The Ottawa Citizen
Friday, August 23, 1996

Going cryptic on the Net

Battle Plan: Security is the chief bugbear of business on the Internet. This concern is bringing cryptology, a wartime art pioneered in ancient Greece, into the profitable forefront of the computer industry.
by Brad Evenson

Executives at Green Line Investors Services liked their new WebBroker trading system. But would thieves like it, too? Determined to find out, they paid the best high-tech safecrackers to break into their computer network.

For a month, a firm of "ethical hackers" that tests so-called computer firewalls threw its best efforts into the attack. After all, Green Line expects 80,000 of its customers to use the Internet to make stock trades on WebBroker when the product is rolled out in September. So the company was taking no chances that its secret codes could be unravelled.

How did it do? Green Line officials aren't keen to elaborate.

"I think it's just best if we say that we passed the test", said David Sypher, manager of electronic delivery systems. Another senior official, Steve Gesner, went further: "When you have people whose sole task it is to burn holes through your system, you pay great attention to their recommendations."

Security is the chief bugbear of business on the Internet, scaring off potential clients by the busload. In addition, most private citizens dislike the thought of hackers - or the police - pawing through their Internet e-mail without permission.

This concern is bringing cryptology, a wartime art pioneered in ancient Greece, into the profitable forefront of the computer industry.

Scrambling the message

In 400 B.C., Spartan military commanders would send each other strips of leather with a scrambled message. The message could only be deciphered by wrapping the strip around a special baton. The basic idea hasn't changed in 2,400 years, except today Canadian companies such as Nortel's Entrust, not Spartans, are leaders in the $2-billion field.

"We're at least two years ahead of anyone else", says Shauna White, marketing director at Entrust.

Many knowledgeable Internet users already encrypt their communications, as do banks and the military. Soon, encrypting messages will become as routine to most computer users as checking for e-mail.

But that is raising serious problems for law-enforcement agencies and governments that still consider secret codes a military tool. After all, deciphering Japanese and German transmissions helped turn the tide of the Second World War.

The export of encryption software, which converts a document into an undecipherable code, is considered so sensitive to Canada's interest, it is treated the same as guns or tobacco. It cannot be exported to such countries as Iraq and Libya; the law considers this as serious as smuggling weapons. American laws are stricter still: Only encryption that U.S. authorities know how to decipher can be exported.

"Generally, (export) restrictions are there to make sure subversive or terrorist organizations don't get these products", says White.

It takes Entrust four to six weeks to get an export permit from the Foreign Affairs Department, which reviews each international sale. The company's products, licensed by IBM this month for the computer giant's software, are already in use on Wall Street and within the federal government.

The scrambling of Internet e-mail or digital telephone calls into a meaningless string of digits and letters may make communication secure, but it also pulls the plug on a valuable tool of police agencies: wiretapping.

"When cell phones first came on the market, there was no place (for police) to put on their little alligator clips and listen", says David Jones, spokesman for Electronic Frontier Canada, a lobby group.

Coding phone calls?

Dismay turned to glee when police realized a radio scanner could pick up cell-phone calls. But now that digital telephone service is set to arrive soon, it becomes possible to encrypt phone calls as easily as e-mail.

That worries the police. The RCMP and Canadian Association of Chiefs of Police want some kind of "back door" that would allow them to decrypt telephone and e-mail communication they intercept by wiretapping.

In the U.S., the Federal Bureau of Investigation supports the need for such a decryption tool with claims that wiretaps have allowed it to thwart terrorist activity and to cement prosecutions.

But when the Clinton administration tried to introduce a voluntary encryption standard, known as the Clipper Chip, that would have allowed the FBI and National Security Agency to decrypt all communications, business and privacy advocates shot it down. The initiative was dropped.

Some powerful programs

In Canada, citizens are free to use whatever form of encryption they wish.

Among the most popular is a powerful program called Pretty Good Privacy, available for free over the Internet. Computer users all over the world use it, including dissident groups in the former Soviet Union and China. Among its most attractive features are ease of use and its structure, known as public-key infrastructure.

By next year, six federal Canadian departments will use a $7-million, public-key system developed by Entrust and the top-secret Communications Security Establishment to encrypt their e-mail and document systems.

So how powerful is this stuff?

Over the past two years, companies such as Netscape have had numerous, well-publicized problems with college students poking holes in their browser security system. Each year, hackers make 250,000 attempts to get into U.S. military computers.

Sypher says the company uses a 128-bit key version of Netscape encryption, which is thousands of times more impenetrable than the 40-bit key system that was cracked.

"You need several years with supercomputers, in theory, to crack a 128-bit (key) session, and then even if you do decipher one of those sessions, it's going to be two years after the fact", adds Gesner.

Gesner says hackers continually probe the company's computer "firewall", a system designed to keep them out. "As soon as you put up a firewall and advertise the (Internet) address, people try ringing the bell", he jokes.


Copyright © 1997 by Southam News. All Rights Reserved. Reprinted with permission.