The background to this paper is proposals made by the UK Department of Trade and Industry to license anyone offering an encryption service, with the possibility of mandatory escrow of encryption keys.
This paper should be read in conjunction with the papers listed in the reference section below.
Key escrow is a non-starter.
Interception and secure communications are two mutually exclusive objectives. It is possible to have one or the other, but not both, though it is possible to have neither. What have been put forward as compromise proposals, on closer examination, result in neither objective being met.
The US compromise, as seen in Web browsers such as Netscape, is to limit key size to 128 bits for home use, and 40 bits for overseas communication. Weak security translates to no security. With relative ease the security supposedly given can be broken (and that ease is rising daily).
The UK compromise is to propose key escrow. The encryption can be strong, that is any method and key size may be chosen, but the user is obliged to hand over their key to a third party, for possible access by a government agency. Currently that obligation is voluntary, but the likelihood is that once the mechanisms are in place the scheme will become mandatory. In practice, third party access to a key means everyone has access to the key and thus the communication is not secure.
Under either compromise there is no security. The lack of security will not benefit crime detection or prevent terrorism as any malefactor knowing that the channel of communication is not secure will not use that channel to discuss an indictable offence.
A very clear choice has to be made: either we have hard crypto in place (anything less is an illusion of security and benefits no-one but the criminal) or we have the ability to intercept and eavesdrop, in which case we have no security. We cannot have both.
A cost benefit analysis would put the emphasis on secure communication. Criminals and terrorists will undoubtedly take full advantage of this technology, but this is no different to them taking advantage of every other form of technological advance, from firearms and fast cars to mobile phones.
If the emphasis is to be on criminals and terrorists, greater inroads would be made by concentrating upon money laundering.
This is not to argue against key escrow per se; the argument is against the formal structure as proposed by the DTI. There is an advantage to be had in escrowing a key (loss of key, loss of password et cetera) where the user decides who to trust. Ideally the key is escrowed in two parts, with both parts required for access.
An example of such escrow would be where a user escrows a key with a solicitor, bank, colleague, friend or relative. It is the user who decides who he or she will trust, not a government appointed regulator, with access to the keys.
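The two-part escrow described above, as an added example (not code from this paper or from any scheme it discusses): a 2-of-2 XOR split in which each custodian holds one share and neither share alone says anything about the key. The function names, the check value kept by the key owner and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CHECK_LABEL = b"escrow-check-v1"  # assumed domain-separation label


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes):
    """Return (share_a, share_b, check); both shares are needed to rebuild key."""
    share_a = secrets.token_bytes(len(key))   # uniformly random pad
    share_b = _xor(key, share_a)              # key masked by the pad
    # The owner keeps the check value so that a recovery can be verified.
    # It is only safe to store for a high-entropy key, never a passphrase.
    check = hashlib.sha256(CHECK_LABEL + key).digest()
    return share_a, share_b, check


def recover_key(share_a: bytes, share_b: bytes, check: bytes) -> bytes:
    """Recombine both shares; reject a wrong, swapped or altered share."""
    key = _xor(share_a, share_b)
    digest = hashlib.sha256(CHECK_LABEL + key).digest()
    if not hmac.compare_digest(digest, check):
        raise ValueError("shares do not recombine to the escrowed key")
    return key


def matching_share(share_a: bytes, candidate_key: bytes) -> bytes:
    """The share_b that would pair share_a with candidate_key.

    One exists for every candidate, which is why a single custodian
    cannot narrow down the key from the share it holds.
    """
    return _xor(share_a, candidate_key)


if __name__ == "__main__":
    # Constructed sample key, for illustration only.
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    a, b, check = split_key(key)
    assert recover_key(a, b, check) == key
    print("solicitor holds:", a.hex())
    print("bank holds:     ", b.hex())
```

The trade-off noted in the text still applies: two custodians acting together can rebuild the key, and the loss of either share makes the escrow useless.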
Companies may need escrow services to safeguard against disgruntled employees, or the untimely demise of a trusted employee. There would have to be a clearly defined procedure for accessing the key in the absence of the employee. It should be noted that such schemes are always open to abuse and represent a compromise in security. The trade-off is between a weakened security, and no access under unforeseen circumstances.
Under the DTI proposals these informal, and very effective, escrow procedures would not be possible: although the user is free to choose a licensed or non-licensed TTP, those offering the informal TTP service would, unless licensed for encryption services, be acting unlawfully under the DTI proposals.
If an escrowed key were released into the public domain, in the absence of a clearly traceable route, it would be extremely difficult to show who had released the key - the TTP or the client.
To allay fears over escrowed keys several interested parties have put forward the proposal that the client's key be escrowed within the encrypted traffic, with access to the key via a TTP master key, that is the key is no longer directly escrowed with the TTP. This offers no additional security benefits - in both cases to read the traffic, access is required to the traffic and to a key held by the TTP. The security situation is now considerably worse - access to the TTP master key gives potential access to every client's encrypted traffic.
It is a truism to say that the third party offering encryption services has to be trusted. How that trust is to be guaranteed is the difficult question.
Trust cannot be guaranteed by legislation or licence. The trust has to come in part from reputation, in part from foolproof, transparent policies. These policies have to be open: the published protocols, the algorithms used, the key lengths, the verification procedures, everything has to be open to public scrutiny.
A TTP will be trusted because its protocols are seen to be immune to cheating, not because it may get caught out.
I trust the PGP Time Stamping service based in the Channel Islands, not because it has or does not have a licence, but because it has published protocols. These protocols are by no means perfect but they do give a degree of protection against cheating, a far greater degree than the possession of a licence could ever give.
This is not to argue against legislative sanctions. The sanctions would be to provide a framework of support for any existing 'net protocols.
The weak point of any system will be identifying a key with a human identity. It would be all too easy for a TTP to link the two based on a false identity. Penalties should be aimed at preventing transgressions in this weak area.
The DTI paper in many ways puts the cart before the horse. It is trying to legislate into place a structure that will protect the user. This is to ignore the way Internet works and has developed, and why Internet has to date been such a success.
Internet is an organic system. Novel ideas are tried. If they work they are quickly incorporated and become part of the 'net standard, if they fail they are just as quickly abandoned.
The DTI paper is ignoring this mode of development, and is progressing in a vacuum as though the 'net does not exist. What is required is a legal framework that supports whatever security system develops within Internet itself.
Licensing is not required. This would simply impose a bureaucratic overhead and do nothing for security. It would have the same adverse effect upon security as BS5790 has had on quality control. With licensing in place the mind-set would be focused on the bureaucracy, not on security.
What is required is a minimum standard to which TTPs have to adhere, followed by penalties if they fail. An example would be the linking of a digital ID to a human entity - three forms of ID could be the minimum requirement, at least one of which has to be a current passport or similar. There would have to be similar minimal provisions in place for company IDs.
Company keys offer additional problems. Who is authorised to use the key, and who has access to that key? The onus would be on the company to show that only authorised persons had access to their keys, and that would be part of the open published procedures to engender public trust. Failure to restrict access, or improper use could be the subject of penalties.
These penalties have to be part of criminal proceedings, not left to the individual to pursue civil proceedings when the individual may be at a serious financial disadvantage. The individual would be at liberty to pursue civil action for consequential costs.
In any proceedings, civil or criminal, the onus would be on the TTP to demonstrate that their procedures were secure.
These minimal legislative requirements would cover all TTPs and encryption services, that is they would cover intra-company schemes, and private schemes such as used by banks and TV channels. The public is entitled to have confidence in these private schemes, just as much as the public is entitled to have confidence in other parts of 'net security. Moreover the public may have greater trust in an internal company certificate than in an external TTP certificate.
The emphasis or implied assumption within the DTI paper is that the TTPs will form part of a hierarchy, or be independent entities. A pyramid structure is flawed, as errors can propagate. If TTPs are independent, the whole basis of 'net communication will collapse, as a signature from one TTP may not be recognised elsewhere.
The structure as assumed does not reflect the pattern of 'net communication or business transactions. The bulk of such transactions will be between known entities, a business and its clients for example. Such entities should therefore certify each other's keys. Only for communication outside of this normal arena will the signature of a TTP be required.
This grass roots approach to certification is considerably more secure. The user can choose which, if any, signatures or certificates to trust, and certification takes place between known entities (they are already locked together in some trading function, thus known to each other). The interlocking nature of this grass roots certification means the system can be made self-checking, thus foolproof.
Under the DTI proposals this grass roots approach would be unlawful as the certification would be undertaken by non-licensed TTPs.
This poses grave threats. A simple example should suffice.
A human rights group operating in Turkey escrows their key in London. Turkey, under reciprocal arrangements, requests a copy of the key .....
The proposals in paragraphs 45, 55, 57, 72 and 83 are both illogical and unenforceable.
An offshore TTP offering encryption services to the UK is required to obtain a UK licence, and it will be a specific criminal offence to offer such a service to the UK public without a valid licence (unenforceable). Anyone within the UK is free to choose their TTP, including whether or not to choose a non-UK, non-licensed TTP (illogical).
The current de facto Internet standard for encryption, digital signatures and authenticity is Pretty Good Privacy (PGP). With the emergence of this as a standard, a number of products are starting to appear on the market that make its use as transparent as possible. The principal strength of PGP, apart from the accepted strength of the underlying algorithms and their implementation, is the excellent key management and the use made of grass roots certification. Such certification does not exclude the use of TTPs, but as has already been noted it more accurately reflects traffic and transactions on the 'net and leaves the user the option of deciding who to trust. Such a method of certification is inherently more secure.
The proposals as currently framed, paragraphs 72-75, would make the use of PGP unlawful. In particular it would become unlawful to sign a PGP key, unless this act was carried out by a licensed TTP.
Grass roots certification, reflecting the pattern of traffic and transactions, would become unlawful, even though it satisfied the needs of the partners in the transactions, as the certification would not be carried out by a licensed TTP.
Offshore services, such as the provision of key servers, would also probably become unlawful: although not explicitly covered by the present proposals, these would probably be caught by key management and key storage.
The offering of advice and consultancy on encryption becomes a grey area. Although not explicitly defined in the proposals, para 74, such advice and consultancy would be to offer an encryption service.
The author of this paper has written extensively on PGP, privacy, security and encryption, and even has a Web site devoted to the subject. Would the author be seen as offering an unlawful service, or would the author be forced to move this information service offshore (though even then it may be caught in the proposal's catch-all by attempting to include non-UK services offering a service to the UK public)?
The author of this paper, both directly and indirectly, provides the means to obtain keys other than his own. This would probably become a criminal offence under the headings of key management and key storage. The mere act of listing another user's PGP digital fingerprint could become a criminal act.
By explicitly excluding inter-encryption services between UK licensed TTPs and non-UK non-licensed TTPs the proposals (para 75) effectively curtail secure communication between the UK and the rest of the world.
There has to be certification between TTPs, or a worldwide hierarchical structure, otherwise what value is to be placed on a UK certificate by a non-UK client, or vice versa a non-UK certificate by a UK client?
This would appear to be the sole rationale for the establishment of licensed TTPs - to give fast track, back-door access to government agencies.
This is no different to US proposals to give back-door access to encryption systems via the Clipper chip, or the requirement for telcos to give access ports, at their expense, to Federal Agencies (FBI Digital Telephony proposals, enacted 1994). The only difference is that direct access to the encrypted traffic is too obvious, and leads to vigorous public opposition, as the US experience has clearly demonstrated, whereas this more subtle, obfuscated approach will help to defuse opposition.
The infrastructure required to enable this fast track back-door entry will be at the expense of the TTP.
The requirement to escrow keys is currently voluntary. For how long would this remain so, when government agencies find that they had a fast track back-door access to nothing?
As already noted, if the means to monitor exists, there will be nothing of interest to monitor.
It is implicit within the DTI paper that standards are required. These fall into two areas - standards of behaviour for those offering encryption services, and common 'net standards to enable interoperability.
This was brought home very forcibly to the author of this paper by a visit to InfoSec97 (London, Spring 1997). After the event, an exhibitor and I agreed that 95% of those exhibiting did not have a clue and were peddling moonshine.
From my own conversations with several vendors it was obvious that many vendors were supplying flawed products and few if any had considered key distribution, let alone tried to resolve the many problems. This was vividly illustrated by one vendor, who when attention was drawn to the major security flaws in his product, simply said that like any software vendor he was not guaranteeing that the product was fit for the purpose, it was not for him to question whether or not it secured a communication channel, and if it did not that was the customer's problem not his!
But even if the products are fit for their stated purpose, there remains the problem that two people at either ends of a communication link may be using different encryption products, and as a result are unable to communicate securely due to the lack of interoperability between the two products.
If regulation is to be introduced it has to be extended to those offering encryption products.
There have to be common Internet standards for encryption products as well as the 'net itself. As a minimum, these have to include a standard for keys, certificates and the encrypted traffic itself.
The onus would either be to show how difficult or how easy it was to gain access to the key, depending what it was that was being proved.
As a trivial example, I could post my key and password to a number of User Groups if I wished to repudiate my key. It is also all too easy to gain access to a key if the will exists.
What is shown in Annex E is not an architecture; it is a set of crude policy statements. An international architecture is required, but developed through the existing Internet structure, not untested, untried and imposed from outside.
On the whole the paper contains many good points. It recognises the importance of secure communications, it recognises the rights of the individual to privacy, it also recognises that TTPs will only be effective if trusted.
Key escrow does not meet its stated objectives of enabling interception of communications, and simply results in insecure systems. There is also the implied threat that the use of TTPs, in particular key escrow, could become mandatory. Key escrow should be removed from the proposals.
Licensing does not make a TTP trustworthy, and this requirement should be removed: apart from imposing an unwieldy (and thus costly) bureaucratic structure, it gives a false illusion of security. There is a need to have minimum standards, with appropriate penalties; this should be explored further.
The sole rationale for licensed TTPs would appear to be to grant government agencies fast track back-door access to escrowed keys. This alone, would be sufficient grounds to object to the introduction of licensed TTPs.
Dual legality has grave civil rights implications and should be dropped.
Standards are required, standards of behaviour to engender trust, and 'net standards to ensure interoperability. Both these areas require further exploration.
Were some form of regulation to be introduced, it has to cover all encryption services, this to include not only intra-company TTPs and private encryption channels (used and trusted by the public), but also those offering encryption products.
DTI is attempting to legislate into place a secure communication system. This will not work. DTI should wait until such a structure slots into place by international agreement, then draw up legislation, if necessary, to support that structure.
The best service the DTI could currently offer is to act as a sounding board for UK thoughts on secure communication, then feed these into the normal Internet decision making process.
The DTI proposals as currently formulated will be seen as an attack on the 'net. The 'net, as it was designed to do, will simply route around the damage. This will leave the UK as an isolated island, marooned in a sea of information.
DTI, Licencing of Trusted Third Parties for the Provision of Encryption Services, March 1997
Keith Parkins, UK Proposals for a Key Escrow System, July 1996, rev 6