Soon we will all be using nearly transparent data encryption techniques for everything from electronic mail to digital voice communications. How will law enforcement agencies deal with this? The criminal element in society will be quick to jump on this new technology. Will public policy forbid encrypted communication? Will electronic mail services refuse to accept encrypted messages? Will courts be able to force us to reveal our encryption keys—under what circumstances? Would such disclosure of our encryption keys be considered self-incrimination under the Bill of Rights? Data encryption has the power to render all wiretaps useless. What then?
In order to even begin addressing these questions, we need to understand a little bit about the history of cryptography and how it is currently being used.
The Data Encryption Standard (DES) was developed in the mid-1970s under sponsorship of the National Institute of Standards and Technology (NIST). DES was designed for individual, commercial, and governmental users who did not require military-level encryption. The DES algorithm is conventional in nature; anyone holding the single cryptographic key can encrypt or decrypt messages.
Public key cryptography systems evolved about the same time as DES. Public key systems use a pair of keys—a public key and a private key—and messages encrypted in one key can be decrypted only with the other key. It doesn’t matter which key is used for encryption, only that its companion key must be used for decryption. Public keys are widely distributed, allowing messages to be encrypted and decrypted without either originator or recipient ever revealing their private keys.
Digital signatures can be used to “sign” or authenticate an electronic message or document using a public key encryption system like PGP. The recipient is given the digitally signed material and is informed that it came from the originator. The recipient uses the originator’s public key to verify the digital signature. If the verification is successful, the recipient knows that the message did, indeed, come from the originator and hasn’t been altered in any manner since it left the originator.
Current law in the United States forbids the export of software or hardware products that provide cryptographic protection using keys larger than 40 bits. 40-bit key cryptographic systems have been demonstrated to be vulnerable to attack. In practice, this tends to prevent strong cryptographic tools from being used in the United States as well, since almost all manufacturers find it economically unfeasible to produce two versions of the same product: one with strong cryptography for domestic use and a separate product with weak cryptography for export.
In mid-February 1997, a team of programmers based in Switzerland cracked a 48-bit encryption code in thirteen days in response to a challenge sponsored by cryptography vendor RSA Data Security. Previously, a 40-bit encryption code was cracked in less than four hours by a Berkeley graduate student. The 48-bit encryption code was approximately 256 times more difficult to crack than the 40-bit code because the number of possible key combinations increases by a factor of two for each bit.
In June 1997, a 56-bit encryption code was cracked. By the time you read this, a 64-bit key will likely have been cracked. And so on, and so on. Commonly available public key cryptography systems currently use keys as large as 4,096-bits.
Not content to wait for the U.S. legal system to catch up with technology, RSA Data Security has licensed its strong cryptographic technology to Japan’s Nippon Telegraph and Telephone Corporation (NTT). NTT built a strong cryptographic system around RSA technology, based on a two-chip set and began selling the system in early June 1996.
Article 21 of the Japanese Constitution specifically forbids wiretapping and NTT has already sold its chipset to customers in fifteen countries, including the United States. It’s reasonable, therefore, to assume that access to strong cryptography is available to virtually anyone on the planet with a computer and an Internet connection.
The NTT system uses a 1,024-bit public key system.