In Encryption Politics, Some Good News for Bankers

Cryptography may be complicated, but the political divisions it has caused are anything but. Data encryption issues burst into mainstream business headlines this year precisely because of a clear conflict between government and private-sector interests.

While bankers, others in the corporate community, and consumer- privacy advocates were eagerly awaiting the designation of a replacement for the aging federal Data Encryption Standard, spy and surveillance agencies wanted to preserve their ability to decode messages when necessary for national security or law enforcement.

If the government got its way, and with the federal standard known as DES increasingly vulnerable to high-speed computers capable of breaking encryption codes, bankers would be uneasy about the exposure of trillions of dollars in wire transactions.

What was the financial industry to do? Say no to the government that regulates it?

It may not have to, thanks to advances in cryptographic technology and the power of market forces.

The answer, increasingly, is Triple DES - a variant on the standard that complicates and multiplies the steps necessary to break the codes and decipher a message.

"Everyone knows that DES is not enough," said Perry Metzger, president of Piermont Information Systems, a computer security consultant based in New York.

"Serious people are using Triple DES for everything from wire transfers to voice telephony," Mr. Metzger said.

This movement placed the banking and financial services community squarely in opposition to government intelligence agencies with which it has historically worked hand in hand on security matters.

The problem for the private sector was the government's advocacy of "escrow systems." The Clipper chip proposal would have allowed the government access, under restricted circumstances, to cryptographic keys held in escrow. Triple DES, virtually unbreakable and with no recourse to escrowed keys, was not acceptable to the agencies.

Times have changed since the early 1970s, when DES was co-developed by International Business Machines Corp. and the National Security Agency. The only major users of cryptography were banks and the military. The market for stronger encryption grew as academic scientists entered the discipline and inexpensive computing power made almost anyone a potential consumer of cryptography - or a hacker.

Ten years ago, trying to keep cryptography from getting too strong, the National Security Agency proposed to the banking industry the Commercial Comsec Endorsement Program, or CCEP. It included a method for the agency to keep copies of cryptographic keys.

The banking community rejected CCEP, and the idea went away until it was revived in the form of the 1993 Clipper initiative. It met a similarly critical response, for two reasons: Escrowed systems are relatively new to the discipline of cryptography; and financial institutions, among the biggest users of data encryption, are obligated to safeguard customers' privacy.

The years of controversy have seen the rise of ever cheaper and more powerful computers that can effect "brute force" attacks on data security. A study that eminent cryptographers published last January said 40-bit encryption keys - the bit length to which exported products were long restricted - were highly vulnerable to attack by relatively cheap hardware.

A 56-bit DES key was considerably harder to crack, but someone with access to the right combination of hardware in a large corporation could do it in minutes; an intelligence agency with a $300 million computer budget could do it in seconds.

"The initial investment (for a DES-cracking machine) is now down in the $300,000 range," Mr. Metzger said. "I am certain that some organizations have them.

"You can be sure that somewhere outside of Paris, one is in use by the French government," the consultant added. "You can be sure there is one at Fort Meade," the Maryland headquarters of the National Security Agency.

Mr. Metzger bemoaned the fact that the export control laws governing the movement of cryptographic technologies have made it difficult for financial service companies to secure communications between their domestic and overseas offices. Then there is the irony that the U.S. government's restricting of cryptography exports to the relatively weak 40-bit key length did not affect other parts of the world.

"Even if everyone believed he could trust his own government, he should not be in a position to have to trust the French," Mr. Metzger said.

Vocally, but circumspectly, the American Bankers Association is calling attention to its members' dilemma. Last year, the National Institute of Standards and Technology said it would not recertify DES for another five years, which requires the banks to come up with an alternative.

ABA legislative representative Kawika Daguio said banks need time to refit their infrastructure to whatever new standards emerge.

"There are well over 100,000 devices in the world using DES," Mr. Daguio said, referring to automated teller machines and credit card terminals. "You don't change them one at a time; otherwise they don't talk to each other."

This year, without the blessing of the National Security Agency, the financial community moved toward a standard specification for deploying Triple DES. The American National Standards Institute's X9.F1 committee, which governs financial transaction protocols, voted to go this route over vociferous opposition from the NSA's representative on the panel.

Approval of the specification is likely to hasten usage of Triple DES. But the technology is readily available. American and European products are well established - though those from the U.S. were hampered by the export controls.

Japan, meanwhile, is coming on strong with new cryptographic technologies, which are generally not subject to export control. Last summer the telecommunications company NTT released Triple DES chips that have been exported to more than a dozen countries.

Mr. Metzger contended there was no reason to wait to implement Triple DES. "My advice to bankers waiting for the government to act is to quit trying to be patriotic," he said. "Their business is at stake."

With the NSA still adamant in opposition, it remains to be seen how far the U.S. financial services industry will get before the government intervenes. Mr. Metzger said it was still "impossible to export anything that has any Triple DES."

A Senate science and technology subcommittee hearing last summer on a bill to loosen the export controls provided a glimpse into the government's motivations. Under questioning by the bill's sponsor, Sen. Conrad Burns, R-Mont., FBI Director Louis Freeh said he would pursue a legislative ban on non-escrowed encryption systems if the strong, uncrackable cryptography be-came ubiquitous.

Could Mr. Freeh have been bluffing? Mr. Metzger didn't think so.

"They won't realize export controls don't work even after the dried, strangled corpse of the U.S. security software industry is laid before the Congress," Mr. Metzger said. "They will leave the manacles on the corpse long after it is obvious that the body isn't going anywhere."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER