A Rant about Cryptography and the U.S. Government

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear arms, shall not be infringed. -- Article II of the amendments to the U.S. Constitution

Let's survey the state of cryptography in the USA in 1997.

First, a refresher. The strength of a cryptographic algorithm is measured by the length of the key, in bits. Each additional bit multiplies by two the average amount of work needed to find the original, unencrypted text. Adding 20 bits makes a key over a million times tougher to crack. Adding 30 bits multiplies the difficulty by over a billion.

A good cryptographic algorithm doesn't depend on the secrecy of the algorithm; it depends on the length of the key. Good cryptographers don't trust algorithms they can't read.

What's available now to people seeking to use encryption? There are a few options. You could use DES, the government-defined Data Encryption Standard, but everyone agrees that it can be cracked reasonably easily. The key length is 56 bits, which by now is too short. A variant called Triple DES, which uses DES three times, has an effective key length of 112 bits. The algorithm is widely available and has been extensively analyzed.

Pretty Good Privacy is a free 128-bit encryption program originally written by Philip Zimmermann. It uses the MD5 message digest algorithm, 128-bit IDEA for message encryption, and RSA (in a variety of key lengths up to 2048 bits) to encode the IDEA session key. The source code to version 2.6.2 is available and has been subjected to scrutiny by a number of cryptographers. There is a new version available (5.0), but I do not know if the source code is available or has been reviewed by cryptographic experts.

Skipjack is an NSA-developed 80-bit key algorithm that is the heart of the U.S. government's "Clipper" initiative. The algorithm has been reviewed by some cryptographers outside the NSA, but details are not known.

There are a number of other algorithms out there, but DES and PGP are two of the most common.

U.S. Encryption Policy

The U.S. government does not want its citizens to use encryption that it cannot crack. To date, it has promoted this goal in several ways:

  • The Clipper chip. Mandated adoption of Clipper has been largely squashed due to pressure from the technical community, but the proposal occasionally resurfaces.

  • Export restrictions on encryption software. Software with encryption strength greater than 40 bits is classified "munitions" and must be specially licensed. (Yet, for some reason it is legal to export a book containing the source code to the algorithm!)

  • Legal action against people who publish, or seek to publish, encryption algorithms and software. For example, harassment of Philip Zimmermann over Pretty Good Privacy, and the recent restraint of publication of Daniel Bernstein's "Snuffle" algorithm.

  • Pressure on legislators to pass laws that restrict the use of encryption. This is most notable in recent proposals to create a "key recovery infrastructure". In a key recovery system, the government (or a third party) gets a copy of your encryption key. They're not supposed to use it without a warrant.

Here's why it won't work.

  1. I can use strong, 128-bit encryption now. It is freely available. It is a genie that is not going to go back in the bottle.

  2. I can use strong encryption even in a system with government-mandated key recovery, completely circumventing the whole system. All I have to do is to encrypt my message privately with an encryption program (such as PGP 2.6.2) that doesn't have built-in key recovery. Then I encrypt the message again with the government-approved algorithm with key recovery, and send it on its way. Even if it's intercepted and decrypted by the Feds, all they get is my (privately, strongly) encrypted message - and we're back to square one.

    The only way for a key recovery system to work would be to make all other encryption schemes illegal.

  3. Even if the government outlaws strong encryption in the USA, it will still be no farther than an Internet download away. We don't own the Internet; it spans the planet. There are plenty of non-USA locations that make strong encryption available. [In fact, a Russian site has contracted with Sun Microsystems to provide the encryption code that Sun can't legally export!]

    Also, as noted above, the source code to strong encryption has been exported with the government's approval. Would it become illegal to type this code in and compile it?

  4. Creating key escrow agents (government or private) creates an incredibly tempting target for malicious crackers. By its very nature, the key escrow system must be connected to the Internet. This is one of the fundamental mistakes in the design of a secure system: you should always keep systems with critical data off public networks. Instead, the most critical data of all will be transferred across the Internet at every moment. If you ever want to hand nefarious people a prime target, this is the way to do it.
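Point 2 above, worked through as an added example that is not part of the original essay: a message is sealed with a private key, sealed again with the escrowed key, and `escrow_view` returns what the recovery agent holds after removing the outer layer. The SHA-256 counter-mode keystream is a toy stand-in for both ciphers, and every name and the sample message are constructed; the byte-entropy measure shows the agent can tell the recovered payload is still ciphertext, but cannot read it.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample message (not from the essay).
SAMPLE = b"Meet at the usual place at nine. " * 128


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key | nonce | counter). Stand-in only."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a fresh random nonce; the nonce is prepended to the output."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Split off the 16-byte nonce and decrypt the remainder."""
    return keystream_xor(key, blob[:16], blob[16:])


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram: about 8.0 for ciphertext, far lower for text."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def escrow_view(message: bytes):
    """Return (what the recovery agent sees, what the intended recipient reads)."""
    private_key = os.urandom(16)   # shared only by sender and recipient
    escrowed_key = os.urandom(16)  # a copy sits with the key recovery agent
    inner = seal(private_key, message)       # layer without key recovery
    wire = seal(escrowed_key, inner)         # approved layer with key recovery
    recovered = unseal(escrowed_key, wire)   # agent strips the outer layer
    return recovered, unseal(private_key, recovered)


if __name__ == "__main__":
    agent_sees, recipient_reads = escrow_view(SAMPLE)
    print("plaintext entropy:", round(entropy_bits_per_byte(SAMPLE), 2))
    print("agent's recovered payload entropy:", round(entropy_bits_per_byte(agent_sees), 2))
    print("recipient recovers message:", recipient_reads == SAMPLE)
```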

Particularly scary are some recent actions by the Executive branch. They've attempted to add amendments to pro-encryption legislation that gut their meaning (e.g., the Oxley-Manton amendments to the Security and Freedom through Encryption ["SAFE"] Act). The director of the FBI has gone on record suggesting the regulation of the domestic use of encryption. This is ostensibly to fight the big bad guys: crime rings, drug cartels, terrorists, child pornographers, et cetera.

The FBI's arguments are disingenuous. There are always technical ways to get around restrictions on cryptography, such as steganography. A national key recovery system would catch those people who don't know much about cryptography, not people whose lives depend on it - like the Mafia, drug cartels, and spies. They already know how to protect themselves, and no legislative means will prevent them from doing so. It's just not possible to stop it now.

[Actually, the government's logic works against itself. The second amendment to the U.S. Constitution defines the right of the citizens to keep and bear arms. If strong encryption is classified "munitions", then I have a very strong case to use it. After all, what better arms are there to keep than ones that cannot explode?]

The bigger constitutional question has remained unasked throughout this debate. Precisely how much power should the government have to interfere in a citizen's private affairs? It's been held by the judicial branch that a citizen does not have to arrange his or her financial dealings to make things convenient for the IRS; analogously, there is no compelling reason to abridge citizens' right to privacy for the convenience of police.

The wording of the anti-encryption amendments has disturbing implications for our constitutional balance, and for citizens' right to privacy:

  • More power is given to the executive branch (i.e., police and FBI) than ever before to authorize and conduct covert surveillance. For example, a court order is not required to recover encryption keys, whereas it is for a wiretap.

  • Immediate notification of a citizen's key being retrieved by the government is not mandated. Even if an investigation were concluded, the government could still monitor that person's encrypted communication without their knowledge.

Let me make a final hypothetical case. If a hostile foreign government were overthrown by a freedom-loving group whose very lives depended upon their use of strong encryption, we as a nation would cheer. They would be heroes, and their use of crypto would be lauded. Now, doesn't it strike you as strange that the U.S. government doesn't want to allow its citizens, the (allegedly) most freedom-loving in the world, to use such a powerful tool for freedom? What kind of example is that to set?

I have strong encryption. I use strong encryption. I will continue to do so, law or no.

Bruce Schneier's Applied Cryptography was used as a reference for this essay.


Last updated 2 June 2000
http://www.rdrop.com/~half/Creations/Writings/Rants/Rants-Crypto.html
All contents ©1997-2002 Mark L. Irons