Securius Newsletter

April 20, 2001
Volume 2, Number 3
http://www.securius.com

The War is Over

By Seth Ross

The computer security industry is not noted for cheery celebrations and smiles. But there was a lot to celebrate and smile about at last week's RSA Conference 2001 held in San Francisco: the venture capital money has been flowing; the industry is prospering; the trade show floor was bustling with a record number of vendors and attendees; and, most importantly, the war between the crypto community and the US federal government has wound down to détente and mutual accommodation.

For the last 20 years, the US crypto industry has been held back by several regulatory difficulties. Even as the worldwide demand for encryption technology was booming, the US maintained strict export controls, making it extremely difficult if not impossible to export strong encryption software. Under the International Traffic in Arms Regulations, strong crypto was tightly regulated as a munition, classified alongside chemical and biological weapons, firearms, and missile technology as an item that could not be freely exported from the US.

Even worse, the federal government was impeding the development of strong crypto standards by promoting DES (pronounced "dez"). First adopted by the federal government in 1977, the 56-bit DES algorithm was widely deployed over the next 20 years to protect sensitive online applications, despite concerns about its small key size and possible back doors.

Throughout the 1990s, numerous organizations, businesses, and individuals resisted government attempts to contain strong crypto and promote weak crypto, ranging from RSA Data Security and the Electronic Frontier Foundation (http://www.eff.org) to the Cypherpunks, a high-volume electronic mailing list dedicated to crypto-anarchy.

In the late 1990s, RSA Data Security sponsored a series of DES-cracking contests to highlight the need for encryption stronger than the 56-bit standard widely used to secure both US and international commerce. Each year, a secret DES-encrypted message was broken faster and faster, culminating in 1999, when DES fell in 22 hours.

Fast forward to the new millennium. The Clinton Administration liberalized the crypto export regulations twice in 2000: once in January and then again in October. While the regulations are still in place, they're far less burdensome: it's now legal, for example, to export encryption products with larger keys and to publish open source crypto on the Internet.

In October 2000, the National Institute of Standards and Technology (NIST) selected an Advanced Encryption Standard (AES) to replace DES: the Rijndael (pronounced "Reign Dahl", "Rain Doll", or "Rhine Dahl") algorithm. The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium: Joan Daemen of Proton World International and Vincent Rijmen, a postdoctoral researcher in the Electrical Engineering Department (ESAT) of Katholieke Universiteit Leuven.

Not only is the US liberalizing crypto exports, but now it's actually "importing" foreign technology into the US, where it will become a vital part of the information infrastructure.

As Peter G. Neumann humorously pointed out during the Cryptographers' Panel at the RSA Conference 2001: "Pandora's cat is out of the barn and the genie doesn't want to go back in the closet." He was echoing the comments of many others. After years of complaints about government interference, the crypto business is now relatively free to expand worldwide. Backed by venture investments and an expanding market of target devices that require encryption, the prospects are bright for the still fledgling encryption software business, which even has a cool new cipher to hack around with.

Perhaps the brightest assessment at the Cryptographers' Panel was delivered by Whitfield Diffie. Diffie is the grandfather of modern computer security. He staked his claim in computing history when he first developed the idea of public key cryptography in his living room one afternoon in May 1975. Along with his colleague Martin Hellman, Diffie sparked a revolution that pulled the field of cryptography from its military roots into the light of day. Now a distinguished engineer at Sun Microsystems, Diffie has been deeply involved in crypto-politics for the past 25 years.

Diffie sees the AES as a vindication. "As a veteran of the arguments that surrounded the adoption of DES," Diffie explains on Sun's web site, "I am also delighted with the openness and international character of the AES process. The selection of an algorithm designed by Europeans as a US standard shows our recognition that protecting information is no longer merely a national issue but one that affects everyone in the world."

Diffie told the RSA crowd: "We can't secure ourselves by ourselves. We can't go it alone."

Of course, it's doubtful that Diffie or anyone else would maintain that every battle has been won in the crypto wars. The US export control regulations, though liberalized, are still in place, including the requirement that US crypto vendors report on their overseas sales. Strong crypto could mean strong privacy, but one doesn't necessarily lead to the other. Our privacy and our fundamental right to be left alone erode each day, strong crypto or no.

Despite the infusion of cash and energy into the encryption software and computer security markets, many security solutions are expensive and difficult to implement, especially those based on public key infrastructures, and others are struggling to be born (like Microsoft's Encrypting File System).

Perhaps it's better to say that the battle has been won but the war won't be over until there's strong crypto everywhere -- protecting every last filesystem, device, message, and every last bit of data -- in a world where privacy is both guarded and respected.

Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.