Net groups protest crypto policy

Led by Net pioneer Vint Cerf, they say the U.S.-driven regulations will stifle e-commerce and undermine privacy.

Jan. 2, 2002 4:43 p.m. PT

2 min read

With Internet pioneer Vint Cerf leading the way, two obscure Internet entities are protesting that U.S.-driven encryption regulations adopted recently by 33 nations will undermine Internet privacy and the growth of electronic commerce.

In a joint statement today, the Internet Architecture Board and the Internet Engineering Steering Group warned that limits in the Wassenaar Arrangement, which were announced earlier this month, will make the Internet weak and vulnerable. They urge stronger encryption.

"Restriction to 64 bits [encryption algorithms] is too extreme," Cerf, senior vice president of MCI Worldcom and chairman of the Internet Society, said in an interview. "It has already been demonstrated that 56-bit schemes are readily cracked."

The Electronic Frontier Foundation last summer cracked a 56-bit key in 56 hours using a $220,000 network of PCs designed for that purpose. Cerf believes the same methods could crack a 56-bit key in three hours today.

"The cost per key-cracking is quite modest, so it's not out of question for individuals, not just companies or countries, to do that," Cerf added.

The IAB and IESG estimated that a 64-bit cipher can be cracked in less than a day for about $2,500 per key.

The IAB and IESG, both of which are affiliated with the Internet Society, three years ago endorsed a 90-bit key length as the minimum required security for Internet commerce and communications.

In today's statement, the two groups raised a concern that the restrictions would hurt developing nations that may lack the financial and technical resources to create their own cryptographic capabilities. I-Soc, which endorsed the statement, represents Net users in more than 150 countries.

"Strong cryptography is essential to the security of the Internet; restrictions on its use or availability will leave us with a weak, vulnerable network, endanger the privacy of users and businesses, and slow the growth of electronic commerce," the groups stated.

"The new restrictions will have a particularly deleterious effect on smaller countries, where there may not be enough of a local market or local expertise to support the development of indigenous cryptographic products," they added.

The new Wassenaar limits--signed by the U.S., Japan, Germany, Britain and other developed nations--have drawn relatively little protest since they were adopted December 3.