Keeping Secrets in the Digital Age

By Edward A. Mazza
The Daily Yomiuri
September 23, 1997

Used with permission

As the world goes digital, encryption standards become more important.

Even those who don't use the Internet are affected by security in the online age--everything from bank account and medical information to credit card numbers and transactions requires some form of coding to protect it from prying eyes.

Yet all is not well--with each new standard come crackers to break it. And, at the other end, governments--particularly that of the United States--are trying their darndest to ensure that encryption technology doesn't get too powerful. After all, they reason, if encoding techniques become too good, crooks can use them to subvert society.

Bruce Schneier, president of Counterpane Systems, has been at the vanguard of cyber-security and his company has handled encryption for major firms, including Disney, Canon, Citibank, Mitsubishi and Microsoft.

Schneier has been tackling both the social aspects of the matter, by taking governments to task when necessary (often), and the technical side of the issue, by helping to develop new and more powerful encryption techniques and finding flaws in existing ones.

"Nothing has created wealth on this planet faster than global trade and commerce. Cryptography facilitates global trade and commerce," he said. "It provides confidentiality, necessary for any business. It provides authentication...It allows commerce to move onto computer networks."

And that is reason enough for the government to avoid restricting the technology or forcing all powerful forms of encryption to have a back door for the authorities.

"Of course criminals will use cryptography to subvert society. They use limited-access highways to subvert society," he said. "Just because a criminal will use a technology doesn't mean you ignore the technology."

Schneier, who was in Japan last week to deliver a paper at an encryption workshop in Ishikawa, is known for developing the Blowfish algorithm, an alternative to DES, and making it available for free.

To this day, Blowfish--used in more than 50 encryption programs--has not been compromised. Schneier has just released Password Safe, a free utility based on the Blowfish algorithm that allows Windows 95 users to keep secure password databases.

He is also the author of a number of papers and his book, Applied Cryptography, is considered the authority in the field. This year, Schneier and privacy advocate David Banisar of the Electronic Privacy Information Center penned the Electronic Privacy Sourcebook.

Cryptographer-graduate student David Wagner has worked with Schneier on a number of projects. Earlier this year, Wagner helped Counterpane to crack the U.S. cellular phone encryption standard.

Said Wagner: "What really sets him apart are his unparalleled contributions to the practical side of cryptography. Rather than simply retreat to the academic ivory tower, he has taken on the mantle of bringing the esoteric field of cryptography to the computer programming masses, with vast success."

Schneier's visit last week was to deliver a paper on secure uses of low-entropy keys. U.S. law limits the export of powerful encryption, so such products tend to use the less-than-ideal low-entropy keys. Other applications and people also use them for various reasons. Schneier's paper was on how those keys could be used to mimic longer, more secure keys.

He said his Japanese counterparts tend to excel at mathematical analyses, but that products have yet to emerge based on those analyses.

"Their theory is well ahead of their practice. The mathematics that comes out of the universities and research laboratories are first rate; I'd like to see more products," he said.

"I have clients that need strong encryption, both in hardware and software. If I can recommend a good Japanese product, I will," he said.

In the United States, the battle over encryption standards continues to heat up. The Clinton administration and many members of Congress seem intent on limiting the strength of standards for use at home and crippling versions to be exported.

It is this government position that has been roundly criticized by many Internet users, digital security groups and cryptographers like Schneier.

"Strong cryptography will be available to everyone, eventually," Schneier said. "U.S. export controls don't work; everyone knows that. It's just a matter of time before the United States realizes that it is not winning anything by regulating cryptography, and that it is losing jobs."

Earlier this year, Schneier released a paper on the importance of making strong encryption available to everyone.

In "Why Cryptography Is Harder Than It Looks," Schneier wrote that many weaker forms of encryption are packaged to appear stronger. The consumer doesn't know the difference, but others do.

"Present-day computer security is a house of cards," he wrote. "It may stand for now, but it can't last. Many insecure products have not been broken because they are still in their infancy."

Schneier went on to note that no one can offer 100 percent security. "But we can work toward 100 percent risk acceptance."

The answer, he wrote, is in anticipating tomorrow's problems and implementing more powerful protections today.

"Assume your adversaries are better than they are," he wrote. "Assume science and technology will soon be able to do things they cannot yet.

"When the unexpected happens, you'll be glad you did."

(Edward Mazza can be reached at underdog@tokyo.yomiuri.co.jp)
