[ISN] Key to Encryption - Ever Heard of TTP and Clipper Chips?

From: mea culpa (jerichoat_private)
Date: Thu Nov 05 1998 - 04:57:34 PST


    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    
    05Nov98 CANADA: THE KEY TO ENCRYPTION - EVER HEARD OF TRUSTED THIRD
    PARTIES AND CLIPPER CHIPS? 
    
    SOME see them as the ultimate line of defence against hackers, industrial
    spies, terrorists and cyber-criminals. Opponents view them as little short
    of a totalitarian threat in the computer age. But have you ever heard of
    Trusted Third Parties? And did you know that Tritheme, a small affiliate
    of the French electronics giant Thomson-CSF, became the world's first
    commercial Trusted Third Party in late September? 
    
    Does it matter? Yes. Few outside the worlds of computer technology and
    cryptography know much about Trusted Third Parties or realise to what
    extent the debate about them has divided the corporate community, inflamed
    privacy advocates and stirred law enforcement and intelligence agencies. 
    Trusted Third Parties did not appear on the agenda of talks on electronic
    commerce in Ottawa attended early this month by ministers from the 29
    members of the Organisation for Economic Co-Operation and Development
    (OECD, the club of the world's better-off nations). But they discussed
    them when considering ways to tighten the security of communications on
    the Internet. 
    
    The 'Clipper Chip' looked good
    
    The Trusted Third Party system originated in the United States as a result
    of the Clinton administration's failure to persuade American computer
    manufacturers to install the so-called 'Clipper Chip' in their hardware as
    a way of helping American law-enforcement and intelligence agencies fight
    organised crime or terrorism. 
    
    Devised by the National Security Agency, the 'Clipper Chip' was to have
    given the authorities a 'back door' into all American-built computers so
    that they could monitor the communications - encrypted or otherwise - of
    suspected criminals. 
    
    When the computer industry, civil libertarians and legislators threw up
    their arms in horror over the potential abuses of the 'Clipper Chip', the
    Clinton administration switched to proposing a "key recovery system" that
    would provide another way for investigators to gain access to data
    communications. This worked by making it compulsory for those using
    encryption to store the 'private keys' that encrypt and decrypt messages
    with commercial Trusted Third Parties. These would be required to turn
    keys over to the authorities when presented with a court order; the keys
    would enable the Federal Bureau of Investigation and other law enforcement
    agencies to read a suspect's encrypted mail. 
    
    Private and public
    
    How does it work? When the armed forces, police or banks use encryption on
    closed-circuit networks, they employ 'private keys'. However, when a bank
    wishes to send an encrypted message to someone outside the system or
    receive an encrypted message from outside the system, a dual-key system
    involving a 'public key' and a 'private key' comes into play. The sender
    uses the receiver's 'public key' code to transmit the message while the
    recipient employs its 'private key' to decode it. The sender does not know
    the code on the recipient's 'private key'. 
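
    An added illustration (my own code, not from the article or the list): a textbook RSA key pair with the private key deposited at a Trusted Third Party, showing the public/private split just described and why the escrow holder, or anyone who compromises its key store, can read every message sent to that user. The toy primes and the boolean court-order check are constructed assumptions.

```python
# Added example, not from the article: textbook RSA with an escrowed private key.
# Toy-sized primes and a boolean "court order" are constructed for illustration;
# real keys use primes hundreds of digits long and a real legal process.
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as ((e, n), (d, n)) built from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public, m: int) -> int:
    """Sender needs only the recipient's public key; it never sees d."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    d, n = private
    return pow(c, d, n)


class TrustedThirdParty:
    """Holds a copy of each user's private key; releases it on a court order."""

    def __init__(self):
        self._escrow = {}

    def deposit(self, user: str, private):
        self._escrow[user] = private     # compulsory escrow, as in the proposal

    def release(self, user: str, court_order: bool):
        if not court_order:
            raise PermissionError("key release requires a court order")
        return self._escrow[user]


def demo() -> int:
    pub, priv = make_keypair(p=100003, q=104729)   # constructed toy primes
    ttp = TrustedThirdParty()
    ttp.deposit("bank", priv)
    c = encrypt(pub, 12345)                        # outsider encrypts to the bank
    assert decrypt(priv, c) == 12345               # bank decrypts with its own key
    released = ttp.release("bank", court_order=True)
    return decrypt(released, c)                    # escrow holder reads it too: 12345
```

Whoever controls the escrow store, legitimately or not, has the same decryption power as the key's owner; that single point of compromise is the risk the software vendors quoted below are warning about.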
    
    The 'public key' system was invented in the United States over 20 years
    ago and American firms such as RSA still largely dominate the market for
    public-private key software (known technically as asymmetric
    cryptography).  Paradoxically, the companies which make the software now
    stand in the forefront in warning about the dangers of key recovery
    systems, saying Trusted Third Parties would not only be subject to
    government snooping but also to unending attacks by hackers. Senders and
    receivers wanted to rely on their own high-tech security systems. Result:
    the Clinton administration has failed to win acceptance of compulsory TTPs
    as it failed with the 'Clipper Chip'. 
    
    Failure, too, has dogged American efforts to curb the export of
    state-of-the-art encryption software. The fear is that criminal gangs or
    terrorists might obtain and use encryption systems that would defy
    code-breakers from the FBI or the NSA. As a result, the administration had
    long banned American firms from exporting complicated software with a 'key
    length' of over 48 bits. Under pressure from industry, however, it
    increased the limit to 56 bits, enabling villains to send or receive
    messages much harder to decrypt. 
    
    Psst! You want 256 bits? 
    
    Specialists dismiss this ban as a waste of time, pointing out that
    villains can buy encryption software with 'key lengths' of up to 256 bits
    on the domestic market and take it home in a briefcase. 
    
    Snubbed at home, the Clinton administration has gone abroad to marshal
    support for 'key recovery systems' from governments and international
    organisations. Working on the assumption that convincing foreigners to
    adopt Trusted Third Parties would give it a better chance of introducing
    them at home, the United States tried to persuade the OECD to accept the
    system last year. It failed again. 
    
    However, the administration found two allies in Britain and France. Indeed
    the French, advocates of state control over most aspects of national life,
    have become the first to approve a law paving the way for Trusted Third
    Parties; Britain has come out in favour of a voluntary TTP system. 
    Predictably, Germany is hesitating. The United States has made some
    headway in persuading its North American neighbours, Canada and Mexico, to
    set up 'key recovery centers'. 
    
    The French will be first
    
    In the past, the use of encryption in France was illegal save by the
    government and banks - yet most of the country's big corporations used it. 
    Under the new law, all encryption users except government services and the
    military are obliged to store their 'private keys' with commercial Trusted
    Third Parties. Big firms such as Bull, Compagnie des Signaux and Thomson -
    following its Tritheme affiliate - are bidding to operate as Trusted Third
    Parties because the financial stakes are enormous: they will be able not
    only to sell to their clients the encryption software that goes with the
    'key' but also to charge handsome fees for managing the customer's 'keys'. 
    As for the United States, the administration looks unlikely to win legal
    power to force American industry to use a 'key recovery system'. That may
    please civil libertarians but it could prove costly. The law enforcement
    lobby had hoped "key recovery" would give it a shortcut in the fight
    against cyber-criminals and organised crime. Without that shortcut, the
    cost of such crime can only increase. 
    
    FOREIGN REPORT 05/11/1998
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:08 PDT