Adverts from Google:
Presentation 12 June 2001
Security and Encryption
With Central Law Training June 12, 2001
Symmetric Key Encryption
Core Technology - Encryption
- Encryption Technologies
- Regulation of Investigatory Powers Act 2000
- Electronic Communications Act 2000
- Others PACE/Terrorism Act 2000
- Symmetric Key Encryption
- Asymmetric Key Encryption
- Underlies all e-commerce
- Part of delivery of software
Also single key or private key encryption
Same key used both to encrypt (or scramble) the message, and to decrypt it.
Fast, Secure, easy to manage
Difficulty with keys
First communication must be secret to achieve secrecy.
Keeping the key secret.
Asymmetric Key Encryption
One key split in two
Private Key is kept absolutely private
Public Key can be distributed widely
Secure communication without prior arrangement
Electronic commerce- digital signatures
Complex must be understood
Privacy - Encrypt with
Recipients public key
Decrypted by recipient with
His own private key
Only he can read it, (not even sender).
Authenticity - Encrypt
With Sender's private key
Decrypted by recipient with
Sender's Public key
Can only come from sender. Has not been changed.
Attaches to the message
Trust in recipient
Secure first channel
Attaches to the person
No prior trust in, contact with addressee
Trusted Third Party
Software creates a short series of characters uniquely related to a document.
Post public key possibly certified by TTP
Generate MD for the document
Encrypt MD with own private key (the signature)
Send document in plain with the encrypted MD
Recipient can reverse the process with public key to verify the signature.
Combines all three techniques
Generate Private key one session /message only
the message with the session key
The session key with the recipients public key
Use his Private key to decrypt the session key
Uses session key to decrypt the message
RIP said to give particular significance to this form of encryption.
Very widely used but not RIP proof
Encryption technology can be secure.
But managing keys almost impossible.
Key is equal in value to what it protects.
Combining keys eggs and baskets
How can keys be looked after?
Third party systems No - Can only rely upon own memory.
How many keys?
Do not underestimate this as a problem
Use of physical attribute as key.
A very powerful solution. Appears to remove Key Management problems.
Considered for Passports, and e-conveyancing
Violates fundamental rule - the key is not revocable if compromised.
All systems must translate the attribute into electronic form and therefore copyable form.
What happens if someone copies that feature? Eg image taken of retina for eye test. Lifetime exclusion?
Regulation of Investigatory Powers Act 2000
Part I Regulates Interception of Communications
Part II Regulates Covert and Intrusive Surveillance
Part III Recovery of Encrypted Material
Provisions for Intelligence Services (not covered)
Extremely detailed and technical.
RIPA 2000 Part I Chapter I Interception
Extends restrictions on interception of materials to
Material gathered under a warrant is not evidence s17
Difficulties for employers. Lawful Business Practice Regulations/Data Protection Guidelines (soon
Facilities for tapping in to e-mail networks s12.
Echelon system outsourcing of interception?
RIPA 2000 Part 1 Chapter II and Part II Surveillance
Part I Chapter II Acquisition of Communications Data ss 21- 24
Traffic Data analysis of who is talking to whom not what is being said
Authorised under warrant - admissible
Part II covert and intrusive surveillance
Whole new system of authorisations
RIPA 2000 Part III Encryption
Much wider than encryption
Service of Notices requiring:
s49 Decryption (or 2 years) and/or
s51 Surrender of Key (s51), and/or
Secrecy Requirements (or 5 years)
Impossible balance between law-enforcement and privacy and business needs
Takes no account of value of encryption in preventing crime.
RIPA 2000 Part III Protections
s49(5) serve on senior employee
special situations and proportionate s50(4)
Signature Keys s49(9)
Burden of proof s53(2)
- Is intended to be used only as signature key and
- Has only been so used
- No real protection by definition officer believes has been so used
RIPA 2000 Part III Secrecy
s54 Tipping Off
Infects anyone who becomes aware of it
Inappropriately inherited from IOCA and other similar
Very different New Staasi
Served on private individuals, not trained professional
Greater number each recipient must be served
The innocent end of the communication
Affects privacy of other innocent parties
Whose keys and how many have been compromised?
Re-assurance revocation of compromised key is not tipping off.
Electronic Communications Act 2000 (ECA)
Part I Regulation of Encryption Service Providers
Part II Recognition of Digital etc Signatures
Part III Modification of Telecommunications Licences (not covered)
Implements EU Digital Signatures Directive
ECA 2000 Part I
Regulation of Cryptography Service Providers
Certifying Authorities/Trusted Third Parties
Digital Certificates, or
But may become involuntary.
No requirement for Key escrow s14
Facilitation of Electronic Commerce etc
S 7 Admissibility of
Digital Signatures, and
Certificates supporting signatures
Peculiar definition s7(2)
Modification of Legislation
To authorise or facilitate use of electronic communications/storage Piecemeal approach (cf Australia)
Companies Act, Local Government, Land Registry
Wassenaar Agreement Encryption is classified as Dual Use Weapon
Export Control Regimes
Relaxed, but not completely
Has been used to restrict and discourage use of encryption
US challenges to export of PGP
www.swarb.co.uk - Posted copy of this and similar presentations.
www.jsboard.co.uk Judicial StudiesBoard
www.scl.org - Society for Computers and Law Join - (Particularly C&L Jan 2000)
The Code Book Singh - excellent
www.cryptome.org International policy developments
www.fipr.org - Foundation for Information Policy
http://elj.warwick.ac.uk/jilt - Journal of Information Law and Technology
All information on this site is in general and summary form only. The content of any page on this site may be out of date and or incomplete, and you should not not rely directly upon it. Take direct professional legal advice which reflects your own particular situation.
| Two Doves Counselling
| Faulty Flipper
Copyright and Database Rights: David Swarbrick 2012
22 January 2013
http://www.swarb.co.uk/lawb/intEncReg010612.shtml 471 9 June 2010