Cryptography

From New World Encyclopedia
Revision as of 22:04, 22 June 2007 by Robert Irwin (talk | contribs) (references, wording)
Previous (Crypt)
Next (Crystal)

Legal issues involving cryptography

Prohibitions

Cryptography has long been of interest to intelligence gathering agencies and law enforcement agencies. Because of its facilitation of privacy, and the diminution of privacy attendant on its prohibition, cryptography is also of considerable interest to civil rights supporters. Accordingly, there has been a history of controversial legal issues surrounding cryptography, especially since the advent of inexpensive computers has made possible widespread access to high quality cryptography.

In some countries, even the domestic use of cryptography is, or has been, restricted. Until 1999, France significantly restricted the use of cryptography domestically. In China, a license is still required to use cryptography. Many countries have tight restrictions on the use of cryptography. Among the more restrictive are laws in Belarus, Kazakhstan, Mongolia, Pakistan, Russia, Singapore, Tunisia, Venezuela, and Vietnam.[1]

In the United States, cryptography is legal for domestic use, but there has been much conflict over legal issues related to cryptography. One particularly important issue has been the export of cryptography and cryptographic software and hardware. Because of the importance of cryptanalysis in World War II and an expectation that cryptography would continue to be important for national security, many western governments have, at some point, strictly regulated export of cryptography. After World War II, it was illegal in the US to sell or distribute encryption technology overseas; in fact, encryption was classified as a munition, like tanks and nuclear weapons.[2] Until the advent of the personal computer and the Internet, this was not especially problematic. Good cryptography is indistinguishable from bad cryptography for nearly all users, and in any case, most of the cryptographic techniques generally available were slow and error prone whether good or bad. However, as the Internet grew and computers became more widely available, high quality encryption techniques became well-known around the globe. As a result, export controls came to be seen to be an impediment to commerce and to research.

Export Controls

In the 1990s, there were several challenges to US export regulations of cryptography. One involved Philip Zimmermann's Pretty Good Privacy (PGP) encryption program; it was released in the US, together with its source code, and found its way onto the Internet in June of 1991. After a complaint by RSA Security (then called RSA Data Security, Inc., or RSADSI), Zimmermann was criminally investigated by the Customs Service and the FBI for several years. No charges were ever filed, however.[3][4] Also, Daniel Bernstein, then a graduate student at UC Berkeley, brought a lawsuit against the US government challenging some aspects of the restrictions based on free speech grounds. The 1995 case Bernstein v. United States which ultimately resulted in a 1999 decision that printed source code for cryptographic algorithms and systems was protected as free speech by the United States Constitution.[5]

In 1996, thirty-nine countries signed the Wassenaar Arrangement, an arms control treaty that deals with the export of arms and "dual-use" technologies such as cryptography. The treaty stipulated that the use of cryptography with short key-lengths (56-bit for symmetric encryption, 512-bit for RSA) would no longer be export-controlled.[6] Cryptography exports from the US are now much less strictly regulated than in the past as a consequence of a major relaxation in 2000;[7] there are no longer very many restrictions on key sizes in US-exported mass-market software. In practice today, since the relaxation in US export restrictions, and because almost every personal computer connected to the Internet, everywhere in the world, includes US-sourced web browsers such as Mozilla Firefox or Microsoft Internet Explorer, almost every Internet user worldwide has access to quality cryptography (eg, using long keys at a minimum) in their browser's Transport Layer Security or SSL stack. The Mozilla Thunderbird and Microsoft Outlook E-mail client programs similarly can connect to IMAP or POP servers via TLS, and can send and receive email encrypted with S/MIME. Many Internet users don't realize that their basic application software contains such extensive cryptosystems. These browsers and email programs are so ubiquitous that even governments whose intent is to regulate civilian use of cryptography generally don't find it practical to do much to control distribution or use of cryptography of this quality, so even when such laws are in force, actual enforcement is often effectively impossible.

NSA involvement

Another contentious issue connected to cryptography in the United States is the influence of the National Security Agency in cipher development and policy. NSA was involved with the design of DES during its development at IBM and its consideration by the National Bureau of Standards as a possible Federal Standard for cryptography.[8] DES was designed to be secure against differential cryptanalysis,[9] a powerful and general cryptanalytic technique known to NSA and IBM, that became publicly known only when it was rediscovered in the late 1980s.[10] According to Steven Levy, IBM rediscovered differential cryptanalysis,[11] but kept the technique secret at NSA's request. The technique became publicly known only when Biham and Shamir re-rediscovered it some years later. The entire affair illustrates the difficulty of determining what resources and knowledge an attacker might actually have.

Another instance of NSA's involvement was the 1993 Clipper chip affair, an encryption microchip intended to be part of the Capstone cryptography-control initiative. Clipper was widely criticized by cryptographers for two reasons: the cipher algorithm was classified (the cipher, called Skipjack, was declassified in 1998 long after the Clipper initiative lapsed), which caused concerns that NSA had deliberately made the cipher weak in order to assist its intelligence efforts. The whole initiative was also criticized based on its violation of Kerckhoffs' principle, as the scheme included a special escrow key held by the government for use by law enforcement, for example in wiretaps.[12]

Digital Rights Management

Main Article: Digital Rights Management

Cryptography is central to digital rights management (DRM), a group of techniques for technologically controlling use of copyrighted material, being widely implemented and deployed at the behest of some copyright holders. In 1998, Bill Clinton signed the Digital Millennium Copyright Act (DMCA), which criminalized all production, dissemination, and use of certain cryptanalytic techniques and technology (now known or later discovered); specifically, those that could be used to circumvent DRM technological schemes.[13] This had a very serious potential impact on the cryptography research community since an argument can be made that any cryptanalytic research violated, or might violate, the DMCA. The FBI and the Justice Department have not enforced the DMCA as rigorously as had been feared by some, but the law, nonetheless, remains a controversial one. One well-respected cryptography researcher, Niels Ferguson, has publicly stated that he will not release some research into an Intel security design for fear of prosecution under the DMCA, and both Alan Cox (longtime number 2 in Linux kernel development) and Professor Edward Felten (and some of his students at Princeton) have encountered problems related to the Act. Dmitry Sklyarov was arrested during a visit to the US from Russia, and jailed for some months for alleged violations of the DMCA which had occurred in Russia, where the work for which he was arrested and charged was then, and when he was arrested, legal. Similar statutes have since been enacted in several countries. See for instance the EU Copyright Directive. In 2007, the cryptographic keys responsible for DVD and HDDVD content scrambling were discovered and released onto the internet. Both times, the MPAA sent out numerous DMCA takedown notices, and there was a massive internet backlash as a result of the implications of such notices on fair use and free speech.

  1. RSA Laboratories' Frequently Asked Questions About Today's Cryptography rsasecurity.com Retrieved June 22, 2007.
  2. Cryptography & Speech from Cyberlaw
  3. "Case Closed on Zimmermann PGP Investigation"
  4. Levy, Steven. 2001. Crypto: how the code rebels beat the government, saving privacy in the digital age. New York: Viking. ISBN 0140244328
  5. Bernstein v USDOJ, 9th Circuit court of appeals decision. Retrieved June 22, 2007.
  6. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies
  7. Cite error: Invalid <ref> tag; no text was provided for refs named cryptofaq
  8. "The Data Encryption Standard (DES)" from Bruce Schneier's CryptoGram newsletter, June 15 2000
  9. Coppersmith, D. (May 1994). The Data Encryption Standard (DES) and its strength against attacks. IBM Journal of Research and Development 38 (3): 243.
  10. E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems", Journal of Cryptology, vol. 4 num. 1, pp. 3-72, Springer-Verlag, 1991.
  11. Levy, pg. 56
  12. Cite error: Invalid <ref> tag; no text was provided for refs named levybook
  13. Digital Millennium Copyright Act
Retrieved from https://www.newworldencyclopedia.org/p/index.php?title=Cryptography&oldid=338104

Content is available under Creative Commons Attribution/Share-Alike License; additional terms may apply. See Terms of Use for details.
Copyright Logo
Powered by MediaWiki