Canadian Press
Thursday, March 5, 1998

Keeping it Secret

Feds try to get a grip on encryption policy

by Jennifer Ditchburn

OTTAWA (CP) -- Encrypting messages and codebreaking seem like something out of a war movie -- the military specialist hunched over a pile of papers pressing a pair of headphones to his ears.

In reality, the average person uses cryptography nearly every day when using a bank or credit card at an automatic teller.

And now that more people are using the Internet and wanting to conduct business transactions in cyberspace, the demand for the privacy that data encryption provides is exploding.

A new policy framework on cryptography, released last week by Industry Canada's task force on electronic commerce, addresses the challenge of balancing business interests with the need for public security and privacy.

Helen McDonald, director general of policy development for the task force, said Canada needs a stance on cryptography to remove some of the uncertainty that surrounds the complex technology.

Society is clamouring for more secure ways of doing business on the Internet, but those same techniques are also being used to hide criminal activity from prying eyes.

"You need to know what you're going to do, even if you're not going to change anything", McDonald said. "As this growth rate accelerates, then what will be faced with?"

The cryptography industry is expected to grow to $750 million by the year 2000 in Canada, and approximately $5 billion worldwide.

The federal government is facing increasing pressure from industry to go easy on the regulations so as not to limit access to international markets.

Ottawa wants to establish a policy before a meeting of the OECD this October after collecting input from concerned parties.

The strength of cryptography is measured in bits, with the international data encryption standard at 56 bits. For now, Canadian regulation prevents companies from exporting cryptographic technology beyond that strength.

Last summer, it took 78,000 volunteered computers on the Internet 96 days to crack a 56-bit cryptographic key. A 64-bit key would take 67 years, a 128-bit key a millennium.

"It would be wonderful if it was completely deregulated", said Steven Baker, president and CEO of Chrysalis-ITS, a leading developer of data encryption technology.

Baker said he's worried European companies will start to get a leg up if Canada places too many restrictions on cryptography in the future.

"The government should be very practical in its approach to the extent that we not be disadvantaged."

But letting the market drive the standards for the encryption of stored data doesn't address the problem of digital crime.

Money laundering, terrorist communications, and tax fraud can go unnoticed with cryptography. And even if police track down a criminal, decoding evidence can be close to impossible in some cases.

"We have no way of accurately forecasting how large the problem may be, but we expect as electronic commerce becomes more widely used, those involved in criminal activities will also use that type of communication", said RCMP Staff Sgt. Ray Lamb, with the technical investigation services branch.

At the heart of the technology lies something called public key cryptography. Using the example of a contract being signed by two people, each individual would have two keys to the network -- one that is public (something like an e-mail address) and another that is private.

One person would send the encrypted contract over the network using the recipient's public key. The only way the recipient could open and thus decode the contract into text would be by using his or her private key.

But what if someone dies and doesn't leave behind their key? Or more importantly, how do police see what's stored inside a computer if they don't have access to this key?

The federal government -- as well as countries like the U.S. and Britain -- is examining ways for law enforcers to have access to secret keys without breaching privacy rights.

Options include establishing "trusted third parties" or "certification authorities", who could hold a copy of secret keys and turn them over only when presented with a valid search warrant.

"There will have to be some changes take place to allow us to have access to the data", said Lamb. "But whether or not legislative changes are required will obviously depend on the recommendations that are put forward to cabinet."

Quick Facts

A guide to some terms related to cryptography, a science for keeping data secure:

Digital keys:
A unique combination of ones and zeros used to encrypt, decrypt and verify digital data.

Secret key cryptography:
The same key is used to encrypt and decrypt data. Used in more secure environments such as banking systems.

Public key cryptography:
Two different but related keys are used. What is encrypted with one can only be decrypted by the other.

Digital signature:
Uses public key cryptography to digitally sign and verify a signed message. Used to verify the integrity of data or the authenticity of the sender of data.

Intelligible data, revealed after something has been decrypted.

Source: Industry Canada, OECD secretariat on electronic commerce.

Copyright © 1997 by Canadian Press. All Rights Reserved. Reprinted with permission.