                        crypto 
                         
                        This page considers cryptography. 
                         
                        It covers - 
                      
                            
                        introduction 
                         
                        Encryption of information, whether by government or by 
                        business and individuals, is a key technology for preserving 
                        security online and accordingly the centre of debate about 
                        policy, legislation and specific technical standards or 
                        mechanisms. 
                         
                        That debate reflects tensions that encompass - 
                      
                         - perceptions that there is a significant untapped consumer
                           and business market for encryption products of varying
                           degrees of sophistication

                         - support by some government agencies for growth of a local
                           encryption industry

                         - concerns within other government agencies about access by
                           criminals (including tax evaders, terrorists, drug
                           traffickers) to encryption products

                         - anxiety among some citizens that they are under
                           surveillance by their government

                         - anxiety among governments that their information and
                           communication is being illicitly captured by other
                           governments, organisations or individuals

                         - concerns among connectivity providers such as ISPs and
                           phone companies that they will be expected to monitor and
                           even decrypt communications

                         - fears among some businesses and other organisations that
                           their communications are being exploited by competitors
                           (including information provided to competitors by
                           governments other than their own).

                       
                         Those tensions can broadly be characterised as disagreement
                         about the 'ownership' of information: protecting mine,
                         being free to see yours.
                         
                        The technical nature of the debate (and the vehemence 
                        of some protagonists) has overshadowed the diffusion of 
                        encryption throughout the information economy, in particular 
                        its use in many online payment systems and in e-government. 
                         
                              
                        background 
                         
                        Mechanisms for protecting information through encryption 
                        date from the beginning of recorded history, as explored 
                         in works such as David Kahn's classic The Code Breakers
                         (London: Weidenfeld & Nicolson 1967).
                         
                        Encryption has attracted particular attention over the 
                        past century because of perceptions that information can 
                        offer a fundamental strategic or tactical advantage, because 
                        electronic communication networks (from the telegraph 
                        onwards) facilitate the rapid transfer and collection 
                        of large amounts of information, and because technologies 
                         such as the personal computer have made it significantly
                        easier to encrypt and decrypt electronic information. 
                         
                         
                        Making sense of developments can often seem like wandering 
                        in a wilderness of mirrors, given polemic by advocates 
                        for different positions, uncertainty about claims made 
                        by government agencies and the difficulty of assessing 
                        balances between competing claims. Intelligence bodies 
                        are necessarily economical with the truth; law enforcement 
                        bodies seek statutory powers and resources to circumvent 
                        protection used by enemies of the state ... or potential 
                        enemies.  
                         
                        In the US argument continues about government restrictions 
                        on the domestic use and export of 'strong' cryptography, 
                        uniting the libertarian left and right with software/hardware 
                        manufacturers.  
                         
                        Examples of that alliance are the Americans for Computer 
                        Privacy (ACP) 
                        - a commercial lobby group - and the Global Internet Liberty 
                        Campaign (GILC). 
                         
                        An example of fears is Brad Templeton's 2002 comment 
                         
                       
                           Let me put on my EFF hat and say that in fact government
                           regulation has been the biggest barrier to getting security
                           deployed in the market. Some forces in the government
                           are afraid of good security in computers, and so acted
                           (with remarkable success) to regulate encryption and
                           stop it from getting deployed in consumer products.
                           
                       
                         The Washington-based Electronic Privacy Information Centre
                         (EPIC) has recently released its comprehensive annual global
                         survey of cryptography policy. Locally, Electronic Frontiers
                         Australia has published the suppressed 1996 Commonwealth
                         government Walsh Report on encryption policy.
                         
                        The Certification Authority for the German Research Network 
                        has an outstanding 8 page list 
                        of Public Key Infrastructure links, along with pointers 
                        to SSL, SET, MIME and other security tools. In Australia 
                        the Government Public Key Authority (GPKA), 
                        established in 1999, deals with government aspects of 
                        PKA.  
                         
                         For a succinct introduction to PKA we recommend Jessica
                         Polito's 1999 article A Primer on Public-Key Cryptography.

                         In 1996 the US National Research Council produced an excellent
                         report, Cryptography's Role in Securing the Information
                         Society.
                         
                        For a global perspective on government approaches we recommend 
                        the 1997 OECD Cryptography Policy Guidelines & 
                        Background Report (CPG). 
                        The Limits of Trust: Cryptography, Governments & 
                        Electronic Commerce (Hague: Kluwer 1998) by Stewart 
                        Baker & Paul Hurst offers a contentious assessment 
                        of issues and approaches.  
                         
                        Bert-Jaap Koops offers more temperate views in ICT 
                        Law & Internationalisation: A Survey of Government 
                        Views (Hague: Kluwer 2000), complementing his The 
                        Crypto Controversy: A Key Conflict in the Information 
                        Society  (Hague: Kluwer 1998). 
                         
                              
                        export controls and domestic regulation 
                         
                        A global framework for restrictions on the export of 'strong 
                        cryptography' products is provided by the Wassenaar Arrangement 
                        and associated national legislation, discussed in a detailed 
                        note elsewhere on this 
                        site. 
                         
                         Simo-Pekka Parvaiainen's master's thesis on Cryptographic
                         Software Export Controls in the EU describes the EU export
                         regime.
                         
                              
                        reading 
                         
                        David Kahn's  The Code Breakers (London: Weidenfeld 
                        & Nicolson 1967, rev ed 1990) remains a valuable introduction 
                        to the nature and history of cryptography and cryptology.  
                         
                        It has not been superseded by the more recent The Code 
                        Book (New York: Doubleday 1999) by Simon Singh. Cautions 
                        are provided in Rebecca Ratcliff's superb Delusions 
                        of Intelligence: Enigma, Ultra, and the End of Secure 
                        Ciphers (Cambridge: Cambridge Uni Press 2006), exploring 
                        how crypto is used and misused.   
                         
                        For those seeking more detailed information about the 
                        mechanics of encryption we recommend Bruce Schneier's 
                        Applied Cryptography: Protocols, Algorithms and Source 
                        Code in C (New York: Wiley 1995). Schneier's new Secrets 
                        & Lies: Digital Security In A Networked World 
                        (New York: Wiley 2000) offers a more panoramic but equally 
                        insightful view of network security: issues, mechanisms, 
                        risk assessment.  
                         
                        It is particularly valuable because of its holistic approach, 
                        avoiding reliance on isolated technological fixes such 
                        as PGP.  
                         
                        Schneier and David Banisar co-edited The Electronic 
                        Privacy Papers (New York: Wiley 1997), a unique compilation 
                        of key US government and private sector documents about 
                        encryption, privacy policy, law enforcement and other 
                        matters.  
                         
                         Cryptographic abundance and pervasive computing (CAPC)
                         is a provocative paper by AT&T scientist Andrew Odlyzko,
                         one of the more perceptive writers about online information
                         pricing.
                         
                        Information about encryption standards and the policy 
                        debate will be added shortly. 
                         
                         Michael Froomkin's papers It Came From Planet Clipper: The
                         Battle Over Cryptographic Key 'Escrow' and The Metaphor Is
                         the Key: Cryptography, The Clipper Chip & the Constitution
                         are stimulating, although we regard Dorothy Denning and
                         Schneier as more convincing.
                         
                               
                        encryption and privacy 
                         
                        Pointers to encryption as a tool for privacy (eg use 
                        of PGP) are supplied in our Privacy 
                        guide.  
                         
                              
                         and e-commerce
                         
                        [under development] 
                         
                         
                         
                            