128 bit encryption
==================

Strong encryption is dangerous...
---------------------------------

If the bad guys can encrypt all their communication in a way so that nobody can decipher it within a suitable timeframe, it is a big advantage for them. The USA, for example, treats any software products offering strong encryption the same as arms: they may not be exported, except to Canada. Use within the US territory is permitted, though. (Somehow logical, as it is widely known that there are no bad guys in the US, and danger is always coming from across the border.)

...but so is weak encryption.
-----------------------------

If I'm paying my bills using internet banking software, I don't want to have anybody decrypt the passwords I'm using to access my account. Neither do I want anybody unauthorized to see the sensitive data I'm exchanging with a business partner concerning the new killer application we are jointly developing.

and complicated is the law
--------------------------

I'm not an expert in this matter at all and I can only repeat what I have heard or read. But as the story goes, importing strong encryption to the US is no problem, only export is restricted. And to make things even more complicated, a license fee must be paid for certain algorithms if you use them in the US, but not if used in other countries, not even Canada, where strong US encryption is legally available. Now, while you may not export software offering strong encryption from the US, it is perfectly ok to export a printout of the applicable program listing or an explanation of the algorithm...

Do you get it? I have to confess, I don't. But I also have to be honest, I don't care either. As I'm not living in the US there is no need to pay license fees for the algorithms. Where I live it is also allowed to import, export and use encryption of any strength.
However, there is one thing I do care about: the USA is currently the centre for browser software and quite a lot of other software, so the US policy greatly affects what is available in the rest of the world. The encryption strength most commonly available outside of the US today is only 5 bytes. Yes, Sirs, 40 bit is equivalent to a string with only 5 bytes! The USA has changed its policy and is now allowing 56 bit for export, but this is still only 7 bytes. And with ever increasing computational power at ever decreasing prices and progress in mathematics, cracking these 7 bytes will be child's play in just a couple of years, especially if quantum computers become possible and available.

40 available, 128 required, 1024 longed for
-------------------------------------------

While still living in Japan, I was very much pleased that my bank in Switzerland started offering access to the account via internet. I was one of the first customers to sign up for it. Before, there was only the slow snail-mail, the expensive phone and fax, which was the convenience in between, but also not what one would call 'really' convenient. With internet banking I could check my account when I wanted and I could make payments and enter stock exchange orders easily. A godsend for someone living far away.

While 128 bit keys are standard these days in internet banking applications, I dare predict that within only 5 years we'll be using 1024 bit keys for such connections. But we're not yet there. All that's available right now is 40 bit, with 56 bit probably coming soon. So using the required 128 bits for paying bills over the internet is quite a pain. Special solutions must be applied.

To use the required 128 bit encryption, a special piece of software is required. At the moment there are two different packages used by Swiss financial institutes and they already went through a number of revisions.
Unfortunately all of them have quite a number of limitations and incompatibilities, and I found they generally cause a lot of problems. No fun to use them. Another point is that they are only available for the Windows platform.

Basically what they do is to act as a proxy server for your web browser. Although you don't know it, your browser will not connect to the selected site directly, but to the additional software on your own machine. This software forwards the request, but has the capability to do 128 bit encryption when needed.

This would all be so easy without the US export restrictions. At Netscape or Microsoft they could probably just use a different switch when compiling their browsers and you would not need all this dreadful software between your browser and the target site.

patches are available
---------------------

I didn't know for a long time either, but fortunately there is a possibility to get full strength encryption with your international Netscape or Internet Explorer. Patches are available which are simple to use and do work beautifully and reliably. These are not in any way special for internet banking or the Swiss environment I mentioned; they offer true compatibility with the US 128 bit versions of the browsers.

For Internet Explorer, you need to search the net for 'msie128'. A couple of weeks ago I found about five sites. Just now altavista gave me three sites, but only one of them carried the executable 'msie128.exe'. Yahoo didn't know any. msie128.exe is available from www.microsoft.com with the usual checks to make sure you connect from within the US etc. So I don't know about the legal status of this patch when it is downloaded from a server outside of the US or to somewhere else than the US. If you run into any trouble don't blame me, you've been warned. (Blame yourself as you shouldn't be using the Microsoft browser in the first place anyway, better get Netscape or Opera.)
I have briefly tested MSIE v4.0 with this patch applied and it did not show any side effects.

For Netscape, there is a completely legal way to upgrade to 128 bit encryption, as long as the country you are located in while downloading, applying and using does not object to it. There is a piece of software, called 'fortify', which has been developed outside of the US and without help of Netscape Communications, thus it is not restricted by US laws in any way. You can get your free copy from http://www.fortify.net/. The latest version even sports a GUI for installation on the Windows platform. It is compatible with most versions of the Netscape browser on many platforms.

I've tried various versions of the 'fortified' Netscape browser and they all work very well. I have not found any side effects.

I see the day approaching when the people in the US download a 1024 bit version of Fortify to upgrade their 256 bit Netscape browser...
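
The local-proxy arrangement described earlier for the banking packages (the browser connects to software on its own machine, which forwards the request over a link that is at least 128 bit strong) looks like this with Python's `ssl` module. This is an added example, not code from those packages or from this page; the listening port and the host `bank.example` are placeholders.

```python
import select
import socket
import ssl
import threading

MIN_BITS = 128  # the strength the article calls "required" for banking

def strong_context(min_bits=MIN_BITS):
    """TLS client context that refuses every cipher suite below min_bits."""
    ctx = ssl.create_default_context()       # verifies certificate and hostname
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")    # OpenSSL cipher string
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]
    if weak:
        raise ssl.SSLError(f"weak suites still enabled: {weak}")
    return ctx

def pump(a, b):
    """Relay bytes both ways between sockets a and b until either side closes."""
    peer = {a: b, b: a}
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            chunk = s.recv(16384)            # one full TLS record at most
            if not chunk:
                return
            peer[s].sendall(chunk)

def handle(client, host, port, ctx):
    """One browser connection: plain on the local side, TLS towards the site."""
    raw = socket.create_connection((host, port))
    with client, ctx.wrap_socket(raw, server_hostname=host) as tls:
        if tls.cipher()[2] < MIN_BITS:       # negotiated secret bits
            return                           # drop rather than forward weakly
        pump(client, tls)

def serve(listen_port, host, port=443):
    """Listen on loopback only, so no other machine can use the proxy."""
    ctx = strong_context()
    with socket.create_server(("127.0.0.1", listen_port)) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, host, port, ctx),
                             daemon=True).start()

if __name__ == "__main__":
    serve(8443, "bank.example")              # placeholder port and host
```

The hop between browser and proxy is unencrypted, which is why the listener binds to 127.0.0.1 only.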