The subject and practice of cryptography has rarely been free of controversy in recent history. For the last decade, the US Government, the self-appointed policeman of the world, has been struggling with the issue of how to ensure that it will be able to read messages sent by criminals or hostile governments. Its policies have set it at odds with much of the US computer industry, and with the rest of the world. After abandoning attempts to force manufacturers to use the Clipper chip in all their products a cryptographic device to which it held the keys it is now intent on discouraging ‘strong’ encryption, where the cryptography technology used is greater than 40-bits in length.

By Nat Tunbridge

That means that a software encryption product such as F-Secure from Finnish company Datafellows is classed as ‘munitions’ by the US Department of Commerce. It can be developed for use within the US and it can be imported from overseas, but it cannot be exported. In the words of one analyst, It’s driving the US software industry batty, because they have a technology that the rest of the world would like to use but they can’t export it. The policy is proving very beneficial to companies outside America, which can develop strong encryption products using the same algorithms and processes as their American counterparts, but without being held back by the US export laws. A lot of US companies feel they have a handicap and that they’re losing business to overseas companies, says Ari Hypponen, director of development for Datafellows, a 44-strong privately-owned encryption company that has done work for NASA and MCI. Along with companies such as Ireland’s Baltimore Systems and Canada’s Entrust, Datafellows is taking advantage of the restriction to make inroads into the encryption market. If big corporations want to choose a product that will let them do secure business globally, they’ll go outside the US, says Hypponen, we’ve ended up with two markets. The absurdity of the US position is becoming increasingly apparent, as foreign companies are able to sell their products globally and re-invest the profits to develop yet stronger encryption technology. It is no coincidence that the UK, Israel, Canada, Ireland and Finland all now boast encryption centers of excellence. The situation is exacerbated by the very trends that are driving the uptake of cryptography. Extranets and virtual private networks (VPNs) require cryptography to guarantee message security, but they also extend across nations. A product from a European company can give strong encryption protection for all of a company’s offices worldwide, not just those in the US. A global company doesn’t want separate solutions in different countries, says Alan Liddle, a cryptography expert with US supplier Trusted Information Systems. They want a single solution which they can apply across the board. Liddle notes that US companies are tackling the restriction in different ways. Microsoft’s approach has simply been to use weaker cryptography in its products. Some companies, however, have been allowed to export software up to 56-bits in strength, once they have agreed to the government’s policy of ‘key escrow’. This means a user’s data can be unlocked by keys that it gives to government-approved organizations. Companies which have chosen to go this route include Netscape, Digital Equipment and Trusted Information Systems.

DWF alternative

An alternative to key escrow is differential work factor (DWF), a methodology being explored by IBM subsidiary Lotus. The company’s Domino product uses 56-bit cryptography, but Lotus has overcome the export ban by agreeing to take 16 bits of the cryptography present in it and giving this data to the US Government. This means the amount of work required to crack the cryptography is lessened by 16 orders of magnitude. In spite of all this effort, there are questions as to the efficiency of the solutions these vendors are offering. Strong encryption is not strong, says Bruce Tobor, internet security expert w

ith Bloor Research, 56- bit encryption has just been broken by a bunch of college kids in Japan. This, say suppliers, also underlines the absurdity of attempting to limit the allowed bit-length to 40 bits.

Computer Business Review.