6 September 1999
From: "Brian Gladman" <firstname.lastname@example.org> To: "UK Crypto List" <email@example.com> Subject: Re: NSA key in Windows Date: Mon, 6 Sep 1999 14:23:33 +0100 I am always surprised about just how long it takes to recognise the political implications of simple technological decisions. The Microsoft CAPI issue is well over ***three years old*** and to illustrate this here is a URL for a paper that I wrote in early 1996 to try and get action from the UK government and from the EU when this issue first arose: http://www.seven77.demon.co.uk/capi.pdf [HTML below] In my view the real issue here is not an NSA backdoor (I doubt that one exists in the form postulated) but rather the principle that Microsoft should allow the US government to impose its cryptographic export controls on other sovereign countries by controlling access to the relevant interfaces for integrating cryptographic Service Providers (CSPs) into Windows. When this was topical back in 1996 I objected vigorously to this approach (with ***support*** from GCHQ/CESG!) It took a lot of effort but the UK, at least, did establish a Microsoft UK based capability for signing cryptographic modules separate from that in the US. I might also add that I had access in the UK to the Microsoft CSPDK (Cryptographic Service Provider Developer Kit) in 1997 and the keys now being discussed were openly a part of the CSPDK at the time. If this was an NSA backdoor then they did not make a very good job of hiding it! Hence, while I believe that Microsoft should be criticised for allowing itself to be used by the US government to impose extra-territorial controls on crypto, I am very doubtful that they co-operated in the provision of any backdoor of the form now proposed. Brian
6 September 1999. Thanks to Brian Gladman
Source: http://www.seven77.demon.co.uk/capi.pdf (69K, 7 pp.)
The International Cryptography Experiment
The Third Workshop
Dr. B. R. Gladman, 7th Draft, 22nd February 1996
A Paper for the ICE Workshop by Dr Brian Gladman
Recently Microsoft have published a Cryptographic Application Programming Interface (CAPI) for 32 bit applications running on Windows NT (and, possibly, Windows 95). This interface will be provided as a part of the 32 bit applications interface and will allow separate Cryptographic Service Provider (CSP) modules to be plugged into these operating systems.
Microsoft has announced its intention to digitally sign supplier provided CSP modules for two reasons:
The first of these requirements is straightforward and sensible and will not be discussed further here. The second reason for signature is, however, contentious for reasons which will be discussed below.
This paper is concerned, in particular, with the impact of the Microsoft proposals on CSP suppliers and users outside the United States and Canada.
It is well known that many nations control the provision, use, import and export of cryptographic and related products. The extent of these controls vary from one nation to another but a common practice is that of controlling the export of such products without constraining directly any domestic provision or use. This is the situation in the United States, the United Kingdom and a number of European countries.
It is less well understood that these export control laws not only constrain cryptographic and related products but also any products which are specifically designed to interface to, or integrate with, cryptographic products. In effect, therefore, the very principle of openly available Cryptographic Application Programming Interfaces (CAPI) is in direct conflict with the existing export control provisions in many countries. Thus, to integrate a CAPI into their operating systems without making them subject to export control Microsoft has had to establish some rigorous CAPI control procedures.
It is important to recognise that this situation is not of Microsofts making. In publishing and promoting a CAPI for use with their products Microsoft has gone as far as it can under US law to establish an improved basis for the provision of cryptographic information security when using their products. The procedures discussed below are the provisions which the United States administration has imposed in order that Microsoft can offer their operating systems in world markets without being subject to US export controls.
For these reasons nothing in this paper should be seen as in any way critical of Microsofts efforts to advance the state of the art in this vitally important area.
In announcing its CAPI Microsoft has indicated its intentions in respect of the relationship between Microsoft and the prospective suppliers of independent CSP modules. The actions required are different in each of the three situations set out in the following sub-paragraphs.
3.1 CSPs Produced in the United States and Canada for Domestic Use
3.2 CSPs Produced in the United States and Canada for Export
3.3 CSPs Produced Outside the United States and Canada
The basis on which the United States administration will give permission for Microsoft to sign a CSP from a supplier outside the United States or Canada is unclear at present. In response to an earlier version of this paper Microsoft have stated:
It is our understanding that [all] CSPs intended for sale in US or Canada and limited to sale in that region will be eligible for signature. No supplier should expect however that the CSP sold in the US or Canada will be eligible for sale outside the US or Canada. That limitation puts all suppliers on a strictly equal footing with regard to sales in US or Canadian domestic markets.
From this statement it seems very likely that there will be no United States government constraints on either domestic or foreign CSP suppliers who supply only within the US and the Canadian domestic markets. This statement is also strongly suggestive of an intent by the United States government to use its powers over Microsoft signature to control the availability of good cryptography outside the United States and Canada.
Thus, in clarifying the intent of the United States administration in respect of US and Canadian domestic markets, this statement leaves the position of CSP suppliers outside the United States (and Canada) unclear in several important respects. An immediate question is:
In practice it would be naïve to expect the United States government (or any other government) not to act to the advantage of its domestic companies (it is entirely reasonable that they should do so).
The controls which Microsoft propose for their CAPI will have a number of consequences for CSP suppliers outside the United States and Canada which will put them at a commercial disadvantage in respect of their North American cousins. In particular they will suffer from the following disadvantages:
These factors will put suppliers outside the US and Canada at a disadvantage in world markets because their CSP development plans will be subject to more delay than is likely for US and Canadian suppliers. Extra delays arise because the Microsoft Software Development Kit for CSP modules is export controlled and this gives a US or Canadian supplier a head start in the development process. Worse still, CSP suppliers outside the United States and Canada need to get their plans approved by the United States government before CSP development can even be started.
Thus, even though Microsoft have made it clear that they will do everything possible to reduce or eliminate the impact of these imbalances, it seems inevitable that the existing proposals will act to the disadvantage of overseas suppliers in these respects.
A second obvious question is:
The likely US position on this point is illustrated by a comment in the Microsoft response to a request for overseas release of the CSP Development Kit where it is suggested that signatures on CSPs will be possible for
General purpose data encryption which would be deemed exportable from the U.S. However, at present the U.S. allows only 40 -bit private or 512-bit public keys in exportable software, and foreign developers will not generally limit themselves to this. CryptoAPI is not a viable mechanism to enable strong security for general purpose data encryption. However, it may be possible to work with foreign vendors seeking to develop encryption systems for vertical markets in certain countries (e.g. a medical records system for health care providers in the European Union).
Microsoft have also indicated:
For suppliers who want to maintain the same product across all markets, North American and everywhere else, the most attractive strategy remains to develop CSPs outside the US or Canada and outside CryptoAPI.
This is again a clear recognition on Microsofts part that it will NOT be possible to use their CAPI to support the general availability of good cryptography outside the United States and Canada.
From these observations it is clear that Microsoft expect the United States administration to use its powers over Microsoft CSP signature to constrain the development and use of cryptographic capabilities outside the United States. Thus:
In terms of practical effect the mechanisms for the control of CSP signature will be used by the United States administration to extend the scope of US export controls to cover CSP modules produced for domestic use in other countries even when there is no legal basis for such domestic control either in the United States or in the country concerned.
The extensive and widespread use of Microsoft 32 bit operating systems (Windows NT and Windows 95), when combined with a convenient plug and play interface for cryptography, is certain to have a big market impact within the United States (and Canada).
The whole point about CAPIs is that they allow cryptography to be more easily integrated with standard operating systems and applications and this will mean that in the unconstrained US (and Canadian) domestic markets there will be vigorous competition between CSP suppliers with the result that very high quality CSP modules will be generally available on the open market.
In contrast, in the rest of the world, the US administration will constrain generally available cryptography capable of operating with Microsoft products to the current 40 bit key limit which can be circumvented by amateurs in a few days and by professionals in hours or even minutes. Thus, whilst everyone in the United States (and Canada) will have open access to good cryptography with Microsoft products, the rest of the world will have nothing of any real value except in specialised application approved by the United States administration.
Given the strength of Microsoft products within world information systems markets we can thus expect that the US government controls on CSP signature will lead to the following situation:
This in turn will lead to a national information infrastructure in the United States which is well protected whilst the information infrastructures of other countries (except Canada) will remain highly vulnerable because good cryptography will not be generally available as in the United States.
Whether by accident or design the US policy on CAPI signature will lead to a situation in which the US national information infrastructure is well protected whilst that of the rest of the world is wide open to easy exploitation.
The rapid growth of electronic information exchange as the industry norm, combined with the trend for all developed economies to become increasingly information based, will mean that the result of this US export control policy will be to put the economies of developed countries increasingly at the mercy of those in the world with hostile or criminal intent. It is hard to believe that this is truly in the interests of the United States and it certainly isnt in the interests of the countries involved. No doubt this is not the intended result of the policy but this does not make it any more acceptable.
The original intent of the export control laws, applied in unison by many western countries, was to prevent cryptography a critical defence technology getting into the wrong hands. But things have now changed. Firstly the technology is now as important, if not more so, in the commercial world. Secondly, as a result of the dominance of the US companies within global information systems markets, US export controls, in preventing this technology getting into the wrong hands, also prevent its beneficial exploitation within many of the countries which these laws were designed to protect.
Because of changes in world markets, defence related export controls are now having a completely different impact from that for which they were designed. In a modern world they have become blunt and indiscriminate weapons which damage friends much more than they ever do enemies. An unconstrained market in the United States (and Canada) will mean that the hostile and criminal elements in society will easily obtain good cryptography for use anywhere in the world. In contrast, legitimate users in industry and commerce outside the United States (and Canada) will not be able to obtain good products because of the controls envisaged. We will thus be in the bizarre situation where export controls will allow criminals and those with hostile intent easy access to good protection whilst denying it to legitimate users!
Thus the saying if cryptography is outlawed, only outlaws will have cryptography will soon become true outside the United States and Canada because of, rather than in spite of, export controls! This will serve only to alienate those living in countries which share US values and cannot see any reason why they should be denied the levels of protection generally and openly available within the United States. Again, this is a situation which cannot truly be in the interests of the United States.
These pressures have been building up for some time but the introduction of a Microsoft CAPI is certain to have a powerful effect on global markets and will accentuate and accelerate these developments. For this reason it is now vital to develop CAPI control proposals which will lead to a more balanced global market for cryptographic products.
If the proposals set out by Microsoft are unacceptable, what form of control could be contemplated for an International CAPI? I would suggest the following requirements need to be met:
1. Control of the use of the CAPI within products should be subject only to the laws of the country in which this use takes place.
2. Government control of the CAPI in the country where this use takes place should only be exercised where this has a basis in law.
3. The use of the CAPI within operating systems and applications which provide support via such a CAPI for separately supplied cryptographic modules should not themselves be subject to any domestic or export controls which apply to cryptographic and related products.
4. The provision, signature and use of cryptographic modules supporting the CAPI should be subject only to the laws of the country in which module suppliers and module users reside.
5. Where operating systems (or applications) suppliers provide information, tools or technical support to aid CSP development and integration, these are to be provided on the same basis for domestic use1 and for use in countries which have equivalent (or more restrictive) controls on the export and re-export of such products and equivalent (or less restrictive) controls on their domestic use.
____________________1 That is by a CSP supplier in the same country as the operating system or applications supplier.
6. A CSP supplier in one country should be able to export his CSP to a recipient in another country where the latter has equivalent (or more restrictive) controls on the export and re-export of such products and equivalent (or less restrictive) controls on their domestic use.
Some of these provisions, for example, the last two, would extend the existing relationship between the United States and Canada to apply also to other countries such as, for example, the United Kingdom.
A way in which the Microsoft proposals could be changed to meet the above principles would be for:
Microsoft subsidiaries to have the authority to digitally sign CSP modules, subject to control only by the government of the country in which the subsidiary resides and only then when the law of this country requires this.
Such delegated signatures could be restricted to those countries with equivalent export controls to those of the United States. A proposal along these lines should be able to meet principles 1 to 4 above and, even without principles 5 and 6, this would be a considerable improvement over the current Microsoft (and US government) proposals. Whilst this alternative has been set in a Microsoft context it could apply more generally to any companies whose products require digital signatures.
If, in addition, principles 5 and 6 could also be established, we would then have a much improved basis for providing adequately secure products within the open international markets operated by and between the democratic countries of the world.
Since ICE started there has been much technical progress in the development of CAPI principles and there can no longer be any doubt (if there ever was) about the technical validity of the concepts involved.
At the same time, however, it is now clear that CAPI control provisions introduced by the United States administration could have a highly divisive impact on the global information systems market. For this reason we now need to make progress on the political aspects of CAPIs, without which there is no prospect that we will be able to provide the good cryptography which global electronic commerce and the global information infrastructure of the next century will require.
Resolving this issue must now become a central and overt objective of ICE.
My sincere thanks go to many colleagues who have commented on earlier drafts of this paper. I am most grateful for their advice and for their support with its overall aims. My thanks also go to my Microsoft colleagues for their perseverance in answering my many questions during the preparation of this paper.
HTML by JYA/Urban Deadline.