Crypto-Grams #1-#4, from Americans for Tax Reform
[From Jim Lucier and Americans for Tax Reform. These have been faxed to the Hill all week, a different one each day. --Declan]

************

Attention, House Commerce Committee: Send this email to a friend in France, and you both could go to jail

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

The above two lines of code in the perl computer language implement the world-standard RSA encryption algorithm. They can handle an arbitrarily long key-length and encrypt a file of any size. Therefore, these 147 keystrokes constitute an ITAR-controlled munitions item for export purposes. A popular T-shirt at computer conventions has a similar version of RSA in machine readable bar-code form. The T-shirt is a munition too.

Sending this code in an email to a friend in France constitutes a go-to-jail federal offense for "exporting" a munitions item. Your friend in France may run afoul of local laws that ban cryptography except as approved by the French government. Fortunately, you are perfectly legal if you just write the code on a postcard.

The fact is, it requires no great programming skill to write tiny programs that produce very powerful encryption. There's one web site we know of that has about a dozen--and an ongoing contest to see who can write the smallest one. Over the next few days, Americans for Tax Reform will share with you some interesting encryption facts. On Friday, we will tell you where to find the "tiny encryption" contest.

If you took math at the middle school level and had access to a published algorithm, you could possibly write your own encryption program. The math is little more exotic than multiplication, prime numbers, factoring, and a little modular arithmetic, all of which were SAT questions. The basic principle is that multiplying two large prime numbers together is easy, whereas factoring their product to find the original input is hard.
This is the one-way function that makes public key cryptography possible. For a more complicated explanation with real mathematical notation, see the account published by Peter Wayner in the September 6 New York Times Cyber Times. Or you can get a textbook such as Bruce Schneier's Applied Cryptography, which is on the shelf at Border's Bookstore in downtown Washington, DC.

The bottom line is that public key encryption is no secret and has not been for quite some time. Trying to ban or control it serves no purpose. You might as well ban arithmetic. The House should pass H.R. 695, the Security and Freedom through Encryption (SAFE) Act, as approved by the Judiciary and International Relations Committees. The other bills need a reality check. Their mathematics simply does not add up.

For more information on cryptography, see Wayner's very accessible column in the New York Times Cyber Times at http://www.nytimes.com/library/cyber/week/090697patent.html, his July 29 New York Times op-ed about how the Framers of our Nation used cryptography, and his excellent reporting generally.

###

*****************

Attention, House Commerce Committee--Crypto-Gram #2: Bit length is irrelevant for export control purposes--the real test is prevailing market standards

Yesterday we disclosed that strong cryptography requires about the same level of skill from a computer programmer that building a hot rod requires from an auto mechanic--which is to say that any bright and industrious 19-year-old with cheap tools and a greasy set of Chilton's manuals can do it. What the final product lacks in finesse and aesthetic judgment, it more than makes up for in brute power.

Another thing we pointed out is that bit-length used in any cryptographic system is independent of the underlying algorithm. The code fragment we presented yesterday works equally well with 40, 128, 1024, 2048, and even 4096-bit keys. The only practical limit is where key lengths get too cumbersome to handle computationally.
This is not to put the strength of 1024-bit crypto, which is very secure, on the same level as 40-bit crypto, which is clearly not secure. Indeed, these days 40-bit crypto could theoretically be defeated by a well-planned high school science project incorporating a handful of $20 Field Programmable Gate Array (FPGA) chips. (Parents of boy and girl scouts seeking electronics merit badges, take note.)

The point is that anyone who can write 40-bit crypto into an application can just as easily write in 80 or 128-bit crypto. Either key length can work with exactly the same code. Thus by limiting key-lengths for export to 40 or even 56 bits, we do not prevent foreigners from learning the "secrets" of programming for longer key lengths. If foreigners can program any crypto at all, they can already program any key length they want.

So what limits key length for export purposes? Market choice. The computer world is already standardizing itself around 128-bit key lengths for several reasons. First, in binary terms, 128 bits is a round number. Second, given current technology, experts feel that 70 to 90 bits is about the range necessary to guarantee security without becoming unwieldy. Finally, looking toward the future the market discounts current standards to account for rapid technological growth and possible surprises. Therefore 128 bits is what buyers want and suppliers offer.

The Trusted Information Systems Website (www.tis.com) lists 1,393 sources of cryptography worldwide and many of the most popular are 128-bit. Siemens-Nixdorf, Brokat, and Expresso are all examples of popular European technology that competes with American products. The Europeans are perfectly capable of selling and creating 128, 256, and 512-bit cryptography on their own if buyers want it. If this is where the market is going, Americans should supply the products first.

*****************

Attention, Members of Congress from Ohio--Crypto-gram #3: You need the SAFE Act to Protect Your Phone

Cell phone communications are not secure. Any idiot would-be felon with a few hundred bucks and a modified Radio Shack police band scanner can intercept your calls and tape them for the New York Times--or the London tabloids, as both England's Prince Charles and Princess Diana learned to their sorrow.

Another big problem with cell phones is the cloning of numbers--when again modified police band scanners intercept non-encrypted analog cell phone numbers and steal the electronic identity (plus billing information) of the unwary caller. The thousands of telephone numbers stolen daily in this way give criminals an unlimited supply of cell phone numbers which they can use for free and switch rapidly to avoid detection. This is perhaps the biggest criminal telecommunications problem there is.

There are three solutions. First, pass more federal laws against it, which is ineffective. Second, put anti-cloning chips in cell phone handsets, which works until someone rips out the chips and solders over them. Or third, switch to digital cell phones with encrypted signals. This stops the problem cold.

Major U.S. manufacturers and designers make dandy digital cell phones, but they can't export their best products to fast-growing markets like Hong Kong because selling U.S.-made phones equivalent to the most popular cell phones already in use in Hong Kong would violate U.S. export controls. So the U.S. manufacturers, including one also in the email business, largely have to stay home and watch the competition make money.

But wait, there is more: even your best U.S. digital cell phone has a hole in it because the dumbed-down encryption mandated by the U.S. government happens to be flawed. You are probably okay with the cell phone of your choice, but you can't be sure.
Your political speech is literally on line with the encryption debate--plus your personal business, your financial records, and your medical information. It's impossible to build a mandatory backdoor into all communications with a sign on it that says "Uncle Sam with a search warrant only." If criminals know the backdoor is there, they will certainly discover where it is, what it looks like, and how to kick it down.

Other countries, such as France, with a stronger tradition of wiretapping than that of the U.S., are given to full-blown political scandals when collaboration between state-owned telephone companies and national intelligence services puts transcripts of sensitive conversations in papers like Le Monde. Just ask Charles Pasqua, who is not now President of France or a holder of high office due to precisely such an instance. Published reports have suggested that the Charles and Diana tapes resulted from security services checking up on the Royals.

Mr. Oxley from Ohio defends his dubious amendments to the Security and Freedom through Encryption (SAFE) Act on the basis that he simply wishes to defend the type of wiretaps he performed in his previous line of business. The problem is, Mr. Oxley does not represent the FBI in Congress; he represents the people of Ohio, digital and analog cell phone users alike. They may have different views.

*****************

On the 210th Anniversary of the U.S. Constitution--Crypto-gram #4: Celebrate the Constitution's Birthday: Pass SAFE

George Washington, Thomas Jefferson, James Madison, and the Founding Fathers routinely wrote letters in code. This is because in Colonial times letters were often intercepted, just as emails and cellular telephone calls are today. Jefferson actually designed his own encryption machine, using a method considered ingenious and effective even today. With company like this, it is no wonder that top libertarian and conservative opinion leaders are speaking out on encryption:

"...
We have a First and Fourth Amendment Right to speak in a manner of our own choosing and to be secure from government searches. Just as we have the right to speak in Spanish and Greek as well as in English on our computers, we have a right to speak in code on our computer or on our cell phone so that our messages will be private." Phyllis Schlafly, Washington Times August 12 1997.

"Congress should pass the SAFE Act sponsored by Rep. Bob Goodlatte and a host of Democrats and other Republicans. This bill is critical to protecting privacy on the Internet and to thwarting theft and industrial espionage... But Washington is gumming up the works. The Feds fear effective encryption because it might hobble their finding ways to tax on-line commerce." Steve Forbes, "Fact and Comment," Forbes Magazine, April 21, 1997.

"Now the Clinton Administration and supporters of S. 909 are doing their best to require that U.S. users of strong encryption give law enforcement officers access to their keys via a "key recovery" system. They might just as well demand that every family give the federal government a copy of the house keys, just in case the government ever needs them." Solveig Bernstein, Cato Institute, Washington Times, July 19, 1997.

"Nothing could be more perverse than to turn the power of the digital era to empower individuals into a more invasive means of government surveillance and control. I believe that the Administration's positions will not withstand Constitutional challenge. The question to ask is why ... we should waste our time and money pursuing something that, in a Jeffersonian sense, is so patently un-American and which, in the practical sense of Moore's Law, is simply wrong." George A. Keyworth, II, former Science Adviser to President Reagan, Progress and Freedom Foundation, Commerce Committee Testimony, September 4, 1997.

"The SAFE Act simply affirms traditional American Constitutional principles that Americans should be free 'in their persons and possessions from unreasonable searches and seizures,' and they should be allowed to conduct their legal business with a minimum of interference from the state. These are indeed truths which we should hold self-evident." Grover Norquist, Americans for Tax Reform, Judiciary Committee Testimony, March 20, 1997.

###

-------------------------
Declan McCullagh
Time Inc.
The Netly News Network
Washington Correspondent
http://netlynews.com/