Petri Puhakainen
Department of Computer Science and Engineering
Helsinki University of Technology
Petri.Puhakainen@fi.oracle.com
The Internet is growing rapidly and the sale of products has started to move to the Internet. Much of the communication of current systems - computer systems but also others like telephone systems - is done through public unsecured networks. Many computers are connected to public networks and face a lot of threats. Several advanced technologies can protect our systems against these threats, and cryptography often has a big role in them. But there are many political questions around cryptography. The export of cryptographic products from the USA is strictly controlled and this makes the use of cryptography more complicated. The efficient use of cryptography needs supporting infrastructures that must be implemented before wide acceptance of the most advanced technologies is possible. There are also legal issues like the legislation about public key certificates and certification authorities as well as digital signatures. The governments and other authorities must quickly find some answers to these open questions.
2.1 The Objectives of Information Security
2.2 Cryptography's Role in Implementation of Security Services
2.2.1 Identifying a Safe Key Length
3 The Controls of Cryptographic Products
3.1 What Is Signals Intelligence?
3.2 U.S Export Controls of Cryptographic Products
3.2.1 Background
3.2.2 Relaxation of U.S. Export Controls
3.3 Usage Controls
3.4.1 Key Recovery and Escrowed Encryption
3.4.2 Implementing Escrowed Encryption
3.4.3 Operational Responsibilities and Liabilities of Escrow Agents
4 The Infrastructures Needed for Cryptography
4.1 Managing Secret Cryptographic Keys
4.2.1 Distributing Public Keys
4.2.3 Certification Authorities
5 Digital Signatures
Whenever computers communicate through an unsecured channel, the transferred data can be modified or forged. The transport of the data must be secured, and cryptography can provide a lot of help with this. It makes the transport of the data between two computers much safer. The technology is based on the essentials of secret codes augmented by modern mathematics that protect the data. There are two main things that make the use of cryptography secure: an effective algorithm and the length of the key. The algorithm used must be public and well known, so that many experts have had the possibility to evaluate it and find possible weaknesses. The key must be long enough to make it more difficult to break the encryption and find the key.
The usage of strong encryption is not very easy. Many of the commercial products like databases, web servers, and web browsers are made in the United States and the export of any cryptographic product is tightly controlled. Any product using cryptography must get an export license. If the product is using strong cryptography, the license is very hard to get.
All cryptographic algorithms depend on keys that must be kept secret. The main problem in the usage of secret keys is the distribution: how to distribute the keys efficiently and safely? The same problem exists in the distribution of symmetric keys as well as private keys. If the network is very large, manual distribution of symmetric keys is unbearable. Public keys are much easier to distribute, because they can and must be publicly known. One way to distribute them is in the form of public key certificates.
One very interesting and important concept is the digital signature. It is a mechanism that protects data from undetected change. Moreover, the digital signature associates the data with the owner of a specific private key. This technique is expected to have a central role in electronic commerce, because it can provide digital credentials that are extremely hard to forge. The digital signature is a technical concept. Its acceptance as a legal signature depends totally on its definition in the law, and its usage as a signature must be well defined before it can be used the way our signatures are now used with paper documents.
Confidentiality. Ensuring that information is not disclosed or revealed to unauthorized persons.
Integrity. Ensuring consistency of data by preventing unauthorized creation, alteration, or destruction of data.
Availability. Ensuring that legitimate users are not unduly denied access to information and resources.
Legitimate use. Ensuring that resources are not used by unauthorized people or in unauthorized ways.
The main disciplines for achieving these goals are communications security and computer security. Communications security is the protection of the information while transferred between systems. Computer security is the protection of information within a system. It includes such things as the security properties of operating system software and the security features in database management software. Communications security and computer security measures need to work in conjunction with other categories of security measures, including [7]:
Physical security, such as locks on doors and other physical access controls.
Personnel security, such as employee screening and security training.
Administration security, such as investigation of security breaches and review of audit trails.
Media security, such as ensuring that discarded paper or magnetic media containing sensitive information are destroyed securely.
There are many potential threats to information systems: penetration, authorization violation, planting (such as Trojan horses), communications monitoring, communications tampering, denial of service and repudiation. There are several security services that must be implemented to protect the systems from these threats [7]:
Authentication services provide assurance of identity. There are two main variants of authentication services: entity authentication and data origin authentication.
Access control services protect against unauthorized access to any resource. Access control is the primary means for enforcing authorization.
Confidentiality services protect against information being disclosed or revealed to any entity not authorized to have that information.
Data integrity services protect against the change of value of any data item and against creating and deleting messages without authorization.
Non-repudiation services protect against any party of a transaction falsely denying the occurrence of that transaction.
But cryptography is a two-edged sword for U.S. national security interests. Cryptography is important in maintaining the security of U.S. classified information and the U.S. government has developed its own cryptographic systems to meet these needs. At the same time, the use of cryptography by foreign adversaries also hinders U.S. acquisition of communications intelligence. Signals intelligence (SIGINT) is an important arm of U.S. intelligence, along with imagery intelligence (IMINT) and intelligence information collected directly by people (human intelligence, HUMINT). SIGINT is a very valuable component of U.S. intelligence capability. It makes a lot of contributions to ensure an informed, alert, and secure environment for U.S. war fighters and policy makers. Signals intelligence is important both to tactical and strategic intelligence.
Strong cryptography can prevent any given message from being understood. The U.S. decision makers are afraid that cryptography used by adversaries on a wide scale would significantly increase the cost and difficulty of intelligence gathering. They also think that cryptography used by governments and foreign companies can increase an adversary's capability to conceal the development of missile delivery systems and weapons of mass destruction. Someone has said that cryptography could even improve the ability of an adversary to maintain the secrecy of its military operations to the detriment of U.S. or allied military forces that might be similarly engaged. Today, there is a noticeable trend toward better and cheaper encryption that is steadily closing the window of exploitation of unencrypted communications. The growth of strong encryption will reduce the availability of intelligence.
Authority to regulate imports and exports of products with cryptographic capabilities to and from the United States has been derived from two items of legislation: the Arms Export Control Act (AECA) of 1949 and the Export Administration Act (EAA). The AECA is the legislative basis for the International Traffic in Arms Regulations (ITAR), in which the U.S. Munitions List (USML) is defined and specified. Items on the USML are regarded for purposes of import and export as munitions, and the ITAR are administered by the Department of State. The EAA is the legislative basis for the Export Administration Regulations (EAR), which define dual-use items on a list known as the Commerce Control List (CCL). The EAR are administered by the Department of Commerce. The ITAR has regulated and controlled exports of all cryptographic products with the capability of maintaining secrecy or confidentiality of information or information systems [4]. Strong authentication has been exportable, but products using strong authentication often use cryptography also for confidentiality. So the situation with these products is not very clear.
Banks and other financial institutions.
Subsidiaries of U.S. firms worldwide (except seven terrorist nations).
Insurance companies.
Health and medical organizations. This does not include biochemical or pharmaceutical manufacturers.
On-line merchants for client-server applications, with the purpose of securing electronic transactions between merchants and their customers. This does not include manufacturers and distributors of items controlled on the U.S. munitions list.
Export of these products to the industries mentioned above is only allowed to 45 separately accepted countries. This covers most major commercial markets including Western Europe, Japan, and Australia. This policy excludes all service providers, manufacturers and distributors of items controlled on the U.S. munitions list. Exports to end users or destinations outside this policy are possible on a case-by-case basis. Prior to export, all products are subject to a one-time product technical review.
It is very hard to find any exact definition of what counts as export of technical data related to cryptography and how strictly various things around cryptography are controlled. The writers of the book 'Cryptography's Role in Securing the Information Society' found one article about the export of technical data related to cryptography. It was published in the Munitions Control Newsletter, number 80, February 1980, by the Office of Munitions Control (the office is now the Office of Defense Trade Controls). In the article it was written: 'Cryptologic technical data refers only to such information as is designed or intended to be used, or which reasonably could be expected to be given direct application, in the design, production, manufacture, repair, overhaul, processing, engineering, development, operation, maintenance, or reconstruction of items in such categories'. This interpretation includes algorithms and other procedures purporting to have advanced cryptologic application. It is also defined that professional and academic presentations and informal discussions, as well as demonstrations of equipment, constituting disclosure of cryptologic technical data to foreign nationals are prohibited without prior approval.
Discussing cryptography with a foreign citizen.
Giving away software with encryption capabilities over the Internet.
Shipping products with encryption capabilities to a foreign company within the United States if the company is controlled but not owned by a U.S. company.
Selling a U.S. company that makes products with strong encryption capabilities to a foreign company.
Selling products with encryption capabilities to foreign citizens on U.S. soil.
Teaching a course on cryptography that involves foreign graduate students.
In the security-specific software market, U.S. manufacturers face much more competition in several foreign markets. To a large extent, markets for these products tend to be national, not only due to export controls, but because the local vendors of security-specific products are at a competitive advantage. They are better situated to work closely with end-users and develop tailored encryption solutions.
Because of the absence of significant foreign competition, the impact of U.S. export controls on the international market shares of general-purpose products is very small. This means that the economic impact is far too small for U.S. officials to give up all of the controls. But more relaxations will come when the real information society starts to emerge even faster than now.
There are a small number of countries - in addition to France - where domestic controls on the use of cryptography are in place. These include Belarus, China, Israel, Pakistan, Russia, and Singapore. There are an even smaller number of countries that are currently considering the adoption of new controls. These include India, South Korea and the United States. The policies of the United States are the most surprising. Almost all other democratic, industrial nations have few - if any - controls on the use of cryptography. This can be explained by the strong role that state security agencies have in the development of encryption policy.
Several approaches to key recovery have been proposed and also implemented. The Escrowed Encryption Standard (EES) was established by the U.S. government in 1994. It is used in CLIPPER and CAPSTONE chips. CLIPPER is designed for use in encrypted telephones for the commercial market. CAPSTONE is designed for messaging applications - email as an example. Both of the chips use the SKIPJACK block cipher algorithm. They are designed to support the typical range of crypto functions, while also providing a secure backdoor for decrypting any data they encrypt. The EES defines the functionality of the back door.
Today, escrow as a concept applies not only to the initial purpose of assuring law enforcement access to encrypted materials, but also to possible end-user or organizational requirements for a mechanism to protect against lost, corrupted, or unavailable keys. It can also mean that some process - such as authority to decrypt a header containing session keys - is escrowed with a trusted party. It can also mean that a corporation is ready to cooperate with law enforcement to access encrypted materials. The relationship between strong encryption and escrow encryption should be noted. Escrowed encryption can involve cryptographic algorithms that are strong and the keys can be long. It is intended to provide strong cryptographic confidentiality for users against unauthorized third parties, but no confidentiality at all against third parties who have authorized exceptional access.
If widely adopted and properly implemented, escrowed encryption could provide legitimate users with high degrees of assurance that their sensitive data would remain secure. It could also keep the U.S. officials happy, because they can obtain access to escrow-encrypted data in specific instances when authorized under law.
All this raises the question about partitioning escrowed information. One proposal is that there should be at least three different agents holding the components of the key and all of them need to accept the key request before the key can be given to officials. Another proposal is to use a so-called k-of-n arrangement - 3-of-4 as an example. Here the key is divided into 4 pieces and each piece is given to a different escrow agent. Now any 3 out of the 4 agents could enable exceptional access. Obviously, the greater the number of parties that are needed to consent, the more cumbersome exceptional access becomes. So concentrating escrow arrangements in a few escrow agents makes law enforcement access to keys more convenient, but it also focuses the attention of those who may attempt to compromise key escrow facilities. The security of these systems of course depends much on money. The systems of each escrow agent must be well protected and the more agents there are, the more money this security needs.
The users must be assured that the key information entrusted to escrow agents remains secure. That is why the escrow agents and their employees must be held accountable for improper behavior and for the use of security processes and practices that are appropriate to protect the keys. Liabilities can be criminal or civil. Criminal penalties could be established for the disclosure of keys to unauthorized parties or for the refusal to disclose such information to authorized parties. Questions of civil liability are more complex. Ideally, levels of civil liability for improper disclosure of keys would be related to the loss that would be incurred by the damaged party. This level could potentially be very large and it might be inappropriate to allow such levels of damages. One possibility is insurance against unauthorized disclosure. But in any case, if escrowed encryption is adopted widely, compromise of escrow agents holding keys relevant to network encryption may be catastrophic.
The products needed for escrowed encryption would be more expensive, because it is far more costly to manufacture escrowed crypto devices. The security requirements are much bigger. The escrowed keys must be generated, installed and delivered to escrow agencies under extremely tight security. Also the product complexity grows with escrowed encryption.
Escrowed encryption - like any other key access scheme - introduces additional ways to break into a cryptographic system. More people will know about secret keys and system designs, leading to higher risks of abuse. These new vulnerabilities are complex and need to be understood, as liability and privacy questions are implied.
The costs associated with the key access schemes would be very high. Up to now, questions of costs have not been addressed by policy makers, and neither has the question of who should bear the costs. Important cost factors would be the specific requirements put on the agents. Some of these requirements are: response time to deliver the keys, storage time for session keys, authentication of the requesting government agency, secure transfer of recovered keys, and the internal security services needed. Furthermore, substantial and unknown costs would arise from the need for scalability of the system: how to get it to work with millions of users? The cost of making it work on a global economic scale needs to be looked at carefully, but escrowed encryption does not seem to be the solution for the information society.
Any involvement of a third party in confidential communication increases the vulnerability of the system. The main reason for involving a third party in the management of keys for confidentiality is to allow that party to make the keys available to other than the communicating parties. This is one of the reasons, why users do not see many advantages in using escrowed encryption for confidential communications, and probably not even for stored information.
The acceptance of officially implemented escrowed encryption remains to be seen, but given its implied overheads and security holes, it cannot be regarded as an incentive for, for example, electronic commerce. The relaxation of export controls on cryptographic products also makes the need for this kind of system smaller. Even though key recovery and escrowed encryption are not widely implemented, many people suspect that key recovery features are secretly implemented in many cryptographic products of U.S. origin.
All the keys must have limited lifetimes at least for two reasons:
Cryptanalysis. The more the key is used, the greater the opportunity for an attacker to gather ciphertext.
If the key is for some reason compromised or cryptanalyzed, limiting lifetimes of keys limits the damage that can occur.
There must be an efficient and secure system for key generation, registration, backup and recovery, distribution, updating, and revocation, as well as termination. In general, protection of a key needs to be enforced throughout its entire lifetime, from generation to termination. All keys need to be protected for integrity purposes, as the possibility of an intruder modifying or substituting a key can compromise the protection service for which the key is being used. All secret keys must also be protected for confidentiality purposes. The key must always be stored in a physically secure location, if possible.
Secret key delivery can happen in a variety of ways, depending on the hardware and software being rekeyed. Paper distribution is a very common method with some strengths but also some weaknesses. The media needed is everywhere, but when written on paper, the keys need to be read by people. There is also the danger of typing errors. Diskettes or other writable media have the benefit that administrators won't need to see the values of the keys at either end. But the keys are also very easy to copy, if standard media are used. Some systems use special media like datakeys or magnetic cards for loading the keys. This makes casual copying more difficult. The docking approach is specific to some hardware products, and key loading can only happen by physically attaching the cryptographic device to a keying device.
Manual rekeying is inconvenient and risky. If one device already has the key, the two devices communicating could just exchange the key. Especially when the size of the network grows, it is useful to arrange automatic rekeying. ANSI X9.17, the banking industry's standard for exchanging DES keys, was developed because manual rekeying became impractical as networks grew. The process involves two different types of keys: key encrypting keys (KEK) and data keys (or session keys). The key encrypting keys are used to encrypt data keys. When two devices need to communicate, one of them generates a random data key and sends it to the other device encrypted with their shared KEK. Products that fully comply with ANSI X9.17 are not automatically eligible for export licenses, since they would support 112-bit keys.
There are also other ways to distribute secret session keys. For example RSA can be used to distribute symmetric encryption keys. Another algorithm that can be used is Diffie-Hellman key agreement.
The legislation about certification authorities and their actions and liabilities is almost non-existent. The same is true of certificate holders. What are the liabilities of the certification authority and the certificate holder if the private key of the holder is compromised? This part of the legislation must be improved fast on an international level, before certificates can be more widely used and trusted. Many existing certification authorities are dealing with this issue by establishing certification practice statements. These statements are referred to in agreements, and clearly state the responsibilities of certificate holders. A certification practice statement does not only protect the CA, but also informs the public about the policies of that CA. This can be useful to an organization in determining whether to trust a particular CA's certificates and in comparing the policies of CAs.
These statements articulate the policies of a CA and how those policies are implemented. A certificate policy is a set of rules that a CA employs in the issuance, management, and revocation of certificates. A certification practice statement commonly includes these policies, operating procedures, and authentication issuance requirements for different levels of classes of certificates [10]. It also includes the operating environment, standards, supported applications, formatting information, security practices, operational procedures for revocation, certification alteration, disaster recovery, audit key recovery, confidentiality of certificate holder information, liability and obligations of the CA, liability and obligations of the certificate holder, certification revocation list and directory services offered, administrative policies, and any cross-certification with other CAs [10].
The simplest approach for certification is the centralized authority. This approach relies on a single CA with a single set of keying material to sign all valid certificates in the system. All public key certificates must contain a valid copy of the CA's public key to validate its certificates. Any certificate signed by a different authority will be rejected. This system is simple, but inflexible. A major complaint against it is that the central CA becomes a bottleneck.
Another possibility is to use hierarchical systems that start with a root authority whose public key is usually distributed to all participating hosts. Unlike the centralized systems, the issuing of certificates is delegated to several CAs. The root authority only signs certificates for CAs. Some CAs may only sign certificates for lower level authorities, and so on. At the bottom of the system are authorities that sign certificates for individual entities or users. The series of certificates leading back to the root public key must be retrieved and checked in order to validate a user's certificate. Since a user's certificate is signed by a local CA, the public key in the local authority's certificate is used to validate it. To validate the local authority's certificate the key of the organizational CA is used. The process repeats itself as we walk up the hierarchy back to the root key that is manually installed in the software. This may be the root key of the entire hierarchy or a subordinate key, depending on how the system is set up.
The third possibility is the web of trust that PGP uses. PGP cryptography is designed to let individuals authenticate each other and communicate reliably. Typical implementations don't give us the right tools to associate PGP keys with business roles that are passed safely from one employee to another. The fundamental feature of PGP certification is that there is no difference between an individual PGP user and a CA. Any user may sign another user's key, acting as a CA when doing so. The convention among PGP users is that certificates are only signed if the signer is reasonably sure the certificate is legitimate.
Before issuing a certificate, it is critical that the certification authority confirms the identity of the person, device, or entity whose private key corresponds to the public key contained in a certificate. The extent to which identity must be confirmed is dependent upon the level of assurances that a particular class or type of certificate purports to provide. This is typically expressed within the certification practice statement of the authority.
For publicly available certificates, there is an additional issue that must be dealt with: what happens if a third party with no relationship with the CA relies on a certificate's authenticity, only to find that the certificate was invalid? Who is then liable? This is an issue that any company planning to issue publicly available certificates must address.
The provision of public certification services is a completely new service sector. Although still in its infancy, this sector is already attracting a lot of interest. The sector is currently dominated by commercial undertakings based outside of Europe (mainly in the U.S.), although some European companies have emerged. A significant number of new entrants are expected to appear on the market very rapidly and they seem to focus on their national market. This hesitation is linked to legal uncertainties. For example, there is no uniform legal framework specifying requirements for CAs. This does not hinder CAs from being active on the market, but serious obstacles for cross-border trust would result from the lack of common rules. Certificates issued by a CA in one country would not be recognized by a CA in another country. This happens especially when the other country has foreseen a licensing system for CAs and the certificate has been issued by a foreign unlicensed CA. Establishing common criteria for the activities of CAs would allow certificates issued by a CA in one country to be recognized in other countries too. In this area a lot must be done internationally before public key certificates will have a bigger role.
X.500 provides the basis for constructing a multi-purpose distributed directory service by interconnecting computer systems belonging to service providers, governments, and private organizations, on a potentially global scale. A broad range of services can be supported, but adoption of X.500 has been much slower than originally expected. The technology is complex and service providers have not embraced the concept of interconnecting their online directories, which could immediately give their competitors direct access to their subscriber lists. The Internet Lightweight Directory Access Protocol (LDAP) is much simpler and easier to implement than X.500. LDAP constitutes a useful standard protocol for accessing information stored in a directory, including accessing stored public key certificates. Many companies - like Microsoft, IBM and Oracle - are moving towards LDAP. For example, Oracle is going to store all database users, their roles and privileges in an LDAP directory tree.
The key exchange protocols proposed or deployed for network and transportation all provide facilities to deliver public key certificates to participants in a key exchange. This is seen in IPSEC key protocols. They are also important elements of SSL.
While transparent certification distribution is usually best, it is not the only approach. Many systems rely on other mechanisms to distribute certificates interactively. When users need certificates they perform their own electronic search for the certificate they need. This may involve e-mail messages, Web site visits and finger requests.
Once it has decided to revoke a certificate, a certification authority needs to make potential users of the certificate aware of the revocation. The most common method is a periodically published certificate revocation list (CRL). The CRL concept is described in the X.509 standard. A CRL is a time-stamped list of revoked certificates and it is digitally signed by a certification authority. When a system uses a certified public key, it checks the certificate signature and validity and acquires a suitably recent CRL. Then it confirms that the certificate is not on that CRL. The meaning of suitably recent is not standardized and may vary with local policy. A certification authority issues CRLs regularly, such as hourly, daily or weekly - the interval is again a policy decision of the certification authority. One limitation of this revocation method is that the time granularity of revocation is limited to the CRL issue period. Of course there is nothing preventing a CA from generating and posting a new CRL immediately when a new revocation becomes known. However, it cannot guarantee that such off-cycle CRLs will reach systems that use certificates.
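The walk up the hierarchy to the manually installed root key and the CRL check described above, combined in one added example (not code from the original paper). The toy RSA keys, the `Cert` and `CRL` record layouts and every name, serial number and time value are constructed for illustration; real systems use X.509 encodings and a vetted cryptographic library.

```python
import hashlib
from dataclasses import dataclass

E = 65537                        # public exponent used by every toy key below
DAY, NOW = 86400, 1_000_000_000  # constructed "current time", seconds since epoch

def make_key(a, b):
    """Toy textbook-RSA key from the Mersenne primes 2**a-1 and 2**b-1.
    Constructed for this demo only: unpadded, well-known primes, not secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus n, private exponent d)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(_digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == _digest(data, n)

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    pubkey: int      # subject's public modulus
    not_after: int   # expiry time
    sig: int = 0
    def tbs(self):   # the bytes the issuer signs
        return (f"{self.subject}|{self.issuer}|{self.serial}|"
                f"{self.pubkey}|{self.not_after}").encode()

@dataclass
class CRL:
    issuer: str
    issued_at: int      # time stamp of this list
    revoked: frozenset  # serial numbers revoked by the issuer
    sig: int = 0
    def tbs(self):
        return f"{self.issuer}|{self.issued_at}|{sorted(self.revoked)}".encode()

def validate_chain(chain, trusted_root, crls, now, max_crl_age):
    """chain is leaf first; trusted_root is (name, modulus). Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        # Issuer key: the next certificate up, or the manually installed root key.
        if i + 1 < len(chain):
            issuer_name, issuer_key = chain[i + 1].subject, chain[i + 1].pubkey
        else:
            issuer_name, issuer_key = trusted_root
        if cert.issuer != issuer_name or not verify(cert.tbs(), cert.sig, issuer_key):
            return False, f"bad signature on {cert.subject}"
        if now > cert.not_after:
            return False, f"{cert.subject} expired"
        crl = crls.get(cert.issuer)
        if crl is None or not verify(crl.tbs(), crl.sig, issuer_key):
            return False, f"no valid CRL from {cert.issuer}"
        if now - crl.issued_at > max_crl_age:      # "suitably recent" is local policy
            return False, f"CRL from {cert.issuer} is stale"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject} revoked"
    return True, "ok"

def build_demo():
    """Constructed hierarchy: Root -> Org CA -> Local CA -> alice."""
    keys = {"Root": make_key(521, 607), "Org CA": make_key(1279, 2203),
            "Local CA": make_key(2281, 3217)}
    alice_n, _ = make_key(89, 127)

    def issue(subject, issuer, serial, pubkey):
        cert = Cert(subject, issuer, serial, pubkey, NOW + 365 * DAY)
        cert.sig = sign(cert.tbs(), *keys[issuer])
        return cert

    def make_crl(issuer, issued_at, revoked=()):
        crl = CRL(issuer, issued_at, frozenset(revoked))
        crl.sig = sign(crl.tbs(), *keys[issuer])
        return crl

    org = issue("Org CA", "Root", 1, keys["Org CA"][0])
    local = issue("Local CA", "Org CA", 7, keys["Local CA"][0])
    alice = issue("alice", "Local CA", 42, alice_n)
    return [alice, local, org], ("Root", keys["Root"][0]), make_crl

if __name__ == "__main__":
    chain, root, make_crl = build_demo()
    crls = {ca: make_crl(ca, NOW - 6 * DAY) for ca in ("Root", "Org CA", "Local CA")}
    # A verifier still holding last week's CRL accepts the certificate ...
    print(validate_chain(chain, root, crls, NOW, 7 * DAY))
    # ... and rejects it only once it has fetched the off-cycle CRL listing serial 42.
    crls["Local CA"] = make_crl("Local CA", NOW - 60, [42])
    print(validate_chain(chain, root, crls, NOW, 7 * DAY))
```

The `max_crl_age` argument is where the local policy on "suitably recent" enters: a verifier with a long freshness window keeps accepting a revoked certificate until it fetches a newer list.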
Several different methods exist to sign documents electronically, varying from very simple methods to very advanced methods like using cryptography. Electronic signatures based on public key cryptography are called digital signatures. They are widely considered as crucial for many applications [6]:
Digital signatures used for official communication with public institutions. These include calls for tender, identity documents, tax declarations, and so on.
Contractual relations in open networks, including electronic buying and selling.
Identifying and authorizing.
Digital signatures in closed networks like corporate Intranets.
Digital signatures used for personal purposes.
Digital signatures are a very advanced, but purely technical, concept. They can be used to protect against the alteration of the data. Even the smallest change of data can be discovered immediately. Moreover, the digital signature associates the data with the owner of a specific private key. So if we can verify the signature with Alice's public key, we can expect that the data was signed with Alice's private key. It is widely believed that digital signatures can provide digital credentials that are very hard to forge.
While commercial products for digital signatures are available in the market, only a few companies have taken steps to offer services in this area. One of the main reasons is the weakness of demand resulting from the absence of legal recognition of digital signatures. Greater use of digital signatures requires adjustments and changes in many regulatory areas. Currently, the most important legal (and political) problems result from different national rules and regulations - or actually the lack of them. One big reason is also the lack of common requirements for CAs. Some other reasons are the liability rules and the legal recognition of digital signatures. For example, the European Union Commission is evaluating the possibility of harmonizing the different national provisions to support international mutual recognition of digital signatures. But today the legal concepts behind signatures, and the requirements on form and procedures, differ in almost every country's jurisdiction. More countries should be encouraged to scrutinize the relevant national laws and regulations.
Ensuring equivalent legal effects for conventional and
digital signatures is not easy to realize considering their different characteristics
and their different ways of being materialized. Unlike conventional signatures,
it is not possible to distinguish between an original and a copy when using
digital signatures. Each person has only one hand-written signature, but
he can have several key sets. Digital signatures are also different for
each document signed. There are differences, but they do not prevent digital
signatures from enjoying equivalent legal value for certain legal or juridical
purposes. The legal effects of documents signed with digital signatures
are implicitly linked with the trustworthiness of CAs. [6]
For many years, the United States has controlled the export of cryptographic technologies, products and related technical information as munitions. Cryptography is important in maintaining the security of U.S. classified information and the U.S. government has developed its own cryptographic systems to meet these needs. At the same time, the use of cryptography by foreign adversaries also hinders U.S. acquisition of communications intelligence. U.S. decision makers are afraid that cryptography used by adversaries on a wide scale would significantly increase the cost and difficulty of intelligence gathering.
There are two main reasons for the controls. The first is to delay the spread of strong cryptographic capabilities throughout the world. The second is to give the U.S. government a tool for monitoring and influencing the commercial development of cryptography. Any U.S. vendor that wishes to export a product with encryption capabilities for confidentiality must approach the U.S. officials for permission to do so. The export license approval process is an opportunity for the U.S. officials to learn about the capabilities of such products.
Lately there have been some relaxations of the export controls. In September 1998, the U.S. officials removed the requirement for key recovery plans or key recovery commitments to be provided. Exports of unlimited-strength encryption products will be streamlined under license exception to certain industries. Export of cryptographic products is only allowed to 45 countries. This covers most major commercial markets. This policy excludes all service providers, manufacturers and distributors of items controlled on the U.S. munitions list. Exports to end users or destinations outside this policy are possible on a case-by-case basis. It can easily be seen that the more computing power the U.S. officials have, the longer the key length they allow. This is because they want to be able to break the encryption.
Escrowed encryption is the system by which the secret keys are stored for the purpose of key recovery. The secret keys are held in escrow until an authorized entity requests access to one. The entity then uses the escrowed key to recover the actual key used to encrypt a particular message. For escrowed encryption to play a major role in protecting the information infrastructure of the information businesses and individuals, users must be assured about the operational obligations and procedures of escrow agents. Clear guidelines will be required to regulate the operational behavior of escrow agents. Clear enforcement mechanisms must also be put in place to ensure that the agents comply with the guidelines. These kinds of guidelines and mechanisms require a legal setting that would also include criminal penalties for malfeasance. The users must also be assured about the trustworthiness of any cryptographic product, because key escrow can be implemented secretly. And it is not only possible, but we can be quite sure that it is happening today at least to some extent. Given all the implied overheads and security holes of escrowed encryption, it cannot be regarded as an incentive for, for example, electronic commerce.
A public key certificate is a data structure that convincingly identifies the owner of a particular public key. The certificate is a block of digitally signed data that contains a public key and the name of the key's owner. The certificate declares that a particular entity with a particular name owns a particular public key. The certificate's digital signature is produced by a certification authority (CA). A significant number of new entrants are expected to appear on the market very rapidly and they seem to focus on their national market. But in the field of digital signatures there are a lot of legal uncertainties. For example, there is no uniform legal framework specifying requirements for CAs. Certificates issued by a CA in one country would not be recognized by a CA in another country. In this area a lot must be done internationally before public key certificates will be more widely spread. In the use of public key certificates, revocation is one of the major technical problems that must be solved.
Digital signatures are widely considered as crucial for
many applications. Because of their importance, officials have started
to evaluate them and their use more closely. For example, the European Union
Commission is evaluating the possibility of harmonizing
the different national provisions to support international mutual recognition
of digital signatures. But today, the legal concepts behind signatures
and the requirements on form and procedures differ in almost every
country's jurisdiction. More countries should be encouraged to scrutinize
the relevant national laws and regulations.
| Abbreviation | Description |
|---|---|
| AECA | U.S. legislation: Arms Export Control Act. |
| ANSI X9.17 | Banking industry's standard for exchanging DES keys. |
| CA | Certification Authority. |
| CAPSTONE | A chip using EES, designed for use in encrypted telephones. |
| CCL | Commerce Control List. Expressed in EAR. CCL defines dual-use items used both in civil and military use. |
| CLIPPER | A chip using EES, designed for messaging applications. |
| CRL | Certificate Revocation List. A list of invalidated certificates. |
| DES | DES is a secret key cryptographic algorithm developed in the 1970s. |
| EAR | Export Administration Regulations. These regulations are based on EEA. |
| EEA | U.S. legislation: Export Administration Act. |
| EES | Escrowed Encryption Standard, established by U.S. government in 1994. |
| HUMINT | Human Intelligence. Intelligence information collected directly by people. |
| IMINT | Imagery intelligence. |
| ITAR | The International Traffic in Arms Regulations. These regulations are based on AECA. |
| KEK | Key Encrypting Key, used to encrypt data keys. |
| LDAP | The Internet Lightweight Access Protocol. Standard protocol for accessing information stored in a directory. |
| OECD | Organisation for Economic Co-Operation and Development. |
| PGP | Pretty Good Privacy. PGP cryptography is designed to let individuals authenticate each other and communicate reliably. |
| SIGINT | Signals Intelligence. |
| SSL | Secure Sockets Layer. |
| USML | U.S. Munitions List. This list is defined in ITAR. Items on USML are regarded as munitions for purposes of export and import. |
| X.500 | Standard for constructing a multi-purpose distributed directory service. |
[2] Anon., A bill in the senate of the United States, 14.05.1998, [Referred 2.11.1998] <http://www.epic.org/crypto/legislation/eprivacy.html>
[3] Anon., The President's Commission on Critical Infrastructure Protection: report summary, 17.04.1998, [Referred 2.11.1998] <http://www.pccip.gov/summary.html>
[4] Dam, K. W. et al., Cryptography's Role in Securing the Information Society, 1996, Washington D.C., National Academy Press, 688p.
[5] Dertouzos, M., What Will Be: How the new world of information will change our lives, 1997, New York, HarperCollins Publishers, 336p.
[6] Diffie, W. & Landau, S., Privacy on the Line. The Politics of Wiretapping and Encryption, 1998, Cambridge, The MIT Press, 342p.
[7] European Union Committee, anon., Towards A European Framework for Digital Signatures And Encryption, 3.11.1997, [Referred 2.11.1998] <http://www.ispo.cec.be/eif/policy/97503.html>
[8] Ford, G. & Baum, M., Secure Electronic Commerce, 1997, Upper Saddle River, Prentice Hall, 470p.
[9] Global Internet Liberty Campaign, anon., Cryptography and liberty: An international survey of encryption policy results, 6.2.1998, [Referred 2.11.1998] <http://www.gilc.org/crypto/crypto-results.html>
[10] Global Internet Liberty Campaign, anon., Cryptography and liberty: An international survey of encryption policy, 6.2.1998, [Referred 2.11.1998] <http://www.gilc.org/crypto/crypto-survey.html>
[11] Grant, G. L., Understanding Digital Signatures, 1998, United States, McGraw-Hill, 298p.
[12] Greenleaf, G., Privacy Implications of Digital Signatures, 10.3.1997, [Referred 2.11.1998] <http://www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html>
[13] OECD, anon., Cryptography policy: The guidelines and the issues, 30.10.1998, [Referred 2.11.1998] <http://www.oecd.org/dsti/sti/it/secur/index.htm>
[14] Reinsch, W. A., Memorandum for deputies subgroup on cryptography: Non-Key Recovery Exports After Two Years, 25.11.1996, [Referred 2.11.1998] <http://www.epic.org/crypto/key_escrow/reinsch_memo.html>
[15] Schneier, B., Applied Cryptography Second Edition: protocols, algorithms and source code in C, 1996, United States, John Wiley & Sons, Inc., 758p.
[16] Schneier, B. & Banisar, D., The Electronic Privacy Papers. Documents on the Battle for Privacy in the Age of Surveillance, 1997, United States, John Wiley & Sons, Inc., 744p.
[17] Smith, E. R., Internet Cryptography, 1997, Reading, Addison Wesley, 356p.
[18] U.S. Department of Commerce and National Security Agency, anon., A study of the international market for computer software with encryption, 29.01.1996, [Referred 2.11.1998] <http://www.epic.org/crypto/export_controls/commerce_study_summary.txt>
[19] White House, Office of the Press Secretary, anon., Fact Sheet: Administration Updates Encryption Policy, 16.9.1998, [Referred 2.11.1998] <http://www.epic.org/crypto/export_controls/wh-factsheet-998.html>
[20] White House, Office of the Press Secretary, anon., Press Briefing by the Vice President, 16.9.1998, [Referred 2.11.1998] <http://www.epic.org/crypto/export_controls/wh-transcript-998.html>