Forwarded From: Nicholas Charles Brawn <ncb05@uow.edu.au>
05Nov98 CANADA: THE KEY TO ENCRYPTION - EVER HEARD OF TRUSTED THIRD
PARTIES AND CLIPPER CHIPS?
SOME see them as the ultimate line of defence against hackers, industrial
spies, terrorists and cyber-criminals. Opponents view them as little short
of a totalitarian threat in the computer age. But have you ever heard of
Trusted Third Parties? And did you know that Tritheme, a small affiliate
of the French electronics giant Thomson-CSF, became the world's first
commercial Trusted Third Party in late September?
Does it matter? Yes. Few outside the worlds of computer technology and
cryptography know much about Trusted Third Parties or realise to what
extent the debate about them has divided the corporate community, inflamed
privacy advocates and stirred law enforcement and intelligence agencies.
Trusted Third Parties did not appear on the agenda of talks on electronic
commerce in Ottawa attended early this month by ministers from the 29
members of the Organisation for Economic Co-Operation and Development
(OECD, the club of the world's better-off nations). But they discussed
them when considering ways to tighten the security of communications on
the Internet.
The 'Clipper Chip' looked good
The Trusted Third Party system originated in the United States as a result
of the Clinton administration's failure to persuade American computer
manufacturers to install the so-called 'Clipper Chip' in their hardware as
a way of helping American law-enforcement and intelligence agencies fight
organised crime or terrorism.
Devised by the National Security Agency, the 'Clipper Chip' was to have
given the authorities a 'back door' into all American-built computers so
that they could monitor the communications - encrypted or otherwise - of
suspected criminals.
When the computer industry, civil libertarians and legislators threw up
their arms in horror over the potential abuses of the 'Clipper Chip', the
Clinton administration switched to proposing a "key recovery system" that
would provide another way for investigators to gain access to data
communications. This worked by making it compulsory for those using
encryption to store the 'private keys' that encrypt and decrypt messages
with commercial Trusted Third Parties. These would be required to turn
keys over to the authorities when presented with a court order; the keys
would enable the Federal Bureau of Investigation and other law enforcement
agencies to read a suspect's encrypted mail.
Private and public
How does it work? When the armed forces, police or banks use encryption on
closed-circuit networks, they employ 'private keys'. However, when a bank
wishes to send an encrypted message to someone outside the system or
receive an encrypted message from outside the system, a dual-key system
involving a 'public key' and a 'private key' comes into play. The sender
uses the receiver's 'public key' code to transmit the message while the
recipient employs its 'private key' to decode it. The sender does not know
the code on the recipient's 'private key'.
The 'public key' system was invented in the United States over 20 years
ago and American firms such as RSA still largely dominate the market for
public-private key software (known technically as asymmetric
cryptography). Paradoxically, the companies which make the software now
stand in the forefront in warning about the dangers of key recovery
systems, saying Trusted Third Parties would not only be subject to
government snooping but also to unending attacks by hackers. Senders and
receivers wanted to rely on their own high-tech security systems. Result:
the Clinton administration has failed to win acceptance of compulsory TTPs
as it failed with the 'Clipper Chip'.
Failure, too, has dogged American efforts to curb the export of
state-of-the-art encryption software. The fear is that criminal gangs or
terrorists might obtain and use encryption systems that would defy
code-breakers from the FBI or the NSA. As a result, the administration had
long banned American firms from exporting complicated software with a 'key
length' of over 48 bits. Under pressure from industry, however, it
increased the limit to 56 bits, enabling villains to send or receive
messages much harder to decrypt.
Psst! You want 256 bits?
Specialists dismiss this ban as a waste of time, pointing out that
villains can buy encryption software with 'key lengths' of up to 256 bits
on the domestic market and take it home in a briefcase.
Snubbed at home, the Clinton administration has gone abroad to marshal
support for 'key recovery systems' from governments and international
organisations. Working on the assumption that convincing foreigners to
adopt Trusted Third Parties would give it a better chance of introducing
them at home, the United States tried to persuade the OECD to accept the
system last year. It failed again.
However, the administration found two allies in Britain and France. Indeed
the French, advocates of state control over most aspects of national life,
have become the first to approve a law paving the way for Trusted Third
Parties; Britain has come out in favour of a voluntary TTP system.
Predictably, Germany is hesitating. The United States has made some
headway in persuading its North American neighbours, Canada and Mexico, to
set up 'key recovery centers'.
The French will be first
In the past, the use of encryption in France was illegal save by the
government and banks - yet most of the country's big corporations used it.
Under the new law, all encryption users except government services and the
military are obliged to store their 'private keys' with commercial Trusted
Third Parties. Big firms such as Bull, Compagnie des Signaux and Thomson -
following its Tritheme affiliate - are bidding to operate as Trusted Third
Parties because the financial stakes are enormous: they will be able not
only to sell to their clients the encryption software that goes with the
'key' but also to charge handsome fees for managing the customer's 'keys'.
As for the United States, the administration looks unlikely to win legal
power to force American industry to use a 'key recovery system'. That may
please civil libertarians but it could prove costly. The law enforcement
lobby had hoped "key recovery" would give it a shortcut in the fight
against cyber-criminals and organised crime. Without that shortcut, the
cost of such crime can only increase.
FOREIGN REPORT 05/11/1998
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sat Nov 7 13:20:43 1998