Enabling Technologies – Cryptography Export Restrictions

by Bill H.

What do a bomb and cryptography have in common? Under current US law, cryptography is classified as a munition, and the export of software programs that include cryptography is controlled by the Defense Trade Regulations. In general these regulations prohibit the export from the US of software that employs strong encryption, although there are some exceptions, for example for software used solely to encrypt financial data passed between approved banks.

In 1992, the Software Publishers Association reached agreement with the State Department to allow the export of software that contained RSA’s RC2 and RC4 encryption algorithms, but only if the key size was limited to 40 bits, as opposed to the 128-bit keys available for use within the US.

The security of an algorithm is dependent on the length of the key used. The longer the key, the more possible combinations there are and the longer it takes to “crack” the code: each additional bit doubles the number of keys an attacker has to try.

Since 1992 the speed and availability of computers have increased dramatically, and although a 40-bit key would still take a considerable amount of time and computer power to “crack”, it is now feasible to do so. It is still much easier and more productive, though, for a thief to scan Internet traffic for unencrypted credit card numbers than to try to find and “crack” encrypted ones. However, as computers continue to grow in power, the time to decrypt 40-bit codes will continue to drop, and 40-bit keys may no longer be deemed secure enough for e-commerce transactions.
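The scaling described in the two paragraphs above can be measured directly. The following is an added example, not part of the original article: it runs an exhaustive search against RC4 with a constructed 12-bit toy key, then extrapolates the measured rate to the 40-, 56- and 128-bit key sizes the article names. The key, plaintext and toy size are assumptions, and a pure-Python rate says nothing about dedicated hardware; only the ratios between key sizes carry over.

```python
import time

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def exhaustive_search(ciphertext: bytes, known_prefix: bytes, bits: int):
    """Try every key of `bits` bits in order; return (key, keys_tried)."""
    width = (bits + 7) // 8
    head = ciphertext[:len(known_prefix)]
    for k in range(1 << bits):
        if rc4(k.to_bytes(width, "big"), head) == known_prefix:
            return k, k + 1
    return None, 1 << bits

def worst_case_seconds(bits: int, keys_per_second: float) -> float:
    """Time to try the whole keyspace; each extra bit doubles it."""
    return (1 << bits) / keys_per_second

if __name__ == "__main__":
    TOY_BITS = 12                      # constructed toy size, not a real key length
    secret = 0xABC                     # constructed sample key
    message = b"constructed sample plaintext"
    ct = rc4(secret.to_bytes(2, "big"), message)
    start = time.perf_counter()
    found, tried = exhaustive_search(ct, message[:8], TOY_BITS)
    rate = tried / (time.perf_counter() - start)
    print(f"recovered {found:#x} after {tried} keys ({rate:,.0f} keys/s)")
    for bits in (40, 56, 128):         # key sizes named in the article
        years = worst_case_seconds(bits, rate) / (365 * 24 * 3600)
        print(f"{bits:3d}-bit keyspace at this rate: {years:.3g} years")
```

Whatever rate the machine achieves, the 56-bit figure is 65,536 times the 40-bit figure, and the 128-bit figure is 2^88 times it, which is why faster hardware erodes a 40-bit key long before it threatens a 128-bit one.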

The US government has proposed several methods whereby it would allow the export of stronger encryption. These methods are all based on some sort of key escrow or key recovery system, which would allow law enforcement agencies to obtain a copy of a private key so that they can decrypt messages.

An executive order – the Administration of Export Control on Encryption Products – came into effect on January 1st 1997. This allows vendors to ship encryption products using 56-bit keys world-wide, but only if they agree to add key recovery to their products within two years. However, there is considerable resistance within the industry to the use of key recovery systems because of the potential threat to corporate and individual privacy.

The resolution of this issue is widely regarded as vital to the future of global e-commerce.
