Law Forum
  Law Books

Adverts from Google:
 
 
Google
 
Web www.swarb.co.uk

Encryption Regulation
Presentation 12 June 2001
Security and Encryption
David Swarbrick
With Central Law Training June 12, 2001
Summary
    • Encryption Technologies
    • Regulation of Investigatory Powers Act 2000
    • Electronic Communications Act 2000
    • Others – PACE/Terrorism Act 2000
    Core Technology - Encryption
  • Symmetric Key Encryption
  • Asymmetric Key Encryption
  • Combinations
  • Underlies all e-commerce
  • Part of delivery of software
  • Identity
  • Privacy
  • Signing
  • transactions
Symmetric Key Encryption
  • Also ‘single key’ or ‘private key’ encryption
  • Same key used both to encrypt (or scramble) the message, and to decrypt it.
  • Fast, Secure, easy to manage
  • Difficulty with keys
  • First communication must be secret to achieve secrecy.
  • Keeping the key secret.
    Asymmetric Key Encryption
  • One key split in two
  • Private Key – is kept absolutely private
  • Public Key – can be distributed widely
  • Enables
  • Great flexibility
  • Secure communication without prior arrangement
  • Electronic commerce- digital signatures
  • Complex – must be understood
    Asymmetric Use
  • Privacy - Encrypt with
  • Recipient’s public key
  • Decrypted by recipient with
  • His own private key
  • Only he can read it, (not even sender).
  • Authenticity - Encrypt
  • With Sender's private key
  • Decrypted by recipient with
  • Sender's Public key
  • Can only come from sender. Has not been changed.
    Comparison
  • Symmetric
  • Attaches to the message
  • Can be
  • Simple
  • Speedy
  • Secure
  • Requires
  • Trust in recipient
  • Secure first channel
  • Asymmetric
  • Attaches to the person
  • Can be
  • Flexible
  • No prior trust in, contact with addressee
  • Complex
  • Requires
  • Trusted Third Party
  • Enables
  • E-commerce
    Message Digest
  • Software creates a short series of characters – uniquely related to a document.
  • Post public key – possibly certified by TTP
  • Use
  • Generate MD for the document
  • Encrypt MD with own private key – (the signature)
  • Send document in plain with the encrypted MD
  • Recipient can reverse the process with public key to verify the signature.
    Session Keys
  • Combines all three techniques
  • Generate Private key – one session /message only
  • Encrypt
  • the message with the session key
  • The session key with the recipient’s public key
  • Recipient
  • Use his Private key to decrypt the session key
  • Uses session key to decrypt the message
  • RIP said to give particular significance to this form of encryption.
  • Very widely used – but not RIP proof
    Key Management
  • Encryption technology can be secure.
  • But managing keys almost impossible.
  • Key is equal in value to what it protects.
  • Combining keys – eggs and baskets
  • How can keys be looked after?
  • Third party systems – No - Can only rely upon own memory.
  • How many keys?
  • Do not underestimate this as a problem
    Bio-Metrics
  • Use of physical attribute as key.
  • A very powerful solution. Appears to remove Key Management problems.
  • Considered for Passports, and e-conveyancing
  • Violates fundamental rule - the ‘key’ is not revocable if compromised.
  • All systems must translate the attribute into electronic form and therefore copyable form.
  • What happens if someone copies that feature? Eg image taken of retina for eye test. Lifetime exclusion?
    Regulation of Investigatory Powers Act 2000
  • Four parts
  • Part I Regulates Interception of Communications
  • Part II Regulates Covert and Intrusive Surveillance
  • Part III Recovery of Encrypted Material
  • Provisions for Intelligence Services (not covered)
  • Extremely detailed and technical.
    RIPA 2000 Part I – Chapter I Interception
  • Extends restrictions on interception of materials to
  • E-mails, and
  • Private networks
  • Material gathered under a warrant is not evidence s17
  • Difficulties for employers. Lawful Business Practice Regulations/Data Protection Guidelines (soon … real soon)
  • Facilities for ‘tapping’ in to e-mail networks s12.
  • Echelon system – outsourcing of interception?
    RIPA 2000 Part 1 Chapter II and Part II – Surveillance
  • Part I Chapter II – Acquisition of Communications Data ss 21- 24
  • ‘Traffic Data’ analysis of who is talking to whom – not what is being said
  • Authorised under warrant - admissible
  • Part II ‘covert’ and ‘intrusive’ surveillance
  • Previously unregulated
  • Whole new system of authorisations
    RIPA 2000 Part III – Encryption
  • Much wider than ‘encryption’
  • Service of Notices requiring:
  • s49 Decryption (or 2 years) and/or
  • s51 Surrender of Key (s51), and/or
  • Secrecy Requirements (or 5 years)
  • Extreme Controversy
  • Impossible balance between law-enforcement and privacy and business needs
  • Takes no account of value of encryption in preventing crime.
    RIPA 2000 Part III – Protections
  • Commercial concerns
  • s49(5) serve on senior employee
  • Keys
  • ‘special situations’ and proportionate s50(4)
  • Signature Keys s49(9)
    • Is intended to be used only as signature key and
    • Has only been so used
    • No real protection – by definition officer believes has been ‘so used’
  • Burden of proof s53(2)
    RIPA 2000 Part III – Secrecy
  • s54 Tipping Off
  • Infects anyone who becomes aware of it
  • Inappropriately inherited from IOCA and other similar
  • Very different – ‘New Staasi’
  • Served on private individuals, not trained professional
  • Greater number – each recipient must be served
  • The innocent end of the communication
  • Affects privacy of other innocent parties
  • Undermines e-commerce
  • Whose keys and how many have been compromised?
  • ‘Re-assurance’ revocation of compromised key is not tipping off.
    Electronic Communications Act 2000 (ECA)
  • Part I – Regulation of Encryption Service Providers
  • Part II – Recognition of Digital etc Signatures
  • Part III – Modification of Telecommunications Licences (not covered)
  • Implements EU Digital Signatures Directive
    ECA 2000 Part I
  • Regulation of Cryptography Service Providers
  • Certifying Authorities/Trusted Third Parties
  • Digital Certificates, or
  • Secure/Private Storage
  • Voluntary register
  • But may become involuntary.
  • No requirement for Key escrow s14
  • Part II
  • Facilitation of Electronic Commerce etc
  • S 7 Admissibility of
  • Digital Signatures, and
  • Certificates supporting signatures
  • Peculiar definition – s7(2)
  • cf RIP
  • Modification of Legislation
  • To ‘authorise or facilitate use of electronic communications/storage’ Piecemeal approach (cf Australia)
  • Companies Act, Local Government, Land Registry
    Export Controls
  • Wassenaar Agreement – Encryption is classified as Dual Use Weapon
  • Export Control Regimes
  • Unpredictable consequences
  • Relaxed, but not completely
  • Effects
  • Has been used to restrict and discourage use of encryption
  • US challenges to export of PGP
    Resources
  • www.swarb.co.uk - Posted copy of this and similar presentations.
  • www.jsboard.co.uk – Judicial StudiesBoard
  • www.scl.org - Society for Computers and Law – Join - (Particularly C&L Jan 2000)
  • The Code Book – Singh - excellent
  • www.cryptome.org – International policy developments
  • www.fipr.org - Foundation for Information Policy
  • http://elj.warwick.ac.uk/jilt - Journal of Information Law and Technology
  • Important: Please note that our law-bytes are retained for archival purposes only. The law changes, and these notes are often, now, out of date. You must take direct advice on your own personal situation and the law as it currently stands.
    All information on this site is in general and summary form only. The content of any page on this site may be out of date and or incomplete, and you should not not rely directly upon it. Take direct professional legal advice which reflects your own particular situation.
    Home |  lawindexpro |  Forum | 
    | Two Doves Counselling | Faulty Flipper
    Copyright and Database Rights: David Swarbrick 2012
    18 October 2013 http://www.swarb.co.uk/lawb/intEncReg010612.shtml 471 18 October 2013