
[FYI] (Fwd) FBI wants 'software keys', 'back door' to encryption

------- Forwarded message follows -------
Date sent:      	Wed, 26 Sep 2001 09:05:39 -0400
To:             	cryptography@wasabisystems.com,
	Digital Bearer Settlement List <dbs@philodox.com>, dcsb@ai.mit.edu
From:           	"R. A. Hettinga" <rah@shipwright.com>
Subject:        	FBI wants 'software keys', 'back door' to encryption



Opening encryption `back door' is problematic, experts say

SAN FRANCISCO (Reuters) - U.S. lawmakers may be asked to give the FBI
a ``software key'' to encryption technology that would allow the
agency to unlock secret Internet messages but experts warn the measure
would impair commerce and violate privacy rights without deterring

The devastating Sept. 11 hijacking attacks on New York and Washington
have rekindled the debate over public use of powerful cryptography
software, and some U.S. lawmakers have called for restrictions on the
free and widely available technology used to scramble electronic

Sen. Judd Gregg, a New Hampshire Republican, is seeking to include in
an anti-terrorism bill backed by the Bush administration a requirement
that a ``back door'' be installed in encryption products, a step that
would essentially give law enforcement agencies a key to decode
scrambled messages.

In the face of opposition from technology advocates, software vendors
and privacy rights advocates, the Clinton administration backed off
controversial proposals it had pushed during the 1990s that would have
restricted widespread use of cryptography programs.

Many of the same experts and industry participants have registered
their renewed opposition now, and some accuse law enforcement agencies
of using the attacks as an excuse to push for previously rejected

``It feels like deja vu. I thought we solved this problem,'' said
Bruce Schneier, founder and chief technology officer at Counterpane
Internet Security. ``Unfortunately, the FBI is doing a power grab and
everything that was on their wish list for the last decade or so is

Strong cryptography programs are not perfectly impenetrable but the
scrambled messages they produce require a lot of computing power to
decode. Encryption that includes the proposed ``back door'' for
government use would be compromised and less useful for legitimate
traffic, opponents said.

Privacy and computer security experts argue that solution would
actually hinder law enforcement efforts and undermine legitimate
electronic business.

``Having a good, strong crypto infrastructure in our country is part
of what we need to combat terrorism,'' said Phil Zimmermann, creator
of PGP (Pretty Good Privacy), the most popular encryption software
used on the Internet. ``Strong cryptography does more good for a
democratic society than harm, even if it can be used by terrorists.''


So far, there has been no evidence that those responsible for the
attacks on the World Trade Center and the Pentagon used encryption
technology to scramble their communications.

Shortly after the attacks, investigators were quoted as saying they
had reams of evidence from unencrypted e-mails and paper documents
like car rental receipts and they speculated suspects weren't using

Unnamed officials were also quoted earlier this year saying they
suspected Al Qaeda, the organization led by Saudi-born militant Osama
bin Laden that the U.S. government has blamed for the attacks, was
using a different method of obscuring communications known as
``steganography.'' Typically, steganographers hide messages in digital

``The bad guys aren't going to use (compromised encryption); they're
going to use cryptography from other countries,'' said Zimmermann.
``Furthermore, other governments will use those back doors to repress
their citizens.''

``These are people who have guns and bombs, who commit mass murder and
they're not going to think twice about breaking a law against strong
crypto,'' said Steve Bellovin, a researcher on network security at
AT&T Labs.

Meanwhile, U.S. businesses and citizens would be at risk of having
their legitimate communications intercepted by either human or
technological error as a result of compromised cryptography programs,
the experts said.

``If you are weakening the crypto systems you are weakening it for
everybody, whether it's terrorists or VISA and MasterCard,'' said
David Loundy, a professor at The John Marshall Law School in Chicago
and incoming associate director for the Center for Information
Technology and Privacy Law.


Additionally, modifying encryption software increases the likelihood
of flaws, further making it less desirable for legitimate use in
e-commerce, experts said.

``As more and more of our nation's critical infrastructure goes
digital, cryptography is more important than ever and we need all the
digital security we can get,'' Schneier wrote in an e-mail newsletter
to be released next week.

For example, a bug was found after a so-called ``key recovery''
capability was integrated into a commercial version of PGP a few years

The key recovery function was designed to allow corporations to access
encrypted communications of employees in the event that one of the
digital ``keys'' needed to unlock the code was lost.

``From my own experience, when you try to add those kinds of
capabilities it increases the likelihood of flaws in the
implementation,'' Zimmermann said.

# # #

R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
------- End of forwarded message -------