Canada’s encryption debate

Canada still imposes restrictions on encryption. Who knew?

Today I happen to read something that Michael Geist had written about Canada’s state of encryption laws and I was floored. In it he referenced this article which discussed the Government of Canada’s new public consultation on encryption laws. From the article:

Encryption controls have been a challenge for many Canadian software and hardware vendors. Category 5 — Part 2 of Canada’s Export Control List identifies information security items that require a permit in order to be exported from Canada to destinations other than the United States. Because the threshold for control is very low — key lengths in excess of 64 bits (in the case of symmetric algorithms) — many vendors have been surprised to learn that the export or transfer of their encryption goods and technology requires a permit before shipment to their foreign customers. Often, they first discover this when the Canada Border Services Agency detains these goods just prior to export. Failure to obtain a permit prior to exporting or transferring controlled goods or technology can attract significant penalties.

The reason I am so surprised by this is that today, in 2010, 64-bits is nothing. For a recent school project a few colleagues of mine and myself designed a distributed brute-force approach to cracking an RC4 key. Doing some internal algorithm speed tests we determined that a single machine could brute force approximately 402,000 different keys per second. At that rate it would take one machine 1,455,081 years to check all 2^64 keys. Seems pretty good so far huh? Well the problem with this number is that we are not professional cryptographers. RC4 has known weaknesses that allow you to break it faster than a brute force attack would otherwise allow. But assuming you still attempted to complete the brute force method, I highly doubt it would take that long. DES, the older, widely used, encryption standard, also had a key size of 64-bits but, thanks to specially designed hardware, is now able to be broken in less than a week. While it is true that not all algorithms are built equally (i.e. AES with a 128-bit key is more secure than RC4 with the same sized key) it is generally true that having a larger key size and a secure algorithm are good things. According to current Canadian encryption laws 64-bits is deemed to be the strongest security you can legally export without a permit. Clearly this current limitation is simply unacceptable.

When you visit a secure website, for example your bank’s, your browser usually uses a 128-bit or 256-bit secret key to ensure that absolutely no one can listen in. And yet this security, the very security that gives people piece of mind when they shop online, is essentially illegal to export or sell overseas with our current laws. I completely agree with the author of the article when he says that requiring Canadian businesses to secure a permit before they can ship their software puts them at a distinct disadvantage.

Additionally, the Canadian government has allowed themselves to fall behind the security curve in other ways. Recently a good friend of mine was hired for a research job at the Government. In order to move him through the hiring process they requested that he send sensitive materials like his SIN and birth certificate through unencrypted e-mail to them. And you wonder why identity theft is so bad…

We as citizens and workers have some real things to gain or lose depending on the outcome of this consultation. If the current law is allowed to stand we will be stuck at a competitive disadvantage and have to choose between either less security in exported software products or more paperwork.

So do your part and make sure Canada doesn’t get stuck behind the technology curve. Join the debate.