Posts Tagged ‘Course’

Governmental Involvement in Cryptography

December 30, 2009

In the United States, in the 1960s to 1980s, exportation of cryptographic mechanisms and equipment was very carefully regulated and monitored. The goal was to make obtaining and using encryption technology harder for terrorists and criminals. Harry Truman created the NSA in 1952, and its main mission was, and still is, to listen in on communications in the interest of national security for the United States. The NSA keeps an extremely low profile, and its activities are highly secret. The NSA also conducts research in cryptology to create secure algorithms and to break other cryptosystems to enable eavesdropping and spying.

The government attempted to restrict the use of public cryptography so enemies of the United States could not employ encryption methods that were too strong for it to break. These steps caused tension and controversy between cryptography researchers, vendors, and the NSA pertaining to new cryptographic methods and the public use of them. The fear of those opposed to the restrictions was that if the government controlled all types of encryption and was allowed to listen in on private citizens’ conversations, the obtained information would be misused in “Big Brotherly” ways. Also, if the government had the technology to listen in on everyone’s conversations, the possibility existed that this technology would fall into the wrong hands, and be used for the wrong reasons.

At one time a group existed whose duty was to control the export of specific types of weapons and cryptographic products to communist countries. This group came up with the Coordinating Committee on Multilateral Export Controls (COCOM). Because the threat of communism decreased over time, this group was disbanded. Then, in 1996, a group of 33 countries reached an agreement to control exportation of the same types of items to several countries deemed to be “terrorist states.” These countries (Iran, Iraq, Libya, North Korea, Sudan, Cuba, and Syria) were identified as having connections with terrorist groups and activities. The group set up agreed-upon guidelines regarding how to regulate exportation of certain types of weapons and technologies that contained cryptography functionality. In part, this group worked together to ensure “dual-use” products (products that have both civilian and military application) that contain encryption capabilities were not made available to the “terrorist states.” Because one of the main goals of every military is to be able to eavesdrop on its perceived enemies, the group of 33 countries was concerned that if terrorist states were able to obtain strong encryption methods, spying on them would be much harder to accomplish.

Just as the United States has the NSA, different countries have government agencies that are responsible for snooping on the communications of potential enemies, which involves using very powerful systems that can break a certain level of encryption. Since these countries know, for example, that they can break encryption methods that use symmetric keys of up to 56 bits, they will allow these types of products to be exported in an uncontrolled manner. Anything using a symmetric key over 56 bits needs to be controlled, because the governments are not sure they can efficiently crack those codes.

The following outlines the characteristics of specific algorithm types that are considered too dangerous to fall into the hands of the enemy and thus are restricted:

• Symmetric algorithms with key sizes over 56 bits

• Asymmetric algorithms that carry out factorization of an integer with key sizes over 512 bits (such as RSA)

• Asymmetric algorithms that compute discrete logarithms in a field with key sizes over 512 bits (such as El Gamal)

• Asymmetric algorithms that compute discrete logarithms in a group (not in a field) with key sizes over 112 bits (such as ECC)

The Wassenaar Arrangement contains the agreed-upon guidelines that this group of countries came up with, but the decision of whether or not to follow the guidelines has been left up to the individual countries. The United States has relaxed its export controls over the years and today exportation can take place to any country, other than the previously listed “terrorist states,” after a technical review. If the product is an open-source product, then a technical review is not required, but it is illegal to provide this type of product directly to identified terrorist groups and countries. Also, a technical review is not necessary for exportation of cryptography to foreign subsidiaries of U.S. firms.

Source: http://www.logicalsecurity.com/resources/resources_articles.html

Review full Cryptography Chapter at www.LogicalSecurity.com

http://logicalsecurity-ls.blogspot.com/2009/03/governmental-involvement-in.html

Steganography

December 28, 2009

Steganography is a method of hiding data in another media type so the very existence of the data is concealed. Steganography is mainly accomplished by hiding messages in graphic images. The least significant bit of each byte of the image can be replaced with bits of the secret message. This practice does not affect the graphic enough to be detected.

Steganography does not use algorithms or keys to encrypt information. This is a process to hide data within another object so no one will detect its presence. A message can be hidden in a WAV file, in a graphic, or in unused spaces on a hard drive or sectors that are marked as unusable. Steganography can also be used to insert a digital watermark on digital images so illegal copies of the images can be detected.
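
The least-significant-bit replacement described above, as an added example that is not part of the original post. It works on a constructed buffer of 8-bit pixel values rather than a real image file; the 16-bit length prefix and all function names are assumptions made for this illustration.

```python
# Added illustration: LSB embedding over a constructed 8-bit pixel buffer.
# No image library is used; the buffer stands in for decoded image bytes.

def to_bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(pixels: bytes, message: bytes) -> bytes:
    """Replace the LSB of successive cover bytes with the message bits.
    A 16-bit length prefix (an assumption of this example) marks the end."""
    payload = len(message).to_bytes(2, "big") + message
    bits = list(to_bits(payload))
    if len(bits) > len(pixels):
        raise ValueError("cover too small: one cover byte is needed per hidden bit")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return bytes(out)

def extract(pixels: bytes) -> bytes:
    """Rebuild the hidden bytes from the LSBs of the cover bytes."""
    def read(start_bit: int, count: int) -> bytes:
        value = bytearray()
        for b in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (pixels[start_bit + b * 8 + k] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read(0, 2), "big")
    if 16 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size; no valid payload")
    return read(16, length)

def max_change(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between the cover and the modified copy."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed cover: 256 grayscale pixel values, not taken from a real image.
COVER = bytes((i * 7) % 256 for i in range(256))
SECRET = b"meet at noon"  # constructed sample message

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print(extract(stego), max_change(COVER, stego))
```

No pixel value moves by more than 1 out of 255, which is why the change is not visible to the eye; detecting it relies on statistical analysis of the low-order bits rather than on inspecting the picture.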

Source: http://www.logicalsecurity.com/resources/resources_articles.html

Review full Cryptography Chapter at http://www.LogicalSecurity.com

http://logicalsecurity-ls.blogspot.com/2009/03/steganography.html