House of Commons - Trade and Industry

Select Committee on Trade and Industry Seventh Report

II CRYPTOGRAPHY

What is Cryptography?

9. When individuals and organisations communicate with each other they must trust the form and means of communication, in different ways. The parties to a communication might need to rely on:

the authenticity of the message, that it is sent by whoever purports to have sent it
the integrity of the message, that nothing has been omitted from or added to the message by anyone other than the purported sender
the confidentiality of the message, that no-one has seen the message other than those authorised to do so.

Authenticity, integrity and confidentiality are not always required and, where they are needed, might not be guaranteed. A written signature can authenticate a letter, the integrity and confidentiality of which can be preserved by the use of a sealed envelope. Signatures can be forged and post intercepted, however, and written communications can be sent without a signature and without being sealed in an envelope and may still be trusted. Some communications, including commercial transactions, must be capable of non-repudiation. A contract will be invalid if one party to it can plausibly suggest that he or she never signed the contract, or agreed to a different set of terms than those later claimed by the other party. Confidentiality may also be a crucial requirement of many communications, including commercial transactions and dealings with official authorities.

10. The authenticity, integrity and confidentiality of electronic communications are important influences on the development of electronic commerce.[19] They may all be essential elements in persuading individuals and firms to enter into contracts and to interact with Government electronically. As with off-line communications, authenticity, integrity and confidentiality may not all be necessary elements of every electronic communication but, where they are required, two techniques are commonly employed:

electronic signatures, which can authenticate the originator of an electronic communication and, in some cases, guarantee the integrity of the message sent
encryption, to ensure the confidentiality of the communication.

Public-Key Cryptography

11. Although electronic signatures and encryption are distinct processes, they can be achieved by means of the same technology — public key cryptography. Each user of public key cryptography has both a private key, which is kept secret, and a public key, which can be published.[20] The "keys" are long numbers which cannot be derived from each other, but which are related through the application of mathematical functions.[21] Public-key cryptography works in the following way:

if person A wishes to encrypt a message so that only person B may read it then A scrambles the text with B's public key. Only B's private key can be used to decrypt the message
if person A wishes to sign a message then A's private key can be used to encrypt a digest of the message, which can be sent with the full message. B, or anyone else, can decrypt the digest with A's public key, thus proving that A was the originator. The integrity of a message can be demonstrated by comparing the decrypted digest with a digest of the text sent — any differences must have been created after the original text was signed off by A. These functions together ensure that A cannot repudiate the content of the message nor claim that he or she did not send it. This type of electronic signature is a digital signature.

12. Public-key cryptography's primary strength is that it can provide for confidentiality and non-repudiation over open networks — A and B do not need to meet to exchange keys or to establish each other's credentials before beginning to communicate. This is a significant advantage over other forms of cryptography which may require prior exchange of private keys (private-key cryptography). It can be seen that a document signed with a digital signature has an advantage over a conventionally signed one: the digital signature is intimately bound to the whole document whereas with a conventional multi-page document which is manually signed on the final page there is a greater possibility that, after signing, alterations may have been made on some of the earlier pages. Conversely, however, a document signed with a digital signature may also be less convincing to a recipient than one signed with a conventional signature because the linking of the signer's identity to the signature depends not on some unique physical quality — handwriting — but on a reliable publication which associates the public key with a specific person. Written signatures are tightly associated with people and weakly associated with documents, whilst digital signatures are tightly bound to documents and weakly bound to individuals (or identities).

Policy Issues

13. The prospect of the widespread use of cryptography over open networks raises a number of new, if not entirely unfamiliar, issues for governments to consider. Three broad issues can be identified:

certification of public keys, to ensure that a public key belongs to a named holder

key management, including arrangements for generating, distributing, storing and recovering keys
- law enforcement concerns, particularly timely access to decrypted communications, either in transit or stored.

Certification Issues

14. A digital signature, by itself, does not confirm the identity of the creator of the signature because a digital signature can be forged, stolen or created for a fictitious identity. A range of cryptographic services can be envisaged which facilitate trust in the use of digital signatures across open networks. Such services might include:[22]

registration of the identity and credentials of applicants for a public key certificate
certification of public keys
revocation of certificates, in the event of death or breach of contract by the certificate holder or other circumstances
time stamping of certificates, so that they can be more effectively used in contractual disputes, for instance
the provision of public key directories.

These services could each be offered separately in the market place, or firms might emerge which each offer several certification services. The market for certification services is immature and no conclusions can yet be drawn about its likely future shape, although the Post Office, British Telecommunications and the British Chambers of Commerce have all indicated that they will offer certification services.[23] We will refer in this Report to any organisation offering any certification service as a Certification Authority (CA).

15. CAs might not themselves be trusted institutions. There would be nothing to stop criminals setting up their own CAs to certify public keys for fictitious individuals or organisations in order to perpetrate crimes such as fraud. A hierarchy of CAs might emerge, with CAs operated by trusted institutions (the Post Office or professional organisations such as the British Chambers of Commerce or the Law Society, for instance) accrediting small-scale CAs operating perhaps in particular localities or in relation to specific sectors. The Government has identified trust as a key issue in relation to certification. It has stated that "users will require a high level of trust before the use of such services becomes widespread, especially for 'open' transactions...Building such trust, virtually overnight, in the electronic world will not be easy".[24] Consequently, it has proposed the establishment of a voluntary licensing regime for CAs, which we will consider in more detail later.[25]

Key Management Issues

16. Good management of keys is essential in order to maintain the authenticity, integrity or confidentiality of data. We list some of the aspects of key management below:

Although some users might be able to generate their own public and private keys, others might prefer to turn to firms to generate such keys. CAs might be well suited to this task where a public key, once generated, needed to be publicised via a directory, but it could be considered bad practice for anyone to allow their private key to be created by a third party[26]
Unlike private and public key pairs used for providing digital signatures, key pairs which are used for confidentiality might only be generated in relation to a specific communication.[27] Such "session" keys would not normally be need to be stored. A third party might facilitate their generation and might also help recover encrypted material, or the session keys themselves, at a later date
Private keys should be backed-up, in order to protect against their loss; arrangements must also be made to ensure that they are not compromised and, if they are, to deal with the resulting liability issues. Users might be able to store securely copies of their own keys, or they might engage a third party to carry out that function. Where a third party holds private keys the procedure is known as key escrow.[28] The third party is under a duty to keep the private keys confidential until served with a notice to release them. Such a notice might come from a legitimate owner who has lost a key but can provide evidence of who they are — this is an example of a key recovery service. A notice might also be served under warrant or judicial order — this notion has formed an important part of the Government's plans to support the needs of law enforcement.[29]

In this Report we will refer to any organisation storing private keys, or managing session keys required for confidentiality, or facilitating key recovery as a Trusted Third Party (TTP). As with CAs, the TTPs' market is not well developed. Many organisations seeking to offer cryptographic services will wish to be both a CA and a TTP.[30] Due to this confusing overlap we will follow the Government in using the term Trusted Service Provider (TSP) to describe any firm offering cryptographic services of any kind.

17. From the users' perspective, the primary issue relating to the development of the TTPs' market is trust, particularly in the security of any facilities used to store private keys. The Government has suggested that TTPs, like CAs, should be licensed on a voluntary basis. Amongst the licensing criteria proposed to apply specifically to TTPs are those intended to facilitate law enforcement access to decrypted text, either stored or in transit, when appropriately authorised. We consider the needs of law enforcement agencies in further detail below.

Law Enforcement Issues

18. Encryption, when used by criminals, can seriously hamper the activities of law enforcement agencies.[31] That it does so now only relatively infrequently is a function of the current incipient nature of electronic commerce and cannot be relied upon as an indication of the potential threat. The agencies told us that "encryption has the potential to give [criminals] an unassailable advantage".[32] Organised and serious crime, particularly drug trafficking, terrorism and paedophilia, might be most assisted by use of encryption.[33] Humberside Police told the Government during its recent consultation exercise that the "widespread use of encryption is a threat to public safety".[34] There are two situations in which law enforcement agencies do at present and would in future come across encrypted material:

when they seize computer hardware and software, usually with the knowledge of the suspect
during the interception of data communications, which normally occurs without the knowledge of the suspect.

19. Law enforcement agencies can, in broad terms, choose from three options when they wish to make use of encrypted material found during the course of their investigations. They can:

attempt to crack the cryptographic system by direct means.[35] This can be a lengthy, costly, and sometimes unsuccessful, process, and is unlikely to ensure real-time access to decrypted data[36]
attempt to decode encrypted material by exploiting weaknesses in the way in which cryptography had been deployed. Dr. Anderson, of Cambridge University Computer Laboratory, told us that "attacks on real systems almost never involve cryptoanalysis, they usually involve the exploitation of bugs in the system software [or] blunders made by the operators".[37] Such weaknesses are not guaranteed to be present and, again, timely access to decrypted material is unlikely to be achieved
acquire the key to the cryptographic system, either by requesting it from a suspect or from a TTP. The legal means of acquisition could include key escrow or a legal power to compel a user to surrender a key.

When decrypted material cannot be decoded, other options exist including requiring the plain text of the encrypted message to be handed to the law enforcement agencies and relying on non-encrypted material to secure a conviction.

20. The issue of law enforcement access to cryptographic keys, particularly to facilitate covert, real-time interception of data communications, has been central to the debate about electronic commerce policy. The law enforcement agencies told us that they would prefer a "mandatory worldwide licensing system" for TTPs which would ensure that they could enjoy timely access to private encryption keys, when appropriately authorised to do so.[38] Much of the evidence we received commented on:

technical difficulties associated with key escrow
the cost of developing key escrow facilities
the likelihood that private key storage facilities would become the targets of criminal activity
the improbability of a worldwide key escrow network being developed
privacy and civil liberties concerns.

We will consider these points later.[39]

21. Without key escrow, or related processes such as key recovery, law enforcement agencies might rely on requesting or requiring that suspects, or TTPs, hand over relevant private keys, or decrypted text, to assist investigations. Such requests might be easily circumvented, however, and could lead to legal problems associated with self-incrimination. Several witnesses suggested that law enforcement concerns with encryption would require a more "sophisticated and practical" police approach to computer technologies than exists at present.[40] The law enforcement agencies, while acknowledging the importance of enforcement officers' computer skills, argued that key escrow is required simply to maintain present crime-fighting capabilities.[41]

International Perspective

22. Governments across the world have faced up to the policy challenges posed by cryptography in recent years.[42] There has been activity to deal with such challenges both in international fora and by individual nation states.[43]

International Fora

23. Various international and regional organisations have recently undertaken to tackle the cryptography agenda.

the European Union published its "European initiative in electronic commerce" on 15 April 1997 and a policy paper dealing specifically with digital signatures and encryption on 8 October 1997.[44] The Telecommunications Council of Ministers agreed a common position on the Electronic Signatures Directive on 22 April 1999[45]
the United Nations Commission on International Trade Law (UNCITRAL) has an electronic commerce working group which decided in 1996 to commence work on Uniform Rules for digital signatures and CAs[46]
the Organisation for Economic Cooperation and Development (OECD) organised a ministerial conference in Ottawa, Canada, in October 1998 arising from which a detailed work programme was commenced, including discussion of "emerging technologies and business models for authentication and certification". A non-ministerial conference is planned for October 1999 to review progress[47]
the Wassenaar Arrangement, signed by 33 countries, covers controls of the export of cryptographic products[48]
the Council of Europe set up a Committee of Experts on Crime in Cyber-Space in January 1997 and is preparing a Convention on Cyber-Crime which is likely to deal with encryption issues[49]
Asia-Pacific Economic Cooperation has established a task group to consider authentication (but not encryption) issues.[50]

National Governments

24. Several countries have either implemented laws relating to cryptography, made legislative proposals or established expert committees to consider possible legislative options.:

Australia appointed a Committee of Experts to consider the legal framework for electronic commerce, whose work contributed to the draft Electronic Transactions Bill published in January 1999.[51] The Federal Government is considering the establishment of a national authentication authority. Australian encryption policy was reviewed in 1996, since when the Federal Government has adopted the OECD's guidelines on cryptography as a basis for policy[52]
Canada aims to become the "most connected nation in the world" by 2000 and various cryptography initiatives, including a liberal policy on encryption, have recently been announced[53]
France announced on 19 January 1999 that its strict controls on cryptography, which included a key escrow policy, would be relaxed[54]
Germany passed a Digital Signature Law in June 1997, which established a licensing regime for CAs and which enabled digital signatures supported by a certificate from a licensed CA to have legal effect[55]
United States policy is based on the Framework for Global Electronic Commerce issued by the President on 1 July 1997 which included policies to promote a worldwide legal framework relating to electronic commerce and a common approach to authentication.[56] On encryption, the US has relaxed export controls for cryptographic products incorporating key recovery capabilities.[57]

25. The UK Government has stated that "electronic commerce is essentially a global, rather than a national, issue" and emphasised the importance of monitoring electronic commerce initiatives in other countries and in international organisations "to ensure consistency with our own policies".[58] The Minister told us that Government policy was being driven by "our own perceptions of what this country needs to achieve our objectives".[59] Many witnesses and respondents to the Government's consultation document emphasised the importance of the Government's proposals adequately reflecting the international policy dimension.[60] In order to help the UK become the best environment in which to trade electronically by 2002, the Government should keep a close eye on international electronic commerce policy developments and adopt best practice from elsewhere when appropriate.

19 Electronic communications include e-mail, file transfer protcol (FTP), telnet, usenet and gopher Back

20 A private key can also be known as a signing key and a public key as a signature verification key Back

21 The most widely used private-key cryptography technique is known as RSA, although alternative and potentially more efficient techniques have recently been devised - see Times, 13 Jan 99, p1; Guardian, 14 Jan 99, section 2 p5; Guardian, 11 Feb 99, Online section p5; also Ev, p236 Back

22 Consultation 99, p17 Back

23 Qq425, 431; Ev, p151 summary point 3, p322 paragraph 2.1; response to Government from the British Chambers of Commerce p1; Evening Standard, 12 Mar 99, p41; Daily Mail, 17 Mar 99, p33; the Australian Post Office has recently closed its CA service due to it not being commercially viable, The Australian, 13 April 1999, on the internet at technology.news.com.au/techno/4231452.htm; and see Ev, p230 Back

24 Consultation 99, paragraph 33 Back

25 See from paragraph 59 Back

26 See response to Government from British Computer Society p5, for instance Back

27 For instance Secure Sockets Layer (SSL) in transactions using the Netscape web browser Back

28 Escrow is an obsolete legal term, given a new lease of life in the 1990s by the cryptography debate. Originally meaning a deed or bond, it has been used since the 19th century in the US to mean a deposit held in trust or on a security. It is now often used as a verb as well as a noun Back

29 See paragraph 83; also see definition by Post Office in their response to Government, paragraphs 7.5-7.6 Back

30 Q430 Back