See Also   Introduction   Encryption   SSL   SET   Smart Cards   Links   FAQ

In 1992, the Software Publishers Association reached agreement with the State Department to allow the export of software that contained RSA's RC2 and RC4 encryption algorithms, but only if the key size was limited to 40 bits as opposed to the 128 bit keys available for use within the US.

Since 1992 the speed and availability of computers has increased dramatically and although a 40 bit key would still take a considerable amount of time and computer power to "crack" it is now feasible to do so. It is still much easier and more productive though, for a thief to scan Internet traffic for un-encrypted credit card numbers than it is to try to find and "crack" encrypted ones. However as computers continue to grow in power the time to decrypt 40 bit codes will continue to drop and 40 bit keys may no longer be deemed secure enough for e-commerce transactions.

The US government has proposed several methods whereby it would allow the export of stronger encryption. These methods are all based on some sort of key escrow or key recovery system which would allow the law enforcement agencies to obtain a copy of a private key to enable it to decrypt messages.

An executive order - the Administration of Export Control on Encryption Products - came in to effect on January 1st 1997. This allows vendors to ship world-wide encryption products using 56 bit keys but only if they agree to add key recovery to their products within two years. However, there is considerable resistance within the industry to the use of key recovery systems because of the potential threat to corporate and individual privacy.

This resolution of this issue is widely regarded as vital to the future of global e-commerce.