Crypto Wars

From Wikipedia, the free encyclopedia
(Redirected from Crypto wars)
Export-restricted RSA encryption source code printed on a T-shirt made the T-shirt an export-restricted munition, as a freedom of speech protest against US encryption export restrictions. (The shirt's back shows relevant clauses of the United States Bill of Rights under a 'VOID' stamp.)[1] Changes in the export law means that it is no longer illegal to export this T-shirt from the US, or for US citizens to show it to foreigners.[2]

Attempts, unofficially dubbed the "Crypto Wars", have been made by the United States (US) and allied governments to limit the public's and foreign nations' access to cryptography strong enough to thwart decryption by national intelligence agencies, especially the National Security Agency (NSA).[3]

Export of cryptography from the United States[edit]

Cold War era[edit]

In the early days of the Cold War, the U.S. and its allies developed an elaborate series of export control regulations designed to prevent a wide range of Western technology from falling into the hands of others, particularly the Eastern bloc. All export of technology classed as 'critical' required a license. CoCom was organized to coordinate Western export controls.

Two types of technology were protected: technology associated only with weapons of war ("munitions") and dual use technology, which also had commercial applications. In the U.S., dual use technology export was controlled by the Department of Commerce, while munitions were controlled by the State Department. Since in the immediate post WWII period the market for cryptography was almost entirely military, the encryption technology (techniques as well as equipment and, after computers became important, crypto software) was included as a Category XIII item into the United States Munitions List. The multinational control of the export of cryptography on the Western side of the cold war divide was done via the mechanisms of CoCom.

By the 1960s, however, financial organizations were beginning to require strong commercial encryption on the rapidly growing field of wired money transfer. The U.S. Government's introduction of the Data Encryption Standard in 1975 meant that commercial uses of high quality encryption would become common, and serious problems of export control began to arise. Generally these were dealt with through case-by-case export license request proceedings brought by computer manufacturers, such as IBM, and by their large corporate customers.

PC era[edit]

Encryption export controls became a matter of public concern with the introduction of the personal computer. Phil Zimmermann's PGP cryptosystem and its distribution on the Internet in 1991 was the first major 'individual level' challenge to controls on export of cryptography. The growth of electronic commerce in the 1990s created additional pressure for reduced restrictions.[4] Shortly afterward, Netscape's SSL technology was widely adopted as a method for protecting credit card transactions using public key cryptography.

SSL-encrypted messages used the RC4 cipher, and used 128-bit keys. U.S. government export regulations would not permit crypto systems using 128-bit keys to be exported.[5] At this stage Western governments had, in practice, a split personality when it came to encryption; policy was made by the military cryptanalysts, who were solely concerned with preventing their 'enemies' acquiring secrets, but that policy was then communicated to commerce by officials whose job was to support industry.

The longest key size allowed for export without individual license proceedings was 40 bits, so Netscape developed two versions of its web browser. The "U.S. edition" had the full 128-bit strength. The "International Edition" had its effective key length reduced to 40 bits by revealing 88 bits of the key in the SSL protocol. Acquiring the 'U.S. domestic' version turned out to be sufficient hassle that most computer users, even in the U.S., ended up with the 'International' version,[6] whose weak 40-bit encryption could be broken in a matter of days using a single personal computer. A similar situation occurred with Lotus Notes for the same reasons.[7]

Legal challenges by Peter Junger and other civil libertarians and privacy advocates, the widespread availability of encryption software outside the U.S., and the perception by many companies that adverse publicity about weak encryption was limiting their sales and the growth of e-commerce, led to a series of relaxations in US export controls, culminating in 1996 in President Bill Clinton signing the Executive order 13026[2] transferring the commercial encryption from the Munition List to the Commerce Control List. Furthermore, the order stated that, "the software shall not be considered or treated as 'technology'" in the sense of Export Administration Regulations. This order permitted the United States Department of Commerce to implement rules that greatly simplified the export of proprietary and open source software containing cryptography, which they did in 2000.[8]


As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security.[9] Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9] (pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 FR 36494). In addition, other items require a one-time review by or notification to BIS prior to export to most countries.[9] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[10] Export regulations have been relaxed from pre-1996 standards, but are still complex.[9] Other countries, notably those participating in the Wassenaar Arrangement,[11] have similar restrictions.[12]

Export of cryptography from Britain[edit]

Until 1996, the government of the United Kingdom withheld export licenses from exporters unless they used weak ciphers or short keys, and generally discouraged practical public cryptography.[13] A debate about cryptography for the NHS brought this out in the open.[13]

Mobile phone signals[edit]

Clipper chip[edit]

RSA Security campaigned against the Clipper Chip backdoor, creating this memorable poster which became an icon of that debate.

The Clipper chip was a chipset for mobile phones made by the NSA in the 1990s, which implemented encryption with a backdoor for the US government.[4] The US government tried to get phone manufacturers to adopt the chipset, but without success, and the program was finally defunct by 1996.

A5/1 (GSM encryption)[edit]

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard.

Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO signal intelligence agencies in the mid-1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries didn't feel this way, and the algorithm as now fielded is a French design."[14]

According to professor Jan Arild Audestad, at the standardization process which started in 1982, A5/1 was originally proposed to have a key length of 128 bits. At that time, 128 bits was projected to be secure for at least 15 years. It is now estimated that 128 bits would in fact also still be secure as of 2014. Audestad, Peter van der Arend, and Thomas Haug say that the British insisted on weaker encryption, with Haug saying he was told by the British delegate that this was to allow the British secret service to eavesdrop more easily. The British proposed a key length of 48 bits, while the West Germans wanted stronger encryption to protect against East German spying, so the compromise became a key length of 56 bits.[15] In general, a key of length 56 is times easier to break than a key of length 128.

DES Challenges[edit]

The widely used DES encryption algorithm was originally planned by IBM to have a key size of 128 bits;[16] the NSA lobbied for a key size of 48 bits. The end compromise were a key size of 64 bits, 8 of which were parity bits, to make an effective key security parameter of 56 bits.[17] DES was considered insecure as early as 1977,[18] and documents leaked in the 2013 Snowden leak shows that it was in fact easily crackable by the NSA, but was still recommended by NIST.[19] The DES Challenges were a series of brute force attack contests created by RSA Security to highlight the lack of security provided by the Data Encryption Standard. As part of the successful cracking of the DES-encoded messages, the EFF constructed a specialized DES cracking computer nicknamed Deep Crack.

The successful cracking of DES likely helped to gather both political and technical support for more advanced encryption in the hands of ordinary citizens.[20] In 1997, NIST began a competition to select a replacement for DES, resulting in the publication in 2000 of the Advanced Encryption Standard (AES).[21] AES is still considered secure as of 2019, and the NSA considers AES strong enough to protect information classified at the Top Secret level.[22]

Snowden and NSA's Bullrun program[edit]

Fearing widespread adoption of encryption, the NSA set out to stealthily influence and weaken encryption standards and obtain master keys—either by agreement, by force of law, or by computer network exploitation (hacking).[4][23]

According to the New York Times: "But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government's nuclear department and another's Internet service by cracking the virtual private networks that protected them. By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300."[23]

As part of Bullrun, NSA has also been actively working to "insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets".[24] The New York Times has reported that the random number generator Dual EC DRBG contains a back door from the NSA, which would allow the NSA to break encryption relying on that random number generator.[25] Even though Dual_EC_DRBG was known to be an insecure and slow random number generator soon after the standard was published, and the potential NSA backdoor was found in 2007, and alternative random number generators without these flaws were certified and widely available, RSA Security continued using Dual_EC_DRBG in the company's BSAFE toolkit and Data Protection Manager until September 2013. While RSA Security has denied knowingly inserting a backdoor into BSAFE, it has not yet given an explanation for the continued usage of Dual_EC_DRBG after its flaws became apparent in 2006 and 2007,[26] however it was reported on December 20, 2013, that RSA had accepted a payment of $10 million from the NSA to set the random number generator as the default.[27][28] Leaked NSA documents state that their effort was "a challenge in finesse" and that "Eventually, N.S.A. became the sole editor" of the standard.

By 2010, the NSA had developed "groundbreaking capabilities" against encrypted Internet traffic. A GCHQ document warned however "These capabilities are among the Sigint community's most fragile, and the inadvertent disclosure of the simple 'fact of' could alert the adversary and result in immediate loss of the capability."[23] Another internal document stated that "there will be NO 'need to know.'"[23] Several experts, including Bruce Schneier and Christopher Soghoian, have speculated that a successful attack against RC4, a 1987 encryption algorithm still used in at least 50 per cent of all SSL/TLS traffic is a plausible avenue, given several publicly known weaknesses of RC4.[29] Others have speculated that NSA has gained ability to crack 1024-bit RSA and Diffie–Hellman public keys.[30] A team of researchers have pointed out that there is wide reuse of a few non-ephemeral 1024 bit primes in Diffie–Hellman implementations, and that NSA having done precomputation against those primes in order to break encryption using them in real time is very plausibly what NSA's "groundbreaking capabilities" refer to.[31]

The Bullrun program is controversial, in that it is believed that NSA deliberately inserts or keeps secret vulnerabilities which affect both law-abiding US citizens as well as NSA's targets, under its NOBUS policy.[32] In theory, NSA has two jobs: prevent vulnerabilities that affect the US, and find vulnerabilities that can be used against US targets; but as argued by Bruce Schneier, NSA seems to prioritize finding (or even creating) and keeping vulnerabilities secret. Bruce Schneier has called for the NSA to be broken up so that the group charged with strengthening cryptography is not subservient to the groups that want to break the cryptography of its targets.[33]

Encryption of smartphone storage[edit]

As part of the Snowden leaks, it became widely known that intelligence agencies could bypass encryption of data stored on Android and iOS smartphones by legally ordering Google and Apple to bypass the encryption on specific phones. Around 2014, as a reaction to this, Google and Apple redesigned their encryption so that they did not have the technical ability to bypass it, and it could only be unlocked by knowing the user's password.[34][35]

Various law enforcements officials, including the Obama administration's Attorney General Eric Holder[36] responded with strong condemnation, calling it unacceptable that the state could not access alleged criminals' data even with a warrant. In one of the more iconic responses, the chief of detectives for Chicago's police department stated that "Apple will become the phone of choice for the pedophile".[37] Washington Post posted an editorial insisting that "smartphone users must accept that they cannot be above the law if there is a valid search warrant", and after agreeing that backdoors would be undesirable, suggested implementing a "golden key" backdoor which would unlock the data with a warrant.[38][39]

FBI Director James Comey cited a number of cases to support the need to decrypt smartphones. Interestingly, in none of the presumably carefully handpicked cases did the smartphone have anything to do with the identification or capture of the culprits, and the FBI seems to have been unable to find any strong cases supporting the need for smartphone decryption.[40]

Bruce Schneier has labelled the right to smartphone encryption debate Crypto Wars II,[41] while Cory Doctorow called it Crypto Wars redux.[42]

Legislators in the US states of California[43] and New York[44] have proposed bills to outlaw the sale of smartphones with unbreakable encryption. As of February 2016, no bills have been passed.

In February 2016 the FBI obtained a court order demanding that Apple create and electronically sign new software which would enable the FBI to unlock an iPhone 5c it recovered from one of the shooters in the 2015 terrorist attack in San Bernardino, California. Apple challenged the order. In the end the FBI hired a third party to crack the phone. See FBI–Apple encryption dispute.

In April 2016, Dianne Feinstein and Richard Burr sponsored a bill, described as "overly vague" by some,[45] that would be likely to criminalise all forms of strong encryption.[46][47]

In December 2019, the United States Senate Committee on the Judiciary convened a hearing on Encryption and Lawful Access, focusing on encrypted smartphone storage.[48] District Attorney Cyrus Vance Jr., Professor Matt Tait, Erik Neuenschwander from Apple, and Jay Sullivan from Facebook testified. Chairman Lindsey Graham stated in his opening remarks "all of us want devices that protect our privacy." He also said law enforcement should be able to read encrypted data on devices, threatening to pass legislation if necessary: "You're going to find a way to do this or we're going to do this for you."[49]

End-to-end-encrypted messaging services[edit]

In October 2017, Deputy Attorney General Rod Rosenstein called for key escrow under the euphemism "responsible encryption"[50] as a solution to the ongoing problem of "going dark".[51] This refers to wiretapping court orders and police measures becoming ineffective as strong end-to-end encryption is increasingly added to widespread messenger products. Rosenstein suggested key escrow would provide their customers with a way to recover their encrypted data if they forget their password, so that it is not lost forever. From a law enforcement perspective, this would allow a judge to issue a search warrant instructing the company to decrypt the data; without escrow or other undermining of encryption it is impossible for a service provider to comply with this request. In contrast to previous proposals, the decentralized storage of keys by companies instead of government agencies is claimed to be an additional safeguard.

Front doors[edit]

In 2015 the head of the NSA, Admiral Michael S. Rogers, suggested further decentralizing the key escrow by introducing "front doors" instead of back doors into encryption.[52] This way, the key would be split into two halves: one kept by government authorities and the other by the company responsible for the encryption product. The government would thus still need a search warrant to obtain the company's half-key, while the company would be unable to abuse the key escrow to access users' data without the government's half-key. Experts were not impressed.[53][52]

Lightweight encryption[edit]

In 2018, the NSA promoted the use of "lightweight encryption", in particular its ciphers Simon and Speck, for Internet of Things devices.[54] However, the attempt to have those ciphers standardized by ISO failed because of severe criticism raised by the board of cryptography experts which provoked fears that the NSA had non-public knowledge of how to break them.[55]

2015 UK call for outlawing non-backdoored cryptography[edit]

Following the 2015 Charlie Hebdo shooting, a terrorism attack, former UK Prime Minister David Cameron called for outlawing non-backdoored cryptography, saying that there should be no "means of communication" which "we cannot read".[56][57] US president Barack Obama sided with Cameron on this.[58] This call for action does not seem to have resulted in any legislation or changes in the status quo of non-backdoored cryptography being legal and available.

2020 EARN IT[edit]

The Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act of 2020 provides for a 19-member National Commission which will develop a set of "best practice" guidelines to which technology providers will have to conform in order to "earn" immunity (traditionally provided 'automatically' by Section 230 of the Communications Decency Act) to liability for child sexual abuse material on their platforms. Proponents present it as a way to tackle child sexual abuse material on internet platforms, but it has been criticized by advocates of encryption because it is likely that the "best practices" devised by the commission will include refraining from using end-to-end encryption, as such encryption would make it impossible to screen for illegal content.[59][60]

See also[edit]


  1. ^ "Munitions T-shirt".
  2. ^ a b "Administration of Export Controls on Encryption Products" (PDF). Retrieved 2016-06-11.
  3. ^ "The Crypto Wars: Governments Working to Undermine Encryption". Electronic Frontier Foundation. 2 January 2014.
  4. ^ a b c Ranger, Steve (24 March 2015). "The undercover war on your internet secrets: How online surveillance cracked our trust in the web". TechRepublic. Archived from the original on 2016-06-12. Retrieved 2016-06-12.
  5. ^ "SSL by Symantec - Learn How SSL Works - Symantec".
  6. ^ "Netscape Netcenter - Download & Upgrade Page for browsers, servers, shareware". Archived from the original on 1999-09-16. Retrieved 2017-03-30.
  7. ^ Crypto: How the Code Rebels Beat the Government—Saving Privacy in the Digital Age, Steven Levy, Penguin, 2001
  8. ^ "Revised U.S. Encryption Export Control Regulations (January 2000)". Electronic Privacy Information Center. US Department of Commerce. January 2000. Retrieved 2014-01-06.
  9. ^ a b c d Robin Gross. "Regulations" (PDF). Archived from the original (PDF) on 2010-12-03. Retrieved 2014-10-24.
  10. ^ "U. S. Bureau of Industry and Security - Notification Requirements for "Publicly Available" Encryption Source Code". 2004-12-09. Archived from the original on 2002-09-21. Retrieved 2009-11-08.
  11. ^ "Participating States - The Wassenaar Arrangement". Archived from the original on 27 May 2012. Retrieved 11 June 2016.
  12. ^ "Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies: Guidelines & Procedures, including the Initial Elements" (PDF). December 2009. Archived from the original (PDF) on 2014-10-14. Retrieved 2016-06-11.
  13. ^ a b "Ross Anderson FRS FREng - Keys Under Doormats. Cambridge University Mathematics Faculty. 7/03/2017". YouTube.
  14. ^ Ross Anderson (1994-06-17). "A5 (Was: HACKING DIGITAL PHONES)". Newsgroupuk.telecom. Usenet: 2ts9a0$
  15. ^ "Sources: We were pressured to weaken the mobile security in the 80's". Aftenposten.
  16. ^ Stallings, W.: Cryptography and network security: principles and practice. Prentice Hall, 2006. p. 73
  17. ^ Stanford Magazine (27 June 2017). "Keeping Secrets". Medium.
  18. ^ Diffie, Whitfield; Hellman, Martin E. (June 1977). "Exhaustive Cryptanalysis of the NBS Data Encryption Standard" (PDF). Computer. 10 (6): 74–84. doi:10.1109/C-M.1977.217750. S2CID 2412454. Archived from the original (PDF) on 2014-02-26.
  19. ^ Anderson, Ross (2020). Security engineering : a guide to building dependable distributed systems (Third ed.). Indianapolis, IN. ISBN 978-1-119-64281-7. OCLC 1224516855.{{cite book}}: CS1 maint: location missing publisher (link)
  20. ^ Curtin, Matt (25 October 2007). Brute Force. Springer. ISBN 9780387271606.
  21. ^ Commerce Department Announces Winner of Global Information Security Competition. (1997-09-12). Retrieved on 2014-05-11.
  22. ^ Lynn Hathaway (June 2003). "National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information" (PDF). Retrieved 2011-02-15.
  23. ^ a b c d "N.S.A. Able to Foil Basic Safeguards of Privacy on Web". The New York Times. 6 September 2013. Retrieved 11 June 2016.
  24. ^ "Secret Documents Reveal N.S.A. Campaign Against Encryption". New York Times.
  25. ^ "New York Times provides new details about NSA backdoor in crypto spec". Ars Technica. 11 September 2013.
  26. ^ Matthew Green (20 September 2013). "RSA warns developers not to use RSA products".
  27. ^ Menn, Joseph (December 20, 2013). "Exclusive: Secret contract tied NSA and security industry pioneer". San Francisco: Reuters. Retrieved December 20, 2013.
  28. ^ "$10m NSA contract with security firm RSA led to encryption 'back door' | World news". 2013-12-20. Retrieved 2014-01-23.
  29. ^ "That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?".
  30. ^ Lucian Constantin (19 November 2013). "Google strengthens its SSL configuration against possible attacks". PCWorld.
  31. ^ Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; VanderSloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (October 2015). "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" (PDF).
  32. ^ Meyer, David (6 September 2013). "Dear NSA, Thanks for Making Us All Insecure". Retrieved 11 June 2016.
  33. ^ "Schneier on Security". Retrieved 2016-06-11.
  34. ^ Matthew Green (4 October 2014). "A Few Thoughts on Cryptographic Engineering".
  35. ^ "Keeping the Government Out of Your Smartphone". American Civil Liberties Union. 18 September 2012.
  36. ^ "U.S. attorney general criticizes Apple, Google data encryption". Reuters. 30 September 2014.
  37. ^ "FBI blasts Apple, Google for locking police out of phones". Washington Post.
  38. ^ "Compromise needed on smartphone encryption". Washington Post.
  39. ^ "Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?". Techdirt. 6 October 2014.
  40. ^ "The FBI Director's Evidence Against Encryption Is Pathetic - The Intercept". The Intercept. 17 October 2014.
  41. ^ "Schneier on Security".
  42. ^ Cory Doctorow (October 9, 2014). "Crypto wars redux: why the FBI's desire to unlock your private life must be resisted". the Guardian.
  43. ^ Farivar, Cyrus (2016-01-21). "Yet another bill seeks to weaken encryption-by-default on smartphones". Ars Technica. Retrieved 2016-06-11.
  44. ^ Farivar, Cyrus (2016-01-14). "Bill aims to thwart strong crypto, demands smartphone makers be able to decrypt". Ars Technica. Retrieved 2016-06-11.
  45. ^ Dustin Volz and Mark Hosenball (April 8, 2016). "Leak of Senate encryption bill prompts swift backlash". Reuters.
  46. ^ "Senate bill effectively bans strong encryption". The Daily Dot. 8 April 2016.
  47. ^ "'Leaked' Burr-Feinstein Encryption Bill Is a Threat to American Privacy". Motherboard. 8 April 2016.
  48. ^ "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy". December 10, 2019.
  49. ^ "Senators threaten to regulate encryption if tech companies won't do it themselves". CNBC. December 10, 2019.
  50. ^ "As DOJ calls for "responsible encryption," expert asks "responsible to whom?"". 24 November 2017.
  51. ^ "Lawful Access".
  52. ^ a b "The NSA wants 'front door' access to your encrypted data - ExtremeTech".
  53. ^ Fisher, Dennis (21 April 2015). "Crypto 'Front Door' Debate Likely to Go On For Years". Threatpost. Retrieved 14 September 2018.
  54. ^ Beaulieu, Ray; Shors, Douglas; Smith, Jason; Treatman-Clark, Stefan; Weeks, Bryan; Winger, Louis (2015-07-09). "Simon and Speck: Block Ciphers for the Internet of Things" (PDF). Retrieved 2017-11-23.
  55. ^ "Linux Cryptography — [PATCH v2 0/5] crypto: Speck support".
  56. ^ "BBC News - Can the government ban encryption?". BBC News. 13 January 2015.
  57. ^ "UK prime minister wants backdoors into messaging apps or he'll ban them". Ars Technica. 12 January 2015.
  58. ^ Danny Yadron (16 January 2015). "Obama Sides with Cameron in Encryption Fight". WSJ.
  59. ^ Riana Pfefferkorn (January 30, 2020). "The EARN IT Act: How to Ban End-to-End Encryption Without Actually Banning It". Stanford University.
  60. ^ Joe Mullin (March 12, 2020). "The EARN IT Bill Is the Government's Plan to Scan Every Message Online". Electronic Frontier Foundation.