http://www.fvit-eurobit.de/pages/eurobit/position/pos004.htm

IBAG Statement on the Availability of Commercial Cryptography

[No date; retrieved November 12, 1996]

1. The INFOSEC Business Advisory Group (IBAG) views with concern the slow progress being made towards agreement on controls on cryptography that permit international business to operate securely and efficiently.

2. IBAG members are increasingly exploiting global communications and distributed systems not just to benefit their own business, but also to do business electronically with other companies. Products and services are being made available, many of which conform to open standards, that enable such activities to be carried out securely. However, this security is usually achieved by use of cryptographic techniques, and is thus subject to national government control. Most nations control export of such technology, and many also control import and use.

3. IBAG is concerned that current trends appear to be to tighten up on such controls, notwithstanding the increasingly widespread availability in many countries of implementations in hardware and in software of the common algorithms, such as DES and RSA. Further, the ability of national authorities to police effectively the movement of such technologies across national boundaries, either as product or as components, is demonstrably limited.

4. IBAG recognises the legitimate needs of national authorities to be able to enforce the rule of law, and to maintain national security, but industry has an equal right to protection of know-how and information and of personal data under the same stringent safeguards from Government misuse as already exist for paper communications, telephony and the like. A proper balance between statuary and self regulation needs to be established through a dialogue between national authorities and industry. This is already a clearly understood principle in, for example, the financial services industry where regulatory reporting requirements to combat money laundering are well established.

5. While IBAG would prefer no controls on the use of commercial cryptography, it is recognised that some form of control will probably be imposed. In these circumstances IBAG is strongly in favour of a solution that combines processes accredited by national authorities, or their agents, with voluntary conformance by law-abiding users. We suggest that this solution be based on Trusted Third Parties (TTPs), similar to the key Certification Authorities already being set up to certify public keys, but with additional responsibilities. They could be accredited to have access to user's master keys and algorithms via agreed secure procedures and, under appropriate legal controls, provide those keys to national authorities or law enforcement agencies. Such TTPs would be appropriately regulated and trusted commercial operations, and users could select which TTP to use based on commercial decisions. Alternatively, large organisations or industry service organisations (such as SWIFT for financial services) could become accredited TTPs for their own business or industry. While use of such TTPs would be voluntary, it could be encouraged by relaxation of controls on the use of cryptographic technologies where such facilities were used.

6. It would be necessary for nations to develop mutual arrangements for TTPs in different countries to exchange key information, again under suitable legal controls, to allow for the situation where communication is taking place across national boundaries. Industry would prefer that the master keys for a business, or trading relationship between businesses, be accessed only via one TTP. While in theory such keys could be lodged in a TTP in each nation involved, this would become very difficult to administer where companies operate across a majority of the world's nations. Where the organisation, or industry service, is also the TTP this international dimension would be much simplified.

7. This solution is, in the view of IBAG, the most cost-effective of a range of solutions based on the idea of TTPs. The attached Figure [not with document] shows this range graphically and they are explained briefly below. The pros and cons of each are listed in Paragraph 8 below.

The Baseline is that no controls exist for commercial cryptography. This has least cost to the user but, we understand, is not considered to provide adequate effectiveness for law enforcement.

Method A is that described above in Paragraph 5. It will increase the cost to the user, but will, in our view, provide adequate effectiveness for law enforcement.

Method B assumes only approved cryptographic technologies that have an "interface" for tapping into the information in clear can be used; the relevant information will be lodged with an accredited, commercial TTP or Escrow Agent where it will be available to law enforcement agencies without the prior knowledge of the user.

Method C assumes in addition that all users of encryption must first obtain approval. This approval will only be given where the method and keys are disclosed to the Authorities, and only approved equipment, sanctioned by the Authorities, is used. In all cases, where a requirement is mandated, circumvention of that requirement is illegal, even if that requirement is only conformance to procedures with an accredited TTP.

8. IBAG prefers no controls, but would support Method A for the following reasons:

No Controls: Would facilitate low cost international interworking for industry, but appears unacceptable for law enforcement.

Method A: Has high effectiveness for law enforcement, and low cost for industry. Is internationally applicable. Leaves room for easy inclusion of technological advances and new products.

Method B: Has high cost (added onto product, business system implementation and management cost) and increases effectiveness for law enforcement only marginally over Method A. Approved equipment, unless internationally harmonised, has only a national market, and will thus be expensive. It will also be difficult for businesses to operate internationally unless the approved equipment is harmonised internationally. Developers of advanced crypto equipment will be restricted by the approval processes necessary. Exploitation of major technological advances in capability may be inhibited by the need to develop new approved crypto technologies.

Method C: Has all the disadvantages of Method B, and adds additional cost and time for registration and approval for use. The cost will be very high if hardware solutions are mandated. The gain for law enforcement is marginal when compared to the cost to law-abiding industry, and it is not clear why those with criminal intent should exploit this mandated technology.

9. IBAG recognises the different sensitivities of the use of encryption techniques for integrity (including authentication, electronic signature, non-repudiation, etc) and for confidentiality. A phased approach where an international scheme to address the need for integrity was introduced initially, followed by confidentiality mechanisms once the basics of operating accredited trusted third parties had become established could be considered.

10. IBAG calls upon national Governments in Europe, and Institutions of the European Community, to work together with Industry and users to develop a comprehensive policy on control of encryption and advanced telecommunications technology. IBAG commends the approach described in Paragraph 5 above as a practical starting point for such discussions, and urges SOGIS and the European Commission to provide the focus for these discussions, including co-operation with nations outside Europe. IBAG is ready to play its part in these discussions.

See earlier IBAG statement.

See related OECD press release.