FBI wants 'software keys', 'back door' to encryption

R. A. Hettinga rah at shipwright.com
Wed Sep 26 09:05:39 EDT 2001


http://www.siliconvalley.com/docs/news/svfront/050272.htm

------------------------------------------------------------------------

Opening encryption `back door' is problematic, experts say

SAN FRANCISCO (Reuters) - U.S. lawmakers may be asked to give the FBI a
``software key'' to encryption technology that would allow the agency to
unlock secret Internet messages but experts warn the measure would impair
commerce and violate privacy rights without deterring terrorism.

The devastating Sept. 11 hijacking attacks on New York and Washington have
rekindled the debate over public use of powerful cryptography software, and
some U.S. lawmakers have called for restrictions on the free and widely
available technology used to scramble electronic communications.

Sen. Judd Gregg, a New Hampshire Republican, is seeking to include in an
anti-terrorism bill backed by the Bush administration a requirement that a
``back door'' be installed in encryption products, a step that would
essentially give law enforcement agencies a key to decode scrambled
messages.

In the face of opposition from technology advocates, software vendors and
privacy rights advocates, the Clinton administration backed off
controversial proposals it had pushed during the 1990s that would have
restricted widespread use of cryptography programs.

Many of the same experts and industry participants have registered their
renewed opposition now, and some accuse law enforcement agencies of using
the attacks as an excuse to push for previously rejected measures.

``It feels like deja vu. I thought we solved this problem,'' said Bruce
Schneier, founder and chief technology officer at Counterpane Internet
Security. ``Unfortunately, the FBI is doing a power grab and everything
that was on their wish list for the last decade or so is back.''

Strong cryptography programs are not perfectly impenetrable but the
scrambled messages they produce require a lot of computing power to decode.
Encryption that includes the proposed ``back door'' for government use
would be compromised and less useful for legitimate traffic, opponents said.

Privacy and computer security experts argue that solution would actually
hinder law enforcement efforts and undermine legitimate electronic business.

``Having a good, strong crypto infrastructure in our country is part of
what we need to combat terrorism,'' said Phil Zimmermann, creator of PGP
(Pretty Good Privacy), the most popular encryption software used on the
Internet. ``Strong cryptography does more good for a democratic society
than harm, even if it can be used by terrorists.''

BAD GUYS SEEN UNDETERRED

So far, there has been no evidence that those responsible for the attacks
on the World Trade Center and the Pentagon used encryption technology to
scramble their communications.

Shortly after the attacks, investigators were quoted as saying they had
reams of evidence from unencrypted e-mails and paper documents like car
rental receipts and they speculated suspects weren't using encryption.

Unnamed officials were also quoted earlier this year saying they suspected
Al Qaeda, the organization led by Saudi-born militant Osama bin Laden that
the U.S. government has blamed for the attacks, was using a different
method of obscuring communications known as ``steganography.'' Typically,
steganographers hide messages in digital images.

``The bad guys aren't going to use (compromised encryption); they're going
to use cryptography from other countries,'' said Zimmermann. ``Furthermore,
other governments will use those back doors to repress their citizens.''

``These are people who have guns and bombs, who commit mass murder and
they're not going to think twice about breaking a law against strong
crypto,'' said Steve Bellovin, a researcher on network security at AT&T
Labs.

Meanwhile, U.S. businesses and citizens would be at risk of having their
legitimate communications intercepted by either human or technological
error as a result of compromised cryptography programs, the experts said.

``If you are weakening the crypto systems you are weakening it for
everybody, whether it's terrorists or VISA and MasterCard,'' said David
Loundy, a professor at The John Marshall Law School in Chicago and incoming
associate director for the Center for Information Technology and Privacy
Law.

OPEN A BACK DOOR AND THE HOUSE COMES DOWN?

Additionally, modifying encryption software increases the likelihood of
flaws, further making it less desirable for legitimate use in e-commerce,
experts said.

``As more and more of our nation's critical infrastructure goes digital,
cryptography is more important than ever and we need all the digital
security we can get,'' Schneier wrote in an e-mail newsletter to be
released next week.

For example, a bug was found after a so-called ``key recovery'' capability
was integrated into a commercial version of PGP a few years ago.

The key recovery function was designed to allow corporations to access
encrypted communications of employees in the event that one of the digital
``keys'' needed to unlock the code was lost.

``From my own experience, when you try to add those kinds of capabilities
it increases the likelihood of flaws in the implementation,'' Zimmermann
said.


# # #
	 

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'


