Encryption policy — A UK perspective



Computers & Security, 16 (1997) 583-589

Encryption Policy - A UK Perspective

Nigel Hickson

Communications and Information Industries Directorate, Department of Trade and Industry, 152 Buckingham Palace Road, London SW1W 9SS.

Introduction

Whether one has an interest in information security or not it would be surprising if anyone serious about developments in IT had managed to escape the recent debate on the use, regulation or export of encryption. It is a debate that has been escalating in pitch (and some would say in vindictiveness) since the US Authorities launched their ill-fated ‘Clipper Chip’ proposals in 1993. Prior to that there was hardly any debate at all (at least not in commercial or industrial circles). Since then the debate has spread both east and west from the US, and even permeated such august institutions as the OECD and UN. Individuals have become famous because of it (Zimmermann and Anderson are but two) and Government officials have become laden with air miles as international discussions proliferate. Or in my case have become a well-known hate figure in the crypto newsgroups.

Without going into technical detail I will try and explain below why the debate is still raging, why it is important (for both business and government) and why global and interoperable solutions for encryption are still some way off. But first I shall outline why the DTI has become involved in this debate at all.

DTI Role and Involvement in Information Security

As I will explain below information security (and encryption) are essentially business issues. Although infosec (as it is often absurdly shortened to) may have come from a technical stable, the protection of our IT systems (on which modern life has become increasingly dependent) is too important to be left to technicians. The DTI is not interested so much in the nature of the beast but in the effect it has on business and on the competitiveness of our economy. Studies continue to show that companies and organizations that do not plan and implement information security policies lose most through information security breaches. And for every company that suffers a hit, another loses out (from a competitive point of view) through not employing the appropriate IT solutions. Too often one hears of small companies that are put off dealing on public networks because of the perceived threat of security. So we believe that the DTI does have a role; a role in educating end users, a role in producing appropriate guidance, advice and standards (BS 7799 being the bible here) and a role in representing the views of industry in national and international debates on this increasingly critical issue.

0167-4048/97 $17.00 © 1997 Elsevier Science Ltd


Information Society

How long I wonder before we can drop the usage of this phrase? Or do we simply say electronic commerce instead? However we describe it I do not think there can be any doubt about the significance in the recent awareness and use of public networks and the Internet in particular. From something that was hardly spoken about a few years ago (well only at conferences in California) the Internet has become the global phenomenon of the 90s. Conference organizers (as well as Microsoft) have made millions out of it and it features in all the important debates our ministers attend. All this hype (and a lot of it is) has had the beneficial side effect of increasing the prominence of information security on the business agenda. At last executives have realized that their information is of value if it were to be lost, corrupted or copied. They can visualize the damage that might be done if the message (or orders) to their suppliers ended up with their competitors instead. They can also understand the importance of their orders (to suppliers) arriving intact and correct. Thus information security has moved up the business agenda. But there is a lot more to do: we have an obligation to deliver the tools (yes we are talking about cryptography) that will help business to secure their information on public networks, we have a duty to ensure that digital signatures are legally recognized and we must work with industry to ensure that the solutions developed are truly interoperable. We cannot afford to make the mistakes of history: the video tapes that only play in one manufacturer’s machines or the disc that is only formatted for one type of PC. Encryption standards have to be global and digital signatures (from whatever jurisdiction they emanate from) must be recognized internationally.

Thus there is an awful lot of work that has to be done. Many will say it is already - by the market (therefore government keep off) - but others point to the inconsistencies which the market throws up. Are UK SMEs (small and medium-sized enterprises) really confident to trust the public keys in the latest release of Netscape, and is Pretty Good Privacy (now widely available on the Internet) the real solution to secure electronic commerce? I suspect there are no easy answers. History will tell what role Governments should have had in the ‘encryption’ debate. It will also determine whether we took the correct decisions on law enforcement: did governments abandon the fight - for law enforcement without one - or did they impose restrictions which stifled the growth of those very services which might have helped businesses survive the ravages of the 21st century? Now let us look (albeit briefly) at why this issue has become both important and controversial.

A Business Issue

Without doubt - as noted above - the principal reason why we all talk about this subject (or at least some of us) is the benefit it can bring business in terms of secure transactions. Whilst cryptography (despite what some say) is not the Holy Grail of information security it does have real benefits for all types of users who transact business - or who simply converse on public networks. While some Governments would like to think that users might only be interested in integrity (as opposed to confidentiality) services - for reasons which I explain below - in reality they want both. They are concerned that their messages go to the right people (and that the recipients cannot deny receiving them) and that they are not read en route. In the UK, in surveys on why people are reluctant to use their credit cards for purchases on the Internet, the majority of the public cited privacy and confidentiality as key factors. Therefore Governments are probably right in their thinking that some form of Public (or dare I say global) Key Infrastructure will be required whereby users can have trust in the public encryption keys of others they would like to do business with. Such an infrastructure is often derided by those already in nice cosy communities of trust (I will not mention PGP here); but if the needs of the many are to be satisfied then at least some form of global trust agreements will need to be reached.

Whether such ‘trust’ is established through (government) licensing arrangements or through standards adopted (and agreed) in the marketplace is probably less crucial. What is, however, is that users feel able to use the services on offer and have confidence, especially when dealing with people (or businesses) they have not yet met.


Law Enforcement Issue

We also talk (but mainly argue) about encryption (or at least Governments do) because of the detrimental effect it can have on the legal right (in many countries) to intercept communications with respect to law enforcement and national security. This is, of course, where the fur really begins to fly! In the recent consultation exercise in the UK on introducing licensed TTPs¹ the authorities have been accused of all kinds of Machiavellian intent, from banning free speech to introducing a totalitarian State. The truth is, as always, much less exciting. All the previous government was proposing was that the current laws governing the legal interception of communications (IOCA in the UK) should remain effective. As I will explain below they planned to facilitate this through the licensing of (so-called) Trusted Third Parties. These bodies (which in our proposals would have been voluntary to use) would facilitate cryptographic use (i.e. digital signatures et al) and also store the private encryption (confidentiality) keys of their users. Such keys would then be subject to legal access where a legally intercepted encrypted communication was encountered.

One of the difficulties, of course, is whether such methods would be effective or cost efficient; would the criminals use such systems and (even if they did) would their costs outweigh the value of the decrypted data? These are questions that governments have to answer. As a starting point a recent booklet by Dorothy Denning (one of the gurus of cryptography) details the use made of intercepts in the US and the incidence of encryption being found. It indicates that the problem is increasing: 6% of FBI intercepts were found to be encrypted last year.

A Privacy Issue

Yes, it is this as well! The widespread use of cryptography, however, cuts both ways. On the one hand it undoubtedly extends privacy by enabling individuals to converse with each other in private with confidence that a third party will not be able to interpret their conversations by listening in. On the other hand it can have the effect of reducing anonymity, as the identity of the individual becomes generally known as they send messages and buy services and goods on secure public networks. One obvious concern is the tracking of individuals (by private or State corporations) as they make particular purchases on the Internet. In the UK many are already concerned at the use the supermarkets may make of personal shopping trends. Do you really want to receive a letter at home, opened at the breakfast table, with some vouchers for pregnancy testing kits? It can be coherently argued that the purchase of a product electronically should be no more known about than when it is bought by cash in a corner store.

1. The DTI Consultation Document on the licensing of TTPs can be found at http://www.dti.gov.uk/pubs.

An International Issue

A ‘no-brainer’ as I think our American cousins would say. Well it is fairly obvious that as electronic commerce and communication on public networks traverse national boundaries any policy (concerning encryption) needs to be global in nature. And that is why so many organizations (in both the private and public sectors) have been discussing encryption policy. Below, I pick out but a few.

What countries (and groups of them) have been doing:

United Kingdom

Policy in the UK has been slow to develop but was made clear due to the issue in March of a public Consultation Paper. This set out (as noted above) a licensing regime for Trusted Third Parties offering encryption services. Within such a remit were included Certification Agents (for the authentication of Public Keys) and those bodies offering key storage/recovery facilities. In the latter case (where the TTP was facilitating the encryption of communications) there was a requirement for the private key to be escrowed. It would then (for law enforcement purposes) be subject to legal access for reasons noted above.

The issue of the Consultation Paper (which caused a great deal of interest in the UK and beyond - and especially in Internet newsgroups) coincided with the calling of the general election. The new Labour Government is not (you may be pleased to hear) bound to the ‘balanced’ approach (where the needs of business are tempered with those of law enforcement) or to the introduction of legislation on Trusted Third Parties (TTPs). As I write (in late September) Ministers are just about to be asked to take decisions on a way forward. The inter-departmental group on encryption policy has, in its deliberations, taken full account of the responses to the Consultation Document (more than 300 responses received). I can honestly say that I do not know whether the existing policy with respect to TTPs will be continued or not. Whatever we decide on, however, I am confident that it will take the international scene into account. We simply cannot afford (for sound economic reasons) to be isolated on this critical issue for the future of secure electronic commerce.

France

France, alone within Western Europe, has for some time had controls on the use and import of encryption products. Users have required licenses to use encryption products (for confidentiality) and to import products whether in hardware or software. Recent legislation, however, plans to lessen the restrictions by allowing the use of encryption products where the user’s private confidentiality key is escrowed with a Trusted Third Party. The legislation (yet to be fully implemented) licenses these Trusted Third Parties and outlines the legal access conditions to keys (along similar lines to the former UK proposals). The use of non-TTP encryption products remains subject to full licensing controls.

European Union

Within the European Union the European Commission has a special unit dedicated to information security issues. In 1994 it announced ambitious plans to construct a network of encrypted communications (using TTPs) throughout the EU. Unfortunately such plans were considered too ambitious (and politically sensitive) by some Member States and the proposals came to nothing. Between then and now the EU have been relatively inactive on the policy front although they have recently sponsored some useful pilot projects demonstrating the validity and usefulness of Trusted Third Parties. In April, however, they launched a Communication on Electronic Commerce that outlined future plans on introducing, and legally recognising, digital signature services throughout the EU. This was indeed welcome news, and has led to the (even more welcome) news that in October the Commission will adopt detailed proposals both on digital signatures - as noted above - and on the setting of minimum standards for Certification Agents and TTPs.

OECD

The OECD is not at first thought a body you might associate with thrashing out the details of encryption policies. It does, however, have an ideal locus for taking work forward in this area. Firstly it is concerned with international trade and economic growth (isn’t that what electronic commerce is about?) and secondly it brings together the main trading countries of the world. It thus found itself in October 1995 (after some prompting from the US) holding a crucial business-government forum on cryptography. For the first time international business was able to talk face to face with the very government officials they had often criticised for inaction and negativity. It was extremely useful; both sides learnt a lot, consumed some red wine and pledged to work together to develop global policies on encryption. A working group was quickly set up by a forward thinking OECD secretariat with the first meeting being hosted in Washington in May last year. Several other meetings followed with the group completing its work in Paris at the end of last year. The Guidelines on Cryptography Policy were subsequently approved by the relevant OECD committees (with little change) and issued in March this year. Although high-level in nature with few detailed recommendations, they do - I believe - lay out a crucial framework on which governments can develop encryption policies. Not least they commit the 29 governments of the OECD to work together to develop interoperable policies which respect the needs of the citizens, businesses and national authorities!


The OECD Guidelines were endorsed by ministers in May with a recommendation that the OECD take forward further work (see below) and also enter into a dialogue with non-OECD Countries. The first realisation of the latter was a conference in Australia that is being followed up by a major workshop in Paris in December. Business and Government representatives from over 40 countries, including such non-OECD countries as China, India, South Africa and Israel will attend.

Later in October the OECD will decide on its future work in this area. We firmly believe it should build on the foundation of the Cryptography Guidelines; next steps being the production of procedures and policies for Certification Agents (facilitating cross certification and mutual recognition) and further work on the privacy implications of these new technologies.

United States

I will not attempt (you will be glad to hear) to track all the policy developments on encryption since the ‘Clipper’ proposals in 1993. Suffice to say that the US authorities can take a lot of credit for the emergence of the international debate. Clipper (for all its sins) put encryption on the map and (at last) forced Governments to think about the problem. For too long we (governments) had simply relied on export controls as an excuse for an encryption policy.

So where are the US now? Writing in September the scene is not totally clear; but I think there is one strand that bears analysis. Since October last year there has been a clear policy which links the emergence of encryption products which support key-recovery with the ‘fillip’ of relaxed export controls. Through the actions of those in the Key Recovery Alliance² (and others) - and the ‘rewards’ being offered by the US Administration - it now seems likely that key recovery products will emerge in both the domestic US market and in Europe in the very near future. Indeed both TIS and IBM have announced products ready to ship into the EU marketplace. This must be good news (especially to US policy makers) but it also brings with it concerns. For one country’s export is another’s import, and it is far from certain whether an infrastructure to deal with key recovery products (in terms of legal access) will be in place in those countries in which US exporters might find markets. This might not worry US firms but it will worry foreign governments (and their citizens) if users find - without their prior consent - their private encryption keys being held by Key Recovery Agents outside their own jurisdiction.

2. The Key Recovery Alliance (KRA) is an association of around 70 companies (most in the US but some in the EU) who are working to develop common standards for key recovery products.

The US authorities are not indifferent to these concerns. Ambassador Aaron (US ambassador at the OECD) has travelled tirelessly in the last year to the US’s industrial partners to discuss US encryption policy. He has also been active in Congress where a number of different (and contradictory) legislative proposals are gaining momentum. (One seeks to abandon all controls on encryption products while another proposed draconian use controls).

What should we all do?

Common standards for Certification Agents

Irrespective of law enforcement concerns there would seem to be an almost un-arguable case for Government, and industry, to work together to ensure that the development of national Public Key Infrastructures (for the provision of digital signature services) recognise common standards and values. Without the trust (which such standards will help to generate) citizens and businesses may well not be prepared to transact electronically with each other. A widget producer in Watford will want to have confidence that the public key of a boat builder in Boston has been correctly authenticated before he accepts an order from him. And while he may just happen to know the firm (and therefore trust it) in many cases he will not; and will not be prepared to accept a simple certificate signed by a CA whom he knows nothing about. Thus the requirement for some form of minimum standards (for CAs) backed up by cross-certification arrangements between the CAs in different jurisdictions.

Fortunately these requirements are being met; the Expert Group in OECD is taking up the challenge concerning the procedural and policy requirements for cross certification of CA responsibilities and the legal requirements are being studied by the electronic commerce working group of UNCITRAL. Both of these groups (fortunately) have a mixture of government and industry members.

In the same breath Governments urgently need to address the requirements for the legal recognition of digital signatures. For whilst businesses may have confidence in the respective CAs they are dealing with; they will also need confidence that their electronic contracts are recognised in the jurisdictions in which they operate. (Things can always go wrong!) A great deal of progress has already been made in the US on this issue; with many States having adopted legislation. Further work, however, is required to ensure that other countries also adopt appropriate legislation with common understandings on such issues as liability and under what circumstances a certificate is revoked. In this vein the proposed initiative by the European Commission, and the work being taken forward in UNCITRAL is to be welcomed.

Common Key Management Architectures for encryption

And now to the difficult issue. Whilst there is a clear market requirement for Certification Agents to authenticate public keys (for digital signature use) there is a less certain commercial case for such agents (or should we say Trusted Third Parties) to offer key-recovery services. And while such services could - at some point - support key recovery for stored data (a real business requirement) it is less clear that business will want them to store keys for transmitted data. But then we have to factor in export controls and the real feasibility that US policy will lead to key recovery products with ‘strong’ encryption being available in the marketplace. Such availability may, given the ‘lesser’ strength alternatives, persuade users and business to trust such products thus making possible some form of legal access.

So what should governments do? Firstly they must talk together. As noted above US export policy does affect the encryption policy of other countries; as a decision in the EU to abandon all export controls on encryption (which some would support) would affect US domestic policy. Fortunately they are. Ambassador Aaron (as noted above) has initiated a dialogue with countries on this very subject and the principal EU countries have been discussing the need for a common KMA for encryption for a number of years. I also predict increased dialogue between interested Governments and the Key Recovery Alliance. Clearly it is important that the various ‘key-recovery’ products work together and also that where possible they meet the requirements of national authorities in terms of law enforcement. An architecture which escrows split keys but then still requires an exhaustive search on a remaining key fragment is just nonsense in law enforcement terms. One either facilitates legal access (under strict legal conditions) or one does not. PGP is always there as an alternative to users who distrust (perhaps stronger) key-recovery products.

On the technical front work is also being done to define standards for key management architectures. In Europe an ETSI (European Telecommunications Standards Institute) working group has nearly finalized a TTP standard which addresses both authentication and confidentiality. Whilst in the US NIST have spearheaded an initiative on Key Management Infrastructures (with the helpful acronym TACDFIPS-FKMI). This work is clearly important: we do not want a situation - although we might well have it at first - of multiple key-recovery architectures being rolled out in products which do not interoperate. Users want, and deserve, products that enable them to converse securely with other users irrespective of the type of products they use. Key recovery products need to be more like mobile phones (in terms of their interoperability) than hi-fi systems or cameras.


Conclusions

So what do we do; apart from talk? At the expense of an obvious cliche we are, I believe, facing a closing window. Governments (well at least democratic ones) only have limited tools at their disposal to influence the market for the good of both secure electronic commerce and law enforcement. And these tools become increasingly less effective as time passes and the market develops its own (sometimes-incompatible) solutions. The OECD Guidelines, and the recent initiatives by the US and now the EU, do, however, give us the opportunity to move forward and develop global standards. We need to seize these and not let go until we have succeeded on three fronts. First to develop minimum standards for Certification Agents; second to develop a co-ordinated approach to the legal recognition of digital signatures and lastly, and most controversially, to work on a key management infrastructure to support interoperable key recovery/key escrow products. We cannot afford to fail.

Nigel Hickson works at the Communications and Information Industries Directorate at the UK Government’s Department of Trade and Industry, and has specific responsibility for IT Security policy. This paper was first presented at Compsec International ‘97 in London this November.
