Busy days on the cryptography front


Network World, 02/01/99

France is giving up, Deep Crack strikes again and the Feds seem to
partially get it. Encryption is in the news again, and the implication is
that many organizations should review their data security policies.

France has long been quite antagonistic toward encryption, with most
domestic uses of encryption technology outlawed. The only
permitted mechanisms involve mandatory key escrow, in which the
government gets to keep a copy of the encryption key.

So it came as quite a shock when the government of France two
weeks ago proposed to eliminate all controls on the use of encryption
within the country. The announcement specifically pointed out that
good, strong cryptography is essential to protecting the
confidentiality of communication and to privacy. The announcement
said it is futile for the government to try to keep encryption
technology away from criminals because it is just too widely
available.

Meanwhile, the Electronic Frontier Foundation's Deep Crack
special-purpose crypto key breaker put in an impressive showing.
Working with 100,000 PCs on the Internet, the key breaker took less
than 23 hours to find the secret key that encrypted a test message
using the U.S. standard encryption algorithm, Data Encryption
Standard (DES).

The U.S. Department of Commerce just recommended abandoning
DES and is proposing Triple-DES instead. In its draft proposal
(http://csrc.nist.gov/fips/dfips46-3.pdf), the Commerce Department
admits that it "can no longer support the use of single DES for many
applications."

The department also states that "Single DES will be permitted for
legacy systems only."

This comes a few weeks after the U.S. government relaxed, but did
not eliminate, controls on the export of cryptographic technology
from the U.S. (www.bxa.doc.gov/Encryption/1231ERC.htm).

The underlying message in these stories is that good crypto is
important to good data and network security. The U.S. government
claims to be quite worried about the security of the Internet.

The U.S. Department of Justice has just created a program to fight
attacks on data networks in response to a call by the President's
Commission on Critical Infrastructure Protection (www.pccip.gov/).
But this same government recently persuaded 32 other countries to
extend the Wassenaar Arrangement, adding new restrictions on the
export of cryptographic technology to many parts of the world. The
U.S. government has not yet determined what the French
government has, namely that restrictions only ensure that the bad
guys have good access to the good guys' information.

The lesson of all of the above is that anyone using DES or any other
encryption that employs keys shorter than 128 bits should start
planning to migrate to something stronger, such as Triple DES. And
if the data is very valuable, the plan should be fast-tracked.

Disclaimer: Fast-track and Harvard do not belong in the same
sentence, so the above must be my observations.