The use of technology to stay ahead of and get around laws and regulations is a recurrent theme in my writings and talks. A legislative process that cannot keep up with the pace of technology is often guilty of producing regulations too mired in the specifics of today's technology that they do not anticipate and do not apply to the changes that will inevitably come. An example of a technology that may be a way around existing encryption legislation is Chaffing and Winnowing.
As of this writing, the U.S. Department of Commerce's new regulations regarding relaxing encryption exports has not been released. A preliminary draft of the new standard, which is set for release on December 15, seems to indicate that it will not be as revolutionary as promised. It appears that we must continue to deal with a somewhat complex and arbitrary set of restrictions for encryption. What is Chaffing and Winnowing, and is it a way around these laws?
"Chaff" and "Winnowing" are terms that come from the oldest profession (or second oldest, depending upon who you ask) - farming. Winnowing means to remove the useless parts, or "chaff", from grain. By adding useless information to valuable data, you are able to securely transport the entire package until it can be safely winnowed at the other end. By obscuring data within meaningless bytes, we are providing the same functionality as encryption, but technically we aren't encrypting anything. Here is how it works:
First, the sender breaks a valid data file or message into packets.
Second, a checksum is computed for each packet. The checksum is computed by using an authentication key. This is a secret key shared between both parties.
Third, "chaff" is added in the form of packets with random data. The key part of the process of adding chaff is that the checksum is not computed with the authentication key. The checksum is therefore bogus and will identify the packet as phony.
Fourth is the "winnowing" process. The recipient uses the authentication key to recompute the checksum for each incoming packet. This checksum is compared to the checksum computed on the sender's end. Any packets with mismatched checksums are discarded as "chaff." The remaining packets are reassembled to reveal the actual message or data file. You can correlate the receiving process very nicely with how communications protocols such as Ethernet verify the integrity of packets.
We have now sent data securely, all in clear text. How secure is Chaffing and Winnowing? Like encryption, it is as secure as you want to make it. The important considerations are the algorithm for computing the checksum, the technique for adding chaff packets, and the size of data within each packet. Ideally, each packet would contain a very small amount of data, as little as a bit or a byte. Packets that contain large amounts of legitimate data could potentially be discovered, as the data appears to be ordered, as opposed to the random data in the chaff. In theory, it seems very solid. The main issue is the amount of chaff data that would be needed to obscure messages for high security communications. However, this is the type of issue that we can expect hardware and bandwidth to solve.
Chaffing and Winnowing is new and unproven, but it isn't fantasy: It has been proposed by none other than Ron Rivest, an inventor of the RSA encryption algorithm and a professor at MIT. There has been some development work on the technique, but it is not in shipping products. By the wording in the Department of Commerce regulations, this technique seems to be legal for export because it is not encryption. My hope is that our policymakers will decide to get out of the way and let us freely use strong encryption without restrictions. Encryption technology is good, and I have a real preference for using tried-and-true solutions. However, to the extent that encryption export regulations are going to be a long-term issue, perhaps we need to turn these theories into reality.
RELATED LINKS
Cryptic Crypto Rules Uncloaked
The Industry Standard, 11/24/99.
Industry not keen on government regulation
Network World, 11/15/99.
Pros and cons of the Clinton administration's encryption export announcement
Network World, 10/06/99.
White House proposes easing encryption export regulation
Network World, 09/17/99.
RELATED LINKS
Cryptic Crypto Rules Uncloaked
The Industry Standard, 11/24/99.
Industry not keen on government regulation
Network World, 11/15/99.
Pros and cons of the Clinton administration's encryption export announcement
Network World, 10/06/99.
White House proposes easing encryption export regulation
Network World, 09/17/99.
Archive of Network World on Security newsletters
Network World Security Alert will keep you up to date on the latest security holes and patches, with daily updates from key vendors, security organizations and Network World reporters. See the latest dispatches from the security here.
