FITUG e.V.

Förderverein Informationstechnik und Gesellschaft

FBI wants 'software keys', 'back door' to encryption

------- Forwarded message follows -------
Date sent: Wed, 26 Sep 2001 09:05:39 -0400
To: cryptography@wasabisystems.com, Digital Bearer Settlement List <dbs@philodox.com>, dcsb@ai.mit.edu
From: "R. A. Hettinga" <rah@shipwright.com>
Subject: FBI wants 'software keys', 'back door' to encryption

http://www.siliconvalley.com/docs/news/svfront/050272.htm

------------------------------------------------------------------------

Opening encryption `back door' is problematic, experts say

SAN FRANCISCO (Reuters) - U.S. lawmakers may be asked to give the FBI a ``software key'' to encryption technology that would allow the agency to unlock secret Internet messages but experts warn the measure would impair commerce and violate privacy rights without deterring terrorism.

The devastating Sept. 11 hijacking attacks on New York and Washington have rekindled the debate over public use of powerful cryptography software, and some U.S. lawmakers have called for restrictions on the free and widely available technology used to scramble electronic communications.

Sen. Judd Gregg, a New Hampshire Republican, is seeking to include in an anti-terrorism bill backed by the Bush administration a requirement that a ``back door'' be installed in encryption products, a step that would essentially give law enforcement agencies a key to decode scrambled messages.

In the face of opposition from technology advocates, software vendors and privacy rights advocates, the Clinton administration backed off controversial proposals it had pushed during the 1990s that would have restricted widespread use of cryptography programs.

Many of the same experts and industry participants have registered their renewed opposition now, and some accuse law enforcement agencies of using the attacks as an excuse to push for previously rejected measures.

``It feels like deja vu. I thought we solved this problem,'' said Bruce Schneier, founder and chief technology officer at Counterpane Internet Security. ``Unfortunately, the FBI is doing a power grab and everything that was on their wish list for the last decade or so is back.''

Strong cryptography programs are not perfectly impenetrable but the scrambled messages they produce require a lot of computing power to decode. Encryption that includes the proposed ``back door'' for government use would be compromised and less useful for legitimate traffic, opponents said.

Privacy and computer security experts argue that solution would actually hinder law enforcement efforts and undermine legitimate electronic business.

``Having a good, strong crypto infrastructure in our country is part of what we need to combat terrorism,'' said Phil Zimmermann, creator of PGP (Pretty Good Privacy), the most popular encryption software used on the Internet. ``Strong cryptography does more good for a democratic society than harm, even if it can be used by terrorists.''

BAD GUYS SEEN UNDETERRED

So far, there has been no evidence that those responsible for the attacks on the World Trade Center and the Pentagon used encryption technology to scramble their communications.

Shortly after the attacks, investigators were quoted as saying they had reams of evidence from unencrypted e-mails and paper documents like car rental receipts and they speculated suspects weren't using encryption.

Unnamed officials were also quoted earlier this year saying they suspected Al Qaeda, the organization led by Saudi-born militant Osama bin Laden that the U.S. government has blamed for the attacks, was using a different method of obscuring communications known as ``steganography.'' Typically, steganographers hide messages in digital images.

``The bad guys aren't going to use (compromised encryption); they're going to use cryptography from other countries,'' said Zimmermann. ``Furthermore, other governments will use those back doors to repress their citizens.''

``These are people who have guns and bombs, who commit mass murder and they're not going to think twice about breaking a law against strong crypto,'' said Steve Bellovin, a researcher on network security at AT&T Labs.

Meanwhile, U.S. businesses and citizens would be at risk of having their legitimate communications intercepted by either human or technological error as a result of compromised cryptography programs, the experts said.

``If you are weakening the crypto systems you are weakening it for everybody, whether it's terrorists or VISA and MasterCard,'' said David Loundy, a professor at The John Marshall Law School in Chicago and incoming associate director for the Center for Information Technology and Privacy Law.

OPEN A BACK DOOR AND THE HOUSE COMES DOWN?

Additionally, modifying encryption software increases the likelihood of flaws, further making it less desirable for legitimate use in e-commerce, experts said.

``As more and more of our nation's critical infrastructure goes digital, cryptography is more important than ever and we need all the digital security we can get,'' Schneier wrote in an e-mail newsletter to be released next week.

For example, a bug was found after a so-called ``key recovery'' capability was integrated into a commercial version of PGP a few years ago.

The key recovery function was designed to allow corporations to access encrypted communications of employees in the event that one of the digital ``keys'' needed to unlock the code was lost.

``From my own experience, when you try to add those kinds of capabilities it increases the likelihood of flaws in the implementation,'' Zimmermann said.

# # #
