Tech Note #35: How Encryption and Digital Signatures Work
1999 Bionic Buffalo Corporation; All Rights Reserved.
19 May 1999
It doesn’t take long to find that encryption is a highly controversial subject, restricted in
many ways by laws and regulations. There is a conflict between the need for individual
liberty and economic freedom, and the desire of governments to monitor their own
citizens and the military and industrial activities of competitors.
Governments have at times encouraged the use of systems that allow the
governments themselves to decrypt traffic, which is another way of saying the systems
are insecure. Even large vendors such as IBM have admittedly added secret mechanisms
(known as trap doors) to commercial software, to allow U.S. Government decryption
of message traffic.
Because of the large quantity of rumour and disinformation about these matters, it is
important to trust no one completely. Once again, public scrutiny is the most significant
single indicator of how trustworthy a system might be. If the algorithm hasn’t been widely
studied, and the source code isn’t available, don’t believe it.
That the encryption program itself can be studied is not sufficient reason to
believe it is secure. An operating system, for example, or a virus, can intercept
keystrokes input to an application, rendering any cryptosystem unsafe. Open systems, such
as FreeBSD and Linux, which are built by the user from the sources, are considered the
most secure platforms.
Because of export or import restrictions, the use of a foreign implementation (which has
no problems with export) or a domestic implementation (which has no problems with
import) might be preferred.
Some cryptosystems are patented, and the patents are not equally valid in all
jurisdictions. For example, RSA is patented in the United States, but can be used freely
in other countries. On the other hand, IDEA (a symmetric key system) is patented in
Switzerland, but can be used freely in the United States.
Needless to say, the use of a patented system may entail royalties or other expenses
that would not apply to a system free of such restrictions.
There is also a considerable amount of lobbying by patent holders to have their
algorithms included in public standards, since it increases their revenue. The owners of the
RSA patent have successfully worked to incorporate the RSA algorithm into various
formal standards, making its use required for compliance.