CRYPTO-CONFUSION
Mutual Non-Comprehension Threatens Exploitation of the GII

Version of 26 May 1996

Updated information, of 8 September 1996

Roger Clarke

Xamax Consultancy Pty Ltd

and Visiting Fellow, Australian National University

Roger.Clarke@anu.edu.au

Published in Privacy Law & Policy Reporter 3, 2 (May 1996), pp. 24-27, 30-33

© Xamax Consultancy Pty Ltd, 1996

Introduction

Cryptography is the science of converting messages or data into a different form, such that no-one can read them without having access to a 'key'. Cryptology or cryptanalysis is the science of 'breaking' or 'cracking' encryption schemes, i.e. discovering the decryption key. 'Crypto' is central to any discussion of security, and hence important to particular aspects of the privacy debate. It is also closely linked to the question of anonymity and pseudonymity, which was addressed by this author in PLPR 2, 5 (Clarke 1995).

Some of the most important and potentially valuable applications of the global information infrastructure (GII) depend on various forms of security protections. Readers who are unfamiliar with the underlying concepts may well find the rest of this paper incomprehensible if they do not first acquaint themselves with those topics. For this reason, a substantial breakout box is provided.

There has been considerable development in both cryptography and cryptology during the last two decades. There have also been lively discussions about the ways in which the various techniques should be used. On one side are the libertarians, who style themselves 'crypto-anarchists', and on the other are the organisations and people that might reasonably be described as the 'crypto-authoritarian' [for an aside on these descriptors, see the footnote].

Unfortunately the views of these protagonists are polarised, to the extent that real discussion is seldom engaged. The issues are challenging enough, without the additional confusion that arises from vituperative attacks on one another's motives and values.

The purpose of this paper is to seek a reconciliation of the perspectives. The motivation is to overcome a threat to the development of important services that depend on data transmission security measures, including electronic payments, electronic purchasing and marketing, and electronic communications more generally, while at the same time ensuring protection of personal privacy.

The 'Crypto-Authoritarian' Perspective

The view is sometimes expressed, and often simply presumed, that the State has the right to intercept and decrypt any message. This is tantamount to granting the State the legal power and technical capability to overhear and record all telephone, fax and email transmissions, and by implication every conversation on every park-bench and street-corner, including all communications and documents that presently enjoy protections (such as those encompassed by the law of confidence, and the right not to incriminate oneself).

On occasions, this view appears to extend to a presumed right to acquire and decrypt any stored data, and by implication every letter, diary and address-book. In some expressions, such views are qualified by some phrase such as 'subject to due process of law'.

The clearest exposition of the argument is provided by a senior American academic, Dorothy Denning (see, for example, Denning 1995 and 1996 and the abbreviated article elsewhere in this issue of PLPR).

This perspective is most commonly associated with two classes of organisations. The strongest form of it emanates from national security communities, and especially those of the United States. A more moderate form of the argument is expressed by law enforcement agencies.

These communities have been fairly confident of gaining the support of the U.S. Congress for extreme measures: in late 1994 they succeeded in having the Digital Telephony Act passed, requiring all telecommunications operators to adapt their equipment to ensure that the FBI can conduct wiretaps on digital as well as analogue transmissions. For a particularly bitter review of the legislation and its passage, see van Bakel (1996).

Such presumptions are not confined to the U.S., however. For example, a Ministerial Declaration under the Commonwealth Telecommunications Act requires all Australian network providers to ensure that they can facilitate interception by designated government agencies. Moreover, the Barrett Report of 1994 recommended further extension of the Commonwealth's ability to intercept communications (Greenleaf 1994, in PLPR 1,9).

Cryptographic techniques threaten the presumed right of security and law enforcement agencies to access any message or data-store. Put briefly, the extreme 'crypto-authoritarian' position is that the use of cryptographic techniques should be permitted only if surveillance organisations are capable of decrypting any and every message that is sent from anyone to anyone else, and any and every piece of data that is stored by anyone. The (relatively) moderate 'crypto-authoritarian' position is that this should be possible, but generally subject to due process of law, where 'generally' means that at least national security agencies need to have a dispensation.

The 'Crypto-Anarchist' Perspective

A loosely-affiliated group of people who style themselves 'crypto-anarchists' argue in Internet forums and elsewhere that cryptography must be freely available to anyone who wants to use it, and the State must not be granted the power to impose on the community only emaciated, 'crackable' forms of cryptography.

They are therefore opposed to the various schemes put forward by national security and law enforcement lobbies to enable themselves to gain access to any transmitted or stored data. Their point of view is expressed in various forums, including May (1988 and 1995), and the Cypherpunks archive.

The crypto-anarchists' position is in part normative, i.e. 'government should butt out', and not impose constraints of any kind on behaviour in cyberspace. This stance is based in part on the belief that the State, governments, individual government agencies, and their staff and contractors, are no more trustworthy than anyone else.

Beyond questions of political philosophy, the crypto-anarchists' position is also future-descriptive, i.e. 'it's inevitable that governments will be unable to control behaviour on the net'. They assert that 'strong' cryptography will be publicly available, irrespective of the efforts of the 'crypto-authoritarian' community.

The public domain product Pretty Good Privacy (PGP) has made 'strong' cryptographic techniques available worldwide. There are also many ways in which strict controls will be able to be circumvented, e.g. by using services which operate beyond the reach of the particular legal jurisdiction (as anonymous remailers do now), or by the sender encrypting the message using a strong encryption technique, before encrypting it again with a State-approved (and therefore nominally 'crackable') method.

Crypto-anarchists therefore consider that regulation is futile, and will merely make the process of electronic communications unnecessarily inefficient.

Beyond political philosophy and hard-headed practicality is a third element of crypto-anarchist concern: in their attempts to impose their views on society, both national security and law enforcement communities are prepared to use seriously repressive measures. An example of this is the campaign waged by U.S. law enforcement agencies against PGP's originator, Phil Zimmermann, during a 3-year period, 1993-96.

For reviews of the battleground, and of some of the personalities involved, see Levy (1995) and Lewis (1995).

Extreme Solutions

From the 'crypto-authoritarian' perspective, there are several acceptable solutions. One is that every encryption scheme should be designed with a 'trap-door' of some kind, for use only by approved organisations (i.e. a sub-set of government agencies and perhaps their private sector strategic partners). This requires that non-approved schemes be banned, and the ban enforced. This ground was traversed recently in Australia, when digital mobile telephony using the GSM standard was introduced, because GSM embodies relatively strong encryption.

Another approach is the restriction of 'strong' encryption mechanisms to approved organisations, and the limitation of other organisations and people generally to 'weak' encryption schemes. In this context, a 'weak' scheme is one which the NSA is confident it can crack in a reasonable time. At present, this is thought to correspond to symmetric keys up to about 40-56 bits in length, and up to somewhere below 1028-bits in the case of asymmetric keys. (The 'crackable' key-length is increasing with the growth in computing power - although ever more slowly - and with the occasional breakthroughs in cryptology techniques. Weaknesses in implementation can also create opportunities for 'crypto-crackers'. For a review of recent cracking activities, see Levy (1996)).
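The relationship between key length, cracking effort and the growth of computing power can be made concrete with a short work-factor calculation. The following is an added illustration, not code from the paper: it takes the 40-bit and 56-bit symmetric key lengths mentioned above, computes the expected number of trials for an exhaustive key search, and projects how many doublings of computing power would be needed before such a search fits a fixed time budget. The attacker's rate (a thousand million keys per second), the one-day budget and the 18-month doubling period are constructed assumptions, not figures from the page; the point is the exponential gap between each added key bit and the linear-looking growth of hardware.

```python
"""Brute-force work factor for symmetric keys of various lengths.

Added illustration, not part of the original paper. The search rate, the
time budget and the doubling period are constructed assumptions."""
import math

# Constructed assumptions (not figures from the paper).
KEYS_PER_SECOND = 10**9          # attacker tests one thousand million keys/s
DOUBLING_YEARS = 1.5             # computing power doubles every 18 months
SECONDS_PER_DAY = 86_400


def expected_trials(key_bits: int) -> int:
    """Keys tried on average before the right one turns up: half the keyspace."""
    return 1 << (key_bits - 1)


def expected_seconds(key_bits: int, keys_per_second: float = KEYS_PER_SECOND) -> float:
    """Expected wall-clock time for an exhaustive search at the given rate."""
    return expected_trials(key_bits) / keys_per_second


def doublings_until_feasible(key_bits: int,
                             keys_per_second: float = KEYS_PER_SECOND,
                             budget_seconds: float = SECONDS_PER_DAY) -> int:
    """Number of doublings of computing power until the search fits the budget.

    Each doubling halves the expected time, so the answer is the smallest d
    with expected_time / 2**d <= budget, i.e. ceil(log2(expected_time/budget)).
    """
    ratio = expected_seconds(key_bits, keys_per_second) / budget_seconds
    if ratio <= 1:
        return 0                 # already feasible today
    return math.ceil(math.log2(ratio))


def years_until_feasible(key_bits: int,
                         keys_per_second: float = KEYS_PER_SECOND,
                         budget_seconds: float = SECONDS_PER_DAY,
                         doubling_years: float = DOUBLING_YEARS) -> float:
    """Years until a one-budget search becomes feasible, under the doubling assumption."""
    return doublings_until_feasible(key_bits, keys_per_second, budget_seconds) * doubling_years


def work_factor_table(key_lengths=(40, 56, 64, 80, 128)):
    """One row per key length: trials, seconds at today's rate, years until a one-day search."""
    return [
        {
            "bits": bits,
            "trials": expected_trials(bits),
            "seconds_today": expected_seconds(bits),
            "years_until_one_day": years_until_feasible(bits),
        }
        for bits in key_lengths
    ]


if __name__ == "__main__":
    for row in work_factor_table():
        print(f"{row['bits']:>4} bits: 2^{row['bits'] - 1} trials, "
              f"{row['seconds_today']:.3g} s today, "
              f"one-day search in ~{row['years_until_one_day']:.1f} years")
```

Under these assumptions a 40-bit key already falls in minutes, a 56-bit key takes over a year of continuous search today but would fall in a day after nine doublings, and a 128-bit key needs so many doublings that the projection is meaningless: the extra 72 bits are 2^72 times more work, which no plausible hardware curve closes. Any 'weak'/'strong' boundary set in law is therefore a moving target, which is the difficulty the paragraph above describes.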

A third alternative is for all organisations and individuals to be required to use keys generated by an approved authority, and/or to escrow their private keys with such an organisation. The strongest form of this sees only one, or a very small number of such agents per country, each of them a government agency.

The U.S. Administration bans the export of devices incorporating strong cryptographic methods which can be used to encrypt data. To do so, it has deemed such things to be armaments for the purposes of the International Traffic in Arms Regulations (ITAR). It has also prevented export of a diskette containing the algorithms, even though they are expressed in books that are routinely exported (Karn 1996). As a further link in this chain of control, it is also seeking to criminalise the use of strong encryption techniques unless the private key is escrowed.

The U.S. is not alone in seeking to impose such restrictions; for example, France, The Netherlands and Russia have also attempted to ban the private use of strong encryption, also with limited success.

From the crypto-anarchist perspective, on the other hand, there should be no limitations on what encryption schemes can be used by citizens and corporations, and no compulsory escrow of private keys. Individuals and organisations should be free to place their private keys in escrow or not, in whatever manner and with whomever they see fit.

They argue that this is not merely a civil libertarian need: they reason that it is not in the interests of corporations to use weak encryption, because it exposes them to the risk of industrial espionage, forgery and financial fraud.

Moderated Views and Intermediate Solutions

Electronic commerce is set to burst into life during 1996, as various implementations of relatively secure communication and value-transfer arrive on the net. There is concern among many people, particularly among individuals and in the private sector (e.g. IBAG 1995), that the ongoing arguments will hinder these developments.

It is in everyone's interests for the temperature of the exchanges to be lowered, and dialogue to be engaged in. This requires the following:

This author is not qualified to debate the appropriateness of intermediate solutions, and this paper is not the place to attempt it; but some of the approaches that appear worthy of consideration are:

Sources of information which reflect such middle positions include EPIC, a public interest advocacy organisation, Carl Ellison (1995), some elements of Denning (1996), and the Standards Australia Draft Standard (SA 1996).

Near-Future Developments

In the U.S., a private member's bill was introduced into the Senate in March 1996, called the Encrypted Communications Privacy 'Act'. It seeks to affirm the right of the public to use cryptographic methods of their own choice, and to use key escrow schemes only if they choose to. Meanwhile, the U.S. Administration juggernaut, driven by the national security community, rolls onwards.

In Australia, developments in relation to PKAF (the Public Key Authentication Framework) are in train, in the context of a Committee of Standards Australia. This includes representatives of industry and government, with considerable interest being shown by the Security Division of the Commonwealth Attorney-General's Department.

It is not clear to what extent the broader public interest will be represented in the Committee and in standards development. Given the importance of these developments to the emergent global and national information infrastructure, and to the economy and society that the GII is spawning, the limited role of public advocates' voices is disturbing and dysfunctional.


Short Bibliography

CACM (1996) Special Issue on Key Escrow Encryption, Commun. ACM (March 1996)

Carter S. (1995) 'Public/Private Keys and Digital Signatures - Universal Security Solutions for EDI and Electronic Commerce' Australasian EDI Report 3,3 (September 1995)

Clarke R. (1995) 'Transaction Anonymity and Pseudonymity' Privacy Law & Policy Reporter 2, 5 (June/July 1995) 88-90

CDT (1995), at http://www.cdt.org/crypto/

Cypherpunks archive, at: ftp://soda.berkeley.edu/pub/cypherpunks/Home.html, with recent issues mirrored at http://infinity.nus.sg/cypherpunks/

Denning D.E. (1995) 'Key Escrow Encryption: The Third Paradigm' Computer Security J. (Summer 1995)

Denning D.E. (1996) 'The Future of Cryptography' Proc. Joint Australian / OECD Conf. on Security, Privacy and Intellectual Property in the Global Information Infrastructure, Canberra, 7-8 February 1996, at http://www.cosc.georgetown.edu/~denning/crypto/Future.html

(Denning states that her personal position is moderate. However the expression in her papers leads many observers to interpret her as a spokesperson for the U.S. national security interest, e.g. "key escrow ... would assure no individual absolute privacy" (1996, p.1), her belief that 'weak encryption' is sufficient for most people (pp.6-7), and her support for licensing of encryption products only if they enable government to decrypt messages (p.7). On the other hand, and in common with crypto-anarchists, Denning explicitly contemplates a grey or even black market for unlicensed cryptographic products and key escrow schemes (p.8)).

EFF (1995), at http://eff.org/pub/Privacy/

EPIC (1995) 'Cryptography Policy Sources', at: http://www.epic.org/crypto/

Ellison (1995), at http://www.clark.net/pub/cme/html/in-out.html

Garfinkel S. (1995) 'PGP: Pretty Good Privacy' O'Reilly & Associates, 1995

Greenleaf G.W. (1994) 'The Barrett Review: A blueprint for expanding Australian telecommunications interception' Privacy Law & Policy Reporter 1,9 (November 1994) 161-4, 178-9

IBAG (1995) 'Commercial Use of Cryptography', Statement by the INFOSEC Business Advisory Group (IBAG), and at: http://guru.cosc.georgetown.edu/~denning/crypto/IBAG.txt

Karn (1996) 'Karn v. US Department of State - The Applied Cryptography Case', at: http://www.qualcomm.com/people/pkarn/export/index.html

Levy S. (1995) 'Crypto-Rebels' Hot-Wired Electronic Magazine, at http://www.hotwired.com/wired/1.2/features/crypto.rebels.html

Levy (1996) 'Wisecrackers', Wired 4.03 (March 1996) 128-34, 196-202, at http://www.wired.com/4.30/netbreak

Lewis P.H. (1995) 'The NIST Conference', On The Net Column, New York Times, Monday, Sept. 11, 1995, and at: http://www.cdt.org/crypto/plewis.html

May T. (1988) 'The Crypto Anarchist Manifesto', original version at: gopher://locust.cic.net/00/Politics/Extropy.Institute/may.122892.gz, and revised version of 22 Nov 1992, at: http://www.isse.gmu.edu/~pfarrell/crypto.manifesto.html

May T. (1995) 'Crypto-Anarchy and Virtual Communities' various versions, incl. Internet Security (April 1995) 4-12, and at http://www.c2.org/~arkuat/consent/Anarchy.html

Orlowski S. (1995) 'Security Imperatives - The Australian Context', IBC Security Conference, Sydney, November 1995, at http://www.anu.edu.au/people/Roger.Clarke/II/Orlowski3.html#pka

SA (1996) 'Strategies for the Implementation of a Public Key Authentication Framework in Australia' Standards Australia, DR96078, April 1996

Schneier B. (1996) 'Applied Cryptography' Wiley, 2nd Ed., 1996

SET (1996) 'Secure Electronic Transactions Specification', February 1996, at MasterCard and Visa

van Bakel (1996) 'How Good People Helped Make a Bad Law' Wired 4.02 (February 1996) 133-35, 181-86, at http://www.hotwired.com/wired/4.02/features/digitel.html


Footnote

'Crypto-anarchists' use the term 'crypto-fascist' to refer to people holding the diametrically opposed view to themselves. At least some of the people concerned are appalled by that term. Moreover, it has been used in other contexts in a somewhat different sense (meaning a hidden or surreptitious fascist). At the suggestion of the Editor, I've instead used the descriptive but less aggressive term 'crypto-authoritarian'.


Acknowledgements

This paper has benefited from many sources, and the comments of quite a few informal reviewers. Remaining technical errors, misleading expressions and evaluative comments are mine alone; indeed, some of the reviewers are likely to still be in serious disagreement with a few of the comments.


Update Information

In PLPR 3,2 (May 1996) (i.e. the paper above), I examined the way in which polarised views on the use of cryptography threatened electronic commerce generally.

The bodies that run the Internet have subsequently released a joint 'Statement on Cryptographic Technology and the Internet', which says much the same thing as my article of a couple of months earlier.

The two bodies "are disturbed to note that various governments have actual or proposed policies on access to cryptographic technology that either (a) impose export controls, (b) restrict commercial and private users to weak mechanisms, (c) mandate that private decryption keys should be in the hands of some third party, and/or (d) prohibit the use of cryptology" (abridged).

The bodies "would like to encourage policies that allow ready access to uniform strong cryptographic policies for all Internet users in all countries".

They are particularly concerned about escrow. They echo the article in saying that "certification authorities should not be confused with escrow centers ... Key escrow implies that keys must be disclosed in some fashion, a flat-out contradiction of [the major principle of system design that users never reveal their private keys to anyone] ... Keys used for signatures and authentication [and hence for non-repudiability] must never be escrowed".
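The distinction the statement draws, between escrowing a key that protects stored data and escrowing a key used for signatures, is the same one raised under 'Extreme Solutions' above, where compulsory escrow of private keys is one of the proposed controls. The following is an added illustration, not code from the paper or from the IAB/IESG statement, using textbook RSA with deliberately tiny constructed primes and a hash-mod-n 'padding' so that it runs stand-alone (real systems use proper padding and much larger moduli). The 'escrow agent', the two keypairs, the file key and the message are all constructed. It shows the two outcomes side by side: an escrowed decryption key lets the agent recover data when the owner's copy is lost, while an escrowed signing key lets the agent produce a signature that is bit-for-bit identical to the owner's, so a valid signature no longer proves who made it.

```python
"""Why confidentiality keys and signing keys differ under escrow: a toy RSA model.

Added illustration, not code from the paper or the IAB/IESG statement.
Primes, messages and the escrow agent are constructed; textbook RSA with
hash-mod-n 'padding' is used only to keep the demonstration self-contained."""
import hashlib

PUBLIC_EXPONENT = 65537
# Constructed toy primes (far too small for real use; illustration only).
SIGNING_PRIMES = (1000003, 1000033)
ENCRYPTION_PRIMES = (1000037, 1000039)


def keygen(p: int, q: int, e: int = PUBLIC_EXPONENT):
    """Textbook RSA: returns (n, e, d) for the given primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python 3.8+)
    return n, e, d


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (toy padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, n: int, d: int) -> int:
    return pow(digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    return pow(signature, e, n) == digest_mod_n(message, n)


def encrypt(m: int, n: int, e: int) -> int:
    assert 0 <= m < n, "plaintext must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


class EscrowAgent:
    """Constructed third party holding copies of deposited private keys."""

    def __init__(self):
        self.deposited = {}

    def deposit(self, owner: str, n: int, d: int):
        self.deposited[owner] = (n, d)

    def recover_plaintext(self, owner: str, ciphertext: int) -> int:
        n, d = self.deposited[owner]
        return decrypt(ciphertext, n, d)

    def sign_as(self, owner: str, message: bytes) -> int:
        # Nothing distinguishes this from the owner signing: same key, same maths.
        n, d = self.deposited[owner]
        return sign(message, n, d)


def escrow_consequences():
    """Run both scenarios and report what the escrow agent could do."""
    enc_n, enc_e, enc_d = keygen(*ENCRYPTION_PRIMES)
    sig_n, sig_e, sig_d = keygen(*SIGNING_PRIMES)
    agent = EscrowAgent()
    agent.deposit("alice-encryption", enc_n, enc_d)
    agent.deposit("alice-signing", sig_n, sig_d)     # the mistake the statement warns against

    # Legitimate use: stored data survives the loss of Alice's own decryption key.
    file_key = 0x5F3E2D1C0B                          # constructed 40-bit value, below enc_n
    recovered = agent.recover_plaintext("alice-encryption", encrypt(file_key, enc_n, enc_e))

    # Harmful use: the agent signs exactly as Alice would, so her signature proves nothing.
    message = b"Pay 1,000 to account 12345"          # constructed
    genuine = sign(message, sig_n, sig_d)
    from_agent = agent.sign_as("alice-signing", message)

    # For contrast, a party holding the wrong private key cannot produce a valid signature.
    wrong_key_attempt = pow(digest_mod_n(message, sig_n), enc_d, sig_n)

    return {
        "recovered_file_key_matches": recovered == file_key,
        "genuine_verifies": verify(message, genuine, sig_n, sig_e),
        "agent_signature_verifies": verify(message, from_agent, sig_n, sig_e),
        "agent_signature_identical": from_agent == genuine,
        "wrong_key_verifies": verify(message, wrong_key_attempt, sig_n, sig_e),
    }


if __name__ == "__main__":
    for name, outcome in escrow_consequences().items():
        print(f"{name}: {outcome}")
```

The design point is that a decryption key has a legitimate recovery use, because the data it protects outlives any one copy of the key, whereas a signing key has no recovery use at all: a lost signing key is simply replaced by a new one and the old public key revoked. Any copy of it outside the owner's control destroys non-repudiation, which is why the statement quoted above says such keys must never be escrowed.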

'IAB and IESG Statement on Cryptographic Technology and the Internet', RFC 1984, August 1994 (text dated July 24, 1996), at http://ds.internic.net/rfc/rfc1984.txt

IAB is the Internet Architecture Board and IESG is the Internet Engineering Steering Group.



Created: 11 February 1996

Last Amended: 26 May 1996

Updated: 8 September 1996

