The War is Over
By Seth Ross
The computer security industry is not noted for cheery celebrations
and smiles. But there was a lot to celebrate and smile about at last
week's RSA Conference 2001 held in San Francisco: the venture capital
money has been flowing; the industry is prospering; the trade show
floor was bustling with a record number of vendors and attendees;
and, most importantly, the war between the crypto community and the
US federal government has wound down to détente and mutual accommodation.
For the last 20 years, the US crypto industry has been held back
by several regulatory difficulties. Even as the worldwide demand
for encryption technology was booming, the US maintained strict
export controls, making it extremely difficult if not impossible
to export strong encryption software. Under the International Traffic
in Arms Regulations, strong crypto was tightly regulated as a munition,
classified alongside chemical and biological weapons, firearms,
and missile technology as an item that could not be freely exported
from the US.
Even worse, the federal government was impeding the development
of strong crypto standards by promoting DES (pronounced "dez").
First adopted by the federal government in 1977, the 56-bit DES
algorithm was widely deployed over the next 20 years to protect
applications, despite concerns about its small key size and possible
Throughout the 1990s, numerous organizations, businesses, and individuals
resisted government attempts to contain strong crypto and promote
weak crypto, ranging from RSA Data Security and the Electronic Frontier
Foundation (http://www.eff.org) to the Cypherpunks,
a high-volume electronic mailing list dedicated to crypto-anarchy.
In the late 1990s, RSA Data Security sponsored a series of DES-cracking
contests to highlight the need for encryption stronger than the
56-bit standard widely used to secure both US and international
commerce. Each year, a secret DES-encrypted message was broken faster
and faster, culminating in 1999, when DES
fell in 22 hours.
Fast forward to the new millennium. The Clinton Administration
liberalized the crypto export
regulations twice in 2000: once in January and then again in
October. While the regulations are still
in place, they're far less burdensome: it's now legal, for example,
to export encryption products with larger keys and to publish open
source crypto on the Internet.
In October 2000, the National Institute of Standards and Technology
(NIST) selected an Advanced Encryption Standard (AES) to replace
DES: the Rijndael
(pronounced "Reign Dahl", "Rain Doll", or "Rhine Dahl") algorithm.
The two researchers who developed and submitted Rijndael
for the AES are both cryptographers from Belgium: Joan Daemen of
Proton World International and Vincent Rijmen, a postdoctoral researcher
in the Electrical Engineering Department (ESAT) of
Katholieke Universiteit Leuven.
Not only is the US liberalizing crypto exports, but now it's actually
"importing" foreign technology into the US, where it will become
an vital part of the information infrastructure.
As Peter G. Neumann
humorously pointed out during the Cryptographers' Panel at the RSA
Conference 2001: "Pandora's cat is out of the barn and the genie
doesn't want to go back in the closet." He was echoing the comments
of many others. After years of complaints about government interference,
the crypto business is now relatively free to expand worldwide.
Backed by venture investments and an expanding market of target
devices that require encryption, the prospects are bright for the
still fledgling encryption software business, which even has a cool
new cipher to hack around with.
Perhaps the brightest assessment at the Cryptographers' Panel was
delivered by Whitfield
Diffie. Diffie is the grandfather of modern computer security.
He staked his claim in computing history when he first developed
the idea of public key cryptography in his living room one afternoon
in May 1975. Along with his colleague Martin Hellman, Diffie sparked
a revolution that pulled the field of cryptography from its military
roots into the light of day. Now a distinguished engineer at Sun
Microsystems, Diffie has been deeply involved in crypto-politics
for the past 25 years.
Diffie sees the AES as a vindication. "As a veteran of the arguments
that surrounded the adoption of DES," Diffie explains on Sun's web
site, "I am also delighted with the openness and international character
of the AES process. The selection of an algorithm designed by Europeans
as a US standard shows our recognition that protecting information
is no longer merely a national issue but one that affects everyone
in the world."
Diffie told the RSA crowd: "We can't secure ourselves by ourselves.
We can't go it alone."
Of course, it's doubtful that Diffie or anyone else would maintain
that every battle has been won in the crypto wars. The US export
control regulations, though liberalized, are still in place, including
the requirement that US crypto vendors report on their overseas
sales. Strong crypto could mean strong privacy, but one doesn't
necessarily lead to the other. Our privacy and our fundamental right
to be left alone erode each day, strong crypto or no.
Despite the infusion of cash and energy into the encryption software
and computer security markets, many security solutions are expensive
and difficult to implement, especially those based on public key
infrastructures, and others are struggling to be born (like Microsoft's
Encrypting File System).
Perhaps it's better to say that the battle has been won but the
war won't be over until there's strong crypto everywhere -- protecting
every last filesystem, device, message, and every last bit of data
-- in a world where privacy is both guarded and respected.