-----BEGIN PGP SIGNED MESSAGE----- UK Proposals for a Key Escrow Encryption System "Another person's secret is like another person's money: you are not as careful with it as you are of your own" - Edgar Watson Howe "The principle that a man's home is his castle is under new attack. For centuries the law of trespass protected a man's lands and his home. But in this age of advanced technology, thick walls and locked doors cannot guard our privacy or safeguard our personal freedom" - President Lyndon B Johnson "The human animal needs a freedom seldom mentioned, freedom from intrusion. He needs a little privacy quite as much as he wants understanding or vitamins or exercise or praise" - Phyllis McGinley "As every man goes through life he fills in a number of forms for the record ... Every man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads" - Alexander Solzhenitsyn - -- Background -- The way a proposal, especially a potentially controversial proposal, is launched in the United Kingdom is to drop tasty tidbits into the laps of tame journalists who duly report. If the reaction is adverse the proposal is quietly dropped, never to have officially existed, otherwise the government goes ahead and publishes a White Paper. Although officially a discussion document and not cast in stone it is usually difficult at this stage to change the government's mind. In the first six months of 1996 articles on key escrow kept appearing in the media. These were very much along the lines of US proposals. Government wished to see a key escrow system in place. There was no indication that the system would be mandatory, or that the government was seeking a ban on non-escrowed encryption systems. But note that for a key escrow system to be effective it requires a ban on all alternative cryptosystems - there is no point in the government having a back door key if the door is barred and bolted from the inside. My concern at this stage was the complete lack of public reaction. This was understandable, few if any would understand what key escrow was, even fewer would fully appreciate the implications. June 1996 the UK Government (HMG) announced a Trusted Third Party escrow scheme. A user's key would be deposited with a third party. This appeared to be a major climb down. Why? As noted, there had been no public reaction. Maybe behind the scenes lobbying by industry. Maybe the security services. Did they wish to see a security system for which it could be guaranteed that the Americans had a back door key. It is also important to note where this is coming from. Unlike a National ID Card, the proposals are coming from the Department of Trade and Industry (DTI) not the Home Office. The DTI is the Government Department that acts for industry, in the same way that the Ministry of Agriculture acts for agribusiness, often to the detriment of consumers, the environment and the country as a whole - cf BSE (mad cows disease). Were the proposal to be coming from the Home Office it is likely to be slanted towards surveillance. Note that in the US the key escrow proposals were sponsored by the FBI. - -- The Report -- The report is entitled Paper on Regulatory Intent Concerning Use of Encryption on Public Networks It is available from John Walker tel +44 171 215 1399 Commercial IT Security Group Department of Trade & Industry fax +44 171 931 7194 151 Buckingham Palace Road LONDON SW1W 9SS The Government Minister Ian Taylor MBE MP Minister for Science & Technology I note with some irony the lack of an electronic address for a Ministry charged with mapping out the UK's electronic future! Late News! DTI Web address http://www.dti.gov.uk Following a period of consultation the paper will be enacted by legislation. I have resisted the temptation to post the paper and covering letter on the 'net. I feel to do so would be improper and there may be a breach of copyright. Also I feel that if concerned citizens write for a copy, and I urge you to do so, HMG will get a better idea of grass-roots concern. Representation is likely to be from industry groups who only represent their own self-interest. I will make representation that the report be posted to all security and privacy groups. The paper does clearly state that HMG wishes to hear the views of all interested parties. Although the report is a UK report it recognises that communication is Global and should be seen in a global context. In his covering letter John Walker gives various assurances - 'the scheme is voluntary ... we do not intend to ban non-escrowed encryption ... the Trust between the Trusted Third Party must be between the User and their chosen TTP ... there will be no so called "back doors" in any UK scheme ...' He goes on to say that access to the keys will only be by 'legal warrant under the Interception of Communications Act (1985)'. Whether this Act grants powers of access above and beyond that which the Police already have to gain physical access to a person's property I don't know, and I note that the paper itself states that the powers of warrant will be similar to those of the Act. Whilst John Walker may have given these assurances in good faith I note that they are not incorporated in the paper! - -- Comments -- I found it difficult to take seriously a report that was so vague and woolly, nevertheless I will try. The basic assumption upon which the paper is founded is flawed, that is that there is a demand for TTPs and the future of electronic communications depends upon their establishment. I am not aware of any such demand, and the paper provides no evidence to support that assertion. The banking system has been transferring electronic funds by means of 56-bit DES for many years. By today's standards 56-bit DES is weak and getting weaker by the day. The banks have been quite happily transferring funds without the need for TTPs and no doubt will continue to do so. The paper correctly correlates economic growth with global communication, and correctly identifies the need for security and integrity and that encryption offers the means to provide security and integrity. It incorrectly identifies TTPs as the specific means to provide security and integrity. The spectre of crime and terrorism is raised as the justification for monitoring electronic traffic. It is difficult to square that with a scheme that is voluntary and doesn't apply to personal encryption. If I'm planning a multimillion dollar drugs deal it is naive to assume that I'm going to voluntarily give up my key to enable monitoring. I'm not even likely to if I face a $1,000 fine for none compliance. Anyone who knows or suspects that their 'phone is bugged modifies their behaviour accordingly. Public 'phones are used by prior arrangement, any illicit scheme is discussed in code. Anyone who has customers can set up as a TTP. This implies my local grocery store can be a TTP (assuming they satisfy the licensing requirements). The paper refers to banks. I can see security groups wishing to be involved. Their staff are sometimes vetted, but not those running the security companies. There has been too many examples of criminals setting up security companies. Banks have a cosy little arrangement between themselves and credit agencies to swap customers' details. Can they be trusted not to trade in keys? Can their staff be trusted not to trade in keys? Those offering encryption services are to be licensed. Is this to be applied to individuals in the same way that it does to those offering financial services? Would I need a licence to advise people on encryption? I can see a need to weed out the cowboys but I can't see how. If this was to apply in the UK to those offering computer services we would see at least 90% of computer dealerships close down overnight. There is a need to evaluate encryption systems. Who is to do the evaluating? The obvious choice, the government, has a vested interest in seeing weak encryption flourish to enable monitoring. The paper lumps all encryption services together, time stamping, key verification, document signing, key escrow. This may be fine for a one stop shop but key escrow is something vastly different to the other services and is the one of most concern to civil liberties. The paper is indiscriminately mixing together what can be seen as a Certifying Authority (which may need regulation to maintain standards) and an issue of civil liberties. There is a need for key verification, document signing and time stamping. If I have a key from a third party I may need verification from a TTP to ensure its validity. I can sign my own documents. This will prevent tampering and provided no one else has access to my secret key I have authenticity. The problem is the date and time. Whilst the computer will not lie, I can cheat. I can set the computer to any date and time I require. Unlike a signature on a paper document there is no way of detecting this fraud. I can have my document signed by a TTP. By offering a million dollars I can still cheat. Regulation will not in itself stop cheating. What is required is a protocol that does not permit cheating. I have developed two protocols which I believe will prevent cheating on time stamps - 'spatial protocol' and 'two dimensional protocol'. At this stage I'm not prepared to disclose. The paper refers to TTPs offering a key recovery service. I'm baffled as to what this means. If it means that the key can be recovered from the data, then the cryptosystem is weak and should not be used. If the TTP can recover the key, then so can anyone else. The paper somewhat vaguely refers to offering an encryption service to enable parties to communicate. If Alice wishes to communicate with Bob they should do so directly. The paper seems to imply that Alice communicates with a TTP Trudy, Bob with a TTP Trent, Trent and Trudy communicate on a secure link. This begs the question as to how do our two characters communicate with their TTPs, if the link is not secure it can be tapped, if it is secure why can not Bob and Alice communicate directly? The assumption has to be that any escrowed system is compromised. If it is compromised it defeats the very rational for using encryption. An enforced key escrow system would encourage the emergence of several parallel black markets. There would be a black market in keys, anyone would be able to purchase a key to your cryptosystem. There would be a black market in the information obtained, either indirectly via the official key holders or directly through a black market in stolen keys. There would be a black market in encryption systems that faked information going out the back door. A voluntary system may not remain voluntary. If no one took it up there would be pressures for it to become mandatory. It may be voluntary but you may not have a choice if you expect to receive government contracts. The involvement of the European Junta is disturbing. HMG has a sorry track record to caving in to demands from the European Junta. HMG may not have a choice if the matter were to be decided on a majority vote. There is some confusion as to the role of the ISO in setting standards. A metre defined by the ISO is a length we can all measure by. ISO 'standards' for encryption are simply registrations of algorithms. On payment of a suitable fee I could register an algorithm into which I have built a back door. I could then display my ISO number to lead my customers into believing that it had received some measure of approval which implied quality. This is already happening with the BS5750 scam. The paper refers to standards. There are already two standards. A de-jure standard, PEM, which no one uses; and a de-facto standard, PGP, which is in widespread use. The paper refers to the need to maintain export controls. This contradicts with a desire expressed elsewhere to have international standards to encourage cross-border traffic. I was also not aware that HMG were exercising control over the export of cryptosystems Nowhere does the paper state that the system proposed is voluntary, but then neither does it say that it will be mandatory. Electronic communication gives unprecedented opportunity to monitor that traffic, encryption removes that opportunity and safeguards privacy and confidentiality. It would be impossible for commerce, government and everyday life to function without confidentiality and privacy. Any weakening of the protection afforded by encryption should be strongly resisted. The measures proposed by HMG would weaken that protection afforded by encryption. To date there has been an abysmal failure to protect data held, and to prevent its collection by data snoopers. The sordid trade in data is a growth industry. Under the guise of surveys more and more data is being collected. The Data Protection Registrar is a toothless watchdog. Even when blatant breaches of the Data Protection Act are brought to his attention the resultant action is rarely more than a slap on the wrist. The complete failure of the Data Protection Act to protect individual privacy bodes ill for any legislative key escrow system. - -- Key Escrow System -- A key escrow system is an encryption system whereby a third party, the Government or their agents hold a copy of the key or hold a master key to the encryption system. That is they hold a back door key giving them access to all the encrypted communications, whether or not they go through the legal niceties of obtaining a warrant to gain access. Key escrow, under the user's control, can be an advantage. It is all to easy to lose a key. The system I would propose is that the key be cut in half. The two halves are deposited with trusted third parties, trusted and selected by the user. Neither half is of use without the other. The holders of the halves do not know the location of the matching half. The holders of the halves would not reveal that they are holding the halves. - -- Computer-Related Political Groups -- The following are groups that take an interest in computers, privacy and security. The Electronic Frontier Foundation (EFF) Electronic Frontier Foundation 1001 G St., NW Suite 950 East Washington, DC 20001 tel +1 202 347 5400 fax +1 202 393 5509 e-mail eff@eff.org Computer Professionals for Social Responsibility (CPSR) CPSR National Office P.O. Box 717 Palo Alto, CA 94302 tel 415-322-3778 fax 415-322-4748 e-mail cpsr@cpsr.org Electronic Privacy Information Group (EPIC) 666 Pennsylvania Ave SE, Suite 301 Washington, DC 0003 tel 202 544 9240 fax 202 547 5482 e-mail info@epic.org Association for Computing Machinery (ACM) CypherPunks majordomo@toad.com - -- References -- Simson Garfinkel, 'PGP: Pretty Good Privacy', O'Reilly & Assoc, 1995 Keith Parkins, 'Why Use Pretty Good Privacy?', 1996 Philip R Zimmermann, 'The Official PGP User's Guide', MIT Press, 1995 Keith Parkins, 'How Secure is PGP?', 1996 Keith Parkins, 'Privacy in an Electronic Age', to be published Andr‚ Bacard, 'The Computer Privacy Handbook', Peachpit Press, 1995 Bruce Schneier, 'Applied Cryptography', 2nd Ed, Wiley, 1996 Paul Elliot, 'Cypher Rant: Reasons why private cryptography should not be regulated' http://www.efh.org/pgp/rant.html (c) Keith Parkins July 1996 rev 6 pub 1024/B09CC89D 1996/04/22 Keith Parkins <10 GU14 6QJ England> Key fingerprint 2A 66 6A 8F 91 42 48 C8 48 98 38 AD 2F D3 45 08 -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBMfoW50XTJSWwnMidAQElswP/XGNifhrRfJySmspdGqvZhdlhFZqFJU0W 0u+9L+YUTMbAMZo1HXgzoWzoo3B/9Q5x/EZMZ1GOuUVGPUmQkGoe69t8uMGBOcIS ske0xVdB4OBwDUpXzi2dCQIEcmLkRIQgfWawWL6HU8gA1AStdxugZ0C6Hsvs3ZmI UcJmTx9lgG8= =BjIG -----END PGP SIGNATURE-----