Security and Encryption

Some Problems with the Internet

Some of the problems the digital world faces are untrusted computer systems, non-trust worthy individuals, unclear laws, unclear policies (ex., no clear Spam policies), and challenged sovereignty regarding anonymity and confidentiality (i.e., depends on the country; in Russia, cryptography is not allowed).

 

Surprise Disclosures of Personal Information and Program Launches

Some recent software, viruses, and Internet vulnerabilities include the following:

Cookies – Stores information and helps a website recognize a user.  Do we want sites to know this information?

JAVA – Internet viruses have  been sent and are a big issue

Microsoft – Has built-in weaknesses including Word macro viruses and ACTIVE-X issues (Quicken has been known to do surprise bank transfers)

Browser vulnerabilities – Recent problems with Netscape 4.x; JAVA had to be disabled

Monitoring tools – Some of the existing Internet monitoring tools which monitor networks to look for problems have been used by hackers to break into systems

 

Who are the “Trustworthy” Persons?

How should we know whom to trust since “everyone” is connected to the Internet?  Who should be the trusted third parties?  Should it be the government or the CAs?  Two ways to prove “trust” are the following:

Use of digital signatures which are trustable encryption (they are legal tender and can be used to verify your signature)

Distributed architecture such as smart cards (currently used in Europe; they can store your CA and your encryption keys)

 

Law of the Net

Since the Internet is not “owned” by any entity, government or commercial; who has the right to its jurisdiction and how laws are to be enforced, are some of the issues that need to be addressed.  Should it be enforced by elected officials, ISPs, Internet vigilantes (ex., anti-Spam groups) or other entities?  Who is responsible for outlining Netiquette?

In one example, a cryptography policy cases faced constitutional issues (regarding law enforcement and national security), privacy issues, export policies, and jurisdictional issues.  Cryptography policies address the implementation of digital signature and privacy policies.  One potential solution is the “Clipper Chip Solution”, designed by the Federal Government, it allows law enforcement officials to listen in on private conversations in electronic media.  It is a proposed system that addresses the idea that different organizations should hold the access keys to prevent abuse of access to information (ex., government has access to a wire tap, however another government agency must allow access before the wiretap access is granted).  One argument for mandatory key escrow is – What if the government had access to encrypted data that would have prevented the Oklahoma City bombing?  Shouldn’t the government have access to that data?

The Four Horsemen of the Apocalypse (Cypherpunks Version)

History has shown us that whenever there are new technologies, some of the first to use it are the “bad guys” such as nuclear terrorists, child pornographers, money launderers and drug dealers. 

 

NAS/NRC Crypto Policy Report Highlights

Some of the major NAS/NRC Crypto Policy Report highlights include addressing commercial use of cryptography, the exportation of cryptography, key escrow, and knowledge of classified material.  Specifically, the report provided the following:

Commercial use – Need to present the commercial use of technologies that can prevent unauthorized access to electronic information

Exportation – Should allow export of DES to provide an acceptable level of Internet security

Escrow – Its too premature to address mandatory key escrow

Classified material – Discussion about Crypto policy should be open to anyone and not require knowledge of classified information

 

Current Encryption Legislation

Current encryption legislation includes SAFE and Pro-Code, of which would both prevent mandatory key escrow by the government, not require an export license for public domain and ensure availability of encryption software. 

  As a class, we needed to think about confidentiality, the protection of data communications, the protection of privacy, the question of access to data other than the designated parties, and information integrity because we are not just building a home page, we are building a business.