A few weeks ago, your humble blogger looked into how difficult it was for someone to crack encryption in light of debates on Capitol Hill about whether policies should be put in place to limit its strength. In March and May, security researchers uncovered two related flaws in the secure sockets layer (SSL) and transport layer security (TLS) protocols commonly used to encrypt web traffic. Both of these flaws appear to be the result of encryption export policies from the 1990s.
The first of the two flaws is FREAK, which allows an attacker monitoring web traffic to inject a packet into a traffic flow between two parties that will force them to use an encryption key that complies with 1990s-era export requirements. The second flaw, Logjam, relies on injecting a packet, during the negotiation phase of the communication, that forces export-grade encryption to be used. Both bugs can allow interception of ostensibly secure communications over the web, email and virtual private networks (VPNs).
So how did we end up here? Until the 1990s, encryption software was classified as a munition, which made it subject to export controls similar to those for a tank or a stealth bomber. Secure communications are essential to military operations, and prior to the widespread commercial adoption of the Internet, this policy made sense. As Internet usage became more ubiquitous, the task of limiting the export of encryption technology fell to the Department of Commerce.
The policy rationale for limiting the export of encryption was to give U.S. law enforcement and military the ability to intercept encrypted communications and ensure that the U.S. had the best cryptography in the world. This is similar to the rationale that some are providing in the present for the introduction of back doors into, and limits upon, encryption technology. During the 1990s, several unsuccessful attempts were made to limit encryption strength, ultimately making export controls the only viable option for controlling its spread and development.
During this time, if a company wished to export encryption of even modest strength, the Department of Commerce had to issue it a license. Companies attempting to export their products containing encryption technology found themselves frequently negotiating with the government and facing the threat of being unable to market their products overseas. Ultimately, this resulted in companies creating U.S. versions of their products and versions for export containing weaker encryption. To ensure that both versions could communicate, the U.S. versions usually included an option for the encryption to be downgraded to export levels.
Over time, the business value of using encryption to protect online communications—specifically in the area of e-commerce where sensitive financial information was being transmitted—became increasingly apparent. This, coupled with the use of the Internet as a means for the distribution of software outside of the control of the U.S. government, ultimately made the encryption export control regime unworkable. As a result, the Clinton administration lifted most controls on the export of encryption in 1999.
Fast forward to 2015, and the use of export-grade encryption still remains an option in most modern software. Often this is to ensure backward compatibility with legacy systems. As technology has progressed at a dizzying pace over the last 16 years, encryption that was intentionally weak in the 1990s is relatively easy to crack now, given access to the right resources.
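One way to check whether a server still carries this legacy option is to audit its enabled cipher suites for export-grade entries. The Python example below is added here for illustration and is not from the original post; it assumes IANA-style suite names, and the sample list is constructed.

```python
"""Flag export-grade TLS cipher suites in a list of enabled suites.

Names follow the IANA registry form TLS_<key exchange>_WITH_<cipher>_<mac>;
export-grade suites carry "_EXPORT" at the end of the key-exchange part.
"""

def classify(suite):
    """Return None for a non-export suite, else the related exposure."""
    kx, sep, _ = suite.strip().partition("_WITH_")
    if not sep or not kx.endswith("_EXPORT"):
        return None  # includes TLS 1.3 names, which have no _WITH_ part
    # Drop the TLS_/SSL_ prefix and _EXPORT suffix: TLS_DHE_RSA_EXPORT -> DHE_RSA
    base = kx.split("_", 1)[1][: -len("_EXPORT")]
    if base == "RSA":
        return "FREAK"         # export RSA key exchange
    if base.startswith("DHE_"):
        return "Logjam"        # export ephemeral Diffie-Hellman
    return "export-grade"      # other export suites, e.g. DH_anon, KRB5

def audit(enabled):
    """Split an ordered suite list into findings and a cleaned list."""
    findings, kept = {}, []
    for suite in enabled:
        name = suite.strip()
        exposure = classify(name)
        if exposure is None:
            kept.append(name)  # preference order is preserved
        else:
            findings.setdefault(exposure, []).append(name)
    return findings, kept

# Constructed sample: suites enabled on a server kept legacy-compatible.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
]

if __name__ == "__main__":
    findings, kept = audit(SAMPLE)
    for exposure, suites in sorted(findings.items()):
        print(f"{exposure}: disable {', '.join(suites)}")
    print("keep:", ", ".join(kept))
```
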
If nothing else, the discovery of FREAK and Logjam is proof that the law of unintended consequences does not have a statute of limitations. Beyond that, it informs the current debates on whether law enforcement should have a back door into encryption technologies and whether limitations should be placed on encryption strength. Opponents of measures to limit encryption could easily cite these two flaws as evidence that such policies are harmful to consumers.
In the ever-evolving world of data privacy, policies that were common sense one day can become catastrophic the next day. Proactive engagement with policy-makers and close monitoring of policy developments, informed by an understanding of the technologies involved, are crucial for businesses to remain competitive.