70 likes | 235 Views
Encryption Export Controls in the US. Preliminary Research. Overview of Encryption Technology. Use of mathematical algorithm (called ciphers) to scramble bits of data. Operation of the algorithm (encryption or decryption) requires the use of a key (string of characters).
E N D
Encryption Export Controlsin the US Preliminary Research
Overview of Encryption Technology • Use of mathematical algorithm (called ciphers) to scramble bits of data. • Operation of the algorithm (encryption or decryption) requires the use of a key (string of characters). • The length of the key, measured in bits (number of digits in the key), can be used as an approximation of the strength of an encryption program. • Public Key Encryption (developed in 1974) uses 2 keys, which are mathematically related : • The public key is available to anyone and is used to encrypt a message to a particular user. • The private key is know only to the individual user and is the only one that can be used to decrypt the message. • This system can be symmetrically used to authenticate the sender (digital signature). Encryption Export Controls in the US
History of Encryption Regulation • Goal of encryption public policy : to create an infrastructure that guarantees the government’s ability to decode encrypted messages. • Before 96, 40-Bit limit : • Regulation of encryption under Arms Export Control Act of 1976 (AECA). The International Traffic in Arms Regulation (State Department) used to class encryption as “munitions”. • Exportation of encryption software with key of more than 40-Bits and accessible to government is possible after approval of ITAR. Regulation by Commerce Department as a “dual-use” product. • Attempts to impose a standard (Clipper I, II and III, and Key Recovery Plan), with escrow of critical key information, failed. • In 1996, regulation that allows exportation of products with up to 56-Bit keys if development of key recovery procedure. Restrictions on interoperability, source code, re-export of technology, assistance to foreign nationals. Encryption Export Controls in the US
History of Encryption Regulation • In 1998, export control liberalization measure : • Allows export of up to 56-Bit encryption after one time review. • Allows export of products with unlimited bit-length • to US subsidiaries worldwide (except some cases). • to online merchants in 45 countries for client-server applications, banks, health and medical organizations, financial companies and insurance companies (with or without key recovery). • Allows export of products that support key recovery after one-time review to grant license. • In beginning 2000, the Bureau of Export Administration publishes an interim rule that liberalizes the export controls. • In 2001, although the Export Administration Act (EAA) was supposed to expire, President Bush decided to maintain the US system of export controls on advanced technology under International Emergency Economic Powers Act (IEEPA). Encryption Export Controls in the US
The Debate over Export Controls • Government advocates a “balanced” approach : • Needs of individual privacy, business. • Needs of public safety, national security. • But the regulator’s view does not maintain the constitutional balance : • First Amendment (free speech) • Fourth Amendment (gives right to search for incriminating message, with a warrant, not to forbid encryption) • “Cost” of export controls ($60 billion per year, and 200.000 jobs) is not balanced by benefits to law enforcement : • Weaker domestic and international security due to low availability and cost of strong encryption. • Takeover of encryption innovation by foreign competitors. • Ease of evading export controls and key-recovery mechanisms. Encryption Export Controls in the US
The Key Recovery Scheme • Is of little use to private sector as a “Key Management Infrastructure” : • Keys can be self-escrowed. • To store vast quantity of secret keys info is dangerous. • Key Recovery Infrastructure is implausible : • High cost of development (estimates : $5-100 billion / year). • Amount of keys and communication would “overflow” system. • Delay factor in real-time communications. • Dangers of government abuse • Normally action of US government is restricted by Fourth Amendment, but historically disregarded. • Espionage by foreign governments which participate in Key Recovery Infrastructure. Encryption Export Controls in the US
Conclusions • With or without Key Recovery option, the Export Controls policy apparently has major flaws : • Networks are instantaneous and control can be evaded easily. • Markets demand simple, cheap, universal security solutions. • The policy drives encryption innovation overseas and underground, thus making law enforcement harder. • The cost of pursuing such policy for US is hard to estimate, since there are a lot of “opportunity” costs. • A comparative analysis with countries which have liberalized encryption export and where businesses develop and use encryption technologies could allow to make an estimate. Encryption Export Controls in the US