Cryptic Controls

crypto/scope
January 15, 1998

Norvin Leach
MSDN Online News Editor

This week, RSA is holding its Data Security Conference. Time for the annual Bashing of the Feds, in which one or two hapless government representatives get to sit on a panel and deflect punches from critics of the federal data-encryption policy.

It's a bitter fight and it's been going on for years. If you're not familiar with it, here's the basic battleground: The government wants to limit strong encryption, claiming that law enforcement agencies need to be able to access messages and data sent and stored by criminals. Technology and privacy advocates argue that the government shouldn't curtail privacy rights, and that encryption limits will put the United States at a competitive disadvantage.

Focal points of the battle include the strength of the encryption, prohibitions against exporting encryption technology, and the required use of escrow keys so that law enforcement officials can get at data more easily.

What does this mean for software developers? Uncertainty, for one thing. We know where the government stands today—the Clinton administration favors limits on encryption technology. But it's unclear where we'll be tomorrow. Law-enforcement proponents like FBI Director Louis Freeh are pushing for even stronger controls, but some lawmakers are trying to relax controls through bills like the proposed SAFE Act (see the U.S. House of Representatives Web site at http://www.house.gov/goodlatte/encryption.htm).

Microsoft, by the way, supports SAFE and similar initiatives. We believe that current export controls are outdated and that customers want stronger security and privacy protections.

But this uncertainty doesn't mean that encryption technologies are out of reach. For a good overview of what's out there today, read Peter Berkman's column, "Safety Net," in the November/December 1997 issue of Developer Network News.

If you're looking at using cryptography in your application but don't know much about it, dip into Cryptography API (CryptoAPI), our library of high-level cryptographic interfaces.

CryptoAPI manages details like key management, formatting, and cipher algorithms. It also presents developers with a single interface that supports different underlying ciphers. Third-party cryptography companies such as BBN, Cylink, and Hewlett-Packard have created plug-in modules, called Cryptographic Service Providers (CSPs), for the CryptoAPI.

You can get more information about the CryptoAPI and the current Cryptographic Service Providers from the Microsoft Security Advisor Web site—see especially the "CryptoAPI" (http://www.microsoft.com/security/tech/misf6.htm) and "CSP Development" (http://www.microsoft.com/security/tech/capi/cspdev.htm) pages. A wealth of cryptography information is also available in the MSDN Library, in the Internet, Security bin.

Overall, the Microsoft Security Advisor Web site (http://www.microsoft.com/security/) offers a good collection of information. While a lot of the material concerns network administration and security issues, the site also houses developer-related information on technologies, such as Microsoft Authenticode technology (http://www.microsoft.com/security/tech/misf8.htm) and smart cards (http://www.microsoft.com/security/tech/misf18.htm). Information on both of these topics can also be found by searching the MSDN Library.

Incidentally, on the subject of network security, I've heard that British and Australian network administrators have been amused and confused by the latest denial-of-service attack against Windows NT and Windows 95.

At Microsoft, we call it NewTear, since it's a variant of the Teardrop attack. On the Internet, however, it's called Bonk. And, given the meaning of the term "bonking" in Britain (I'll let you guess at that), there's quite a bit of funny mail flowing around. It may not be as memorable as the Ping of Death, but it's close.

Also, our Future Directions page on the Microsoft Windows NT Server Web site (http://www.microsoft.com/ntserver/guide/nt5_pdcwp.asp) lists several white papers discussing security technologies that we're working on for Windows NT version 5.0.

Finally, if you have more questions about security, check the RSA Web site (http://www.rsa.com/). It has a lengthy FAQ file (http://www.rsa.com/rsalabs/newfaq/) that answers almost 200 questions ranging from the simple to the complex.

Is cryptography important to your applications? If the government limits strong encryption, will it affect your work? Let me know.