- Email: [email protected]
The Changing Face of International Cryptography Policy
TALES FROM THE CRYPT
The Changing Face of International Cryptography Policy Part 15 – Trusted Third Parties David Herson, Chase Infosec Services, Cheltenham, UK
In September, in a change from my usual format in this series of articles on the changing face of international cryptography policy, I attempted to outline some of the more technical aspects of both RSA and its application to the field of Digital Signature. I did this by way of an example using very small numbers and a short numeric message, although the method would have worked just as well using very much larger numbers and a normal length message or identification code. Given the strong political push that has been given to this powerful technology by so many national administrations and international bodies, it is surely somewhat surprising that we have not yet seen it deployed more widely. Why should this be? Without doubt, Digital Signatures have the potential to solve many of the secure identification and authentication problems that bedevil E-commerce. For example, one might have expected the banking sector to be using this technology today for enabling access to private bank accounts over the Internet rather than the archaic use of human generated passwords which can be so easily guessed or discovered by exhaustive search. Nonetheless, I am sure that this will come about very soon. In fact, I believe that it will be absolutely critical to the widespread acceptance of E-commerce. I concluded the earlier article by showing how Public-Key Certificates (or Digital Certificates) are able to generate trust in Digital Signatures. These certificates are an essential basic element in building a, so-called, Public Key Infrastructure (or PKI). Such an infrastructure is little more than a (possibly virtual) network of Certification Agents (or, more generally, Trusted Third Parties) that are able to exchange certificates between one another, with confidence. Historically, a hierarchical infrastructure was envisaged but this is not strictly necessary and more flexible networks, involving lateral as well as vertical links can also 6
be constructed. The network may be closed in that it has only a defined (possibly fixed) set of members or it may be open so that a Digital Certificate coming from any source has the potential to be recognized and accepted. Perhaps it is the difficulty of building suitable PKIs that has been the block so far? All the many studies on Digital Signatures and the related technologies during the past decade have shown that there are no shortage of legal problems either. Despite the essential reliability of the technology, actually proving a certificate or, indeed, the underlying digital signature in a court of law will be a significant challenge for any advocate. Convincing a judge is one thing, but a jury of twelve ordinary men and women, quite another! The legislative activities of several governments have primarily been aimed at resolving this question but one must wonder whether they have yet been successful? A third and perhaps crucial reason may be public acceptability of a technology that, for a great many folk, will be much too difficult to understand and, therefore, trust. Those of you who managed to work through my example last time may well agree that, in principle, anyone with a basic mathematics education could
understand how it works. However, practical experience tells us that very few, even well educated people, really trust a mathematical argument. Digital Signatures based on the positions of the stars in the Zodiac might be more convincing! To put the above arguments in a different perspective, it is worth posing some basic questions about the general concept of Trusted Third Parties, or TTPs as we shall call them. With luck, the answers will help to show the way as to how such services (including confidentiality services) may actually be provided?
Who can provide TTP services? First, who can provide TTP services? What kind of services will be available? It is anticipated that any organization that can demonstrate to its national regulatory authority (or, perhaps, professional body) that it meets the conditions which are listed in a model licensing agreement (still to be fully developed) will be able to offer such services. Analogy can usefully be drawn with the evaluation facility licensing rules currently operated within existing ITSEC Schemes in several EU Member States and also with the licensing arrangements appropriate to other professionals working in an environment of great personal trust; e.g. lawyers and doctors. Examples of organizations that might wish to offer such services are: banks, public network operators, ISPs, Postal Service providers, commercial evaluation facilities andpublic notaries. The basic TTP service is undoubtedly the Certification of Public Keys. Most other services will build on that basic competence. Secure generation of keys and revocation of certificates are examples of auxiliary services that most will wish to offer. At the next level, secure storage of private or secret keys is foreseen to be a possible future service requirement — primarily for insurance and emergency information recovery purposes. It is at this level that court-ordered warrants for disclosure of keys for law enforcement and national security purposes might exceptionally be required.
tales from the c rypt At a higher level, time-stamping and notarisation of documents are likely to be frequently required services as practical mechanisms to establish intellectual property and other legal rights. Like other professional service providers, TTPs may well offer a range of even higher levels of service such as client risk analysis, evaluation of client security procedures as well as training and advice on information security in general. In summary, TTPs are expected to emerge in response to the demands arising in the information market. An appropriate level of regulation and oversight will be required for at least the provision of the core services so as to establish the requisite degree of trust and user confidence.
Why use TTPs? Why would anyone use a TTP for confidential communications when they could use a publicly available encryption system, such as PGP, which does not need to involve a third party? The primary reason for using a TTP is Trust. Nationally licensed TTPs will operate under a common set of agreed rules and procedures. Each TTP is likely to be subject to initial Accreditation and regular Audit and periodic re -accreditation by a national regulatory authority (or professional body). All aspects of the security services provided by a TTP will thus be offered to a high standard. For instance, the end user will know that the staff employed by the TTP in critical roles are properly vetted and trained and that both the physical and electronic environments in which user keys are stored are under very strict access control. Users of TTP services will thus have an excellent basic level of confidence that the confidentiality or integrity of their information is assured. Besides the trust placed in the TTP itself, it will also be desirable to formally evaluate and certify the actual provision of the security service (as, for example, in the national ITSEC and CC Schemes). The industry has already developed products and associated systems to enable the provision of these services; such as the
Certification of individual Public Keys. Thus the basic level of confidence that users have when selecting a particular TTP as their security service provider will be significantly raised by the increased assurance derived from the formal evaluation and certification of such products, systems and services. The general use of TTPs is likely to lead to an important increase in the exploitation of high quality and assured cryptography without the traditional application of import, use or export controls (which are known to vary from country to country). For example, some well-known national security authorities have actively discouraged the use of very long keys for commercial and private applications of cryptography. Within a TTP based service, such constraints would no longer serve any useful purpose. Moreover, the actual encryption algorithms used or recommended by TTPs are likely to be fully evaluated and publicly certified as fit for the intended purpose. Even though providers of alternative encryption products might claim similar reliability, they would not necessarily have any way of demonstrating such claims. Associated with the Certification process comes the authentication of the association of a particular key with its user (or owner). This is an essential requirement when two people who do not previously know one another wish to communicate and, perhaps, do business together with real confidence. A truly global information infrastructure will enable information transactions to take place between people who could not possibly have done business together before. They will want a level of security with confidence at least equivalent to that which they believed was available in a paper-based environment. Finally, because TTPs will operate to such a high standard of physical, personnel, procedural and technical security, the risks of accidental or even deliberate disclosure of client’s keys will be greatly reduced. In consequence, TTPs will more easily be able to accept legal liability for such loss. The issue of legal liability is addressed in greater detail in the last question.
What are the legalities? How do you propose to deal with the problem of the legal liability of a TTP when keys held in trust are accidentally or maliciously disclosed with serious consequences? This question always rises to the top of any debate on the deployment of TTP services. It is not as frightening as many seem to think. The answers are to be found both in the legal and technical domains. Firstly, the existing laws relating to liability are equally appropriate in this new service domain. If any service provider does not take due care of the vital assets of his client, possibly leading to serious financial or other loss, then that service provider will normally have to make appropriate recompense as ordered or agreed. Clearly lack of due care would certainly be considered as grounds for revocation of a TTP licence. However, the reasons given above as to why TTP services should exist in the first place provide the main protection against possible loss and thus reduce the risk of liability claims ever arising. Thus the licensing of TTPs involving, as it will, their professional accreditation and routine audit, the evaluation and certification of the services provided and the use of the best encryption technology all help to build a position of genuine confidence between the TTP and the client. Certainly, the client will be able to freely choose between TTP service providers, not just on cost grounds but on reputation and other intangible confidence-building criteria. One way in which risk and thus liability can be significantly reduced is the use of, so-called, split-key escrow. In this situation, two (or more) different TTPs would hold part of their joint client’s key. Therefore no individual error could prejudice the client’s key and thus security. Whether or not a split-key approach would be generally available would be for the market to determine. Obviously, it is going to cost rather more to store keys in this manner. Split-key escrow is thus likely to be seen as a premium service appropriate to high-risk situations. 7
The Changing Face of International Cryptography Policy Part 15 – Trusted Third Parties David Herson, Chase Infosec Services, Cheltenham, UK
In September, in a change from my usual format in this series of articles on the changing face of international cryptography policy, I attempted to outline some of the more technical aspects of both RSA and its application to the field of Digital Signature. I did this by way of an example using very small numbers and a short numeric message, although the method would have worked just as well using very much larger numbers and a normal length message or identification code. Given the strong political push that has been given to this powerful technology by so many national administrations and international bodies, it is surely somewhat surprising that we have not yet seen it deployed more widely. Why should this be? Without doubt, Digital Signatures have the potential to solve many of the secure identification and authentication problems that bedevil E-commerce. For example, one might have expected the banking sector to be using this technology today for enabling access to private bank accounts over the Internet rather than the archaic use of human generated passwords which can be so easily guessed or discovered by exhaustive search. Nonetheless, I am sure that this will come about very soon. In fact, I believe that it will be absolutely critical to the widespread acceptance of E-commerce. I concluded the earlier article by showing how Public-Key Certificates (or Digital Certificates) are able to generate trust in Digital Signatures. These certificates are an essential basic element in building a, so-called, Public Key Infrastructure (or PKI). Such an infrastructure is little more than a (possibly virtual) network of Certification Agents (or, more generally, Trusted Third Parties) that are able to exchange certificates between one another, with confidence. Historically, a hierarchical infrastructure was envisaged but this is not strictly necessary and more flexible networks, involving lateral as well as vertical links can also 6
be constructed. The network may be closed in that it has only a defined (possibly fixed) set of members or it may be open so that a Digital Certificate coming from any source has the potential to be recognized and accepted. Perhaps it is the difficulty of building suitable PKIs that has been the block so far? All the many studies on Digital Signatures and the related technologies during the past decade have shown that there are no shortage of legal problems either. Despite the essential reliability of the technology, actually proving a certificate or, indeed, the underlying digital signature in a court of law will be a significant challenge for any advocate. Convincing a judge is one thing, but a jury of twelve ordinary men and women, quite another! The legislative activities of several governments have primarily been aimed at resolving this question but one must wonder whether they have yet been successful? A third and perhaps crucial reason may be public acceptability of a technology that, for a great many folk, will be much too difficult to understand and, therefore, trust. Those of you who managed to work through my example last time may well agree that, in principle, anyone with a basic mathematics education could
understand how it works. However, practical experience tells us that very few, even well educated people, really trust a mathematical argument. Digital Signatures based on the positions of the stars in the Zodiac might be more convincing! To put the above arguments in a different perspective, it is worth posing some basic questions about the general concept of Trusted Third Parties, or TTPs as we shall call them. With luck, the answers will help to show the way as to how such services (including confidentiality services) may actually be provided?
Who can provide TTP services? First, who can provide TTP services? What kind of services will be available? It is anticipated that any organization that can demonstrate to its national regulatory authority (or, perhaps, professional body) that it meets the conditions which are listed in a model licensing agreement (still to be fully developed) will be able to offer such services. Analogy can usefully be drawn with the evaluation facility licensing rules currently operated within existing ITSEC Schemes in several EU Member States and also with the licensing arrangements appropriate to other professionals working in an environment of great personal trust; e.g. lawyers and doctors. Examples of organizations that might wish to offer such services are: banks, public network operators, ISPs, Postal Service providers, commercial evaluation facilities andpublic notaries. The basic TTP service is undoubtedly the Certification of Public Keys. Most other services will build on that basic competence. Secure generation of keys and revocation of certificates are examples of auxiliary services that most will wish to offer. At the next level, secure storage of private or secret keys is foreseen to be a possible future service requirement — primarily for insurance and emergency information recovery purposes. It is at this level that court-ordered warrants for disclosure of keys for law enforcement and national security purposes might exceptionally be required.
tales from the c rypt At a higher level, time-stamping and notarisation of documents are likely to be frequently required services as practical mechanisms to establish intellectual property and other legal rights. Like other professional service providers, TTPs may well offer a range of even higher levels of service such as client risk analysis, evaluation of client security procedures as well as training and advice on information security in general. In summary, TTPs are expected to emerge in response to the demands arising in the information market. An appropriate level of regulation and oversight will be required for at least the provision of the core services so as to establish the requisite degree of trust and user confidence.
Why use TTPs? Why would anyone use a TTP for confidential communications when they could use a publicly available encryption system, such as PGP, which does not need to involve a third party? The primary reason for using a TTP is Trust. Nationally licensed TTPs will operate under a common set of agreed rules and procedures. Each TTP is likely to be subject to initial Accreditation and regular Audit and periodic re -accreditation by a national regulatory authority (or professional body). All aspects of the security services provided by a TTP will thus be offered to a high standard. For instance, the end user will know that the staff employed by the TTP in critical roles are properly vetted and trained and that both the physical and electronic environments in which user keys are stored are under very strict access control. Users of TTP services will thus have an excellent basic level of confidence that the confidentiality or integrity of their information is assured. Besides the trust placed in the TTP itself, it will also be desirable to formally evaluate and certify the actual provision of the security service (as, for example, in the national ITSEC and CC Schemes). The industry has already developed products and associated systems to enable the provision of these services; such as the
Certification of individual Public Keys. Thus the basic level of confidence that users have when selecting a particular TTP as their security service provider will be significantly raised by the increased assurance derived from the formal evaluation and certification of such products, systems and services. The general use of TTPs is likely to lead to an important increase in the exploitation of high quality and assured cryptography without the traditional application of import, use or export controls (which are known to vary from country to country). For example, some well-known national security authorities have actively discouraged the use of very long keys for commercial and private applications of cryptography. Within a TTP based service, such constraints would no longer serve any useful purpose. Moreover, the actual encryption algorithms used or recommended by TTPs are likely to be fully evaluated and publicly certified as fit for the intended purpose. Even though providers of alternative encryption products might claim similar reliability, they would not necessarily have any way of demonstrating such claims. Associated with the Certification process comes the authentication of the association of a particular key with its user (or owner). This is an essential requirement when two people who do not previously know one another wish to communicate and, perhaps, do business together with real confidence. A truly global information infrastructure will enable information transactions to take place between people who could not possibly have done business together before. They will want a level of security with confidence at least equivalent to that which they believed was available in a paper-based environment. Finally, because TTPs will operate to such a high standard of physical, personnel, procedural and technical security, the risks of accidental or even deliberate disclosure of client’s keys will be greatly reduced. In consequence, TTPs will more easily be able to accept legal liability for such loss. The issue of legal liability is addressed in greater detail in the last question.
What are the legalities? How do you propose to deal with the problem of the legal liability of a TTP when keys held in trust are accidentally or maliciously disclosed with serious consequences? This question always rises to the top of any debate on the deployment of TTP services. It is not as frightening as many seem to think. The answers are to be found both in the legal and technical domains. Firstly, the existing laws relating to liability are equally appropriate in this new service domain. If any service provider does not take due care of the vital assets of his client, possibly leading to serious financial or other loss, then that service provider will normally have to make appropriate recompense as ordered or agreed. Clearly lack of due care would certainly be considered as grounds for revocation of a TTP licence. However, the reasons given above as to why TTP services should exist in the first place provide the main protection against possible loss and thus reduce the risk of liability claims ever arising. Thus the licensing of TTPs involving, as it will, their professional accreditation and routine audit, the evaluation and certification of the services provided and the use of the best encryption technology all help to build a position of genuine confidence between the TTP and the client. Certainly, the client will be able to freely choose between TTP service providers, not just on cost grounds but on reputation and other intangible confidence-building criteria. One way in which risk and thus liability can be significantly reduced is the use of, so-called, split-key escrow. In this situation, two (or more) different TTPs would hold part of their joint client’s key. Therefore no individual error could prejudice the client’s key and thus security. Whether or not a split-key approach would be generally available would be for the market to determine. Obviously, it is going to cost rather more to store keys in this manner. Split-key escrow is thus likely to be seen as a premium service appropriate to high-risk situations. 7