The following text is copyright 1999 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

Busy days on the crypto front

by Scott Bradner

France is giving up, Deep Crack strikes again and the Feds seem to partially get it. Encryption is in the news again and the implication is that many organizations should review their data security policies.

France has long been quite antagonistic towards encryption, with most domestic uses of encryption technology outlawed and the only permitted mechanisms including mandatory key escrow, where the government gets to keep a copy of the encryption key. Thus it came as quite a shock when the government of France proposed two weeks ago to eliminate all controls on the use of encryption within the country. The announcement specifically pointed out that good, strong cryptography is essential to protect the confidentiality of communication and for privacy, and that it was futile for the government to try to keep encryption technology away from criminals; it is just too widely available.

Meanwhile, the Electronic Frontier Foundation's Deep Crack, a special-purpose crypto key-breaking machine, working together with 100,000 PCs on the Internet, was able to find the secret key used to encrypt a test message with the US standard encryption algorithm, DES, in less than 23 hours.

In a not unrelated story, the US Commerce Department just recommended abandoning DES and is proposing Triple-DES instead. The draft Commerce Department proposal (http://csrc.nist.gov/fips/dfips46-3.pdf) admits that they "can no longer support the use of single DES for many applications." They also state that "Single DES will be permitted for legacy systems only."

This comes a few weeks after the US government relaxed but did not eliminate controls on the export of cryptographic technology from the US. (http://www.bxa.doc.gov/Encryption/1231ERC.htm)

The underlying message in these four stories is that good crypto is important to good data and network security. The US government claims to be quite worried about the security of the Internet. The Department of Justice has just created a new program to fight attacks on data networks in response to a call by the President's Commission on Critical Infrastructure Protection (http://www.pccip.gov/). But this same government recently persuaded 32 other countries to extend the Wassenaar Arrangement, adding new restrictions on the export of cryptographic technology to many parts of the world. They have not yet figured out what France has, namely that such restrictions only ensure that the bad guys have good access to the good guys' information.

The lesson of all of the above is that anyone who is using DES, or any other encryption with keys shorter than 128 bits, should start planning to migrate to something stronger, such as Triple DES, and if the data is very valuable the plan should be fast-tracked.
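To put numbers behind that lesson, here is an added example (not part of the column, and not a Network World or EFF tool) that turns the Deep Crack result quoted above into a key-search rate and then asks how long the same attacker would need against longer keys, and how many key bits are needed to outlast a given data lifetime. It assumes, conservatively, that the whole 56-bit key space was covered in the 23 hours (the key was actually found before the sweep finished, so the real rate is somewhat higher), and it counts nominal key bits only; the names, the ten-year data lifetime and the "broken / migrate / adequate" labels are this example's own.

```python
# Added example: exhaustive key search cost versus key length, scaled from the
# DES Challenge figure in the text (56-bit DES key found in under 23 hours by
# Deep Crack plus ~100,000 Internet PCs). All numbers are estimates.

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# Figures taken from the column above.
DES_KEY_BITS = 56
DEEP_CRACK_HOURS = 23


def keys_per_second(key_bits: int, hours: float) -> float:
    """Search rate implied by sweeping all 2**key_bits keys in `hours`.

    Assumption: the whole key space was covered. The real attack stopped
    when the key turned up, so this understates the attacker's speed and
    therefore overstates the time needed against longer keys (conservative
    for the defender's planning, not for the attacker's).
    """
    return 2 ** key_bits / (hours * SECONDS_PER_HOUR)


def worst_case_years(key_bits: int, rate: float) -> float:
    """Years to try every key of a key_bits-bit cipher at `rate` keys/s.

    On average the key is found after about half of this time; each extra
    key bit doubles the figure.
    """
    return 2 ** key_bits / rate / SECONDS_PER_YEAR


def bits_needed(rate: float, lifetime_years: float) -> int:
    """Smallest key length whose full sweep outlasts `lifetime_years`
    against an attacker running at `rate` keys/s (ignoring speed-ups
    from hardware improvements over that period)."""
    keys_in_lifetime = rate * lifetime_years * SECONDS_PER_YEAR
    bits = 0
    while 2 ** bits <= keys_in_lifetime:
        bits += 1
    return bits


def assess(key_bits: int, rate: float, data_lifetime_years: float) -> str:
    """Label a key length the way the column's advice suggests.

    'broken'   - the attacker can sweep the key space while the data still
                 matters, so migration should be fast-tracked;
    'migrate'  - survives this attacker for now but is under the 128-bit
                 threshold the column recommends, so plan a migration;
    'adequate' - at or above 128 bits.
    (Labels and the 128-bit threshold follow the text; the rest is an
    assumption of this example.)
    """
    if worst_case_years(key_bits, rate) <= data_lifetime_years:
        return "broken"
    if key_bits < 128:
        return "migrate"
    return "adequate"


if __name__ == "__main__":
    rate = keys_per_second(DES_KEY_BITS, DEEP_CRACK_HOURS)
    print(f"implied search rate: {rate:.3g} keys/s")
    # Nominal key lengths: 40-bit exportable ciphers, DES, two-key and
    # three-key Triple DES, and the 128-bit line the column draws.
    for bits in (40, 56, 64, 80, 112, 128, 168):
        years = worst_case_years(bits, rate)
        print(f"{bits:4d}-bit key: {years:12.3g} years to sweep "
              f"-> {assess(bits, rate, 10.0)}")
    print(f"key bits needed to outlast 10 years of data: "
          f"{bits_needed(rate, 10.0)}")
```

The point the table makes is that the problem is exponential, not incremental: at the Deep Crack rate a 64-bit key falls in under a year, while anything at or above the column's 128-bit line is out of reach by an astronomical margin, which is why the advice is to migrate now rather than wait for the next demonstration.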

disclaimer: Fast-Track and Harvard do not belong in the same sentence so the above must be my observations