RESPONSE TO THE DTI PUBLIC CONSULTATION
PAPER ‘LICENSING OF TRUSTED THIRD PARTIES
FOR THE PROVISION OF ENCRYPTION SERVICES’
Professional Projects Company Ltd
Introduction
*Acknowledgements
*Recommendations
*Current Position and DTI Paper Overview
*Trust
*TP Functions and Key Escrow
*1) Encryption Services
*2) Keyholder Information
*3) Key Escrow
*1) Signing keys
*2) Criminals and registration
*3) Aims of key escrow would be unfulfilled
*4) Mandatory use of TPs can be circumvented
*5) Public key techniques are inappropriate for key escrow
*6) Criminal communications to society
*7) The value of covert monitoring
*8) Technology and LEAs
*9) Conclusions on key escrow
*4) Data Recovery
*5) Key Delivery to LEAs
*Licensing
*Liability and Appeals
*Digital Signatures
*OECD Policy Guidelines
*References
*Appendix 1
*
This document is a response to the proposals outlined by the DTI in March 1997 entitled ‘Licensing of Trusted Third Parties for the Provision of Encryption Services’. It aims to meet the following objectives:
The fifth point is important: the DTI document has been valuable in initiating an important debate on matters vital to everyone; in addition, there are a number of elements that are to be supported (even though this submission will recommend major changes to the DTI proposals). Cryptography is important to the country, thus it is also important to get the legislation right, balancing the needs of the individual and society.
Given the complexity of the issues, the interplay of the technological, human and social factors and the limited time given for this response, many topics are dealt with in insufficient detail or are completely missed out. However, it is believed that it is preferable to provide some response, albeit imperfect, rather than none at all.
This document is organised around a number of issues, which are all discussed in the main text. There are a number of recommendations, which appear throughout the document, and so are also listed after the acknowledgements for easy access.
This document would not have been possible without the contributions and help from a large number of people, and I have attempted to reflect their views in an integrated manner. Where possible, people have been credited and references given; where this has been impossible I now take the opportunity here to thank them unreservedly. Of course, all errors, omissions and inaccuracies remain entirely my responsibility.
The following are the recommendations from this document, and the page number of each is shown. If it is in response to a request for comment from the DTI, the appropriate paragraph number from the DTI document is also given. Trusted third parties are referred to as ‘TPs’:
Current Position and DTI Paper Overview
The DTI paper aims to describe a series of proposals for the licensing of trusted third parties (TTPs) for the provision of encrypted services. In doing so, it actually intermingles several issues which need to be separated and appraised for an effective discussion to take place. These issues include:
The DTI proposals develop a single paragraph in the foreword by Ian Taylor, which seems to define the Government position:
‘These proposals – aimed at facilitating the provision of secure electronic commerce – are being brought forward against a background of increasing concern, not about the technology, but about the security of information itself. In a world where more and more transactions are taking place on open networks like the internet, there has been a growing demand from industry and the public for strong encryption services to help protect the integrity and confidentiality of information. These proposals have been developed to address these concerns, but at the same time are aimed at striking a balance with the need to protect users and the requirement to safeguard law enforcement, which encryption can prevent.’
As Gladman has pointed out [1], there is no evidence supplied for the last sentence, yet this paragraph drives the entire set of proposals. It also misses out the fact that many believe that encryption may well directly help law enforcement. Appendix 1 briefly outlines the rest of the DTI document and some of the numerous issues raised can now be discussed.
The DTI document frequently refers to ‘trust’. Paragraph 17 highlights the need for TTPs to be trusted and states that licensing will help this. Paragraphs 34 and 39 reinforce this proposal.
Trust is a human concept; typically we trust people to do things or behave in certain ways. We often say things like ‘I trust Bob’, but there is usually an applied meaning such as ‘I trust Bob to arrive on time’ or to be honest, and so forth. Thus trust is embedded in a web of human relationships, and is an estimate by one human being of another’s behaviour under certain conditions, from the experience of knowing that person. In other words, if I don’t know you, I cannot trust you (although a recommendation from someone I know can start the process of forming a trust relationship).
This has a practical consequence: an institution cannot ‘trust’; only individuals can. Individuals can ‘trust’ an organisation to behave in a certain way or do certain things (from their experience of it), but the reverse cannot be the case: an organisation cannot ‘trust’ individuals (only individuals in the organisation can).
This leads to the following implications:
The conclusion is that the word ‘trust’ in all its forms should be removed. The TTPs as described in the paper are not really ‘trusted’ by anyone. However, they have gone through some sort of validation procedure (as proposed in the document), so a better term would be ‘validated third parties’, or ‘licensed third parties’, or some such equivalent. This also makes clear what these third parties are: entities that have gone through a checking procedure in order that they can provide services.
Thus the first recommendation is to cease using the words ‘trust’ or ‘trusted’, in the interests of clarity and accuracy. For the rest of this document, the TTPs will be known as TPs (third parties).
The TPs are defined as carrying out the following functions:
It is this document’s contention that TPs are neither necessary nor sufficient to carry out these functions; in addition some of the functions are impractical or are not required. It is worth discussing each one.
Encryption ServicesThe services that TPs will provide are left open. Paragraphs 34 and 41 refer to key certification, and it clear that the document envisages TPs as being a network which supports key certification. Paragraph 42 mentions other services: ‘Time stamping, non repudiation, confidentiality and integrity . . .’. Paragraph 42 also implies that TPs will achieve interoperability and a common architecture.
It is not clear what services TPs will provide in addition to key certification. This has an impact on the whole aspect of licensing, and is covered below. What is clear is that different TPs may well provide different services (some may just provide key registration services, whilst others might provide a complete cryptographic infrastructure to clients).
It is notable that TPs are not mandated to provide encryption products; thus it is not clear that TPs will achieve interoperability and standardisation. It seems that users will still select their own encryption products, so there will be no drive towards standards except the results of competition provided by a free market. This is reinforced by paragraphs 42 and 45, which underline the voluntary use of TPs and confirm that TPs are not essential for cryptographic services, even though they may be useful.
TPs are meant to provide ‘trusted’ information on key holders. It is worth looking in detail at what this is and how it functions.
When a TP validates a cryptographic key, and issues some form of certificate, it is in effect saying:
‘on this date this person provided a specified amount of evidence as to his or her identity and key ownership; this cryptographic key was confirmed as belonging to this person on this date’.
The key certificate says nothing else. There are some important consequences of this:
TPs cannot, as such, provide guaranteed key certification. In addition, most users will still carry out their own checks if they are going to set up commerce with other parties. For example, banks will give their clients the appropriate permissions to carry out financial transactions: they will not just take TPs’ certifications. Thus the key certification services may be very limited. In addition, the DTI document does not cover the case when people accept TPs’ certificates, which are then found to be compromised. This will be discussed further in the liability section.
This is one of the most contentious areas of the document. It is proposed that the TPs should keep copies of the privacy keys of its clients (paragraph 37). The document accepts that the TPs would not keep copies of signing keys (paragraph 46). The purpose of this is to allow LEAs access to communications and stored data, with the use of a warrant. There are a number of issues and problems with this proposal, each of which is now discussed.
Certain types of cryptographic system (notably RSA, with PGP being a publicly-available implementation of RSA) use the same keys for confidentiality and signing. This could be regarded as a misuse of the system, as people should always have separate signing keys: however, some may not. If the legislation is implemented as proposed, the TPs would end up with the signature keys of some of their clients. This immediately compromises the signature key, as a TP could untraceably forge any transaction with that client’s signing key (consider Barings, BCCI and the Maxwell group, all of whom could have applied to be a TP). It is strongly recommended that TPs should never have copies of signing keys (even when they are also confidentiality keys), and this should be clearly stated in the proposed legislation.
Because the use of TPs will be voluntary, criminals will simply not register with them, which destroys the purpose of key escrow. It has been suggested that they would register for ease of use, but it should be noted that large criminal organisations are perfectly capable of organising complex support infrastructures for their operations (such as the Prohibition gangsters in the USA, and the cocaine barons in Colombia). However, if the Government intends to make the use of TPs mandatory it should say so: paragraph 47 is much too loose. It is recommended that the Government make its intentions clear.
3) Aims of key escrow would be unfulfilled
There seem to be two aims in the escrow proposal: (1) to recover information content from intercepted encrypted communications; and (2) to recover information content from stored encrypted data (paragraph 46). However, the proposals do not fulfil these aims. This is because use of TPs is voluntary – the keys will not be available. More importantly, even if the use of TPs is made mandatory, there are a number of ways that criminals can subvert the standards (discussed below). However, consider the case of the simplest way the criminals deal with mandatory registration: by simply ignoring it and using unregistered keys.
If the LEAs wish to access stored information under these conditions, they would have to use a warrant to make the criminals reveal their stored data (assuming any required legislation were in place), in just the same way as the Inland Revenue may now force businesses to reveal their records. If they wish to access communications for content they cannot: although they could obtain a warrant to force the criminals to reveal the content, again assuming the appropriate legislation existed.
The point is that key escrow will not help the LEAs, although there are other ways by which they can get the information. Note that by a simple manoeuvre the criminals have frustrated what is probably the real reason for key escrow: the covert monitoring of communications without the knowledge of the participants. However, LEAs can achieve most of what they require by means that effectively already exist: the use of warrants to force people into giving up information.
4) Mandatory use of TPs can be circumvented
Even if the use of TPs is made mandatory, criminals can circumvent the escrow controls in several ways (aside from just using unregistered keys). They can make it effectively impossible to check that they are using illegal encryption, or they can bend any likely proposed legislation to their benefit. Here are a few examples of how this can be done:
All these techniques can effectively invalidate the use of key escrow as proposed in the DTI document.
The proposals for key escrow also seem to be flawed with regard to public key cryptography. To quote paragraph 77: ‘The purpose of this central repository will be to act as a single point of contact for interfacing between a licensed TTP and the security, intelligence and law enforcement agencies who have obtained a warrant requiring access to a client’s private encryption keys’ (my italics). There seems to be an assumption that obtaining access to one person’s key is all that is needed: this is valid for symmetrical single-key cryptography, but is invalid for public-key systems.
Let us take RSA as an example in a key escrow system. Each person has a public key, which is listed and is fully available to all, and a private key kept at home, a copy of which is lodged with the TP. Assume that Bob is a criminal, and the LEAs are interested in him. The points to note are:
Thus the execution of a warrant means that the LEA gets access to Bob’s private key: they can now read all the messages sent to Bob. However, one would suspect that they would be at least as interested (or probably more so) in the messages Bob creates and sends to other people (these are presumably the messages that show Bob is an initiator in criminal activities). The LEA cannot decrypt these messages unless it gets a warrant to access each of the private keys of the people Bob communicates with. However, most of these people will not be the target of the investigation; in fact, there will be no evidence against these people, and thus how can a warrant be executed for their private keys?
Unless the Government is willing to countenance open-ended fishing expeditions in the TPs’ databases by LEAs, it is difficult to see how the proposed escrow system would work. Consider the international case: a foreign Government asking for the keys of forty or fifty prominent citizens, with no evidence against them, because they might receive a message from a local criminal. It seems unlikely that such a request would be granted.
The LEA could propose that communications with a criminal gives them the right to obtain a citizen’s keys – but, of course, all Bob has to do is send an innocuous message to a few thousand people all using their different public keys. The LEAs’ position becomes untenable.
Criminal communications to societyIt has been suggested that it is the criminals’ communications with ordinary legal citizens that can shed light on their activities. However, in the end criminals are going to be careful with messages to ordinary people. It seems unlikely that they would incriminate themselves. As noted above, criminals can also undermine the value of these communications to the LEAs by blanket-mailing thousands of people.
7) The value of covert monitoring
It has been stated that communications monitoring is essential for successful LEA operations. For example, Bayse (Assistant Director, FBI Technical Services Division) has said in [8], with regard to telephony legislation: ‘Indeed, for many types of serious and life-threatening crime, electronic surveillance is the only viable tool for law enforcement to use.’ (Italics his.)
In general, telephone tapping has been taken as the model for the future of interception and deciphering of encrypted communications, especially with regard to its validity. In other words, how useful has telephone bugging been to the law enforcement agencies? Presumably the answer to this would give an estimate for the value of key escrow, in terms of making encrypted information available to the LEAs.
Unfortunately, there seems to be very little objective evidence for the value of wiretaps; in fact, it would seem essential that the LEAs should provide the evidence to support their case for key escrow, especially if they want further legislation which removes the right of individuals to privacy. It should be a relatively simple matter to ascertain the number of warrants for telephone taps in a certain period, and the number that then supplied evidence in court, with the number of successful prosecutions (or even the number that contributed to operational intelligence).
There also is no evidence relating law enforcement effectiveness to wiretapping at the gross level: countries of the developed world use greatly different levels of wire tapping, ranging from almost zero in Japan up to the (apparently) relatively high levels in the UK and USA. It would seem to be invidious as well as impossible to attempt to list the world’s countries in order of law enforcement effectiveness in relation to wiretaps (despite Denning’s attempt in [9] to suggest that Japan suffers from a larger corruption problem than the USA!).
Interestingly Freeh, another Director of the FBI, made the following comments in [10]:
‘Today, this kind of debate continues in Washington and around the world on encryption. Again, at this point we can't point to a proliferation of examples where encryption, unbreakable encryption, has caused the loss of lives or shut down major investigations. But we know, with great certainly, that if that problem is not dealt with very quickly, the time will come that, as robust encryption proliferates without any recovery systems, law enforcement and national security will clearly be at risk.’
Thus there is no evidence that LEAs do require access to escrowed keys: only opinion that such access is necessary. Whilst the position should be monitored, and the debate continued, there is a simple recommendation: LEAs should justify their position on key escrow, and give evidence for it.
Another argument frequently put forward is that cryptographic technology is new, and disadvantages the LEAs. However, we live in a world where the technological landscape is constantly changing and evolving. Not every technological advance will be beneficial to the LEAs, nor should this be the case. Otherwise, the final outcome will be a completely controlled society, with all power resting with the authorities.
The LEAs have been helped by a number of new technologies, the following three examples just give a flavour:
In general, 20th century technology has helped LEAs at least as much as it has hindered them, and I believe that if anything LEAs have gained more than they have lost. Naturally, being human, LEAs will attempt to tip the balance as much in their favour as they can, and will try to outlaw technologies that make their investigations more difficult. However, balance is essential, and key escrow should not be enforced.
Because of all the arguments given here, it is believed that key escrow is inappropriate, would not work, and requires more evidence as to its value. We recommend that key escrow, and the use of TPs, be made entirely voluntary, mostly for data recovery reasons.
Organisations may wish to make use of key escrow for the purposes of data recovery. However, this should be part of their normal business operations and not be made mandatory, as indicated in the conclusions to the key escrow section. One important point to note is that TPs are not required for data recovery key escrow: many businesses can easily implement such systems in-house. Thus the recommendation in response to paragraph 82 is that the legislation should simply make provision for private contracts to allow access to cryptographic keys, and extend the current legislation that allows information access in the case of civil dispute (where legislation allows records to be revealed now, then the owner can be forced to reveal them if they are encrypted).
TPs will have to provide the LEAs with keys within one hour of the presentation of a validated warrant. This seems a very onerous condition, especially as the warrant could be asking for hundreds of keys. In addition there will be an international dimension, and in Annex B, paragraph 8, it is stated ‘It is recognised that this sort of procedure will introduce some delays into the process of obtaining keys, but that these should be considerably less than those which would arise from the provision of plain text’. Thus if the Government admits that delays can occur in international cases, it cannot expect TPs to yield keys in unreasonable times.
However, we hope that TPs will not need to give up keys at all, and thus the recommendation with regard to paragraph 81, regarding electronic warrants and key delivery is straightforward: it is perfectly acceptable to set such a system up as long as key escrow is not mandatory.
In conclusion, it has been demonstrated that TPs are neither necessary nor sufficient for the functions as proposed. As it is also not clear what services they will provide, and it is likely that not all TPs will provide the same services, it is believed that their use should be voluntary. In addition, the market should determine their development.
As noted above, TPs will provide different services which are currently difficult to define. For example, time stamping can clearly be seen to be essential, but so is key revocation (which is not mentioned in the DTI document at all and is crucial if digital signatures are to have validity). I believe that TP services will develop as the market develops and experience is gained.
This means that one single license for all TPs may not be possible. Thus consideration should be given to more than one sort of license for TPs. In addition, the Government believes that the market will decide if TPs will be used or not (paragraph 42). In this case, then the market should be as little regulated as possible. The recommendation is that unlicensed TPs providing services to the public should be allowed, and operate alongside licensed ones. This will have the following benefits:
Gladman [1] has also pointed out that under the current proposals, if one friend supplies another with a key, then a service has been provided and both have broken the law (one is providing a prohibited service, and the other is a knowing accomplice). Clearly any legislation must deal with this, and allowing unlicensed TPs deals with the whole issue quite effectively.
In essence, we believe that the market should be as deregulated as possible. Licensing, which may well have benefits in conferring quality levels on TPs, should be evaluated in an open market. We thus recommend that licensing be voluntary, and consideration should be given to more than one license type, as TPs may provide very different services.
The DTI document also asks for comments on other aspects of licensing; here are the recommendations:
In paragraphs 86 to 89 strict liability is proposed, and appeals and the Tribunal are covered in 90 to 93.
The strict liability proposal is probably acceptable, with a relatively low limit, for a new market (comment from Kelman [11]). However, there are a few provisos:
With regard to the appeals body as proposed in paragraph 90, TPs should be allowed to appeal against licensing decisions (where they have voluntarily applied to be licensed), and such a body should be created.
To help enhance confidence in the system, the proposed independent Tribunal should be created. If the proposed Tribunal found against an LEA, then the injured party (which depending on circumstances could be the client, the TP or an insurance company) should be able to sue for redress.
Subject to the comments above, I generally agree with the proposals in regard to the strict liability, the appeals body and the Tribunal. I also believe that unauthorised key exposure should be made a criminal offence. However, it is likely that a considerable amount of further analysis and discussion is needed before the legislation can be framed to cover these areas.
It is clear that TPs have a huge potential role in the storage and management of large public key databases, and can supply certification to certain levels of security (subject to comments above). This infrastructure support may well allow the use of digital signatures to proliferate, to the benefit of society as a whole.
In paragraph 54 comments are requested on legislation and digital signatures. The following are recommended:
In addition, a key item in this area will be training of the public and businesses. The implications of an electronic signature will be that it is legally binding, so people must be trained in the usage of the technology and the protection of their keys. Otherwise failure in usage could completely undermine the effectiveness of electronic signatures. With these provisos, I fully support Government legislation aimed at enhancing the validity of electronic signatures.
The OECD has released a set of eight principles [12], which are discussed in paragraphs 18 to 27, and actually listed in paragraph 24. An excellent analysis is also given by Baker [13]. In the OECD guidelines it should be noted that proposal 6, Lawful Access, is much weaker that proposal 5, Protection of Privacy and Personal Data (a ‘may allow lawful access’ phrase versus ‘The fundamental rights of individuals to privacy . . . should be respected’). In general the OECD policies are more balanced towards the privacy of the individual than the DTI proposals.
Given that the OECD represents a consensus of a number of nations, and given the concerns with the DTI proposals already covered, it is strongly recommended that the OECD policy guidelines be fully implemented in the Government proposals. In addition their balance should be followed in respect of privacy rights.
This should also encourage international agreements with regard to encryption, as the OECD document represents a communal position, with the following benefits:
[1] B Gladman, Updated UK Proposals for Licensing Encryption…, http://www.seven77.demon.co.uk/updated.htm
[2] C M Ellison, Establishing Identity Without Certification Authorities, http://www.clark.net/pub/cme/html/idnocert.htm
[3] NIST, A proposed federal information processing standard for digital signature standard (DSS), Tech Rep FIPS PUB XX, National Institute for Standards and Technology, Aug 1991. DRAFT.
[4] Who Holds the Keys: The Digital Signature Standard, Communications of the ACM, July 1992, Vol 35, No 7, pp 36-40.
[5] G J Simmons, Subliminal Communication is Easy Using the DSA, EUROCRYPT 93, Springer-Verlag, 1994, pp 218-232.
[6] B Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996, pp 534-536.
[7] W Diffie and M E Hellman, New Directions in Cryptography, IEEE Trans on Information Theory, 1976, 22, pp 644-654.
[8] W A Bayse, To Tap or Not to Tap, Communications of the ACM, March 1993, Vol 36, No 3, p 35.
[9] D Denning, To Tap or Not to Tap, Communications of the ACM, March 1993, Vol 36, No 3, p 44.
[10] L J Freeh, Speech to the 1997 International Computer Crime Conference, New York, 4 March 1997, http://www.fbi.gov/dirspch/compcrim.htm
[11] A Kelman, crypto/general2 #276, Compulink Information Exchange.
[12] OECD Council, Cryptographic Policy Guidelines, 27 March 1997, http://www.oecd.org/dsti/iccp/crypto_e.html
[13] S Baker, Decoding the OECD’s Guidelines for Cryptographic Policy, http://www.steptoe.com/comment.htm
The DTI document is structured as follows:
Section 7 is the request for comments, with a paragraph listing.