news & analysis

Breaking through the encryption barrier

US security hinders global economy

What the media tagged as a "disaster" came as no surprise to Netscape. In mid-August, a team of graduate students and Netscape users performed a brute force decryption on RC4, RSA Data Security's encryption algorithm that supports the backbone of security for the Netscape World Wide Web Navigator. A second team's decryption program finished the task one day later. The media then quickly latched onto the story, and started whipping it into a frenzy for anyone with an interest in electronic commerce.

Yet, users familiar with RSA encryption, or public-key encryption in general, know that any message can be decrypted by brute force sooner or later. Netscape surely did, and there is not much they can do about it: the problem is not with the algorithm, but with the export policy of the US. The only way to increase the security of communications is for the US to legalize the export of hard-to-decrypt cryptography. And with RC4, that means longer keys.

The key to a Netscape session (it changes every 100 seconds) is a 128-bit number for browsers sold within the US, but the key is limited to 40 bits for versions that are exported to other countries. It was this 40-bit software that was "broken" (and only a single 100-second session key was decrypted); the brute force decryption work was completed in 8 days, on the equivalent of 50 networked Pentium computers. The 128-bit key, on the other hand, could not be broken in a reasonable amount of time with private resources; doing so would be 2^88 times harder.

But large-key encryption algorithms cannot legally be exported from the US; they are classified, seemingly perversely, in the same category as munitions. In some ways, though, that classification is an apt one. Encryption technology is similar to nuclear technology: both give a country an immense advantage, and both are hard to keep secret. Yet, while the world would be a better place without nuclear weapons, most people would argue the opposite for encryption. Internet users, in particular, would like the guaranteed privacy that this encryption system provides.

Will the US back down under pressure from business? While Netscape maintains that the 40-bit encryption is good enough for credit card transactions, concessions for financial transactions seem to be in the works. According to Netscape's Japan Country Manager Shin-ichi Sugihara, "By the end of November, we should be seeing 60- to 100-bit encryption being made available for financial institutions."

In hopes that this is the case, Netscape has announced a new product called Secure Courier for financial transactions that will use a 56-bit key (making it 64,000 times as hard to break as a 40-bit key). Yet even this will probably not be enough to keep data secure from a determined and resourceful hacker in the future.
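To illustrate the key-length figures quoted above for 40-, 56- and 128-bit keys (an added example, not part of the original article): a minimal RC4 with an exhaustive known-plaintext search over a constructed 16-bit key, plus a function that scales the article's 8-day figure for 40 bits to other key lengths. The key, message and function names are assumptions made for the example.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def search(ciphertext: bytes, known_prefix: bytes, secret_bits: int):
    """Try every key of secret_bits bits; return (key, keys_tried)."""
    nbytes = (secret_bits + 7) // 8
    head = ciphertext[:len(known_prefix)]
    for candidate in range(1 << secret_bits):
        key = candidate.to_bytes(nbytes, "big")
        if rc4(key, head) == known_prefix:
            return key, candidate + 1
    return None, 1 << secret_bits


def scaled_days(bits: int, base_bits: int = 40, base_days: int = 8) -> int:
    """Scale the article's figure (8 days for 40 bits) to another key length,
    assuming the same hardware: each extra key bit doubles the work."""
    return base_days * 2 ** (bits - base_bits)


# Constructed sample: a 16-bit key so the search finishes in seconds.
SECRET = (0x0A17).to_bytes(2, "big")
MESSAGE = b"card=0000-0000-0000-0000 (constructed sample)"
CIPHERTEXT = rc4(SECRET, MESSAGE)

if __name__ == "__main__":
    key, tried = search(CIPHERTEXT, b"card=", 16)
    print(f"recovered key {key.hex()} after {tried} of {2**16} keys")
    for bits in (40, 56, 128):
        print(f"{bits:3d}-bit key: {scaled_days(bits):.3e} days on the same hardware")
```

The 56-bit result is 2^16 = 65,536 times the 40-bit effort, which is the "64,000 times" in the text rounded down.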

In the end, the US is just buying time. Even if the government does not see fit to ease its restrictions on the export of cryptographic technology, more than likely the know-how for creating the technology will emigrate, and encryption programs developed in Japan or elsewhere could become the world standard. In preparation, the US should be considering the impact of the technology on the future, and how ultimately secure communications will affect governments and their role in business.

If the current policy buys enough time for government to formulate intelligent policy on global electronic commerce, there is no wrong-headedness about it. But, then, what are the chances of that?

IntraAsia Internet nears reality

In "Breaking Through the Glass Ceiling" in our Sept./Oct. issue (pages 16-17), Craig Oda described a proposal by Pindar Wong of Supernet (a Hong Kong Internet provider) to establish the infrastructure for an intra-Asia Internet hub. The chances of success for such an effort, as Oda pointed out, will depend on several factors, including mutual cooperation among countries, deregulation of national telecommunications laws, the future of Hong Kong after its reabsorption into China in 1997 (assuming the central linkage point is there, as was proposed), and the changing usage patterns of the Internet itself.

Those hurdles remain, but the envisioned intra-Asia Internet took a giant step closer to reality in October as four firms -- Internet Initiative Japan (Japan's largest Internet access provider), Sumitomo Corporation, Pacific Internet (Singapore), and Supernet (Hong Kong) -- announced plans to form a joint venture that will build a high-speed internetwork linking Internet providers in Japan, Hong Kong, and six other Asian countries.

The new operating company, Asian Internet Holding (aka A-Bone), was to be established in mid-November, capitalized at ¥600 million with each investor holding an equal share. Internet providers in Indonesia, Malaysia, and Thailand are expected to invest in A-Bone by the end of the fiscal year, with Korean and Taiwanese providers joining sometime in fiscal 1996.

Initially, A-Bone will lease 1.5M-bps bandwidth for the project from KDD and other international communications companies to link Japan and Singapore via Hong Kong. If providers in other Asian countries join as expected, the intra-Asia backbone would link at least eight Asian countries within two years.

The major benefits of the project for Internet users in Asia will be faster response time and greater available international bandwidth. At present, Internet traffic between countries in Asia (and, sometimes, even between two providers within the same country) is routed through linkage points in the US. A-Bone will be the first intra-Asia pipeline for Internet data communications, and can be expected to stimulate the growth of the Internet in Asia even further.

Japan's PC sales surge -- but not enough

While sales increase nearly 60%, few manufacturers earn a profit

Sales of personal computers in Japan have soared in 1995. The projection by Dataquest Japan at the beginning of the year was that the Japanese PC market had entered a long-term period of high growth, and that 1995 PC sales would grow by 21%, to 3.9 million units. (This on the heels of a 30% year-on-year sales increase in 1994.)

The sudden popularity of the PC, driven in part by lower prices and easier-to-use systems, caught nearly everyone by surprise. In October, Dataquest released revised figures, announcing that 1995 Japanese PC sales will actually grow by 58% (nearly triple the earlier estimate), to 5.3 million units. The pace will slow in 1996, Dataquest predicts, to 33%, but this would still be 1.5 times the 22% that it expected for 1996 a year ago.

A year-on-year "historic" 58% increase should be good news, but the sales of 5.3 million units anticipated by Dataquest are actually well below the combined sales targets of Japan's eight major computer vendors. Most aggressive in upping sales targets has been Fujitsu, which initially doubled its target from 500,000 units to 1 million, and is now aiming for 1.5 million sales in FY 1995. NEC, too, has raised its sales target from 2.3 million to 2.8 million, and now to 3.0 million units. If these and other manufacturers in fact have increased their production in line with their stated targets, there must now be a sizable oversupply of new PCs sitting in warehouses throughout Japan.

Which would spell "bad news" for Japan's computer giants. Prices and, more importantly, profit margins have already dropped over the past several months. (The average sales price of a PC so far this year is said to be ¥238,000, down over 10% from 1994.) If one or more manufacturers tries to dump an oversupply, prices will plummet even further.

In attempting to meet its sales target, Fujitsu has been a leader in the price battle. Sales volume does not equate with profits, though. Fujitsu officials publicly admit that the company's PC operation is in the red this year. IBM Japan, too, reports that although the company is meeting its sales volume targets, gross profits are plummeting. NEC remains hopeful, but admits that it did not meet its first-half 1995 profit target. Some observers suggest that, of Japanese computer manufacturers, only NEC and Toshiba are likely to earn a profit.

The picture looks bleak for Japanese computer makers, especially with new foreign entrants like Gateway 2000 and Packard Bell entering the fray, along with established foreign firms like Dell, Compaq, and HP. Bad news for manufacturers is good news for consumers, though, as prices fall even as systems improve, and good news for software makers as well. And, eventually, it may even be good news for computer manufacturers; just think of the expanded installed base of Pentiums that will need to be upgraded to P6 or P7 machines in another two or three years.

The PC vs.

In Japan, the personal computer faces tough competition from the wapuro (word processor). Basically a text-dedicated, scaled-down computer (or souped-up electric typewriter), the wapuro has gained widespread acceptance. A recent survey report released by the Management and Coordination Agency (MCA) reveals that, in 1989, one-quarter (25.1%) of Japanese households of two or more persons owned a word processor, about double the 12.4% that owned a personal computer.

In 1994, the diffusion rate of word processors into Japan's households had increased to 43.7%, more than 2.5 times the 16.6% of households that owned a personal computer. While over 18% of households had purchased a word processor in the five years from 1989 to 1994, only a bit over 4% acquired their first PC. In fact, more households owned an electric carpet (64%), cordless telephone (44%), and video camera (34%) than owned a computer.

One surprising statistic of the MCA survey reveals that single women are among the most active purchasers of word processors and computers. The number of single women owning a word processor rose 2.8 times between 1989 and 1994, while the number owning a computer more than tripled. The report suggests that this is attributable to the increasing number of women in the workplace.

(c) Copyright 1996 by Computing Japan magazine