US Cryptography Policy.
International Security Review. — 1997. — January/February. — P. 11-14.
Public key cryptography, which appeared in 1970, has radically changed and expanded the possibilities of using this information security technique. At the same time, the struggle has intensified between those who support the use of cryptography exclusively in the interests of governments and those who consider its wider application necessary and appropriate.
In the United States, state policy in the field of cryptography is carried out by the National Security Agency (NSA); in the UK, the corresponding functions are performed by the Government Communications Headquarters (GCHQ).
These agencies are engaged in obtaining intelligence information using electronic means and breaking the codes of potential enemies and even their allies. Governments interested in the effective operation of these agencies allocate large amounts of money for their maintenance. The actual appropriations allocated to these agencies remain secret.
If good, reliable cryptography becomes widely available for use, this will have some impact on the activities of the NSA and the GCHQ. These agencies try to prove that the widespread, uncontrolled dissemination of cryptography and cryptographic technology will have a negative impact on the national security of states. In support of this argument, they cite data on the impact that the successful cracking of German codes by Allied intelligence services had on the outcome of military operations during World War II. This argument cannot be ignored, but the problem is that the state of cryptography today and its application cannot be judged from the perspective of a time when the public knew virtually nothing about cryptography.
The government's second main argument against relaxing controls on the use of cryptography is that it could be used by criminals and terrorists, making it much more difficult for law enforcement to combat them. This argument is not widely supported in non-governmental circles. Very few consider this problem to be relevant. This can be explained by the almost complete absence of publications about the failure of certain operations due to the use of cryptography by criminals.
There is virtually nothing that can currently prevent the use of cryptography by criminals and terrorists. They have access to cryptographic protection programs for messages transmitted over communication networks and e-mail, such as Pretty Good Privacy (PGP). This means that control over the use of cryptography will be of little use and will not be able to prevent the use of cryptographic communication for criminal purposes. Even without the use of cryptography, criminals have many ways to communicate with each other without fear of being detected by law enforcement.
Therefore, the argument for the need to increase control over the use of cryptography as a means of combating crime and terrorism cannot be taken without considering the impact on society as a whole. The result could be a more effective interaction between different sectors and law enforcement agencies and an understanding of the challenges they face. There are currently indications that cryptography may become an obstacle to the use of this opportunity.
On the other hand, there are currently strong arguments in favor of a wider application of cryptography. Over the last decade, the Internet has been steadily developing, mainly due to the commercial transactions carried out over this network. Despite the large size of this network, it is considered to be secure enough to carry out such transactions, which can be explained by the strict observance of a certain discipline by most of its users, and not by a certain security inherent in the network itself. In fact, it has long been established that the actions of certain individuals can have an adverse effect on the entire network. This was demonstrated by the recent incident called the Internet Worm, when a certain R. Morris launched a program that disabled many central computers connected to the network, whose normal functioning was restored only after several days.
A network this vulnerable cannot meet the requirements of expanding electronic commerce; this factor, together with a number of other requirements, determines the current direction of cryptography development. These other requirements include:
- identification and authentication of users;
- maintaining data integrity;
- use of digital (electronic) signatures;
- non-repudiation, i.e., eliminating the possibility that the sender or recipient of a message later denies having participated in the exchange.
It is in these areas that the particular flexibility of cryptographic technology is demonstrated, since it can provide a general approach to solving all these problems.
In 1992, the US government attempted to balance the competing demands on the use of cryptography by introducing the Clipper Initiative. The goal of this program was to provide secure cryptography for commercial use while preserving government interests. The government retained the right to access encryption keys when necessary (legally). Since the keys were held by third parties, this cryptographic system was called Escrowed Encryption.
This system immediately caused objections and protests:
- civil rights groups and the Internet user community saw the program as a violation of their rights and freedom to use cryptographic systems at their own discretion;
- US computer and communications firms, fearing the loss of their customers and consumers, strongly opposed the government's proposals;
- experts soon discovered weaknesses in the proposed system, which reduced confidence in it and made it virtually impossible to implement.
Given this domestic attitude towards the Clipper system, US computer industry companies, which are the main suppliers of hardware and software products for the Global Information Infrastructure (GII), were faced with increasing demands from their international customers to supply them with more secure products. But US companies could not meet these demands, since none of the 40-bit cryptographic systems, which the government had authorized for export, could be considered secure enough to meet the new requirements. This was confirmed by students who, using the spare computing power of Internet computers, cracked such keys within a few hours.
In this situation, US companies proposed several schemes for more secure cryptography:
a). Differential Cryptography — this is a Lotus encryption program similar to the DES encryption standard that uses a 56-bit key but allows U.S. government agencies to easily obtain 16 bits of the encryption key when needed. This reduces the U.S. government's cost of breaking keys to the equivalent of breaking a 40-bit key while still providing users with the benefits of increasing the key length to 56 bits. For those users who do not see the U.S. as a threat, this system offers some advantages. But for most, it is considered an unacceptable solution.
b). Plug & Play Cryptography — this product is sold with an interface that allows the use of external cryptographic modules. The problem with this system is that U.S. export controls apply not only to cryptographic products, but also to other products related to their use.
However, the US administration has agreed to the use of interfaces of this system on the condition that the cryptographic modules used with them are certified by a digital signature. Such a signature makes it possible to check the modules before they are used to run certain applications and to exercise control during their operation. The use of unapproved (unauthorized) cryptographic modules will be very difficult, since cryptographic control can be carried out even with the presence of such interfaces.
At the end of 1994, Microsoft published technical data for the Plug & Play cryptosystem interfaces, which enable the use of digitally signed cryptographic modules with the Windows NT and Windows 95 operating systems.
The company reports that in order to receive a US government certificate, all cryptographic modules must be digitally signed by Microsoft in strict accordance with US law.
In practice, this means that all cryptographic modules intended for domestic use in the US must be digitally signed, regardless of their cryptographic strength, i.e., key length, and modules exported for use outside the US (and Canada) can only be digitally signed if they meet the criteria for export, which is equivalent to their unsuitability for information security.
A few weeks after the publication of these data, there were statements that the proposed approach would give the United States a good cryptographic system, while the rest of the world, including countries friendly to the United States, would not gain anything of significant value from it. Unfortunately, such predictions came true, and the result was as follows:
- US citizens have certain benefits from using the Internet and the WWW system, using a good cryptographic system with a key length of 128 bits;
- users in other countries of the world have received a limited system of protection of their information, determined by a key length of 40 bits.
At the same time as the technical data for the company's interfaces was published, Microsoft announced the availability of tools that can be used to develop integrated cryptographic modules that use the company's interfaces. However, these tools are also subject to export regulations and can therefore only be supplied to US companies for now, putting international cryptographic product suppliers at a disadvantage compared to their US competitors.
These actions by the US, which restrict open competition and free trade in the global market, have not provoked retaliatory actions from the governments of other countries (at least in the area of public cryptography). And although many firms in these countries express dissatisfaction, this does not have a noticeable effect.
This means that US cryptographic vendors have a one-year head start in selling cryptographic tools that work with Microsoft interfaces. In addition, the US government recently announced changes to its export policy that will allow US companies to exploit this advantage. Given the strong position of Microsoft products in the global market, these circumstances are unfavorable for developers and vendors of cryptographic tools outside the US. It is therefore surprising that European governments and firms have had a limited reaction to this. There is some reason to believe that such a policy by the US government will promote the development of industry in this country. However, international opposition to this policy should be expected. Here is how the programming administrator of Sophos Data Security (UK) characterizes the current situation: «With their cryptographic policy, the Americans have made themselves the object of general ridicule, but this policy of theirs is partly explained by the fact that European companies have never yet offered their own publicly available encryption algorithm. The restrictions on the export of cryptographic products introduced by the US cannot stop companies in other countries from developing their products. But it may turn out that if Sophos exports its D-Fence 4 cryptographic protection system to the US, it may not receive permission to import this system from the US».
A number of other companies, including Intel, Novell and Hewlett Packard, are developing a new cryptosystem based on the use of electronic signatures, which has a chance of being accepted at the international level. The idea behind the system of these companies is that they certify with an electronic signature a shell module of the system, the purpose of which is to enter electronic signatures into any cryptographic submodules and control them. Also, submodules with an electronic signature (and their verification) allow each country (or organization) to create its own cryptographic system with its own cryptomodules, provided that their electronic signatures are recognized and accepted by the shell module of the highest level.
But although such a chain of electronic signatures provides a better solution than the approach of Microsoft, this does not eliminate the political problem associated with the question of who has the right to control the electronic signatures of the highest level. And this, ultimately, determines who can use cryptographic modules.
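The signed-module check described above, covering both the single-signer interface model and the hierarchical chain of signatures, as an added example that is not code from Microsoft, Hewlett Packard or the original article. It uses textbook RSA over small constructed primes purely for illustration; the names `ROOT`, `NATIONAL`, `ROGUE`, `endorse` and `may_load` are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys in this example


def make_key(p, q):
    """Toy RSA key built from two known primes (far too small for real use)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data: bytes, n: int) -> int:
    # Hash-then-sign: reduce the SHA-256 digest into the signer's modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data: bytes) -> int:
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == digest(data, n)


# Constructed keys: Mersenne primes keep the example offline and deterministic.
ROOT = make_key(2**89 - 1, 2**127 - 1)      # holder of the top-level signature
NATIONAL = make_key(2**61 - 1, 2**107 - 1)  # a country's or organization's signer
ROGUE = make_key(2**61 - 1, 2**89 - 1)      # a signer the root never endorsed


def endorse(root_key, signer_n: int) -> int:
    """Root signs a lower-level signer's public modulus (a minimal certificate)."""
    return sign(root_key, signer_n.to_bytes(32, "big"))


def may_load(root_n, module, module_sig, signer_n, endorsement) -> bool:
    """Shell-side check made before a cryptographic submodule is used."""
    # Step 1: the submodule's signer must itself be endorsed by the root.
    if not verify(root_n, signer_n.to_bytes(32, "big"), endorsement):
        return False
    # Step 2: the submodule bytes must carry that signer's valid signature.
    return verify(signer_n, module, module_sig)


def demo():
    module = b"constructed national cipher submodule v1"
    cert = endorse(ROOT, NATIONAL["n"])
    sig = sign(NATIONAL, module)
    rogue_sig = sign(ROGUE, module)
    return {
        # Endorsed signer, untouched module: accepted.
        "endorsed": may_load(ROOT["n"], module, sig, NATIONAL["n"], cert),
        # Module changed after signing: rejected at step 2.
        "tampered": may_load(ROOT["n"], module + b"!", sig, NATIONAL["n"], cert),
        # Signer reuses another signer's endorsement: rejected at step 1.
        "unendorsed": may_load(ROOT["n"], module, rogue_sig, ROGUE["n"], cert),
        # Signer endorses itself: rejected, only the root key counts.
        "self_endorsed": may_load(ROOT["n"], module, rogue_sig, ROGUE["n"],
                                  endorse(ROGUE, ROGUE["n"])),
    }


if __name__ == "__main__":
    print(demo())
```

Every acceptance path runs through `ROOT`, which is the technical form of the political question raised above: whoever holds the top-level key decides which signers, and therefore which modules, can be used.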
Hewlett Packard, for example, recently announced the creation of the International Cryptography Framework (ICF) to implement control over a hierarchical system of electronic signatures. At the same time, the company reported that it has the support of governments of several countries that are members of the «big seven» (G7), including France and the United Kingdom.
However, even if the chain of electronic signatures is adopted as a solution, the vital question of choosing the right root signature holder that can be trusted internationally remains unresolved. It is also important to establish a procedure for using modules with electronic signatures from one country in other countries that would create confidence that this is done in strict accordance with the laws of the particular countries.
Another important problem associated with the implementation of a generally accepted good cryptographic system is the problem of disclosure of cryptographic keys. It arises from the question of what happens if governments stop obstructing the widespread use of high-level cryptography.
The answer is that highly secure cryptography will quickly become widely available, but users will soon realize that if they lose their encryption keys (and they will) their vital information will be lost forever because they will not be able to decrypt it. In such circumstances, they will be forced to turn to cryptographic vendors to provide them with a means of quickly recovering information to protect them from the potential dangers associated with losing an encryption key (which is like asking a locksmith to open and replace the lock on your front door if you lose the key).
It is important to ensure that such a key recovery capability does not expose users' confidential information to a «third party». However, this does provide certain commercial advantages in the following circumstances:
- firms will be forced to seek assistance in restoring information encrypted on the keys of their employees in the event of the death of such an employee or his/her departure from the firm for one reason or another;
- in many cases it is important for firms to have independent records of their activities and the actions of their staff and to use such records to explain the requirements of legislative and regulatory bodies.
An important difference between encryption key recovery in this manner and key escrow is that in the former case the organization or firm manages its own keys, while in the latter case a neutral but mandatory government mechanism is created to do so.
A key recovery system with «recovery centers» may be offered. This type of system may be useful for smaller organizations that, for economic reasons, cannot maintain their own expensive recovery service.
It is possible that some governments will insist that key recovery be done only through the appropriate centers. But it is already known that one European government has approved the approach according to which the choice of the method of key recovery is left to the first party, i.e. the user, and there is reason to believe that other governments will follow this example.
Therefore, we can expect the emergence of mixed systems and key recovery services with and without the participation of a third party. Since the need for key recovery services is determined by the needs of commercial firms and organizations, the idea of their creation is supported by broad industry circles, for example, the Key Recovery Alliance, headed by IBM (USA), which already includes more than 40 other firms. Many other technical approaches to solving the key recovery problem are known, supported by Trusted Information Systems (TIS), Bankers Trust, etc.
In early 1997, the UK Department of Trade and Industry announced its intention to introduce controls on the provision of cryptographic services by public telecommunications services. The basis for such controls would be licensing. The press release from the department did not provide any further details. However, subsequent clarifications from department representatives suggested that this was a mandatory deposit of encryption keys. The department stated that it did not intend to change the rights of individual UK citizens to use cryptography to protect their personal information at their discretion. However, this statement does not correspond to the real situation, since any legislative decisions to limit the use of cryptography cannot but affect the personal interests of citizens.
Although the Department of Trade and Industry is the initiator of such restrictions, the policy is actually set by the Government Communications Headquarters (GCHQ), which is interested in establishing stricter control over communications and computing equipment.
A number of civil society organizations are putting up some resistance to such cryptographic policies, the most active of which is the Organization for Economic Cooperation & Development (OECD). The activities of this organization are supported by many civil liberties groups in Europe and the United States.
The US government recently announced a major change in its cryptographic policy, moving from key escrow to key recovery. Under this decision, firms intending to supply products with key recovery will have two years to export cryptographic products using the 56-bit DES encryption algorithm. Once the key recovery technique has been implemented to a significant degree (after a transition period), all restrictions on the cryptographic strength (key length) of the encryption algorithms used in such products will be lifted.
This policy will likely result in US-made cryptographic products with third-party key recovery being readily exportable, while products with first- or third-party key recovery designed and manufactured in other countries will be restricted to «friendly» countries.
Although this change in US government policy is significant and welcomed by all sectors whose interests it affects, it does not mean that the US has abandoned its aspiration to manage the security of the global information structure. Thus, the US maintains the procedure according to which the technology for restoring encryption keys in equipment used within the country can be used voluntarily, but in equipment exported to other countries, its use is mandatory.
Cryptography, being a special-purpose field, gives rise to a number of important ethical issues related to the relations between the government and society in a given country. In democratic countries, citizens can communicate with each other without fear of interference from government bodies. Cryptography, combined with a global information structure, can become a means of implementing this basic civil right on an international scale.
According to official government statements, the policy of limiting the use of cryptography is aimed at preventing its use by terrorists and other criminal elements. However, history refutes such claims, since any restrictions on the use of cryptography affect the rights and freedoms of all members of society.
Therefore, it is regrettable that the US government's cryptographic policy, determined by narrow national interests, may become an obstacle to its use for free communication between people living in different countries of the world.