Internet and Information

Security
The industry of computer and information
security is thriving

(c) 2004 West Legal S

Challenges of Internet and

Information Security
In 2000, 2 Billion users and 200 million
computers. (U.S. Computer Emergency
Response Team)
Global interconnection of computers
overwhelms any individual countrys
efforts to completely secure computers
and networks.
Commerce is impeded by security
(c) 2004 West Legal S

People want privacy - but the

internet is one big party line.

(c) 2004 West Legal S

Goals of Security of Computers,

Systems, and Information
Confidentiality - keep certain information
private - no unauthorized party gets in or
lets information out
Authenticity - make sure of who you are
talking to
Integrity - make sure unauthorized
changes are not made to the information
(c) 2004 West Legal S

Balance the Goals of Security

Against Usability and
Government Over-Control
Security cant make it is so hard to use
that people will not use the system or the
data
Some think security shouldnt make it
impossible for the government to insure
that the internet is not used for illegal
purposes (for, example, terrorism)
(c) 2004 West Legal S

Top Security Products

Firewalls
Access Controls
Encryption
Client/Server security
LAN/WAN Security
Web Security
Network/Communications Security
Disaster Recovery
Email Security
Mainframe Security
(c) 2004 West Legal S

Firewalls
Moat with gateways
VPNs = private intranets and networks that
the public cannot get to
Offers protection from outside, but not from
inside security breaches
Firewall may be defective = liability

(c) 2004 West Legal S

Access Control
Checkpoints
Password Protection/Script-based Single
Sign-On (SSO)
Certificate Authorities and Digital Certificates
Attribute certificates can be created to allow
access to only certain parts of data
Biometrics
Tokens
(c) 2004 West Legal S

Checkpoints
Checkpoints along the way while traveling
into and out of the secure area
Secure data and information as it is being
transmitted

(c) 2004 West Legal S

Password Protection/Script-based
Single Sign-On (SSO)
People forget the passwords
SSO usually not usable between external
users such as clients and business
partners.

(c) 2004 West Legal S

10

Certificate Authorities and Digital

Certificates
Certificate Authorities issue and manage
digital Ids or passports
Only those who can authenticate their
identities and authority through the Certificate
Authorities may access the secure data

Attribute Certificates
can be created to allow access to only certain
parts of data
(c) 2004 West Legal S

11

Biometrics
Authenticates users by employing
technologies that capture human
characteristics for identification purposes:
face, iris, voice, or signature, fingerprints
or retinas, palm prints, hand or finger
geometry, and DNA

(c) 2004 West Legal S

12

Other Security Measures

Tokens = digipasses, hand-held password, fits into computer

Smart cards = digital credentials, but can also store and retrieve data,
contains and imbedded processor and operating systems = used in
telephones

Holography = holographic images embossed or incorporated into a

photopolymer process - hidden or apparent - hot-stamped foil rainbow-colored
wrappers

Processor serial numbers - the serial numbers of that particular computer

authenticate the information, and information can be traced back to that
particular computer

Time-stamping digital signature

Electronic signatures

(c) 2004 West Legal S

13

Cryptography
Private Key Encryption : System of coding and
then de-coding the message
Encrypt the plaintext by use of a mathematical
algorithm and stores it in ciphertext. Then transmit.
Then de-code it or decrypt it back into plaintext after
transmission.
Need the same key to decode it - to solve the
mathematical algorithm and reassemble the message
(c) 2004 West Legal S

14

Cryptography- Originally Used to

Transmit Classified Military
Information

It was originally classified as munitions under

the State Departments Office of Defense Trade
Controls.
Government totally controlled cryptography and
possessed all of the keys to decode information.
Government used private key or symmetric
encryption in which same key is used to code
and decode.
(c) 2004 West Legal S

15

U.S. Govt.. Adopted Data

Encryption Standard (DES) in 1977
Standard encryption algorithm for many official
applications.

Replaced by Advance Encryption Standard

(AES)
Originally created by IBM which encrypted plain text
into blocks of 64 bits with 56-bit keys.
One supplier and many users = The government
could dispense and keep track of the keys.
If the key gets out, there is no security.
Now used are 512-bit strength encryption programs
and 1024-bit programs soon
(c) 2004 West Legal S

16

Cryptography Began to be Used in

Commercial Transactions
President Clinton: Executive order 13026
(61 Federal Register 58767 (1996)
transferred jurisdiction of commercial
cryptography to the Commerce
Department

(c) 2004 West Legal S

17

Public Key/ Private Key Encryption

1976 Cryptographers Duffie and Hellman invented public
key/private key theory
the theory that it is possible for someone to announce
the precise method of coding a message while at the
same time retaining a secret private key for decoding it.
3 mathematicians patented their RSA-Algorithm, the
public asymmetrical two-key encryption system in use
today.
the sender and receiver do not share the same key,
the parties use their own keys that are mathematically
related, but not discoverable to each other.
Government does not have control
(c) 2004 West Legal S

18

Encryption and Decryption

Have become extremely strong or secure
through the complexity, and thus the key length,
through the introduction of more bits.
Is behind the PKI technology and Secure
Electronic Transactions (SETs) used by business
today
Can post material on a public website that it can
only be available to certain users
(c) 2004 West Legal S

19

Constitutional Amendments Issues

1st amendment: is cryptography speech
and thus protected under the 1st
Amendment?
4th Amendment: can law enforcement
control access to recovery/decoding keys
without a warrant?
5th Amendment: self incrimination( can
they make you reveal the key?) and
substantive due process (is the law fair?)
(c) 2004 West Legal S

20

1st amendment Rights

If it is speech, Can the government control
cryptography?
What kind of speech is it?
Commercial speech is less protected than personal speech
here the government only has to have a rational substantial
government reason for the control as opposed to non-commercial
speech where the government has to have a real good reason for
control

1st Amendment favors subsequent punishment of speech rather

than prior restraint on that speech
courts begin with the presumption that prior restraint is
unconstitutional
only legal where the control is narrowly tailored to the speech
involved and government demonstrates a compelling interest in
regulating this speech
China (in contrast) controls all secrecy speech

(c) 2004 West Legal S

21

Case
Universal City Studios, Inc., Paramount
Pictures, Metro-Goldwyn-Mayer, Tri-Star
Pictures, Columbia pictures, Time Warner
Entertainment, Disney Enterprises,
Twentieth Century Fox v. Corley

(c) 2004 West Legal S

22

1998 Regulation
Regulation controlled the export of certain
software: downloading or causing the
downloading of controlled encryption
course code and object code to locations
outside the United States; must get
government approval
Case law on cryptography is in flux
(c) 2004 West Legal S

23

1998 Junger v. Daley

(6th Cir. 2002)
Approval needed for exporting items on
its Control List.
Jungers postings were subject to this
regulation
Junger filed suit: violation of 1st
Amendment rights

(c) 2004 West Legal S

24

Junger cont.
1st Amendments purpose: to foster the spread of ideas
and to assure unfettered interchange of ideas.
Court held:
expressive software contains an exposition of ideas
functional software is designed to enable a computer to do a
designated task. It does not explain a cryptographic theory or
describe how the software functions - it merely carries out the
function of encryption.
Used to transfer functions, not to communicate ideas - doesnt
tell how to do it, but does it
Not protected
Not a prior restraint because not directed at expressive conduct

(c) 2004 West Legal S

25

May 1999 Bernstein v. Department

of Justice:
The Ninth Circuit said cryptography was
Speech and protected by the 1st
amendment - the court invalidated federal
regulations that allowed the government to
restrain speech indefinitely with no
articulated criteria for review. Ninth Circuit will rehear this case.

(c) 2004 West Legal S

26

Conflict: Government versus

Business
Businesses are saying this regulation is
hindering U.S. businesses from competing
with other makers of encryption software
who have no export controls
Law enforcement personnel say regulation
is needed to break into communication
involving drugs trafficking and terrorism
(c) 2004 West Legal S

27

1999 Encryption Policy Changed

Transcript of White House Crypto-briefing
Revised U.S. Encryption Export Control
Regulations January 2000
Submitted to Congress: Cyberspace
Electronic Security Act of 1999 (CESA)

(c) 2004 West Legal S

28

New Rules:

Balance 4 values: national security, public safety privacy, and commerce.

Permit industry to export any 64-bit encryption product or software under a

license exemption for commercial non- governmental use, except to Cuba,
Iran, Iraq, Libya, North Korea, Sudan, and Syria.

Retail products exceeding 64-bits may be exported under a license

exception to all users including government, except to the seven states

U.S. will support modernization of multilateral encryption export controls

New category of retail encryption commodities and software.

Must still report post-export for any products exceeding 64 bits to the
government

(c) 2004 West Legal S

29

Still Problems: Can Export, But Still

Have to Get Govt. Approval
Is very costly
Discourages academia and start-up
companies
Electronic Privacy Information Center,
Electronic Frontier Foundation, and
American Civil Liberties Union concur that
defects remain - can freely send on paper,
what you cannot send electronically
(c) 2004 West Legal S

30

Scheme still discretionary

Cant post source code if know it is going
to be read by one of the seven states
Cant provide information on how to create
encryption technologies, but can provide
information on other source code

(c) 2004 West Legal S

31

Govt. Has Proposed a National

Plan for Information Systems
Protection
Govt. would get a copy of the decoding to
protect against money laundering tax
fraud, bribery, racketeering, terrorism
corruption, espionage, and economic
crimes

(c) 2004 West Legal S

32

(D.C. N.D. Calif. 2002) Bernstein v.

U.S. Department of Commerce
New case to continue to challenge
restrictions on export of encryption
technology

(c) 2004 West Legal S

33

Steganography
Process of hiding messages within a text
or graphic
Not apparent that there is a message at all
Commercially water marks
Used by terrorists to hide instructions

(c) 2004 West Legal S

34

Fourth Amendment:
Govt. collecting of recovery keys is equal
to a warrant less search and seizure?
Katz v. United States: reasonable
expectation of privacy in a public phone
booth
Is just collecting the the keys and not
using them a violation of the 4th
Amendment?
(c) 2004 West Legal S

35

Businesses Beware
Businesses should know the encryption
policies of governments around the world
if you are going to do business using
encryption in these countries

(c) 2004 West Legal S

36

Kyllo v. United States

(c) 2004 West Legal S

37

9/11
Department of Homeland Security
Chief of Cybersecurity
U.S. Patriot Act

(c) 2004 West Legal S

38

U.S. Patriot Act (October 2001)

Gives govt. greater authority to track and intercept
communications without a warrant
Intercept to and from a trespasser within the system ( with
system consent)
Nationwide execution of court orders for access to stored
communications
Permits nationwide pen register and trap and trace orders for
electronic communications like e-mail

Now data mining is allowed as a basis for generating

suspicion to start an investigation
Creates new crimes, two types of forfeiture procedures,
harder on aliens, disclosures of suspicious transactions
by financial institutions, increases penalties for terrorism
(c) 2004 West Legal S

39

Two Surveillance Technologies

Carnivore/DCS-1000 installed on ISPs;
reads and analyses packets of data
Key Logger Systems: Magic Lantern
keystroke recoding software
United States v. Scarfo

(c) 2004 West Legal S

40

5th Amendment: Protects Against

Self Incrimination
Is compulsory registration and disclosure
of algorithm keys violative of the right
against being compelled to give selfincriminating information?
Is an algorithm code key testimony? Or is
it just like a house key, the means to get to
the testimony or information
(c) 2004 West Legal S

41

Fifth Amendment: Affords Due

Process
Substantial Due Process
Is the law fair?
Balance right against government reason
if not fundamental right, government does not have to be a
compelling reason

Procedural Due Process

Is the process of the law fair?
Should there be a hearing in encryption licensing for
export challenges?
Government cant just be capricious, arbitrary, and
unreasonable in the hearing
If for national security, this is probably not capricious, etc.

(c) 2004 West Legal S

42

Karn v. Department of State

Submitted a commodity jurisdiction request to
export the book Applied Cryptography by Bruce
Schneier.
Granted

Submitted a commodity jurisdiction request to

export the disk Applied Cryptography by Bruce
Schneier.
Denied

Court found that the governments decision was

rational - disk being treated differently than was
rational
(c) 2004 West Legal S

43

Privacy, Security, and Crimes: the

Evolving Legal Environment

Patchwork of laws
No boundaries
Have to balance with usability
Most systems out there are vulnerable

(c) 2004 West Legal S

44

International Efforts to set out

policy
Clintons A Framework for Global Electronic
Commerce to protect the Global Information
Infrastructure
June 2002 European Commission Published
Network and Information Security : Proposal for
a European Policy Approach
April 2002 European Commission proposed the
Council Framework Decision on Attacks Against
Information Systems effective Dec. 2003
(c) 2004 West Legal S

45

Encryption and Cryptography

Systems
EU publication Ensuring Security and
Trust in Electronic Commerce notes the
importance of security and trust in open
networks
Cryptography and Liberty Survey rates
nations of the world as to their restrictions on
use of cryptography
(c) 2004 West Legal S

46

Organization for Economic

Cooperation and Development
(OECD) Guidelines 2002

30 nations - Nine principles recommended:

Awareness
Responsibility
Response
Ethics
Democracy
Risk assessment
Security design and implementation
Security management
Reassessment
(c) 2004 West Legal S

47

Encryption is Still Considered

Military Technology
In treaties: Wassenaar Accord:
reinforced this definition in the agreement
among western and former Soviet nations
to increase stability and security through
export controls on conventional arms and
military technology
Encryption (munitions) is still subject to
government controls
(c) 2004 West Legal S

48

Other Countries Policies

UK
China
Japan

(c) 2004 West Legal S

49