Computers Today

August 16-31, 1999                                                                 TECH TRENDS 


ENCRYPTION
Keep Off Those Prying Eyes

Encryption is the sure-fire way to protect privacy and secure communications on the Net. Expect the boom in E-commerce and defence imperatives to spur encryption development in India too.

By Sudha Nagaraj

The Net has given us invaluable information for free. The rejoicing is over. It is time to worry about security and privacy, and time to devise ways and means to "lock" the message transmitted, so that only the person you want to communicate with has access to it. The simple way to protect yourself from electronic snoopers is through encryption. This involves scrambling the data in a complex manner, so that it becomes unintelligible to anyone except the intended recipient.

Encryption was initially used for defence purposes, and regarded more as a secretive, even arcane sub-specialty of mathematics and espionage. But with the growth of technology, it rapidly developed into a sophisticated science: cryptography. With more and more of the world's information exchanged on electronic networks, cryptography is now being applied to the consumer market with a host of off-the-shelf software and hardware.

In India, encryption is not much talked about even though IT has become a fashionable thing. Dewang Mehta, president of the National Association of Software and Service Companies (NASSCOM), is optimistic that the growth of the Net and E-commerce will spur the domestic market for encryption software. But experts do not think India needs to develop indigenous software as of now. Says Saurabh Srivastava, chairman, IIS Infotech: "We are application focussed and encryption is not applied technology. It is nothing new for Indian companies in software and otherwise, to wait and watch where fundamental sciences are involved." Arun Mehta, a private consultant, reasons that with encryption software being available free, Indian software companies can stay away from the area. For encryption to be reliable, it is essential that experts worldwide should carefully examine it for flaws. This demands that the source code be made public, which in turn implies that the developer cannot make money from it.

Telecom and IT consultant Ravi Visvesvaraya Prasad believes that the only business model that will work for encryption software is open-source, on the lines of Linux, Netscape Navigator or Internet Explorer. That is how Pretty Good Privacy (PGP) became widespread and reliable, he adds. He himself uses ZipLip and HushMail, while sending confidential messages.

Scrambling for Secrecy

Encryption is basically a mathematical representation or an algorithm used to transform plain text into a coded equivalent for transmission or storage. The coded text is subsequently decrypted at the receiving end and reverted to plain text. The encryption algorithm uses a key, which is made of "bits" of information. These binary units of information can have the value of zero or one. An eight-bit key has 256 (2 to the eighth power) possible values. A 56-bit key creates 72 quadrillion combinations.

Ironically though, the US government allows export of 56-bit encryption only. This was recognised as the Data Encryption Standard (DES) in 1977. This was around the same time when it was revealed that cryptographic tools were listed on the US Munitions List, classified along with tanks and bomber planes, under an Arms Regulation Law! Meanwhile, though it seemed like there was no control over the development or use of strong encryption within the country, the fact was that the industry found it expensive to offer separate products in different markets and therefore sold the simpler, exportable products both at home and abroad. But it is acutely conscious of foreign competition moving in and has been fighting for relaxation of the restrictions. Sue Hofer, a US administration spokesperson on encryption policy, strongly contests this allegation. She told Computers Today, "While there may be anecdotal evidence that the US encryption policy has a negative impact on US manufacturers, our data suggest that US firms have the flexibility they need to compete in the sectors that need encryption: financial institutions, insurance, medical, and online merchants." At the same time, the FBI is pushing for legislation that would make it a crime to make, distribute or import to the US, encryption products that do not include a key recovery system.

This has pitted both the high-tech industry as well as the civil liberties group against the Clinton Administration. At the heart of the problem in every individual's mind is the fear of loss of privacy: the harsh picture of Uncle Sam monitoring electronic transactions from bank records to video-on-demand selections along an information snooperhighway.

No doubt, the FBI and the National Security Agency have long held legal and technological powers to spy and capture virtually any conversation or data transmission over phone lines and cellular phones. But with more and more people demanding privacy through computing power, and PGP, the US government had to do some fast thinking. PGP used 128-bit encoding keys in 1991, when the US export laws allowed only 40-bit encryption! Worried when PGP surfaced in other countries, the agencies devised a new "government-designed encryption chip" called Clipper. By adding a Clipper chip to a telephone, users could scramble their phone conversations. The Clipper decoding keys vested with the government and its exact encryption technique was classified.

In 1996 the US government declared that encryption would no longer be considered munitions, unless it was created specially for military purposes, but continued its demand for key recovery systems, or key escrow. When cryptographers took pains to impress on the government that the existing keys could be cracked, the government even came up with a compromise formula under which stronger encryption, up to 64 bit, could be used provided the key is deposited with a trusted third party. Of course, the plan was bogged down over such details as precisely who might qualify as a trusted third party.

Key to Privacy

Being the most-debated IT issue on Capitol Hill, there have been several attempts to counter the government's moves through legislation. In February, US Representatives Bob Goodlatte and Zoe Lofgren introduced the Security and Freedom through Encryption (SAFE) Act. The Act seeks to ban government-mandated key recovery as a requirement for the domestic use and sale of encryption and relax controls on the export of encryption products, if they are commercially available outside the US. In April, Senator Patrick Leahy introduced a bill that would guarantee users' rights to use any kind of encryption domestically and Senator John McCain introduced a bill that would allow the export of encryption with up to 64-bit keys immediately and up to 128 bits by 2002.

In June, a San Francisco court ruled that the government's ban of a university professor's "export" of encryption software via the Net violated free-speech protections. The administration appealed against the decision. The ruling has not taken effect.

Meanwhile, the US government continues its battle for the key to people's privacy. In July, there was talk of a plan to create two broad, FBI-controlled monitoring systems designed to protect the nation's key data networks from interlopers. Critics unanimously denounced the plan as a Big Brother act.

However, the Net community, government and financial sectors are closely monitoring the developments on the encryption front. As N. Vittal, Central Vigilance Commissioner, says, "Encryption is an area of anxiety, at least in the banking sector. With the US barring export of sophisticated technology, it is necessary that we develop our own."

Look Around and Learn

Despite the threat of surveillance, cryptography-enthusiasts and the IT industry in India are sceptical over the need for an indigenous cryptography industry. It is believed that there is no profitable market anywhere in the world for encryption software, including the US and that the entire world does not require more than half-a-dozen packages, for both commercial and defence applications. Developing and testing encryption from scratch is incredibly difficult and expensive. For instance, the Data Encryption Standard was developed by an IBM-led consortium, thanks to generous subsidies from the US government.

The technical and financial resources required for verification and validation are beyond the means of any single software firm in the world. Very extensive white box testing for logic, and black box testing for different data sets have to be carried out, points out IT consultant R.V. Prasad. Even though RSA Data Security developed the RSA algorithm in 1970, it has still not been able to recover its costs for testing the source code, especially for versions RSA MD2, MD5, RC2-CBC and RC4. And this is in spite of the algorithm having been investigated and tested by thousands of academics and students for free for several years.

The common chorus seems to be that strong crypto has been and will be available for free on the Net worldwide. "Once the genie is out of the bottle, there is no way of getting it back in. Like radio waves, intellectual constructs (and the mathematical basis of strong crypto is just that) are singularly unimpeded by national boundaries," points out one consultant who advises a sizeable chunk of India's top 500 companies.

Yet, the rise of E-commerce has led to some misgivings, for public-key crypto has an important application here: authentication through a digital signature. This is possible by putting the message through a computation which produces a unique value called a message digest. The message digest is encrypted with a private key and appended to the message. When the message is received, the person at the other end performs the same computation on the message to get the digest. Decrypting the digital signature using the public key, he compares the two and thereby ascertains not only the origin of the message, but also that it has not been altered.
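The digest-sign-verify sequence described above, as an added example that is not part of the original article. The function names, the sample message and the toy RSA key (built from two publicly known Mersenne primes, with no padding) are assumptions chosen so the steps run with the Python standard library alone.

```python
import hashlib

# Constructed toy key: both primes are publicly known Mersenne primes, so this
# key protects nothing. Real keys use secret random primes and a padding scheme
# such as RSA-PSS; both are left out to keep the article's steps visible.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def digest(message: bytes) -> int:
    """Sender and receiver both compute this: the SHA-256 message digest."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender: transform the digest with the private key to get the signature."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: recompute the digest, recover the signed digest with the
    public key, and compare the two values."""
    if not 0 <= signature < N:
        return False                   # out-of-range values are never valid
    return pow(signature, E, N) == digest(message)

def demo() -> dict:
    order = b"Pay Rs. 5,000 to account 1234"        # constructed sample message
    sig = sign(order)
    tampered = b"Pay Rs. 50,000 to account 1234"    # one character inserted
    return {
        "genuine": verify(order, sig),
        "altered_message": verify(tampered, sig),
        "altered_signature": verify(order, sig ^ 1),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the holder of the private exponent can produce a value that the public exponent maps back to the digest, which is why a matching comparison establishes both origin and integrity.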

According to Uday Shankar N., a Net consultant, the combination of security and authentication ensures that cryptography can lay the foundation of an E-commerce infrastructure. Ashok V.A., senior consultant, Infosys Technologies, adds that industry response to encryption issues may be sluggish at the moment, but would increase once issues like E-commerce gain momentum, rendering transmission security a vital aspect.

It is popularly believed that the only effect of the US restrictions has been to greatly hurt US manufacturers and exporters of hardware and E-commerce solutions, and that they have greatly slowed the velocity of international business and trade and delayed the adoption of E-commerce internationally. Sue Hofer, US administration spokesperson on encryption policy, is dismissive: "The US policy represents a balance among the interests of national security, public safety, personal privacy and online commerce. No better example is our allowing, without a licence requirement, the export of strong encryption for use in financial and other on-line transactions." It transpires Citibank in Chennai indeed uses 64-bit encryption in some areas of transactions. Hofer also cites a recent US study where the value of E-commerce transactions in 1996 is placed at $12 million and the projected value for 2000 is $2.16 billion.

What, therefore, seems important is to build good strong applications that utilise tried and tested crypto techniques to ensure security and routing of content. Says consultant Vickram Crishna, "This is where Indian firms need to create niche products meshing well with standard relatively inexpensive imported products to deliver solutions strong enough for the global market."

 

In Defence of Security

All governments think alike on matters of encryption: the power of omnipresent surveillance. And they make it happen, either through secret means and behind the cloak of national security, or through policy. India too is toeing the line. Awaiting clearance from the Law Ministry is the Indian Information Technology Act. The draft bill by the Department of Electronics (DoE) includes a proposal to make it binding upon Internet Service Providers to monitor all traffic through their servers and make it available to "properly constituted authorities" for "valid reasons of security." Encrypted messages require the user to deposit the decryption key with authorities.

With the US barring export of encryption software that is "too strong to be broken by the National Security Agency", the clamour to make it mandatory for all vital institutions to adopt indigenously developed and tested software is spiralling in official circles. Granted, cryptography is a pre-requisite for all defence and external affairs communications. And if a country is relying on imported encryption software, it could very well be an open invitation to danger. In 1941 when the Japanese attacked Pearl Harbour, America was totally unprepared, because they were unable to crack the code used by the Japanese. More recently, the much publicised Cox report on the security breaches at America's top nuclear weapons lab, was followed by disturbing revelations that China had received information about US nuclear warhead, W-88, when a scientist transferred large amounts of classified information from a highly secure computer to a more accessible network.

Closer home, in India too, a senior Indian diplomat defected to Norway in 1984, together with the master code book of algorithms, then used by the Ministry of External Affairs; they had to totally redo their encryption system consequently. Now of course, we are patting ourselves on our backs for acquiring the Kargil tapes, through technical intelligence. As Major General (retd) Yashwant Deva comments, "Intelligence and security are two sides of the same coin. The Pakistan military, smarting at our intelligence coup will be waiting to exploit any chinks in our communication security."

Viewed in this context, the report in the European Parliament on the US-led satellite surveillance network, Echelon, run by the NSA together with UK, Australia, New Zealand and Canada has alerted the Indian Government. For long there has been an opinion that a NSA-like outfit be set up. Deva who is an expert in defence electronics and electronics and cyber warfare, has been pressing for an encryption policy too. Now he is also demanding that a parallel agency be set up on the lines of the National Security Agency, for controlling both cryptography and cryptanalysis (the science of breaking ciphers). "This agency should also act as the certification authority for all cryptographic products in India. Anyone can develop encryption, but only a stamp of approval can assure its use and dissemination," he says.

In fact, encryption development is going on in the country at a more academic level at the IITs and on more sophisticated scales under the aegis of the Defence Research and Development Organisation (DRDO). Forever in the quest for strong security software tools, the Centre for Artificial Intelligence and Robotics (CAIR) in Bangalore and the SAG in Delhi are engaged in developing secure encryption codes where there is no upper limit on the security level provided, in contrast to those that the US exports. Naturally, the project is shrouded in secrecy.

 


© Living Media India Ltd
