
Date post: 13-Dec-2015
Page 1: The Politics of Crypto Brian A. LaMacchia bal@cs.washington.edu bal@microsoft.com Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

The Politics of Crypto

Brian A. LaMacchia
bal@cs.washington.edu
bal@microsoft.com

Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

Page 2

March 7, 2006, Practical Aspects of Modern Cryptography

Why Talk About Crypto Politics?

- You can’t really avoid the political aspects of crypto, especially if you’re trying to ship a product that depends on good crypto
  - In the past, the regulations have been so complex & time consuming that companies had dedicated individuals/departments for dealing with regs.
- Often public pronouncements don’t match reality
  - Just because a government body says “crypto is freely exportable” doesn’t make it so

Page 3

Topics in Crypto Politics

- Export Controls
- Key Escrow
  - The Clipper Chip
- Copyright and the DMCA

Page 4

Caveats...

- I’m going to present a U.S.-centric view of the issues
  - Each country deals differently with these issues, but the U.S. typically leads in this policy area
- These are national issues – nation-states are still important to the discussion
- Much of what we have learned about the history of export controls has come from FOIA requests
  - The government doesn’t like to give answers...

Page 5

Export Controls in the U.S.

- In the beginning, cryptographic hardware and software were considered “munitions” by the U.S. government.
  - Export of crypto was covered by the same set of regulations that covered the export of other munitions, like nuclear weapons, missiles, and the equipment that is used to make them
- These regulations were known as ITAR (International Traffic in Arms Regulations).

Page 6

Export Controls (cont.)

- Under ITAR, all exports of crypto required a license
  - If you were exporting “weak crypto” you could get a license.
  - “Strong crypto” couldn’t be exported at all.
  - “Crypto with a hole” couldn’t be exported either.
- The distinction between “weak” and “strong” was generally based on bit-length of the secret key or public key modulus

Page 7

Crypto Export/Import Controls

- The export of cryptography is currently restricted by the U.S. BXA (Commerce Dept. Bureau of Export Administration)
  - Until January 2000, couldn’t export symmetric ciphers using keys > 56 bits in length.
- Jan 2000: Clinton administration rewrote the regulations
  - “ITAR” became “EAR”, and the regulations got a bit “looser” but they still exist
- You can (generally speaking) export “strong crypto” without a specific product license

Page 8

Current Export Regulations

- “Monolithic applications” can export strong cryptography in binary form simply by sending the BXA a piece of e-mail
  - Example: secure e-mail client, web browser
- “Crypto libraries” can be exported under an “open source” exemption, if they qualify
- “Crypto with a hole” in commercial products is still tightly controlled

Page 9

Example: Windows XP

- Windows XP ships with “strong crypto” baked in & enabled
  - RSA to 4096 bits, TripleDES, etc.
- Windows XP is exportable because it’s a “monolithic application”
- CryptoAPI, the Win32 crypto library that was designed to support plug-able “cryptographic service providers” is not freely exportable
  - If you want to plug into CryptoAPI, you need a license...

Page 10

The Regs are Still Ambiguous

- In the .NET Framework, we have a class library for cryptography…
- It took BXA (really, NSA) 18 months to tell us what the rules were regarding export of our class library…

Page 11

.NET FX Crypto Object Model

[Figure: class hierarchy diagram]
Abstract Base Class: SymmetricAlgorithm
Abstract Algorithm Classes: TripleDES, Rijndael, RC2
Algorithm Implementation Classes: TripleDESCryptoServiceProvider (CryptoAPI), RijndaelManaged (C#), RC2CryptoServiceProvider (CryptoAPI)

Page 12

The Regs are Still Ambiguous

- In the .NET Framework, we have a class library for cryptography…
- It took BXA (really, NSA) 18 months to tell us what the rules were regarding export of our class library…
- We could open up & let people subclass the bottom abstract classes (like RSA) without a license
- Opening up AsymmetricAlgorithm was not allowed without an explicit license
- Solution? Open source the code!

Page 13

Key Escrow

- The general topic of “key escrow” is about archiving copies of private keys with third parties.
  - This is also sometimes called “key archival”
  - When the government is the archive, this is GAK (Government Access to Keys)
- There are legitimate cases where you might need a key escrow scheme
  - Stored data recovery in case of accident/loss/termination of employment

Page 14

Key Escrow

- There are no legitimate cases (at least from a commercial perspective) for archival of secret session keys.
  - If the data didn’t get transmitted correctly during the session, send it again
- Governments care about session encryption key recovery
  - Want to preserve their wiretapping capabilities
- Government spent a lot of time trying to convince businesses that the needs of stored data recovery & session key recovery were the same

Page 15

Digital Telephony

- In the U.S., the digitization of the nation’s telephone system was seen by law enforcement as a threat to their ability to conduct wiretaps
  - In the analog world, you just go tap a pair of wires
  - In the digital world, you need to sift out the right bits from the optical fiber.
  - Even if you find the bits, they could be encrypted!

Page 16

The Clipper Chip

- US Government attempt to “stimulate” the market for “voluntary” key escrow equipment
  - Contracted w/ AT&T to produce “Clipper phones” for government use
  - Phones would also be available for non-government use
  - Encryption keys could be accessed through the “Law Enforcement Access Field” (LEAF) in the protocol

Page 17

How Clipper Worked

- Clipper was implemented in a tamper-resistant hardware device (a single chip)
  - Each chip was numbered and had a separate per-chip secret that was also held by a “trusted agency” (read: US Gov’t)
- Per-session keys were encrypted with a Clipper family key and the per-chip key, and sent along as part of the data stream
- Someone listening in on the conversation would see enough information to identify the chip used to encrypt, find the per-chip key, and recover the session key

Page 18

How Clipper Worked (2)

- 128-bit LEAF contains session key encrypted with family and per-chip keys

[Figure: LEAF layout. Encr_F( ChipID, 32 bits | Encr_C(Session Key), 80 bits | Checksum, 16 bits ); the figure also shows a Key DB]

Page 19

Clipper in Operation

- Other party & third-party decrypt LEAF with the family key
- Both parties check the checksum to detect bogus LEAF
  - Bogus LEAF → chip turns off, refuses to decrypt
- Third party looks up chip key in DB to decrypt session key
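
The LEAF flow from the three Clipper slides above, as an added example that is not part of the original deck: it builds the 128-bit LEAF (32-bit ChipID, 80-bit session key encrypted under the per-chip key, 16-bit checksum, all encrypted under the family key), then runs the receiver's checksum check and the escrow lookup. SKIPJACK is replaced by a small HMAC-based Feistel stand-in, and the checksum formula, key values and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Field sizes from the slide: 32 + 80 + 16 = 128 bits.
CHIP_ID_LEN, SESSION_KEY_LEN, CHECKSUM_LEN = 4, 10, 2


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to the half-block length.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:len(half)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Stand-in block cipher (NOT SKIPJACK): balanced Feistel, even-length blocks."""
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for i in range(rounds):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def toy_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def checksum(session_key: bytes, chip_id: bytes) -> bytes:
    # Assumed formula: the real checksum function is not given on the slides.
    # It must depend only on values the receiving chip knows.
    return hashlib.sha256(session_key + chip_id).digest()[:CHECKSUM_LEN]


def make_leaf(family_key, chip_id, chip_key, session_key) -> bytes:
    """Encr_F( ChipID | Encr_C(session key) | checksum ), 16 bytes in total."""
    inner = toy_encrypt(chip_key, session_key)
    return toy_encrypt(family_key, chip_id + inner + checksum(session_key, chip_id))


def receiver_accepts(family_key, leaf, session_key) -> bool:
    """The other party's chip: open the LEAF, refuse to decrypt on a bad checksum."""
    plain = toy_decrypt(family_key, leaf)
    chip_id, tag = plain[:CHIP_ID_LEN], plain[-CHECKSUM_LEN:]
    return hmac.compare_digest(tag, checksum(session_key, chip_id))


def escrow_recover(family_key, key_db, leaf):
    """The third party: family key reveals ChipID, the DB supplies the chip key."""
    plain = toy_decrypt(family_key, leaf)
    chip_id = plain[:CHIP_ID_LEN]
    inner = plain[CHIP_ID_LEN:CHIP_ID_LEN + SESSION_KEY_LEN]
    chip_key = key_db.get(chip_id)
    if chip_key is None:
        return chip_id, None  # unknown chip: nothing to recover
    return chip_id, toy_decrypt(chip_key, inner)


if __name__ == "__main__":
    # Constructed sample values, not real Clipper keys.
    family_key = b"constructed-family-key"
    chip_id = bytes.fromhex("0000002a")
    key_db = {chip_id: b"constructed-chip-key"}
    session_key = bytes(range(SESSION_KEY_LEN))

    leaf = make_leaf(family_key, chip_id, key_db[chip_id], session_key)
    print("LEAF:", leaf.hex(), f"({len(leaf) * 8} bits)")
    print("receiver accepts:", receiver_accepts(family_key, leaf, session_key))
    print("escrow recovers:", escrow_recover(family_key, key_db, leaf))
```

The ChipID comes out of every LEAF with nothing more than the family key, which is the tagging concern listed on the weaknesses slide.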

Page 20

Clipper Weaknesses

- The 80-bit session key was too small
- The symmetric cipher (SKIPJACK) was classified; no public scrutiny
  - Later, a “panel of outside experts” was allowed to look at it for a day
  - Even later, after Clipper failed, SKIPJACK was declassified
- 16-bit checksum could be defeated (Blaze ’94)
- ChipID tagged every single communication

Page 21

Opposition to Clipper

- Opposition to Clipper was widespread
  - The US Gov’t proposed it as the federal Escrowed Encryption Standard and rammed it through NIST into FIPS 185 in Feb ’94
  - During the public comment period, 300 comments received, only 2 supported it
- No one bought Clipper
  - AT&T shut down its product line, offered leftover phones to employees to get rid of them
- Oddly, the proposal probably did more to galvanize the strong-crypto community than anything else


Page 23

Copyright

- More recently, cryptography has become an issue in the area of copyright.
- Why?
  - The rise of digital rights management (DRM) systems, all of which are based on strong crypto.
  - Break the crypto, break the DRM…

Page 24

Copyright & DRM

- Digital Rights Management (DRM) technologies limit access to digital intellectual property.
  - Example: A DRM-protected e-book might let you read the book only a fixed number of times.
  - Example: A DRM-protected streaming audio player could charge you based on bandwidth & content.
- Major issues:
  - How restrictive can a DRM be?
  - How restrictive should a DRM be?
  - How do DRMs interact with “fair use” and other copyright rights reserved to the public?

Page 25

Digital Millennium Copyright Act (DMCA)

- Characterized by proponents as a “small, technical” change to US copyright law
  - In reality, made major, sweeping provisions to the rules regarding digital content
- Incorporated into U.S. law at 17 USC 1201 et seq.
  - “No person shall circumvent a technological measure that effectively controls access to a work protected under [copyright]…”

Page 26

Anti-Circumvention Measures

- The DMCA made it a crime to circumvent a “technological measure that effectively controls access to a work”
  - “A technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information…with the authority of the copyright owner, to gain access to the work.”
- Limited exemptions for
  - Encryption research
  - Reverse-engineering computer programs for interoperability.

Page 27

DMCA cases/issues (1)

- DeCSS
  - DVDs are encrypted. In order to play a DVD, a licensed DVD player must first authenticate to the DVD disk.
  - DeCSS is a program that removes/bypasses the encryption, allowing the DVD to be played on an “unlicensed” player, such as a Linux box.
  - MPAA sued, claiming DMCA violations
  - Upheld in NY

Page 28

DMCA cases/issues (2)

- Blizzard v. BNetD
- Felten v. RIAA
- Macrovision v. 321 Studios
- MGM v. 321 Studios
- US v. Sklyarov
- Lexmark v. Static Control
- Chamberlain v. Skylink

