Wired News
Wednesday, September 16, 1998
4:00am, revised 9:45am

Feds Relax Encryption Rules

The Commerce Department finally eases its tight restrictions
on the export of strong encryption. But is it too little, too late?

by Niall McKay, niall@wired.com and James Glave, james@wired.com

The federal government today relaxed its controversial regulations strictly limiting the export of strong data-scrambling technologies. Critics say the decision is long overdue.

The Commerce Department will grant US security software companies the ability to export software containing the 56-bit Data Encryption Standard (DES) to 45 nations around the world.

Some privacy advocates are skeptical about the move.

"The devil is in the details", said Alan Davidson, senior counsel for the Center for Democracy and Technology, an Internet civil liberties group based in Washington. "While this move is good for US business, it does little to protect the privacy of the individual."

The new guidelines also permit the financial, medical, and health sectors, among others, to export very strong encryption with any key length.

However, export of encryption products is prohibited to the seven so-called "terrorist" nations: Iran, Iraq, Libya, Syria, Sudan, North Korea, and Cuba.

Wednesday's move comes as good news for Internet stores, such as Amazon.com, which will now be able to export strong encryption to protect online electronic-commerce transactions with their customers.

Encryption software vendors are singing a much different tune.

"This is a day late and dollar short", said Phil Zimmermann, who invented the Pretty Good Privacy encryption program.

"We needed to have 128-bit cryptography exportable years ago", he said. "That's what we needed to stay competitive in the world economy."

Until now, software companies wishing to sell products such as Web browsers or financial programs overseas were forced to use relatively weak 40-bit encryption. The policy was pushed by US intelligence and law-enforcement agencies to prevent international terrorists and hostile nations from communicating in secret.

However, the policy has been widely panned by Silicon Valley as a total failure that has only strengthened the overseas crypto market. For example, Baltimore Technologies, a Dublin, Ireland-based company, develops and sells powerful 128-bit encryption both inside and outside the United States.

By merely upping the strength of the exportable software from 40 to 56 bits, the government has hardly changed course, said Zimmermann.

"The Electronic Frontier Foundation (EFF) can crack [56-bit] DES."

In July, the EFF, a leading Internet free-speech advocacy group, cracked 56-bit DES in three days with a computer made for US$250,000, disproving government and law enforcement claims that it is secure.

Still, other crypto experts were encouraged.

"We very much welcome the move", said Jon Callas, a chief technical officer with Network Associates. "But of course we are going to want more: 56-bit encryption has been cracked."

"I think it is an excellent opportunity for the Commerce Department to upgrade its policy with the rapidly changing field of encryption", said California-based cryptographer Dave Del Toro.

Some 56-bit encryption technology has already left the country, with the government's blessing.

In February, Cylink, Digital Equipment, and Trusted Information Systems were allowed to export this technology on the condition that law enforcement be given the means to unlock the data.

"There shouldn't be a limit on exports", said Zimmermann. "Some parts of the government recognize the inadequacy of the current export limits. The fact that we have the Advanced Encryption Standard from [the National Institute of Standards and Technology] is recognition that we need advanced encryption for the economy, too."

Currently, the institute is reviewing submissions for algorithms that will form the Advanced Encryption Standard, a new cryptographic cipher that will replace the aging DES as the basis for all secure, non-classified government communications.

Critics point to the search for a replacement for 56-bit crypto as evidence that it is no longer sufficiently safe and, therefore, neither threatens law enforcement nor benefits electronic commerce.

Copyright © 1998 by Wired Digital. All Rights Reserved. Reprinted with permission.