Encryption and Globalization
Professor Peter Swire
IP Scholars Conference
Chicago
August 11, 2011
Overview
• Task: Update and explain why good encryption law/policy matters, 12 years after U.S. crypto wars ended
• Outline of paper:
  – India and China update
  – From wiretaps to the Internet
    • Importance of strong crypto to the Internet
  – 2 arguments for strong crypto in globalized setting
    • Crypto helps cybersecurity
    • Least trusted country problem
  – Answer 3 objections made by those who oppose strong crypto
  – A proposed way to reconcile CALEA (foster wiretaps) and strong crypto (limits effectiveness of wiretaps)
India
• 40 bit legal limit on key length, since 90s
• Mumbai attack, 2008
• RIM and newly vigorous enforcement
• Security agencies insist on ability to wiretap in real time
• Waiting for new policy
  – Maybe key escrow
  – Maybe new import license restrictions
China
• Encourage domestic crypto
  – Soft law that encryption ok only if it is not the “core function”
    • Microprocessors, PCs, mobile phones OK
    • VPNs are not OK, “core function” is crypto
    • Great uncertainty about meaning of “core function”
  – China is trying to require home-grown encryption for hardware and software
    • Lack of peer review to date of their algorithms
  – A goal appears to be to spread those algorithms throughout China and then into global supply chain
Background Part of Paper
• Paper gives background for those new to the debate:
  – Intro to wiretaps, for phone and online
  – Intro to encryption
    • Categories of attacks/vulnerabilities
  – History of crypto wars in the 1990s
    • Administration changed position in 1999, can export strong crypto
    • Lessons learned, apply to the globalized debate today
Internet as Insecure Channel
[Figure: Alice, Alice ISP, Bob ISP and Bob; the message “Hi Bob!” is shown as ciphertext while in transit.]
Internet: Many Nodes between ISPs
• Nodes: many, unknown, potentially malicious
• Weak encryption = many intercepts
[Figure: ciphertext shown at each of the many nodes between Alice and Bob.]
Problems with Weak Encryption
• Nodes between A and B can see and copy whatever passes through
• Brute force attacks became more effective due to Moore’s Law; 40 bits was already breakable in mid-90’s
• From a few telcos to many millions of nodes on the Internet
  – Hackers
  – Criminals
  – Foreign governments
  – Amateurs
• Strong encryption as feasible and correct answer
  – Scaled well for many applications (SSL, HTTPS, in chips) as Internet users went over one billion
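The brute-force bullet above can be made quantitative. The following is an added example, not material from the slides or the paper; the 1995 search rate and the 18-month doubling period are constructed assumptions, chosen only to show how key length and hardware growth trade off.

```python
import math

# Constructed model parameters (assumptions, not figures from the slides).
BASE_YEAR = 1995
BASE_RATE = 1e6          # keys/second an attacker can test in BASE_YEAR
DOUBLING_YEARS = 1.5     # assumed Moore's Law doubling period
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def rate_in(year):
    """Keys/second available in `year` under exponential hardware growth."""
    return BASE_RATE * 2 ** ((year - BASE_YEAR) / DOUBLING_YEARS)


def worst_case_days(bits, year):
    """Days to try every key of `bits` length at that year's (fixed) rate."""
    return 2 ** bits / rate_in(year) / SECONDS_PER_DAY


def year_searchable_in(bits, days):
    """Year in which the whole keyspace can first be searched within `days`."""
    needed_growth = 2 ** bits / (days * SECONDS_PER_DAY * BASE_RATE)
    return BASE_YEAR + DOUBLING_YEARS * math.log2(needed_growth)


def years_to_exhaust(bits, start_year):
    """Years to search the keyspace if the rate keeps doubling during the search.

    Solves: integral from 0 to T of r0 * 2**(t/D) dt = 2**bits, for T.
    """
    k = math.log(2) / DOUBLING_YEARS
    r0 = rate_in(start_year) * SECONDS_PER_YEAR   # keys per year at the start
    return math.log(1 + 2 ** bits * k / r0) / k


if __name__ == "__main__":
    for bits in (40, 56, 128):
        print(f"{bits:3d}-bit key: {worst_case_days(bits, BASE_YEAR):.3g} days in "
              f"{BASE_YEAR}; one-day search from {year_searchable_in(bits, 1):.0f}; "
              f"{years_to_exhaust(bits, BASE_YEAR):.3g} years with ongoing doubling")
```

Whatever base rate is assumed, each extra key bit costs the attacker one doubling period, so the 88 bits between a 40-bit and a 128-bit key correspond to 132 years of hardware growth in this model.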
I. Crypto Essential to Cybersecurity
• Public awareness of cybersecurity grown a lot since 1999
• Increasing importance of computing & thus cybersecurity
• Crypto deeply embedded in modern computing:
  – SSL, HTTPS, VPNs, Skype/VOIP, Bitlocker, etc.
• Offense is ahead of the defense
  – The world is our bad neighborhood
  – Defense and the weakest link problem
  – Crypto as perhaps the largest category for effective defensive
  – Don’t play cybersecurity with two hands tied behind your back
II. The Least Trusted Country Problem
• 1990’s Clipper chip debate
  – Many expressed lack of trust in government access to the keys
• Globalization and today’s encryption debate
  – What if a dozen or 50 countries with the keys, or enforced crypto limits?
  – What if your communications in the hands of your least trusted country?
    • India/Pakistan; China/Taiwan; Israel/Iran
  – Don’t create security holes in global Internet, especially for billions of people
Responses to Common Concerns
• “They” have a backdoor
• “Going dark” vs. “golden age of encryption”
  – Paper concludes the latter is more accurate
• Trade policy and domestic industry
Possible Topics for Questions/Discussion
• Lessons from the Crypto wars of the 1990’s
• Strong crypto and insecure channel of the Internet
• Crypto as important to cybersecurity
• Least trusted country problem
• Backdoors to “them” as excuse for limits on encryption
• Going dark vs. modern surveillance advantages
• Others?