Crypto-Politics: Decoding the New Encryption Standard

This fall the Department of Commerce announced its choice for the Advanced Encryption Standard (AES): the Rijndael algorithm (pronounced "Rhine doll" and named for its Belgian creators Vincent Rijmen and Joan Daemen). The first-of-its-kind international competition for the proposed new Federal Information Processing Standard included 15 entries by leading cryptographers from 12 countries.

Sun Microsystems' Whitfield Diffie and Susan Landau, renowned authors and encryption experts, provide exclusive commentary on the AES, the political victory it represents, and why it heralds a new era in cryptography. They also discuss the government's new willingness to allow the export of strong encryption and the FBI's Internet surveillance program, Carnivore.

For privacy advocates, the AES is a promising turn in the history of Washington's encryption policy. Sun Microsystems' Whitfield Diffie and Susan Landau, veterans in the battle for strong private cryptography, predict the AES will be widely adopted by commerce as well as government agencies. The contrast between the old and new styles in government policy on encryption and surveillance was illustrated by the irony of the FBI's Internet Surveillance program being engulfed in cover-up on the eve of the AES selection.
When the National Institute of Standards and Technology (NIST) proposed the Belgian algorithm Rijndael (pronounced "Rhine doll") for the Advanced Encryption Standard (AES), it was a victory and vindication for privacy advocates. Few were better positioned to reflect on the proposed AES than Whitfield Diffie and Susan Landau. Diffie, who just received the prestigious Marconi award for his path-breaking invention of public key encryption, is a Distinguished Engineer at Sun Microsystems Laboratories and a defender of privacy for over a quarter century. Susan Landau is a Senior Staff Engineer at Sun Microsystems, a fellow of the American Association for the Advancement of Science, and co-author with Diffie of the definitive book Privacy on the Line: The Politics of Wiretapping and Encryption.

A Better Lock

The AES will replace the DES (Data Encryption Standard), which the government adopted in 1977. Despite criticism for having too short a key, DES served well, enduring years of controversy and government efforts to limit its export. A stronger version known as triple-DES is currently widely used in private industry. In recent years, the cryptography community repeatedly demonstrated DES's limitations. One such demonstration was a January 1999 assault involving a combination of 100,000 networked PCs and a $250,000 computer built by the Electronic Frontier Foundation (EFF). It decrypted a DES-encoded message in 22 hours.

In November, NIST will post the AES candidate in the Federal Register and receive public comments for 90 days before recommending it to the Commerce Secretary for adoption. No revisions to the algorithm are expected: during the competition, NIST invited cryptographers, network security firms, and universities around the world to attack the five algorithm finalists. The AES was evaluated for robustness and versatility, and the algorithm supports three key lengths: 128, 192, and 256 bits.

How strong is the Rijndael algorithm?
A brute force (exhaustive) search to discover the key to the old, 56-bit DES standard required so many combinations that the number expressing it is 72 followed by 16 zeroes. Rijndael would require a brute-force attacker to use as many combinations as 11 followed by 77 zeroes. NIST estimates that, using today's computers, it would take nearly 149 trillion years to decrypt such a message.

"Rijndael offers a good combination of simplicity, performance, and efficient implementation on a variety of processors," says Diffie. "[I]t seems an excellent choice." "Rijndael performed well in a variety of hardware and software environments and thus was an appropriate choice," observed Landau. "It is a good [choice] from a Sun perspective, since SPARC supports its primitives, which was not true of some of the other contenders."

Within days of the AES press conference, development kits using Rijndael became available. The algorithm can be used on a wide range of computers and devices, including network servers, microchip-enabled smart cards, and personal computers. From cell phones to email to smart cards, the Diffie-Hellman public-key system will be used in conjunction with devices and networks that are likely to incorporate the AES.

Making History

The AES, and the process used to select it, made history. It marked the first time that a government had sponsored an international competition for an encryption standard that involved vetting by the global community of security experts. This bodes well for the quality of the new standard. Does it also herald a new era, one in which the U.S. government would no longer seek to control or constrain efforts to develop strong cryptography for commerce and private use? Certain moves by the government, namely the recent loosening of export controls on cryptography, indicate such a change.
On the other hand, an FBI program called Carnivore that has just come to light shows an interest, at least in certain parts of the government, in expanding surveillance capabilities in the networked era.

In their book Privacy on the Line (MIT Press, 1998) Diffie and Landau articulate and defend the right of private conversation. They note that, in an era of sophisticated communication technologies and surveillance techniques, privacy is at risk without strong and accessible cryptography. "If we assert the individual's right to private conversation and take measures in the construction of our communication systems to protect that right," the authors wrote, "we may remove the danger that surveillance will grow to unprecedented proportions and become an oppressive mechanism of social control."

Diffie and Landau recount the history of government policy on encryption. It is a story of repeated attempts to limit public access to strong cryptography. Perhaps the best-known episode was the previous attempt to replace DES. Rather than standardizing an algorithm as with DES and AES, the government adopted the Clipper chip, a cryptographic device that provided for law enforcement access to keys, as "The Escrowed Encryption Standard (EES)." Although it remains in force, Clipper found few takers outside of government. A government spokesman recently declared key escrow "dead."

Whether by controlling production, censoring books and publications, or banning exports, the government has tried and failed repeatedly to stifle the development and distribution of effective encryption technologies. Diffie and Landau observe that at every turn, these efforts were opposed by a formidable alliance: personal privacy advocates and business. "Fortunately, the fight for cryptographic freedom," they write, "is a fight in which privacy and commerce are on the same side."
With the selection of the Advanced Encryption Standard and the loosening of export controls on U.S.-made cryptography, some government agencies seem to have come round. The newest trade regulations permit the export of cryptography of any strength to members of the European Union and its partners. Also allowed is the export of open source cryptography. Full trade liberalization is not here yet, however; among other things, the new regulations still make it difficult to export cryptography that protects the information infrastructure.

Diffie sees the AES as a vindication. "As a veteran of the arguments that surrounded the adoption of DES," said Diffie, "I am also delighted with the openness and international character of the AES process. The selection of an algorithm designed by Europeans as a U.S. standard shows our recognition that protecting information is no longer merely a national issue but one that affects everyone in the world." Landau called the international character and fairness of the process "a major step forward," noting that NIST's efforts in AES are a "wonderful acknowledgment of the importance of strong cryptography in international commerce and communication."
Carnivore

Within hours of the NIST press conference, controversy over Carnivore demonstrated that not all agencies of government are supportive of online privacy. First proposed in 1997 for use in court-ordered surveillance of criminal suspects, Carnivore is an interception device designed to be installed at Internet service providers. Carnivore monitors e-mail and Web browsing as well as Voice over IP, according to the Electronic Privacy Information Center (EPIC). Carnivore's existence was revealed in April by Earthlink, an Atlanta-based Internet service provider, which resisted the installation of the device.

In a practice that follows the laws regulating telephone interception, police have previously presented ISPs with a court order to turn over information about the communications of particular customers. Courts are more reluctant to grant authority to intercept content (wiretap) than authority to extract information about time, duration, origin, and destination of communications (trap and trace). Because the FBI refused to allow Earthlink to examine Carnivore's selection mechanisms, the company had no way of determining whether interception exceeded the limits set by the court order or was even limited to the targets the order named.

In response to criticism from EPIC and other privacy advocates, the Department of Justice (DOJ) announced an independent panel of experts to evaluate Carnivore. This attempt at compromise provoked further controversy when blacked-out portions of a PDF file were restored and suggested that proposed panel members, who held security clearances and were intermittently employed by the FBI, the NSA, and the IRS, had conflicts of interest.

Privacy is often cited as a major reason that people are reluctant to engage in Internet commerce and otherwise take up residence in the new digital world. Clearly we are making progress, but equally clearly, the battle for Internet privacy isn't over.