Forwarded From: Nicholas Charles Brawn <ncb05at_private> 05Nov98 CANADA: THE KEY TO ENCRYPTION - EVER HEARD OF TRUSTED THIRD PARTIES AND CLIPPER CHIPS? SOME see them as the ultimate line of defence against hackers, industrial spies, terrorists and cyber-criminals. Opponents view them as little short of a totalitarian threat in the computer age. But have you ever heard of Trusted Third Parties? And did you know that Tritheme, a small affiliate of the French electronics giant Thomson-CSF, became the world's first commercial Trusted Third Party in late September? Does it matter? Yes. Few outside the worlds of computer technology and cryptography know much about Trusted Third Parties or realise to what extent the debate about them has divided the corporate community, inflamed privacy advocates and stirred law enforcement and intelligence agencies. Trusted Third Parties did not appear on the agenda of talks on electronic commerce in Ottawa attended early this month by ministers from the 29 members of the Organisation for Economic Co-Operation and Development (OECD, the club of the world's better-off nations). But they discussed them when considering ways to tighten the security of communications on the Internet. The 'Clipper Chip' looked good The Trusted Third Party system originated in the United States as a result of the Clinton administration's failure to persuade American computer manufacturers to install the so-called 'Clipper Chip' in their hardware as a way of helping American law-enforcement and intelligence agencies fight organised crime or terrorism. Devised by the National Security Agency, the 'Clipper Chip' was to have given the authorities a 'back door' into all American-built computers so that they could monitor the communications - encrypted or otherwise - of suspected criminals. When the computer industry, civil libertarians and legislators threw up their arms in horror over the potential abuses of the 'Clipper Chip', the Clinton administration switched to proposing a "key recovery system" that would provide another way for investigators to gain access to data communications. This worked by making it compulsory for those using encryption to store the 'private keys' that encrypt and decrypt messages with commercial Trusted Third Parties. These would be required to turn keys over to the authorities when presented with a court order; the keys would enable the Federal Bureau of Investigation and other law enforcement agencies to read a suspect's encrypted mail. Private and public How does it work? When the armed forces, police or banks use encryption on closed-circuit networks, they employ 'private keys'. However, when a bank wishes to send an encrypted message to someone outside the system or receive an encrypted message from outside the system, a dual-key system involving a 'public key' and a 'private key' comes into play. The sender uses the receiver's 'public key' code to transmit the message while the recipient employs its 'private key' to decode it. The sender does not know the code on the recipient's 'private key'. The 'public key' system was invented in the United States over 20 years ago and American firms such as RSA still largely dominate the market for public-private key software (known technically as asymmetric cryptography). Paradoxically, the companies which make the software now stand in the forefront in warning about the dangers of key recovery systems, saying Trusted Third Parties would not only be subject to government snooping but also to unending attacks by hackers. Senders and receivers wanted to rely on their own high-tech security systems. Result: the Clinton administration has failed to win acceptance of compulsory TTPs as it failed with the 'Clipper Chip'. Failure, too, has dogged American efforts to curb the export of state-of-the-art encryption software. The fear is that criminal gangs or terrorists might obtain and use encryption systems that would defy code-breakers from the FBI or the NSA. As a result, the administration had long banned American firms from exporting complicated software with a 'key length' of over 48 bits. Under pressure from industry, however, it increased the limit to 56 bits, enabling villains to send or receive messages much harder to decrypt. Psst! You want 256 bits? Specialists dismiss this ban as a waste of time, pointing out that villains can buy encryption software with 'key lengths' of up to 256 bits on the domestic market and take it home in a briefcase. Snubbed at home, the Clinton administration has gone abroad to marshal support for 'key recovery systems' from governments and international organisations. Working on the assumption that convincing foreigners to adopt Trusted Third Parties would give it a better chance of introducing them at home, the United States tried to persuade the OECD to accept the system last year. It failed again. However, the administration found two allies in Britain and France. Indeed the French, advocates of state control over most aspects of national life, have become the first to approve a law paving the way for Trusted Third Parties; Britain has come out in favour of a voluntary TTP system. Predictably, Germany is hesitating. The United States has made some headway in persuading its North American neighbours, Canada and Mexico, to set up 'key recovery centers'. The French will be first In the past, the use of encryption in France was illegal save by the government and banks - yet most of the country's big corporations used it. Under the new law, all encryption users except government services and the military are obliged to store their 'private keys' with commercial Trusted Third Parties. Big firms such as Bull, Compagnie des Signaux and Thomson - following its Tritheme affiliate - are bidding to operate as Trusted Third Parties because the financial stakes are enormous: they will be able not only to sell to their clients the encryption software that goes with the 'key' but also to charge handsome fees for managing the customer's 'keys'. As for the United States, the administration looks unlikely to win legal power to force American industry to use a 'key recovery system'. That may please civil libertarians but it could prove costly. The law enforcement lobby had hoped "key recovery" would give it a shortcut in the fight against cyber-criminals and organised crime. Without that shortcut, the cost of such crime can only increase. FOREIGN REPORT 05/11/1998 -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:08 PDT