I. T. Consultancy Limited – Response to DTI
I. T. Consultancy Limited, which is based offshore in Jersey and already provides some cryptographic services over the Internet free of charge, comprising a PGP Timestamping Service incorporating email proof of posting certificates, has made the following formal submission to the DTI.
Our reference L2313
By facsimile & post
Mr Nigel Hickson
Information Security Policy Group
Communication & Information Industries Directorate
Department of Trade & Industry
151 Buckingham Palace Road
London SW1W 9SS
31 May 1997
Dear Mr. Hickson,
I refer to your Department's document "Licensing of Trusted Third Parties for the Provision of Encryption Services" (the "Consultation Document") to which this letter is a formal response. In making this response reference shall be made to the following additional documents:-
- DTI's Paper on Regulatory Intent Concerning Use of Encryption on Public Networks
- OECD Guidelines for Cryptographic Policy
- Charles Lindsey's open letter to your colleague Mr. David Hendon together with Mr. Hendon's reply
- The Labour Party's document on the Information Superhighway at http://www.labour.org.uk/views/info-highway/
- A paper entitled "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption" by Hal Abelson, Ross Anderson, Steven M Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G Neumann, Ronald L Rivest, Jeffrey I Schiller & Bruce Schneier available at http://www.crypto.com/key_study/report.shtml
- As a number of people have noted the Consultation Document is not particularly well drafted. Indeed in places it is so unclear as to obscure its meaning. In light of this it is difficult to have an informed debate on its finer points.
- It is to be noted that the Consultation Document was prepared for the UK's previous Conservative government, a Labour government having come to power during the consultation period. The Labour Party's view that "Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of information networks", appears to be substantially at variance with the major thrust of the Consultation Document.
- Both the DTI's " Paper on Regulatory Intent Concerning Use of Encryption on Public Networks" and the Consultation Document place reliance on being able to decrypt communications which have been legally intercepted under the provisions of the Interception of Communications Act 1995. Indeed the Paper on Regulatory Intent specifically refers only to traffic on public networks". In paragraph 46, the Consultation Document appears to extend this to "legal access to private encryption keys ... required by the authorities ... for lawful access to data stored and encrypted by clients of licensed TTPs", an important matter which I have yet to see commented upon in public.
- It appears that the major thrust of the Consultation Document is the creation of key escrow and key recovery facilities for "legal access" purposes. It is proposed that this is achieved by the licensing of TTPs who must escrow all confidentiality keys which they authenticate. The Consultation Document is drafted entirely on the basis of a Public Key Infrastructure using asymmetric cryptographic keys each with a public and a private component. It also allows for different key pairs to be used for "confidentiality" and "authentication", with authentication only keys being free from the requirement of escrow by a TTP.
- The proposals are fundamentally flawed insofar as they assume the existence of a confidentiality key authenticated by a TTP, an assumption which is wholly invalid.
- Two schemes immediately spring to mind which would permit users to have TTP validated authentication keys and engage in confidential communications without any form of key escrow. The first is simply to use a confidentiality key which has not been authenticated by a TTP, but which has been validated by the user's authentication only key which has in turn been validated by a TTP. The second is to use TTP validated authentication keys online to guarantee the authenticity of both parties and then to use an algorithm such as Diffie-Hellman to establish a common secret session key which could be used for encryption. Both these schemes would use keys TTP validated authentication keys only for authentication purposes, but would allow encrypted communications without the possibility of key recovery.
- It is clearly stated, both in the Consultation Document and in Mr. Hendon's reply to Charles Lindsey, that the use of TTPs (and hence any key escrow) is voluntary and that the use of encryption is not to be regulated in any way. Mr. Hendon specifically concedes that "a proportion of confidentiality keys will not be accessible via the warrant process because they have not been escrowed", a view which presumably supercedes paragraph 47 of the Consultation Document.
- In effect what appears to be being proposed is a voluntary key escrow scheme, perhaps a rather curious concept. One has to ask whether any self-respecting criminal, going about his or her nefarious business, is likely to choose to use TTP validated and escrowed secrecy keys, when unescrowed keys are freely available. Such issues would appear to offer a rich source of material for satirical lampooning, the details of which I will leave to the reader's imagination.
- There therefore appears to be no benefit in having TTPs validate confidentiality keys, which rather circumvents the whole of the proposals for key escrow.
- Paragraph 24 of the Consultation Document describes "Lawful Access (outlining the Government's right to legally access data - whether or stored or in transmission - and encryption keys)" [my emphasis] as one of the eight key principles of the OECD's cryptography guidelines "which any national encryption policy (including industry's development of products) should observe" [my emphasis].
- This is grossly misleading as the OECD guidelines actually say "National cryptography policies may allow lawful access to plaintext, or cryptographic keys, or encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible" [my emphasis]. It is clear therefore that this guideline is entirely optional, permitting access to either plaintext or keys. It is unfortunate that the Consultation Document claims otherwise.
- It is interesting to note that the Consultation Document offers no argument whatsoever in support of the requirement to be able to decrypt lawfully intercepted messages. One would have thought that such an argument would be a prerequisite for any meaningful consultation on the subject.
- Naturally the use of key escrow has the potential to weaken the security and add risks. The paper entitled "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption" discusses this matter in some detail and I would be grateful if the issues raised could be considered as part of this formal response. It is interesting to note that no large scale key recovery system has yet been deployed; the long term security of such systems remaining unknown.
- Whilst being important, matters of cryptographic policy are somewhat dull to the general public, although key and crucial to privacy. One should perhaps therefore consider the reactions of the "passenger on the Clapham omnibus" to the proposals. If asked "should one have to lodge one's secret codes used for secure communication between users, for example between a person and their doctor or lawyer, so that the authorities can read the messages", it would be surprising if the majority view was "yes".
- The requirements of the Consultation Document that foreign TTPs offering services to UK customers must both be registered and have a UK address are patently ridiculous and entirely unenforceable, especially in light of the global nature of the Internet as a whole.
- The Consultation Document makes much of mandetory regulation of TTPs, which is entirely desirable were they to be holding secret key information under escrow or actually encrypting clients' data themselves. In all other cases it appears that voluntary regulation (or indeed a code of practice) would be more appropriate. Most of the complexity and detail of the proposals appears to surround key escrow and key recovery. Without this, the need for mandatory regulation substantially diminished.
I do hope these comments are useful to you in determining ongoing policy in this area, a matter which I am sure quite a number of people will be observing with some interest.
Matthew Richardson <firstname.lastname@example.org>
I. T. Consultancy Limited, Jersey, Channel Islands
Last updated: 01 June 1997