8 June 1999: Add Mr. Gladman's updated text.
7 June 1999
From: "Brian Gladman" <email@example.com> To: <firstname.lastname@example.org> Subject: Re: Germany Frees Crypto Date: Sun, 6 Jun 1999 19:30:07 +0100 > As someone working on an Echelon story asked elsewhere, just what > strength of crypto can NSA crack these days. [Updated by Mr. Gladman 8 June 1999] In my view this question has to be posed and answered carefully. The reality is that most crypto cracks are not done by breaking the algorithms but by exploiting weaknesses in their implementation. It fairly clear that we are already using algorithms that would be way beyond NSA's ability to break by brute force if they were implemented perfectly and operated in a perfect environment. We already use 128+ bit keys in many of our algorithms and yet it is very clear that few if any applications come even close to the levels of security that such key lengths offer. In the work on AES several papers show how easy it is to get at keys on smartcards and Markus Kuhn at Cambridge has recently published an excellent paper on this (see: http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf). And, of course, software is several orders of magnitude easier to subvert so we can see that we really do not have to worry about algorithm strength but rather the strength of implementations. These have a ***LONG*** way to go before they even come close to matching the security offered by current algorithms and key lengths. Having worked on military systems the one thing that I can with confidence is that the only area in crypto where the 'government machine' remains ahead of the open world is in the issue of implementation assurance. Governments have learnt from a lot of practical experience how easy it is to undermine algorithm security during implementation. The open world still has to learn much of this. I believe that this will happen at a rapidly increasing rate so I don't think this advantage will last much more than a few more years but it is there now and it means that key length just gives an unlikely upper limit on the security that applications offer. But a wider issue is that the question has to be asked in a context. If NSA conducts a targeted attack on a specific message it can clearly break keys a great deal longer than 56 bits (using DES as a benchmark). But if we achieved a situation in which all email was truly protected to even 40 bits then much of the internet would be instantly out of NSA's reach since to do 'keyword' searches and the like requires a huge volume of traffic to be decrypted and here even 40 bit encryption would pose an insurmountable barrier. So if we could find ways of achieving, as a matter of routine, ***ACTUAL*** cryptographic security at even DES strength, much of the 'State Sponsored Information Piracy' we currently hear about would not be possible. IMHO this won't happen, not because it cannot be done, but rather because most users prefer functionality over security and, given the chance to put processor and software improvements into one or the other, the market will, for the present at least, continue to be driven by functionality. Of course there are applications that, used properly, give good security but they are used by a very small fraction of the user community, most of whom will continue to be content to exchange email in the clear. This is made worse by the fact that most large companies don't seem to be aware of the need for good implementation assurance in offering security solutions and hence provide solutions that seem to offer security performance but which, in reality, are worse than useless because they give user's a comfortable feeling while offering no real protection. My own hope is that a convergence of the open source software and cryptographic communities will now bring a rapid change in this situation. The technical community can offer the world good protection and government's are powerless to stop this happening if we choose to do it. Frankly I have stopped short of pushing this line vigorously in public but I am fed up with the UK government's protestations of being positive about crypto whilst doing all it can 'behind the scenes' to prevent its spread. Good evidence of this is the UK government's stance in Wassenaar, an arrangement that states clearly that it cannot be used to used to justify actions which impede genuine commercial transactions. Yet despite this clear statement, the UK government - the DTI no less - has continued to use this agreement to seek restrictions on the export of civil cryptographic products that cannot even remotely be considered to fall within its provisions. And if anyone doubts the UK government's desire to hide its actions in Wassenaar from the public eye, just look at the recent paper on 'Encryption and Law Enforcement' issued by the PIU (see: www.cabinet-office.gov.uk/Innovation). Here export controls on cryptography are ***not even mentioned*** even though it is very clear that they fall at the heart of the study remit as a major consideration in the relationship between encryption and e-commerce. But worse than simply not covering export controls, this paper actually ***LIES*** about government actions by saying: "However, apart from the OECD Guidelines on Cryptography Policy, there has been remarkably little co-ordination of policy on encryption matters." when almost everyone on this list knows very well that the government has had a long standing role in a host of international efforts designed to restrict the spread of cryptography. I am amazed (maybe I shouldn't be) that the government would tell such deliberate and shameful lies in a document with a preface signed by the Prime Minister. In fact I have been so taken aback by this that I have been at a loss about how best to react to it - it is hard to know where UK citizens can turn when there is such deliberate dishonesty and lack of ethics right at the heart of government. It will be interesting to find out whether the Prime Minister and the Head of the PIU are aware of the fact that a document put out in their name contains such deliberate distortions of the truth. I hope that journalists on the ukcrypto list will do what they can to discover the level within government at which this attempt to mislead the UK public has been orchestrated. Brian Gladman
Date: Sun, 6 Jun 1999 16:36:31 -0400 From: Nigel Hickson <email@example.com> Subject: Re: Germany Frees Crypto To: firstname.lastname@example.org Brian Just seen; the PIU document was talking about coordination on encryption policy; not on export controls. Why should we lie about Wassenaar? We were simply trying to make point (something I thought you wd be in favour of) that there has been little coordination on broad encryption policies in the round. Nigel Hickson [DTI]
Hi Nigel, [Snip Nigel Hickson message.] Thank you for your quick reaction to my flame. The remit given to the PIU was: * to study the needs of law enforcement agencies and of business; * to examine the merits of the current encryption policy (and in particular key escrow, which is explained in chapter 5); and, if necessary, * to identify proposals that would satisfy both the need to promote encryption for electronic commerce and the Government's duty to ensure that public safety is not jeopardised. Although there is clearly an emphasis on key escrow, it says 'current encryption policy' and here it is not sensible to omit coverage of export controls when many of us have been saying for years that these are impeding the development of e-commerce. I am also very confident that one of the arguments used in promoting Wassenaar crypto controls has been law enforcement requirements so this again shows the relevance of Wassenaar within the remit of the PIU study. I hence maintain my surprise that the document makes ***no mention*** of the crypto export control issue, something that is quite amazing given the study remit. In terms of international co-ordination of encryption policy, various arms of the UK government machine, especially GCHQ, have a long standing set of international relationships within which policies on encryption are discussed. Moreover within Europe, the Senior Officials Group on Informaton Security and the EU Cryptography Working Group are attended by the UK. The UK has been heavily involved in continuing discussions with the US (Aaron et al) on the topic of encryption controls. And the GCHQ/NSA axis continues to discuss in detail the issues involved in trying to limit the spread of cryptography. Moreover a number of nations co-operate 'behind the scenes' in such bodies as ETSI to limit the strength of the encryption technologies deployed within telecommunications systems. But despite this extensive international coordination of encryption policy the PIU document claims that there is "remarkably little international co-ordination"! I don't often accuse the government of barefaced lies but on this occasion there is no other word to describe what the PIU document has said. I would certainly support a statement that said "there has been remarkably little ***open and publicly accountable *** international co-ordination of encryption polices" and this might be what was meant but this is NOT what the PIU report says. Most often I believe that these situations are the result of mistakes rather than conspiracies but on this occassion I find it ***VERY*** hard to see this as anything but a deliberate attempt to divert attention from one of the key issues in the development of e-commerce. When someone is stamping on your toes (crypto export controls) and beating you over the head with a sledge hammer (key escrow), it is a relief when they give up the sledge hammer but it is important not to forget that they are still stamping on your toes! Key escrow can be seen as an excellent way of diverting attention from the export control issue and the PIU study provides a clear insight into this intention. Those of us who want these controls removed should not allow our attention to be diverted in this way. Perhaps you or David can explain why you consider encryption export controls to be outside the remit of this PIU study? Brian
To: email@example.com Subject: `Germany Frees Crypto' - do you believe it? Date: Mon, 07 Jun 1999 11:34:51 +0100 From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk> Some people are under the impression that France and Germany have freed crypto. However, export controls look like being tightened. Guess who organised that? As Brian eloquently puts it: > Moreover within Europe, the Senior Officials Group on Informaton > Security and the EU Cryptography Working Group are attended by the UK. > The UK has been heavily involved in continuing discussions with the US > (Aaron et al) on the topic of encryption controls. And the GCHQ/NSA > axis continues to discuss in detail the issues involved in trying to > limit the spread of cryptography. Moreover a number of nations > co-operate 'behind the scenes' in such bodies as ETSI to limit the > strength of the encryption technologies deployed within > telecommunications systems. After last year's DTI white paper on export controls proposed to control `intangible exports' as in the USA (but worse), there was an explosion of outrage; a report from the Trade and Industry Select Committee trashed the idea. Officials said that we shouldn't worry as there was no parliamentary time for a bill this century. However the relationships to which Brian refers above seem to have been exploited to cause the EU to issue a draft regulation in much the same terms as the bill (see http://www.cl.cam.ac.uk/users/rja14/#Lib for details). When speaking to the relevant DTI wallahs, I detect a distinct note of gloating to the effect that `we outsmarted you by doing this through Europe - you can't stop us now'. GCHQ's agenda is obviously to stop people like Brian and me having crypto source code on our web pages. They don't seem to have understood that: (a) the public domain exemption will apply to the Serpent home page which will still be there. If the exemption is removed, the Serpent home page will still be available in Norway, Israel, Taiwan ...; (b) there will be enormous harm done to industrial R&D and to university teaching <http://www.cl.cam.ac.uk/~rja14/export.html>. Essentially everything we do in the School of Technology, and much of what's done in the School of Medicine, will fall under the net, so we'll have to get personal export licences for an awful lot of foreign students. The system may just collapse unless we take our courses fully public domain (I have done this: check out http://www.cl.cam.ac.uk/Teaching/1998/Security/). But fully public domain research would undermine the DTI's efforts to make us do all our research in collaboration with industry; (c) the absurdity and chaos will bring the arms control regime into disrepute. At present, judges confronted with an arms smuggler throw away the key; but given a couple of years of confrontation with RSA T-shirts and newspaper stories of ludicrous official decisions, the DTI will be laughed out of court; (d) even with an EU regulation, they can't create a new criminal offence - of unlicensed talking to a foreigner - without primary legislation. However, with an EU regulation in place, the UK government will find itself compelled to introduce this. Those clever people at the DTI clearly hoped that, in going via Europe rather than sponsoring UK legislation directly, they could avoid a confrontation that might embarrass ministers. But they have merely ensured that the confrontation will happen on the worst possible terms. Once the regulation is passed, the government will have been painted into a corner by Brussels; they will have to legislate; they won't be able to delay and obfuscate, as with crypto policy, in the hope that the problem will go away somehow; the apparent `European' source of the stupidity will ensure that the Tories savage it; its intrusive and disproportionate nature will get the Lib Dems up in arms; the DTI's finesse of the select committee will upset Labour back benchers (who are divided anyway because the hard left want all arms exports banned); and the furore will be even worse than with crypto policy as it will affect many more people. For example, the metallurgy people next door to us use a focussed ion beam machine to prepare samples for electron microscopy. This is an export controlled device (you can also use it to break smartcards); until now all that meant was filling a form when you bought it and another when you put it in a skip seven years later. But under the new regime, every foreigner with access to the software will need a personal export licence - that's most of the research students and some of the undergrads. Also, the current practice of swapping programs with metallurgists in other countries will be choked off. Stand by for some very unhappy materials scientists (and engineers and chemists and physicists and medics and botanists and ...). Nigel, you used to be at export control before you moved to crypto policy. I bet you're glad you escaped in time! Ross