The Politics of Crypto
Brian A. LaMacchia
[email protected] (microsoft.com)

Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.
March 7, 2006, Practical Aspects of Modern Cryptography

Why Talk About Crypto Politics?
- You can’t really avoid the political aspects of crypto, especially if you’re trying to ship a product that depends on good crypto
  - In the past, the regulations have been so complex & time consuming that companies had dedicated individuals/departments for dealing with regs.
- Often public pronouncements don’t match reality
  - Just because a government body says “crypto is freely exportable” doesn’t make it so

Topics in Crypto Politics
- Export Controls
- Key Escrow
  - The Clipper Chip
- Copyright and the DMCA

Caveats...
- I’m going to present a U.S.-centric view of the issues
  - Each country deals differently with these issues, but the U.S. typically leads in this policy area
- These are national issues – nation-states are still important to the discussion
- Much of what we have learned about the history of export controls has come from FOIA requests
  - The government doesn’t like to give answers...

Export Controls in the U.S.
- In the beginning, cryptographic hardware and software were considered “munitions” by the U.S. government.
  - Export of crypto was covered by the same set of regulations that covered the export of other munitions, like nuclear weapons, missiles, and the equipment that is used to make them
  - These regulations were known as ITAR (International Traffic in Arms Regulations).

Export Controls (cont.)
- Under ITAR, all exports of crypto required a license
  - If you were exporting “weak crypto” you could get a license.
  - “Strong crypto” couldn’t be exported at all.
  - “Crypto with a hole” couldn’t be exported either.
- The distinction between “weak” and “strong” was generally based on bit-length of the secret key or public key modulus

Crypto Export/Import Controls
- The export of cryptography is currently restricted by the U.S. BXA (Commerce Dept. Bureau of Export Administration)
  - Until January 2000, couldn’t export symmetric ciphers using keys > 56 bits in length.
- Jan 2000: Clinton administration rewrote the regulations
  - “ITAR” became “EAR”, and the regulations got a bit “looser” but they still exist
  - You can (generally speaking) export “strong crypto” without a specific product license

Current Export Regulations
- “Monolithic applications” can export strong cryptography in binary form simply by sending the BXA a piece of e-mail
  - Example: secure e-mail client, web browser
- “Crypto libraries” can be exported under an “open source” exemption, if they qualify
- “Crypto with a hole” in commercial products is still tightly controlled

Example: Windows XP
- Windows XP ships with “strong crypto” baked in & enabled
  - RSA to 4096 bits, TripleDES, etc.
- Windows XP is exportable because it’s a “monolithic application”
- CryptoAPI, the Win32 crypto library that was designed to support plug-able “cryptographic service providers” is not freely exportable
  - If you want to plug into CryptoAPI, you need a license...

The Regs are Still Ambiguous
- In the .NET Framework, we have a class library for cryptography…
- It took BXA (really, NSA) 18 months to tell us what the rules were regarding export of our class library…

.NET FX Crypto Object Model
[Diagram: class hierarchy]
- Abstract base class: SymmetricAlgorithm
- Abstract algorithm classes: TripleDES, Rijndael, RC2
- Algorithm implementation classes: TripleDESCryptoServiceProvider (CryptoAPI), RijndaelManaged (C#), RC2CryptoServiceProvider (CryptoAPI)

The Regs are Still Ambiguous
- In the .NET Framework, we have a class library for cryptography…
- It took BXA (really, NSA) 18 months to tell us what the rules were regarding export of our class library…
  - We could open up & let people subclass the bottom abstract classes (like RSA) without a license
  - Opening up AsymmetricAlgorithm was not allowed without an explicit license
- Solution? Open source the code!

Key Escrow
- The general topic of “key escrow” is about archiving copies of private keys with third parties.
  - This is also sometimes called “key archival”
  - When the government is the archive, this is GAK (Government Access to Keys)
- There are legitimate cases where you might need a key escrow scheme
  - Stored data recovery in case of accident/loss/termination of employment

Key Escrow
- There are no legitimate cases (at least from a commercial perspective) for archival of secret session keys.
  - If the data didn’t get transmitted correctly during the session, send it again
- Governments care about session encryption key recovery
  - Want to preserve their wiretapping capabilities
  - Government spent a lot of time trying to convince businesses that the needs of stored data recovery & session key recovery were the same

Digital Telephony
- In the U.S., the digitization of the nation’s telephone system was seen by law enforcement as a threat to their ability to conduct wiretaps
  - In the analog world, you just go tap a pair of wires
  - In the digital world, you need to sift out the right bits from the optical fiber.
  - Even if you find the bits, they could be encrypted!

The Clipper Chip
- US Government attempt to “stimulate” the market for “voluntary” key escrow equipment
  - Contracted w/ AT&T to produce “Clipper phones” for government use
  - Phones would also be available for non-government use
  - Encryption keys could be accessed through the “Law Enforcement Access Field” (LEAF) in the protocol

How Clipper Worked
- Clipper was implemented in a tamper-resistant hardware device (a single chip)
  - Each chip was numbered and had a separate per-chip secret that was also held by a “trusted agency” (read: US Gov’t)
- Per-session keys were encrypted with a Clipper family key and the per-chip key, and sent along as part of the data stream
- Someone listening in on the conversation would see enough information to identify the chip used to encrypt, find the per-chip key, and recover the session key

How Clipper Worked (2)
- 128-bit LEAF contains session key encrypted with family and per-chip keys
[Diagram: LEAF layout] EncrF( ChipID (32 bits) | EncrC(Session Key) (80 bits) | Checksum (16 bits) ); per-chip keys are held in the Key DB

Clipper in Operation
- Other party & third-party decrypt LEAF with the family key
- Both parties check the checksum to detect bogus LEAF
  - Bogus LEAF → chip turns off, refuses to decrypt
- Third party looks up chip key in DB to decrypt session key

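The LEAF flow from the three Clipper slides above, as an added example that is not part of the original deck or of any real Clipper code. Assumptions: a small Feistel construction stands in for SKIPJACK, the checksum (classified in the real chip) is taken to be a truncated HMAC over the LEAF fields, and all keys, the chip ID and the function names are constructed for illustration.

```python
import hashlib
import hmac

def _f(key, rnd, half):
    # Feistel round function: HMAC-SHA256 truncated to the half-block width.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encr(key, block):
    """Keyed permutation on an even-length block (stand-in for SKIPJACK)."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decr(key, block):
    """Inverse of encr(): undo the four rounds in reverse order."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def checksum(session_key, chip_id, wrapped):
    # ASSUMPTION: the real checksum function was classified. Here it is a
    # 16-bit truncated HMAC keyed with the session key both parties share.
    return hmac.new(session_key, chip_id + wrapped, hashlib.sha256).digest()[:2]

def make_leaf(family_key, chip_id, chip_key, session_key):
    """Sender's chip: EncrF(ChipID | EncrC(session key) | checksum)."""
    wrapped = encr(chip_key, session_key)                 # 80 bits
    body = chip_id + wrapped + checksum(session_key, chip_id, wrapped)
    return encr(family_key, body)                         # 32+80+16 = 128 bits

def chip_accepts(family_key, leaf, session_key):
    """Receiver's chip: decrypt with the family key, verify the checksum.
    It cannot unwrap the session key; it only refuses to run on a bogus LEAF."""
    body = decr(family_key, leaf)
    chip_id, wrapped, tag = body[:4], body[4:14], body[14:]
    return hmac.compare_digest(tag, checksum(session_key, chip_id, wrapped))

def escrow_recover(family_key, key_db, leaf):
    """Third party: family key exposes the ChipID, the DB supplies the chip key."""
    body = decr(family_key, leaf)
    chip_id, wrapped = body[:4], body[4:14]
    return chip_id, decr(key_db[chip_id], wrapped)

# Constructed sample values, not real Clipper material.
FAMILY_KEY = bytes.fromhex("00112233445566778899")
CHIP_ID = bytes.fromhex("0000002a")
CHIP_KEY = bytes.fromhex("a1a2a3a4a5a6a7a8a9aa")
KEY_DB = {CHIP_ID: CHIP_KEY}
SESSION_KEY = bytes.fromhex("5e5510ffee0123456789")

if __name__ == "__main__":
    leaf = make_leaf(FAMILY_KEY, CHIP_ID, CHIP_KEY, SESSION_KEY)
    print("LEAF:", leaf.hex())
    print("receiver accepts:", chip_accepts(FAMILY_KEY, leaf, SESSION_KEY))
    print("escrow recovers:", escrow_recover(FAMILY_KEY, KEY_DB, leaf)[1].hex())
```

escrow_recover needs nothing from either party: the family key and the ChipID carried in every LEAF are enough to select the escrowed chip key. With only 16 bits of checksum, a LEAF of arbitrary content passes the receiver's check with probability 2^-16.
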
Clipper Weaknesses
- The 80-bit session key was too small
- The symmetric cipher (SKIPJACK) was classified; no public scrutiny
  - Later, a “panel of outside experts” was allowed to look at it for a day
  - Even later, after Clipper failed, SKIPJACK was declassified
- 16-bit checksum could be defeated (Blaze ’94)
- ChipID tagged every single communication

Opposition to Clipper
- Opposition to Clipper was widespread
  - The US Gov’t proposed it as the federal Escrowed Encryption Standard and rammed it through NIST into FIPS 185 in Feb ’94
  - During the public comment period, 300 comments received, only 2 supported it
- No one bought Clipper
  - AT&T shut down its product line, offered leftover phones to employees to get rid of them
- Oddly, the proposal probably did more to galvanize the strong-crypto community than anything else

Copyright
- More recently, cryptography has become an issue in the area of copyright.
- Why?
  - The rise of digital rights management (DRM) systems, all of which are based on strong crypto.
  - Break the crypto, break the DRM…

Copyright & DRM
- Digital Rights Management (DRM) technologies limit access to digital intellectual property.
  - Example: A DRM-protected e-book might let you read the book only a fixed number of times.
  - Example: A DRM-protected streaming audio player could charge you based on bandwidth & content.
- Major issues:
  - How restrictive can a DRM be?
  - How restrictive should a DRM be?
  - How do DRMs interact with “fair use” and other copyright rights reserved to the public?

Digital Millennium Copyright Act (DMCA)
- Characterized by proponents as a “small, technical” change to US copyright law
  - In reality, made major, sweeping provisions to the rules regarding digital content
- Incorporated into U.S. law at 17 USC 1201 et seq.
  - “No person shall circumvent a technological measure that effectively controls access to a work protected under [copyright]…”

Anti-Circumvention Measures
- The DMCA made it a crime to circumvent a “technological measure that effectively controls access to a work”
  - “A technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information…with the authority of the copyright owner, to gain access to the work.”
- Limited exemptions for
  - Encryption research
  - Reverse-engineering computer programs for interoperability.

DMCA cases/issues (1)
- DeCSS
  - DVDs are encrypted. In order to play a DVD, a licensed DVD player must first authenticate to the DVD disk.
  - DeCSS is a program that removes/bypasses the encryption, allowing the DVD to be played on an “unlicensed” player, such as a Linux box.
  - MPAA sued, claiming DMCA violations
  - Upheld in NY

DMCA cases/issues (2)
- Blizzard v. BNetD
- Felten v. RIAA
- Macrovision v. 321 Studios
- MGM v. 321 Studios
- US v. Sklyarov
- Lexmark v. Static Control
- Chamberlain v. Skylink