Encryption Policy & Market Trends By Dorothy E. Denning, professor of Computer Science at Georgetown University Presented by Yves Lepouchard.


1 Encryption Policy & Market Trends By Dorothy E. Denning, professor of Computer Science at Georgetown University Presented by Yves Lepouchard

2 Outline
03 March 2000, Encryption Policy and Market Trends, CS551 Seminar – Software Security
- Driving forces (code making / code breaking)
- Market trends
- United States policy
- Foreign policies (OECD, France, UK, Japan)
- Conclusion

3 Driving Forces: Code Making
Code making = development of encryption products
1. protecting proprietary information from corporate and economic espionage,
2. protecting individual privacy,
3. protecting military, diplomatic secrets and information relating to criminal investigations,
4. preventing crimes which might be facilitated by eavesdropping,
5. selling encryption products and services,
6. pursuing the intellectual aspects of code making and advancing the state of the field.

4 Driving Forces: Requirements of Code Making
What do users want?
- strong, robust encryption
- easy to use and maintain
- encryption integrated into their application/network
- products that they can trust and which protect them from competitors
- must be cost effective
What do manufacturers want?
- build products at the lowest possible cost
- unencumbered by government regulations
What do researchers want?
- study encryption without constraints

5 Driving Forces: Code Breaking
Code breaking = acquiring access to the plaintext of encrypted data by some means other than the normal decryption process
1. protecting corporate information from loss,
2. protecting personal records from loss of keys,
3. acquiring the military and diplomatic secrets of foreign governments,
4. conducting lawful communication intercepts,
5. selling code breaking products and services to the owners of data and governments,
6. pursuing the intellectual aspects of code breaking,
7. testing whether one's own codes are strong.

6 Driving Forces: Dilemma of encryption
- National interests are served by both code making and code breaking
- governments vs. corporations and citizens
- national security and law enforcement vs. security, privacy and economic competitiveness
- Before: encryption performed by governments against foreign governments
- Now: the growth of e-commerce gives new reasons for corporations and governments to break domestic codes and for manufacturers to sell strong encryption products internationally

7 Market Trends: Global Proliferation
In December 1996, there were already:
- 1393 encryption products worldwide
- 823 (56%) in the USA
- 44% with the DES
- 862 companies in 68 countries
More than 100 million: the number of RSA crypto engines estimated for the first quarter of 1997
Fast expansion through the Internet from web sites which do not control exports

8 Market Trends: Application & Network Integration
Encryption is integrated into:
- software applications: word processors, database systems, web browsers …
- network protocols: IPSec, SSL, Secure Electronic Transactions
  -> to build secure network applications and VPN (Virtual Private Network) via tunneling
Integration is facilitated by Cryptographic Application Programming Interfaces (CAPIs):
- leave the low-level cryptographic algorithms to software cryptographic engines,
- used to build higher-level APIs (e.g. authentication, certificate management …)

9 Market Trends: Multiple methods & Interoperability
Software supporting:
- multiple methods of encryption (66-bit DES, 40-bit RC4 …)
- multiple public-key certificate formats
- multiple protocols
- key recovery or not
Interoperability between products:
- protocols negotiating to find the strongest method they have in common, or leave the choice to the user
- useful for the encrypted communication between domestic and exportable methods (global interoperability)
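The negotiation described on slide 9, as an added example that is not part of the original presentation: two products pick the strongest method they share, and the user's choice is modelled as a minimum key length and a refusal of key recovery. The method lists, the `Method` type and the tie-break rule are constructed assumptions.

```python
from typing import List, NamedTuple, Optional


class Method(NamedTuple):
    name: str
    key_bits: int
    key_recovery: bool  # True if the method archives keys for recovery


# Constructed sample capability lists (not taken from any real product).
DOMESTIC = [
    Method("3DES", 168, False),
    Method("3DES", 168, True),
    Method("RC4", 128, False),
    Method("RC4", 40, False),
]
EXPORTABLE = [Method("3DES", 168, True), Method("RC4", 40, False)]
DOMESTIC_PEER = [Method("3DES", 168, False), Method("RC4", 128, False)]


def negotiate(ours: List[Method], theirs: List[Method],
              min_bits: int = 0,
              allow_recovery: bool = True) -> Optional[Method]:
    """Return the strongest method both sides support, or None.

    min_bits and allow_recovery are the local user's policy: a shared
    method that violates them is refused instead of silently accepted.
    """
    common = set(ours) & set(theirs)
    acceptable = [
        m for m in common
        if m.key_bits >= min_bits and (allow_recovery or not m.key_recovery)
    ]
    if not acceptable:
        return None
    # Assumed tie-break: at equal strength prefer the non-recovery variant.
    return max(acceptable,
               key=lambda m: (m.key_bits, not m.key_recovery, m.name))


if __name__ == "__main__":
    print(negotiate(DOMESTIC, DOMESTIC_PEER))
    print(negotiate(DOMESTIC, EXPORTABLE))
    print(negotiate(DOMESTIC, EXPORTABLE, allow_recovery=False))
    print(negotiate(DOMESTIC, EXPORTABLE, min_bits=128, allow_recovery=False))
```

With these lists, interoperating with the exportable product means either accepting key recovery or falling back to 40 bits; a user who refuses both gets no session.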

10 Market Trends: Key length
Key lengths are far in excess of what could be cracked (brute force infeasible)
Reasons why such long keys are used:
- advances in computer technology continually reduce the security afforded by any given key,
- performance degradation is not consequential,
- public perception,
- much faster algorithms for factoring.
Key length is not the only factor in the strength of an algorithm:
- Paul Kocher showed that under suitable conditions, a key could be cracked by observing the time it took to decrypt or sign with that key.
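Why key length alone does not settle strength, as an added example that is not part of the original presentation: two exponents of the same length cost a different number of multiplications under plain square-and-multiply, while a fixed-length ladder does the same work for both. The modulus, base and exponents are constructed values, and the multiplication count stands in for running time as an assumption.

```python
def square_and_multiply(base: int, exp: int, mod: int):
    """Left-to-right binary exponentiation.

    Returns (result, multiplications). The extra multiply happens only
    for 1-bits, so the work depends on the secret exponent's bits.
    """
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        ops += 1
        if bit == "1":
            result = (result * base) % mod
            ops += 1
    return result, ops


def montgomery_ladder(base: int, exp: int, mod: int, bits: int):
    """Fixed-length ladder: two multiplications per bit, whatever its value.

    Only the operation count is made uniform here; real constant-time
    code must also avoid secret-dependent branches and memory access.
    """
    r0, r1, ops = 1, base % mod, 0
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        ops += 2
    return r0, ops


# Constructed sample values: same key length (16 bits), different bit patterns.
MOD, BASE = 1000003, 5
SPARSE_KEY, DENSE_KEY = 0x8001, 0xFFFF

if __name__ == "__main__":
    for key in (SPARSE_KEY, DENSE_KEY):
        _, naive_ops = square_and_multiply(BASE, key, MOD)
        _, ladder_ops = montgomery_ladder(BASE, key, MOD, 16)
        print(hex(key), "naive:", naive_ops, "ladder:", ladder_ops)
```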

11 Market Trends: Key recovery
Key recovery = a feature of encryption products which protects users from lost or damaged keys
- different approaches, all involve archiving individual or master keys with officers of the organization or with a trusted third party
- other uses of key recovery: corporate-wide key recovery mechanisms for all encrypted data
  -> enable criminal investigations of employees
- less user demand with systems used only for transient communication (not stored data)

12 USA Policy: Clinton Administration Initiatives (1)
- encryption policy based on key recovery,
- liberalization of export controls for products that provide key recovery
Steps of this gradual liberalization:
- 1993: Clipper chip
- August 1995: 64-bit software encryption allowed for exports when combined with an acceptable key recovery system
- End of 1996: speeding up of the process
  -> no longer need a key recovery system for exports but just a plan for implementing it
  -> encryption products no longer classified as munitions and jurisdiction transferred to the Department of Commerce

13 USA Policy: Clinton Administration Initiatives (2)
Immediate consequences of these new rules:
- Formation of an alliance under the CSPP (Computer Systems Policy Project), to define an industry-led standard for flexible cryptographic key recovery.
- January 1997: 48 companies had joined the CSPP
- Creation of a President's Export Council Subcommittee on Encryption
- May 1997: exports of non-recoverable encryption with unlimited key length for products related to financial transactions and commercial products

14 USA Policy: Clinton Administration Initiatives (3)
Bill of the Clinton Administration: to promote the establishment of a Key Management Infrastructure (KMI)
- KMI would issue and manage certificates for users' public keys,
- registration of certificate authorities (CA) and key recovery agents (KRA) wishing to participate in the KMI
- specifications of the conditions of the recovery of information
- requirements of minimum standards of security and performance for CAs and KRAs registered under the act

15 USA Policy: Challenges to the Clinton Administration's bill
- Feb 1997: 3 bills introduced in the 2nd session of the 104th Congress to liberalize export controls on encryption
- these bills would all lift export controls
- The CSPP estimated that as much as $60 billion in revenues was at stake by the year 2000
- The NRC (National Research Council) agreed that export controls should be released
- Challenges to the constitutionality of export controls: 3 lawsuits
- example of the Electronic Frontier Foundation against the State Department in February 1995

16 USA Policy: Updates: liberalization!
- Regulation in force in 1999: see "Easy Guide to Encryption Export Controls" by Dorothy E. Denning and William E. Baugh, Jr., September 25, 1999
  -> complex and confusing
- September 16, 1999: administration's announcement of plans to release a new policy to liberalize export controls
- January 14, 2000: The Department of Commerce announced the amendment of the EAR to "allow the export and reexport of any encryption commodity or software to individuals, commercial firms, and other non-government end-users in all destinations" (source www.cdt.org)

17 Foreign Policies: OECD policy
OECD = Organization for Economic Cooperation and Development
The OECD has issued guidelines for cryptography:
1. trust in cryptographic methods
2. choice of cryptographic methods
3. market driven development of these methods
4. standards for cryptographic methods
5. protection of privacy and personal data
6. lawful access (however national policies must respect the other principles)
7. liability protection
8. international cooperation

18 Foreign Policies: Foreign policies
France:
- licenses still needed for all imports and exports
- domestic regulation: licensing or keys must be escrowed with government-approved key holders
United Kingdom:
- Project of Trusted Third Parties providing encryption to the general public
- No regulation of private use of encryption
Japan:
- has tightened its export controls
- Hitachi/Fujitsu plan to jointly develop key recovery technology in conformance with US policy

19 Conclusion (1)
- encryption is spreading worldwide
- encryption is becoming a standard feature of applications
- international interoperability despite export controls
- key lengths prevent brute force cracking
- trend to provide emergency decryption through a key recovery system
- key recovery can be a potential solution to the encryption dilemma
- the former Clinton Administration's policy was:
  - to leave the US domestic market unregulated
  - to ease export controls with acceptable key recovery

20 Conclusion (2)
- this position had been challenged both by Congressional bills and lawsuits
- Dorothy E. Denning thought that key recovery services could become standard business practice by:
  - implementation of strong safeguards to protect organizations and individuals from improper use of key recovery systems
  - multilateral agreements between countries which could allow any government to conduct an investigation within its jurisdiction even when the keys needed for decryption are held outside its borders.

21 Conclusion: Updates
- CSPP (www.cspp.org) applauded the decision of the Administration, supposed to "reassert U.S. leadership in Internet security" and "to bring about a world of near universal encryption"
- From "The Risks of Key Recovery, Key Escrow & Trusted Third Party Encryption" of the Center For Democracy & Technology (www.cdt.org/crypto/risks98/): as of mid-1998, although "efforts have been made over the last year to design key recovery systems for commercial purposes", no substantive solution addressing this feature in a satisfactory and safe way has been implemented

22 Questions?
What is your opinion about encryption exports? Controlled or liberalized?

