Banks May Benefit from Call for Stronger Encryption

Technologists at banks with large overseas operations have drawn encouragement from a National Research Council report suggesting that businesses be allowed stronger forms of data encryption.

In the May 30 report, the council - a 16-member panel of business executives, technologists, and defense experts assembled at the request of Congress - proposed liberalizing government restrictions on encryption.

The finding could pave the way for banks to make a wide variety of computer transmissions more secure.

"The report went further than anyone in the government or the privacy community thought it would," said Kawika M. Daguio, federal representative for the American Bankers Association in Washington.

"All of us support the use of broader cryptography," added Colin Crook, Citicorp's chief technology officer and a member of a research council committee. "There is an inevitable force at work, and the U.S. can't control it. This report will set the tone for managing the transition."

The banking industry was among the first in the private sector to use cryptography - the scrambling of messages according to complex mathematical algorithms - beginning in the 1970s.

A recent controversy over access to strong encryption arises from a U.S. government policy that has classified the technology as a "munition" that must be kept away from military adversaries and terrorists.

Although financial transactions are generally exempt from encryption restrictions, bankers advocate more freedom in the market. They complain that government officials often refuse their requests for international use of applications with strong cryptography - and give no reasons for their decisions.

Technology experts are especially concerned about the vulnerability of older cryptographic formulas to increasingly powerful personal computers and workstations. The computing speeds of these machines could let an expert hacker try every possible key until finding the right one, which deciphers the target message.

Current law forbids the export of hardware and software in which the cryptographic keys exceed 40 computer digits, or bits.

Hackers have succeeded in cracking 40-bit keys, however. And the research council's report proposed liberalizing export restrictions to allow 56-bit keys, which are employed in the Data Encryption Standard, or DES, widely used by the financial industry.

"That is the standard that is most available, and that most people are using," said Mr. Crook. "The recommendation was based around its being a market standard."

At 56 bits, a key is 65,536 times stronger than at 40 bits. But many cryptographers believe it is only a matter of time before hackers and their workstations catch up to the 56-bit length.

"We would like to be able to use the strongest cryptography appropriate to what we are protecting, perhaps triple-DES, or to know why we are not going to be permitted to," said Mr. Daguio.

"Our position is that anything that would help improve the security of the communications between customers and banks is a good thing," he said.

Triple-DES is a 162-bit variant that uses a three-part sequence of encrypting, decrypting, and encrypting again.

The National Security Agency has rebuffed bankers' attempts to use Triple-DES. Because the NSA has not explained its reasons, industry experts speculate that it wants to retain the ability to crack private-sector codes using the agency's fabled computing power.

The research council report also proposed continual updating of the level of high-powered cryptography available for export, but so far even the recommendation to liberalize to 56-bit DES has not been well received by the Clinton administration.

Vice President Al Gore said July 12 that more liberal export controls were contingent upon industry acceptance of "key escrow," a requirement that users of strong cryptography leave their keys with "trusted third parties" who would give them up when proper law enforcement warrants were issued.

The research council objected to key escrow, as have most strong-encryption advocates.

"In the past, this debate has been carried out behind closed doors," said Kenneth W. Dam, a professor of law at the University of Chicago and chairman of the panel.

"Thirteen of our 16 members received security clearance, and we received very detailed briefings" about key escrow, he said. "It helped us, but it didn't affect our recommendations."

Yet the council's report accepted some restrictions on higher-power cryptography, and it charted a middle course between national security interests and those of the software industry, which wants to be free to export strong systems in competition with what is available overseas.

"The report provided a middle ground for discussion between the views that cryptography is a free speech matter and cryptography is a munition and is dangerous," said Mr. Daguio. "It added another voice in the middle besides the banks."

The policy arm of the National Academy of Sciences and National Academy of Engineering, the research council met for 23 days to iron out a consensus.

"Individuals and businesses want to feel secure," said Mr. Crook. "They want to feel that we can authenticate information that can't be tapped. As we begin to participate in the broader world of electronic commerce, it is only natural that all institutions, and not just banks, will want to provide secure transactions."
