[ISN] Signs of Insecurity in Cyberspace - Analysis

From: mea culpa (jerichot_private)
Date: Thu Jul 02 1998 - 19:12:11 PDT

    Forwarded From: Nicholas Charles Brawn <ncb05t_private>

    Cryptography legislation is on the way, but a number of key issues still
    have to be resolved, says Wendy Grossman.

    Cryptography legislation has been a long time coming. Shortly before last
    year's general election, the Department of Trade and Industry announced
    proposals for creating a network of "trusted third parties" to provide
    authentication services and enable electronic commerce.

    Now, a year later, the DTI has released details of the 260 comments it
    received on those proposals, along with a promise (or threat) of
    legislation to be introduced in the next session of Parliament. The DTI's
    spokesman, Nigel Hickson, says the legislation is expected to include
    voluntary licensing for providers of cryptographic services; freedom of
    choice regarding specific products or technologies; legal recognition of
    electronic signatures; and legal access for law enforcement agencies with
    the appropriate warrant. Some of these are a big improvement on last
    year's proposals, which made licensing mandatory.

    Because the Internet was designed to allow people to share information
    rather than protect it, it is inherently insecure. Cryptography, the art
    of scrambling data so it can't be read by unauthorised interceptors, is a
    core technology for protecting the confidentiality of data and
    authenticating its integrity via digital signatures. As we move towards
    electronic commerce, digital signatures that are as legally binding as
    handwritten ones are a necessity. In such a world, certification
    authorities will act as guarantors in much the way that notaries public do

    The fly in the ointment has been law enforcement's desire for access to
    the contents of encrypted communications lest the Net turn into a
    free-for-all for drug dealers, terrorists, paedophiles and organised crime
    (a quartet sometimes called the "Four Horsemen of the Infocalypse").
    Privacy advocates, cryptography fans, civil libertarians and businesses
    have all argued against this, on the grounds that restricting the use of
    strong cryptography is like requiring everyone to send all their personal
    mail on postcards.

    It's a step forward, therefore, that this year's proposals have separated
    signing keys (the scrap of data that proves the communication came from
    you) from confidentiality keys (the key used to encrypt data so only you
    can read it). Under last year's proposals, it was conceivable that law
    enforcement officers might be allowed access to signing keys, a violation
    of every basic precept of good security. Under this year's revisions, it
    looks likely that signing keys will be exempt from law enforcement access

    But there is a lot still to be concerned about; in fact, the outlined
    intentions raise more questions than they answer. For example, we don't
    know who would issue licences or under what conditions; whether the same
    service provider could offer both licensed and unlicensed services; what
    liability service providers would have; the relationship to other laws,
    particularly the Data Protection Act; or how uses other than signatures
    and confidentiality fit in. Those other uses aren't trivial, either, as
    they include such things as digital watermarking schemes to protect
    intellectual property.

    At the same time, the European Commission is looking at international
    issues that are also important: how and whether the export of strong
    cryptography should be restricted; how to ensure that national
    infrastructures will be interoperable; and, again, what the liability of
    service providers should be. "The most important principle," said Richard
    Schlechter for the EC's DGXIII at a recent conference on cryptography in
    London, "is to be sure that if you're doing business over the Internet you
    have a legal signature at the end."

    Everyone sounds so reasonable that you would never guess the political
    battle over the availability of cryptography has been one of the fiercest
    of recent times. Four years ago, as Hickson says, no one imagined the
    Government would ever need a cryptography policy because no one except
    governments had cryptography. The advent of cheap computing power and the
    development of public data networks, along with the release on the Net of
    the free program PGP (for Pretty Good Privacy), changed that. Across the
    Internet, I can now read papers that 10 years ago would have been
    classified out of reach and use software of a grade formerly available
    only to the military.

    At the same time, however, I take far greater risks by sending my personal
    correspondence across Internet links than I ever did sealing it into an
    envelope and entrusting it to the Post Office. So, without hesitation, I
    can say: yes, we need a framework for electronic signatures, and yes,
    there probably is a market for voluntarily licensed certification
    authorities of one type or another. But we need to think very carefully
    before we hand law enforcement agencies the right to our private keys, and
    we need to think hard about what the answers should be to those unanswered