28 May 1997
Just how far Tony Blair wants to take his Government into the heartlands of EC cooperation has yet to be seen, and the issue of community-wide policing of encrypted electronic messages is probably low on the agenda.
But ticking away like a time bomb is an unresolved debate on whether the state should be allowed to interfere in the free commerce of business communication and Internet traffic.
In the US, where civil liberties and freedom on the Internet go hand in glove, the issue is a political hot potato - not just because of the Clinton government's insistence that any effective encryption methods should be denied an export licence, but also because of the constraints placed on a medium whose success arguably depends on its borderless and apolitical nature.
In recent months, the US dominance of encryption technology has suffered a devastating blow. An EC-wide project has introduced encryption standards that are far more effective than anything the Americans can offer. Moreover, the project has no strings attached, unless Blair and his European counterparts think otherwise.
Germany's Siemens-Nixdorf and France's Bull Information Systems have introduced virtually unbreakable encryption coding. In so doing they have opened a can of worms in the UK. Siemens' TrustedWeb software, which employs a 128-bit key, and Bull's Secureware IP hardware, which uses 9Mb encryption, have both stolen a march on the US, whose export ban on systems using anything more than 56-bit keys has so far helped it retain a firm grip on the world's Internet traffic.
The new products also proved to be the catalyst that forced the Conservative government to draw up controversial proposals to regulate the provision of encryption services. They include a proposal that users should deposit their keys with a 'trusted third party' (TTP). This would allow the state access to encrypted data if national security was under threat or if crime was suspected. The third-party bodies could be new, specially created organisations or existing institutions such as banks, and the scheme would be voluntary.
The DTI's public consultation paper, 'Licensing of Trusted Third Parties for the Provision of Encryption Services', released in March, says that organisations should buy encryption services for their electronic commerce from these third parties, which will be licensed by the Government.
The paper has caused concern among IT companies - including the providers of encryption software. They fear that civil liberties, companies' commercial secrets and electronic commerce as a whole will be put at risk by legislation.
The Siemens Nixdorf and Bull products evolved from a collaborative exercise which also involved ICL. Called the Sesame project, it was 50% funded by the EU, and came to an end in early 1996. It developed software to provide security features for computer networks.
Siemens' Dublin-based subsidiary SSE went on to develop TrustedWeb on the back of the Sesame project. 'We moved in that direction because the Web is where the money and the interest are,' explains Mike Brady, manager of secure messaging at SSE.
It took SSE six months and less than £500,000 to develop TrustedWeb, which started its beta programme in April. The software serves a dual purpose: it provides access control and an encryption code so secure as to be 'computationally impossible' to break, according to Brady.
TrustedWeb also breaks new ground in providing access control based on a user's role rather than purely on identification.
'Intranets contain sensitive and confidential data. At the moment, access to those intranets is controlled by who users are. When you are talking about a thousand-plus users, that is impossible to control,' explains Brady.
With TrustedWeb, identification is based on users' functions and information requirements. The data is stored on the security server and access is granted to individual users according to this data.
It is TrustedWeb's 128-bit encryption key that has raised government concerns over the potential ability of criminals and foreign military powers to send data in unbreakable code across the Internet.
Brady admits that TrustedWeb has effectively rendered useless the US' export ban on systems using more than 56-bit encryption, negating its efforts to prevent foreign military powers from using encoded messages it could not break.
'The US has a code to match ours but only for use within the US. This has opened up a world market for us because we're an independent company and can export our product where we want,' says Brady.
'The US is not the world's policeman on this and it can't control the rest of the world's software vendors, although it might try at a political level. For example, it might attempt to make the EU agree that the US is entitled to the keys of TrustedWeb wherever it is used.'
TrustedWeb is scheduled to hit the UK market in July, at a cost of less than £60 per user, dropping down to less than £6 per user in bulk volumes.
But it is not the only uncrackable code to be hitting the UK market.
Bull has also been busy since the Sesame project. Secureware IP hit the European market in October 1996 and has just been launched in the UK.
Secureware IP is a hardware solution based on multiprocessor RISC technology.
Consisting of boxes sitting at either end of the network, one to encrypt messages and one to decrypt, it authenticates the source of data frames and filters IP addresses by application and by predefined access rights.
It also has 9Mbit data encryption. The product, which costs £10,000 for two boxes, is already in widespread use across Europe. Customers include government departments, the military, banking networks and businesses. Bull developed the black box Secureware IP solution in conjunction with the French army, which grants Bull licences to sell only on condition that the keys are known to the military should it ever need access to the code.
'It changes its encryption algorithm every two minutes and it would take the best decryption computer 14 months to decrypt it,' says Terry Schraider, UK Internet business manager at Bull. 'We like to think that it's practically unbreakable.'
Schraider acknowledges the French military's central control over the system and the UK's concerns. But he says: 'My personal view is that it's none of the government's business and I wonder if they would have the resources, even if they had the keys, to examine data. I think the whole Web community is fighting shy of government interference.'
Concern is also mounting in the business and IT sectors at government plans to legislate on encryption. The Source, an IT media information service, is coordinating a campaign to bring the DTI's proposals into the public arena so that their implications can be openly debated.
Daryl Willcox, managing director of the Source, says many people fear that the proposals are not only a threat to civil liberties, but that they will also restrict user access to encryption services, threaten electronic commerce and effectively destroy the UK encryption industry.
Willcox wants to see a better compromise between national security and secure communications on the Internet than that offered by the Government's consultation paper. 'National security is, of course, an issue but saying that they want the power to be able to examine any electronic commerce at any time will stifle Internet commerce,' Willcox says.
'Because this is electronic commerce, it makes the Government less accountable to the public,' he adds. 'All it would take would be for someone at the Home Office to press a button at any time to be able to examine a communication, whereas now the Government has to get a warrant first.'
Willcox argues that a better system would be to issue warrants only for specific items. The company or organisation holding the information would be required to open it up to the warrant holder for examination but would retain its own key.
Willcox's doubts are shared by others. Keith Osborne, principal IT security consultant at ICL, says: 'The Trusted Third Party system would be open to abuse. Once trust has been broken by one, the TTPs won't ever get it back. Companies want to be able to transmit data securely and with secrecy and they don't want their liberty compromised. It's a question of getting the balance right between that and national security, and it's going to be extremely difficult to achieve that balance.'
Osborne believes that while the TTP system, in common with other industry standard schemes, might technically be a voluntary one, companies will be coerced into joining it for fear of losing business if they don't.
The business sector's concern is reflected by the fact that the CBI's 55-strong information security panel has been preparing a submission on the DTI's consultation paper.
'We're looking at the implications for business,' says Sarah Bales, senior policy adviser in the CBI's technology group. 'For example, what are the mechanisms by which a third party will give up software keys to the Government?
'We take this very seriously because a balance needs to be achieved and a framework established within which the business sector can work.'
Willcox points out that there are other issues at stake: 'If organisations can only get encryption via licensed suppliers, it will be very expensive. It will stifle commercial access to electronic commerce because not everyone will be able to afford encryption. It will also stifle the encryption market itself because many potential suppliers who can't comply with all the government requirements will be pushed out.'
Whether the policy will survive the change of government is not yet clear. In the run-up to the general election, then shadow IT spokesman Geoff Hoon spoke broadly of the need to reconcile national security with network confidentiality.
However, the Labour party's only formal policy on the matter - which was published way back in 1994 - implies a rejection of the Conservative government's proposals to allow law enforcement agencies access to encryption keys. Instead, it proposes the mandatory decoding of data when the holder is presented with a warrant.