I especially like the part about DEEPCRACK and how because EFF knew that the message was in English that it doesn't really prove that the FBI can break 56bit DES encryption. --------------------------------------------------- http://www.infosecuritymag.com/sept/q%26a.htm Q & A WITH WILLIAM REINSCH Cryptos Key Man Commerce Undersecretary William Reinsch defends the governments encryption export policyeven though it puts him "in the hot seat." BY ANDY BRINEY Q: How would you characterize current U.S. cryptographic export policies? A: The President has consistently articulated a policy of balancebetween privacy, electronic commerce, law enforcement and national security. We believe all four elements are important, and were trying to produce a policy that takes all of them into account. But is it really possible to balance all these issues at the same time? We think so. Im not sure the industry agrees with us, and its not easy. The privacy issues involved have been discussed for 50 years in debates about wiretaps and law enforcement devices for intercepting phone conversations. Encryption poses some of the same issues: privacy vs. law enforcement. The country has come to terms with wiretaps over the years, and people still use phoneseven though, with proper court orders, theres the possibility that law enforcement could be listening in. We think well be able to arrive at the same common public understanding with encryption. But theres no question that getting there will be difficult. What kind of time frame are we looking at? Is the administration looking at releasing a "final" crypto export policy within the next three months? Six months? A year? The policy I articulatedone of balanceis based on implementations in the marketplace. We expect the market to develop the products we like, and we expect that there will be a demand for the products. We want to work through the market. What that means is, if the market turns in unexpected directions, we have to be ready to re-evaluate our policy. So I dont think youre going to see a "final" versionever. As long as the market moves and changes, our policy will be tweaked to accommodate whats happening. In the short run, however, the policy we are currently operating under expires January 1. Weve told industry we expect to revisit that policy this fall, and make judgments about whats going to happen after January 1. So weve committed to trying to come out with the next update, hopefully by Labor Day, although my expectation is it may take a little longer than that. Can you be more explicit about what this policy might entail? No. Because were not there yet. What has been the industrys reaction to current policy? Industry has been quite active, particularly with submitting key-recovery plans. We provide more liberalized export controls for companies that provide plans by which they will build key-recovery products. Weve approved some 55 plans nowwith a few more pending. I dont think theyre doing it just because the government asked them to; theyre doing it because they see a market. In addition, in the spring the FBI and the Justice Department asked companies to come in to see if a technical solution could be found to deal with these issues. Companies have done that, too. At the same time, of all the economic sectors in the country, this ones moving the fastest. Theres a real danger that, if we cant get our policy together and out there in the marketplace soon, we could be overtaken by events overseas. Recently, a panel was charged with developing a Federal Information Processing Standard (FIPS). One of this groups directives was to design a federal computer security system that includes back doorswhich they failed to do. Whats next for this panel, and for this issue? My understanding is that, at the request of a majority of the panels members, the Secretary [of Commerce] has extended their charter to the end of the year. The Secretary received a letter from the panel in which the majority felt they would be able to complete their work with additional time. However, they also said they werent entirely confident that at the end of the day it would be unanimous product. Even if it were possible to do key escrow on the scale the government is asking, would anyone willingly buy such a product knowing that stronger encryption products without back doors are available? To prevent this, wouldnt it be necessary to criminalize the domestic possession of stronger crypto? First of all, we havent supported the latter. Second, I think you need to look at this problem in pieces, not as a unitary problem. The pieces are: stored data, data in transit (such as e-mail) and voice communications. I would argue that with the first two of those pieces, theres going to be substantial demand in the market for the kinds of products that are helpful from our standpoint. For stored data, we see a demand for key recoverywere not using the term "key escrow" much anymore. Particularly in business and financial institutions, theres a demand for recovery products, because people want to be able to access employees data in the event of accidents or other such things. As for e-mail, the most significant development there was the announcement nine companies made in early July. Each of these companies submitted an application for a so-called "door bell" technology, which connotes a variety of means of recovery at the server level. What we see developing here is growing use of network encryptionas opposed to encryption at the PCfor secure transmission of messages. Employers will want that, for employee control purposes. From the standpoint of law enforcement, thats a happy development, because it creates two "third point" locationsthe senders server and the recipients serverthat are physically separate from the sender and recipient of the message. These points are often controlled by third parties, namely contractors running the system. So, with the proper court order, law enforcement could go to those third points and obtain plain-text access. What was your reaction to the Electronic Frontier Foundations cracking of DES in July? I think you have to contrast that situation, which was reasonably artificial, with the reality of law enforcement. In this case, it took a decent amount of resources to crack a specific message that, I believe, the people doing the crack knew was in English, and knew was one message. Now, if youre the FBI, think about that. From their standpoint, were talking about traffic that isnt so easily identifiable. It might be a long stream of encrypted material that theyre trying to intercept in real time; they dont necessarily know what language its in; they dont necessarily know what part of the message is of interest to them; and they dont know whether its words or text or graphics or what it might be. Telling the FBI that, under those circumstances, you can buy an expensive computer and crack one message in 56 hoursthats not a lot of comfort to the FBI. And it doesnt seem to me that it should make anybody in the private sector nervous about the security of 56-bit products. If thats the best were going to get56 hours for a single message decrypted by equipment most people dont have and arent ever going to havethat doesnt exactly mean that its an unsecured product. But it does illustrate a trend. As time passes, its taking fewer and fewer resources and less and less time to crack the same algorithm. In 1997, it took three months. In February, it took 39 days. Now, its one $250,000 computer and 56 hours. Whos to say in two more months it wont be cracked in an even shorter amount of time with even fewer resources? You can project that curve, and maybe youll be right. The immediate effect of that is that its going to accelerate a trend thats already begun anyway, which is toward 128-bit products. I think thats a trend that would have occurred regardless of this particular event. The technical people Ive talked to say that once you get beyond 90 or 100 bits, it doesnt make all that much difference because youre talking about brute-force cracking times that are beyond any real time that you can imagine. Obviously, the faster you can crack 56 bits, the faster you can crack 90 or 100. But since each successive bit doubles your time, by the time you get to 90, I think youre into thousands of years... But the question is, assuming that 90 is safe, wouldnt it then be prudent to have a policy that allows uniform export of 90-bit products without special dispensation? I dont think we expect to set bit-length requirements. We believe in the marketplace deciding what is secure and what is not. The government is not going to say that 90 is good or 128 is good But right now its saying 56 is sufficient. No, the government is saying that 56 can be exported under certain circumstances. What the government has also said is that if its a key-recovery product, it can be exported with any bit length without constraint. And thats what we would prefer to focus onto tell people, if youre product has recovery features, bit length doesnt matter. Thats the incentive. What happens if a key-recovery standard cannot be agreed upon? Is there a fallback plan? We are doing everything we can to encourage people to find it acceptable and to get the market to move in that direction. We think thats whats happening. So I dont think weve developed a Plan B in that sense. Can you discuss progress on the Advanced Encryption Standard (AES)? No. Im not particularly involved in that. I think you need to talk to some NIST or NSA people about that. ALSO Q: You seem to be the governments point man on encryption policy issues. Is that a function of your office, your background, or what? A: "Designated victim" is the term we use [laughs]. Actually, its a function of the office. An integral component of our policy involves export controls, and the BXA [Bureau of Export Administration] administers export controls of dual-use items for the government. So I end up in the hot seat. EDITORS NOTE: Next month, Bruce Schneier, author of the definitive text Applied Cryptography, will respond to Undersecretary Reinschs comments in a special Word in Edgewise article.