Cracking the codes

A debate is brewing over government control of cryptography techniques that business argues are essential to the growth of electronic commerce

Electronic commerce in Canada, already growing at a furious pace, could be stopped in its tracks by governments worried about protecting their citizens from criminal activity.

The growth of electronic commerce using the Internet and other communications networks has been fuelled by improving techniques to protect the security of digital transactions.

But security or cryptography techniques are becoming so sophisticated that governments here and in the United States are worried criminals could use them to hide information from law enforcement agencies, agencies that may not have the resources or skills to crack such sophisticated security measures.

Governments, however, are under increasing pressure from the computer and information technology industry to loosen up cryptography controls.

The industry maintains the ability to protect digital data is far more important to a national economy than what they say are exaggerated threats to national security.

The debate in the U.S. will spill over this spring into the mainstream media. A group called Americans for Computer Privacy will launch an advertising blitz within the next few weeks that it hopes will put pressure on the American government to liberalize cryptography laws.

Two attempts last year to introduce legislation in the U.S. Congress that would loosen up cryptography controls were scuttled by intense lobbying efforts by the FBI and the White House.

In Canada, the debate is just beginning to heat up. Last month, the federal government released a discussion paper on cryptography, the first step before any legislation might be introduced.

"I don't think there is any doubt that Canadian law-enforcement officials will want a crypto system in which they can access information in anyone's e-mail, on an encrypted cell phone, or files which have been encrypted on a disk", Internet expert and author Jim Carroll said in a recent message posted to an Internet discussion group. "Of course, this begs the question of whether Canadians will want them to have it."

Canadians can respond to the discussion paper by the end of April.

The resolution of the issue will affect not only domestic electronic commerce but could affect Canada's international competitiveness in software development and electronic commerce.

Electronic Frontier Canada, an organization set up to protect freedom of expression in cyberspace, argues Canadians need to be able to protect their communications with whatever cryptographic measures they feel comfortable with and it shouldn't be up to any government to decide which locks Canadians can use and which ones they can't.

"Because of its importance in facilitating both private personal communications and secure electronic commerce, Electronic Frontier Canada supports the widespread use of strong cryptographic techniques", says a policy paper released in August by EFC founders David Jones and Jeffrey Shallit, computer science professors at McMaster University and the University of Waterloo respectively.

"Canadian government intervention, in the form of regulation of encryption products and services would very likely do more harm than good", they wrote.

Cryptography is the general term applied to various techniques used to protect electronic data. One common technique uses long alphanumeric codes to disguise and hide data, a technique used in encryption/decryption software and in digital signatures.

The strength of these codes is related to the number of pieces or bits in the code.

In July 1997, it took 78,000 computers hooked together via the Internet 96 days to crack a message encrypted with a key that was 56 digits long.

There are 16 characters used in such codes: 1 through 10, then A, B, C, D, E, F. The set is referred to as a hexadecimal set because it uses 16 separate characters.

On Jan. 13, 22,000 volunteers using 50,000 computers hooked to the Internet began work trying to crack a tougher 56-bit hexadecimal key.

They succeeded last Thursday, 40 days after the start.

The computers used what hackers call the brute force method to crack the code: They literally set out to test each and every one of the 72 quadrillion possible key combinations in a 56-bit hexadecimal code.

As it turns out, the 22,000 volunteers had to crunch their way through only 61 quadrillion, 254 trillion combinations before hitting the right one.

A quadrillion is a one with 15 zeros after it or 1,000 times bigger than one trillion, which is itself 1,000 times bigger than 1 billion.

Some cryptographers argue that, with little more than $200,000 worth of specialized computer hardware, a lucky and bright hacker could break a 56-bit key within hours. So far, there has been no public evidence of that being accomplished.

Experts say it would take the 78,000 computers 67 years to crack a secret key algorithm using a 64-bit key and well over 13 billion times the age of the universe for those computers to crack a 128-bit key.

Canadian banks that allow customers to complete transactions over the Internet use 128-bit encryption to hide customer data while it travels between the bank and the customer's home computer.

Each extra bit in the key, incidentally, doubles the amount of time it takes today's computers to crack the code.
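The doubling described above can be measured directly on keys short enough to search in full, then scaled with the figures quoted in this article. The following is an added example, not part of the original article; the toy cipher is constructed for illustration (it is not the cipher used in the challenges), and all function names are hypothetical.

```python
import hashlib

def keyspace(bits):
    """Number of distinct keys for a key of `bits` bits."""
    return 2 ** bits

def toy_encrypt(key, bits, data):
    """Constructed toy cipher: XOR with a SHA-256-derived keystream.
    XOR is its own inverse, so the same call also decrypts."""
    stream = hashlib.sha256(key.to_bytes((bits + 7) // 8, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def brute_force(ciphertext, known_plaintext, bits):
    """Try every key in order; return (key, trials) for the first match."""
    for trials, key in enumerate(range(keyspace(bits)), start=1):
        if toy_encrypt(key, bits, ciphertext) == known_plaintext:
            return key, trials
    return None, keyspace(bits)

def worst_case_trials(bits):
    """Search for the last key in the space: the full-keyspace cost."""
    secret = keyspace(bits) - 1
    plaintext = b"constructed sample message"
    ciphertext = toy_encrypt(secret, bits, plaintext)
    key, trials = brute_force(ciphertext, plaintext, bits)
    assert key == secret
    return trials

def scaled_years(bits, base_bits=56, base_days=96):
    """Scale the article's figure (96 days for a 56-bit key) to `bits`."""
    return base_days * 2 ** (bits - base_bits) / 365.25

def fraction_searched(keys_tried, bits=56):
    """Share of the keyspace covered before the key was found."""
    return keys_tried / keyspace(bits)

if __name__ == "__main__":
    for bits in (10, 11, 12, 13):
        print(f"{bits}-bit key: {worst_case_trials(bits)} trials")
    print("56-bit keyspace:", keyspace(56))
    print("64-bit key, years:", round(scaled_years(64), 1))
    print("128-bit key, years:", f"{scaled_years(128):.2e}")
    print("share searched:", round(fraction_searched(61_254 * 10**12), 2))
```

Run as a script, it shows the trial count doubling with each added bit, reproduces the 67-year estimate for a 64-bit key, and shows that the volunteers covered about 85 per cent of the 56-bit keyspace before finding the key.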

And while computers are constantly being improved, experts believe it will be at least a decade before a single computer will be able to crack a 56-bit code in a reasonable amount of time.

To export 56-bit encryption or higher, U.S. software makers must receive a special licence and agree to give law agencies access to the secret codes.

Canada's export controls on software are relatively permissive but because of U.S. restrictions, Canadian firms often follow American regulations to maintain access to that market.

Those American export restrictions, some say, are a competitive disadvantage for both the Canadian and U.S. economy.

But others say that's a small price to pay for giving the state the ability to combat terrorist and criminal activity.

Governments, they say, either need a skeleton key that unlocks any encrypted data or message or they need to restrict the kinds of encryption software that citizens can use so the codes can be broken if required by governments.

Giving a government or third party the keys to a particular code is called key escrow.

Without key escrow or other encryption controls, some lawmakers say the bad guys could electronically transmit criminal information, distribute child pornography in an encrypted form, or launder money using online banking systems.

Groups in Canada and the U.S. like Electronic Frontier Canada, however, say such scenarios are unlikely exaggerations.

"Key escrow . . . (is) comparable to the government demanding that every Canadian be required to deposit copies of keys to their residence at their local court house in order to facilitate police entry should suspicion of a criminal act arise."

"The privacy rights of 30 million Canadians and the legitimate business interests of Canadian companies have in conducting secure electronic commerce should not be set aside because law enforcement officials can imagine an unlikely scenario in which their investigation would be made more difficult", says the EFC policy paper.

"Our view is that there is a far greater risk to individuals, businesses, and the government if we are unable to effectively prevent criminals from gaining unauthorized access to our records and communications."

Without the ability to use strong cryptography techniques, some say electronic commerce will never flourish because neither vendors nor buyers will have any assurances that their transactions are confidential, secure, and authentic.

