also key to the current big wave of new Web technology, called "push." Advertisers, vendors and company information-systems directors are expected to use push technology to automatically "broadcast" a variety of applications and services over the Web to users who have indicated specific interests and needs. The commercial potential of push is estimated in the billion-dollar range.
For push to work, however, the door to your computer will have to be left open. And that poses risks.
Estep sees a culture clash at the heart of the hacker ethic. Broadly speaking, he sees the people who run computer networks and design their programs as wanting an open environment to enable free exchange of files, programs and information. Corporate managers, however, worry about theft or abuse of proprietary information.
Hackers can be viewed as performing a whistle-blower function for the user public, their defenders say. "Security is always more important to corporations and consumers than to companies selling software," Littman said. "Hackers are doing a service for the public. The industry may not like it, but ultimately it's to their advantage."
Netscape co-founder Marc Andreessen acknowledged as much when his company's market-leading browser was under fire from hackers. "I'm happy hackers are concentrating on trying to break our products," he said. "As a result, we get to improve them."
McLain's demonstration and a similar ActiveX program he posted last fall on the Web called "Internet Exploder" have gotten him in hot water with a leading security certifier on the Web. "Exploder" seized control of a remote PC on the Web and shut the computer down after making sure no programs or data would be damaged. The effort gave McLain the distinction of being the only person to have his license revoked by VeriSign, a Silicon Valley company that authenticates the digital identity of a program's source.
"What Fred's doing is entirely legitimate," said Ben Thorsteinson, like McLain a veteran Seattle bulletin-board system operator. "Sun, IBM (and) Microsoft know Fred, and know that Fred knows what he's talking about."
Title: Daley Calls For Compromise in Encryption Debate 4/16/98
Issue: Encryption
Description: Speaking to an Information Technology Policy Council forum, Secretary William Daley warned that if the sides of the encryption debate don't start compromising, the data security industry will move overseas and US policy and products will become obsolete. Sec. Daley called for 1) online intellectual property legislation from Congress and 2) the industry to start doing a better job on self-regulation on privacy. A Commerce Department report says that electronic commerce lowers purchasing and marketing costs, increases inventory flexibility, and improves customer service. The report also finds many companies waiting for a resolution of the encryption debate before they expand their Internet business.
Title: Commerce Chief Calls Encryption System Flawed 4/16/98
Yesterday, Secretary of Commerce William M. Daley said in a speech to the high-tech industry that the Clinton Administration's attempts to control encryption technology have failed and are forcing U.S. software makers to "concede ground" to foreign competitors. Secretary Daley's comments are the strongest indication to date that the administration is considering "parting ways" with the FBI and other law enforcement and spy agencies over the issue of data scrambling. "We are headed down a lose-lose path, and we have to get back to win-win," Sec. Daley said.



