Privacy and Security - PowerPoint PPT Presentation

Slides: 25
Provided by: DSmi4

1
Privacy and Security
  • ECDL / Vocational Computing

2
Introduction
  • discovery of Public Key Cryptography
  • government and public response in the US
  • government response in the UK
  • the RIP Act and the criticisms made of it
  • plans for further monitoring of internet activity
  • problems for the future

3
Discovery of Public Key Cryptography
  • before public key cryptography, all ciphers were
    secret key, symmetrical systems
  • the cipher key had to be passed secretly
  • encrypting and decrypting were similarly complex
    problems: the more difficult to crack, the more
    difficult to encode
  • eg Enigma cipher used by Germany in WW2
  • Public Key Cryptography was a completely new
    paradigm
  • first discovered by researchers at GCHQ, 1970
  • they invented a process for an encryption cipher
    which they termed "non-secret encryption"
  • but it was kept hidden by the UK government until
    1997

4
Similar developments in the US
  • 1976 - Diffie-Hellman key exchange
  • described in a paper called "New Directions in
    Cryptography"
  • solved the practical logistics side of
    implementing a public key system
  • GCHQ breakthroughs discovered independently in
    1977 by researchers at MIT
  • published in 1978 in a paper called "A method for
    obtaining Digital Signatures and Public Key
    Cryptosystems"
  • became known as the RSA system (after its main
    investigators Rivest, Shamir and Adleman)
  • solved the remaining problems by providing an
    asymmetric cipher
  • easy to encrypt, but very difficult to decrypt
    without the key

5
US government reacts
  • US Government realised the implications of public
    key cryptography
  • National Security Agency (NSA) responded with
    key escrow
  • "escrow" refers to a legal arrangement where a
    trusted third party holds something of value
    pending a decision
  • NSA would require cryptographic keys to be held
    in escrow until government agencies established
    their authority to listen
  • effected with a hardware addition to
    communications

6
The Clipper chip
  • a secure communication chipset (designed to cost
    $16) to be built into electronic devices
    (telephones, PCs, etc)
  • would use Diffie-Hellman key exchange
  • would use an 80-bit key with a symmetrical cipher
  • subsequently the password would enable the agency
    to decrypt and view / listen to the information
    passing to and from the device
  • US Government seemed to be suggesting that all
    encryption would eventually require key escrow
  • 1991 Senate Bill 266: "shall ensure that
    communications systems permit the government to
    obtain the plain text contents of voice, data,
    and other communications"

7
US citizens react
  • there was a backlash from US citizens who feared
    for their privacy
  • that it would open individuals to surveillance
    from the government
  • that details about the encryption itself were
    secret, and therefore not subject to public
    scrutiny
  • that it would in any case be futile, because
    strong encryption devices would be used by
    criminals anyway
  • pressure groups sought to raise public awareness:
    "key surrender" (Electronic Frontier Foundation)
  • "if encryption is outlawed, only outlaws will
    have encryption" (Phil Zimmermann)

8
Pretty Good Privacy
  • Zimmermann wrote a simple to use public key system
    called Pretty Good Privacy (PGP) and published it
    on the Internet in 1991
  • In his paper "Why I Wrote PGP" he explains his
    reasoning
  • In 1993 Zimmermann was subject to a criminal
    investigation by the US government
  • encryption with a key length over 40 bits was
    classed as munitions
  • when Zimmermann put PGP on the Internet he
    "exported" it; exporting munitions carries very
    severe penalties

9
The citizens fight back
  • Zimmermann fought the case by publishing a
    printout of the program in a hardback book
  • published by MIT Press
  • anyone could buy the book for 60, scan the text
    and compile the program into machine code
  • they would have exactly the same application as
    if they had downloaded it from Zimmermann's
    internet server
  • but the publishing of a book is protected in the
    US under the First Amendment!

10
Protests gather pace
  • other activists joined in, eg Adam Back,
    University of Exeter
  • wrote a strong encryption program in just a few
    lines of code
  • people included his program on the bottom of
    their emails
  • each time an email was sent to someone outside
    the US, the sender had exported munitions
  • novel applications of the principle appeared
  • mugs, clocks, etc with strong encryption
    algorithms printed on them sent as gifts to
    friends in other countries
  • printed t-shirts so that travellers boarding
    planes out of the US were also exporting
    munitions

11
Back's RSA script
  • #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
    $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
    lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
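
The public/private asymmetry described on the earlier slides, and the per-block modular exponentiation that any compact RSA program has to perform, shown as an added Python example (not Back's script and not code from the presentation). The toy primes, the function names and the 0x01 marker byte used for framing are assumptions of this example; it is unpadded textbook RSA on a 40-bit modulus, which is why the key can be factored by trial division here.

```python
# Added example: textbook RSA on a deliberately tiny key (constructed values).
from math import gcd

def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) where d inverts e modulo lcm(p-1, q-1)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lcm(p-1, q-1)")
    return (p * q, e), (p * q, pow(e, -1, lam))

def encrypt(message, public):
    """Anyone holding the public key can do this: c = m^e mod n per block."""
    n, e = public
    chunk = (n.bit_length() - 1) // 8 - 1   # data bytes per block (value stays < n)
    if chunk < 1:
        raise ValueError("modulus too small")
    width = (n.bit_length() + 7) // 8       # fixed ciphertext block width
    out = bytearray()
    for i in range(0, len(message), chunk):
        # 0x01 marker (this example's own framing) preserves leading zero bytes
        m = int.from_bytes(b"\x01" + message[i:i + chunk], "big")
        out += pow(m, e, n).to_bytes(width, "big")
    return bytes(out)

def decrypt(ciphertext, private):
    """Only the holder of d can undo it: m = c^d mod n per block."""
    n, d = private
    width = (n.bit_length() + 7) // 8
    out = bytearray()
    for i in range(0, len(ciphertext), width):
        m = pow(int.from_bytes(ciphertext[i:i + width], "big"), d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]  # drop marker
    return bytes(out)

def factor_by_trial_division(n):
    """Recovers p and q quickly here only because n is 40 bits long."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no odd factor found")

if __name__ == "__main__":
    public, private = make_keypair(1000003, 1000033)   # toy primes
    ct = encrypt(b"non-secret encryption", public)
    print(ct.hex(), decrypt(ct, private))
    # Factoring n rebuilds the private key; infeasible at real key sizes.
    p, q = factor_by_trial_division(public[0])
    print(decrypt(ct, make_keypair(p, q)[1]))
```

The private exponent falls out as soon as n is factored, so the "very difficult to decrypt without the key" property rests entirely on choosing primes large enough that factoring is out of reach.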

12
US government gives up
  • by 1999 the US government had abandoned its
    efforts to enforce key escrow
  • legal cases were dropped without charge
  • export restrictions were removed on cryptography
    products to all destinations (except 7 named
    countries and a list of individuals)

13
The UK Government's Approach
  • The Regulation of Investigatory Powers Act 2000
  • bill was introduced into the House of Commons 9
    February under Jack Straw as Home Secretary
  • the Act was passed less than six months later on
    26 July
  • provides powers and limitations to government
    agencies in monitoring communications, including
    the internet
  • requires ISPs to install equipment that will
    allow monitoring and recording of a customer's
    internet activity
  • enables mass surveillance of communication
  • allows employers to monitor email and internet
    use
  • prevents the existence of warrants and
    information from being revealed in court
  • enables the government to demand private keys to
    encrypted information (up to 2 years imprisonment
    if the key is not produced)

14
Criticisms and reassurance
  • civil liberties groups feared that the Act would
    go too far, but were reassured by the government
  • that access to the information would only be
    available to 9 government agencies (eg MI5)
  • that warrants to access the information would
    require the personal approval of the Home
    Secretary
  • that a serious crime must be suspected, or that
    national security must be threatened
  • that keys would be demanded only in special
    circumstances
  • that the security services would have to prove
    that the accused is or has been in possession
    of the key
  • that there would be a defence of forgetting or
    losing the key provided it was judged that the
    individual had done all they could to help the
    authorities retrieve the key

15
Act becomes law, is soon extended
  • Following the government's reassurances the Act
    was passed into law and received its Royal Assent
    on 28 July 2000
  • 2003: David Blunkett, as Home Secretary, announced
    an extension to those allowed to see information
    collected under RIPA, to include
  • 474 local councils
  • 318 other organisations including NHS trusts,
    Fire authorities, Royal Mail, Food Standards
    Agency, Schools Inspector, etc
  • access granted with the permission of a senior
    official eg Chief Constable, Senior Executive,
    etc.
  • Statutory Instrument 2003 No. 3172 on 5 December
    2003

16
Further extensions made
  • The Regulation of Investigatory Powers
    (Communications Data) (Amendment) Order 2005 was
    made by Statutory Instrument 2005 No. 1083 on 4
    April 2005
  • The Regulation of Investigatory Powers
    (Communications Data) (Additional Functions and
    Amendment) Order 2006 was made by Statutory
    Instrument 2006 No. 1878 on 12 July 2006.
  • The Regulation of Investigatory Powers
    (Acquisition and Disclosure of Communications
    Data Code of Practice) Order 2007 was made by
    Statutory Instrument 2007 No. 2197 on 26 July
    2007 and the code of practice itself was
    published in October 2007, seven years after the
    Act came into force.

17
Reversing the Burden of Proof
  • Some fear that part 3 of RIPA (disclosure of
    private keys), which was only recently
    activated, has reversed the burden of proof
  • "prove that you've really forgotten your
    password, and are not just lying to us"
  • the Act provides a defence: if you are judged to
    have forgotten or lost your password, you will
    not face penalties
  • but in having to seek to be judged to have
    forgotten, are you in effect being forced to
    prove that you are innocent?
  • penalty for not providing password
  • 2 years imprisonment
  • increasing to 5 years imprisonment if the charge
    relates to national security

18
Court rejects self-incrimination defence
  • R v S & A: police raided S as he was typing in
    his password
  • his equipment was seized and he was ordered to
    hand over the password
  • he argued that to do so would require revealing
    information for which he would be prosecuted,
    thus incriminating himself and thereby infringing
    his Human Rights
  • laws derived from English Common Law provide
    safeguards against self-incrimination, which helps
    to prevent the use of forced confession, etc
  • 15 October 2008: England and Wales Court of Appeal
    Criminal Division ruled that
  • "the key to the computer equipment is no
    different to the key to a locked drawer. The
    prosecution is in possession of the drawer. The
    lock cannot be broken or picked, and the drawer
    itself cannot be damaged without destroying the
    contents."

19
Further programmes in development
  • Interception Modernisation Programme
  • currently in planning stage with GCHQ and MI6
    leading
  • 2007
  • 57 billion text messages
  • 18 million internet connections
  • 3 billion emails per day
  • GCHQ: ISPs will not bear cost of holding data
    unless compelled to
  • government will make an initial 12 billion
    pounds available (5 billion last year for
    existing measures)

20
Is the RIP Act being used fairly?
  • Copeland Council took surveillance photographs of
    a resident's wheelie bin
  • the lid was raised a few centimetres, ie
    overfilled
  • ordered to pay £110 fine, court awarded
    additional £115
  • a couple and their three children under
    surveillance for two weeks by Poole Borough
    Council
  • suspected them of using false address for a
    school place application
  • 2006: 253,557 requests
  • errors not reported
  • 2007: 519,260 requests
  • 1,182 made in error
  • 2008: 504,073 requests
  • 595 made in error - change in reporting includes
    only errors resulting in intrusion upon the
    privacy of an innocent third party

21
Has the government's problem finally been solved?
  • public key cryptography allowed individuals to
    keep secrets from the government
  • ...which gave criminals the power to hide
  • a technological solution (key escrow) was
    probably unworkable and rejected on principle by
    US citizens
  • UK government gave judiciary the power to demand
    password or clear-text, and to imprison those who
    refuse
  • so we gave up much of our privacy, but now the
    criminals cannot hide from the law and we are
    safe?

22
Steganography
  • the science of hiding pieces of information
    inside other pieces of information
  • a file will have large areas of 0s and 1s
    that can be compressed
  • eg a sequence that repeats 100 times can be
    compressed to "repeat the following one hundred
    times" and hence take up fewer bits
  • the resulting spare bits can be used to store
    the 0s and 1s of a piece of criminal
    information
  • there's no way to tell that the hidden
    information is there
  • take a photograph, hide your message in the image
    file using the appropriate public key, send it to
    your accomplice or upload it to a web page
  • your accomplice uses his or her private key to
    extract the message; no one else can detect the
    presence of a message, let alone read it!

23
Plausible Deniability
  • TrueCrypt was designed to help those who are in
    areas where human rights are poor (ie do not
    coincide with our definition of what human rights
    should be observed)
  • eg Sayed Pervez Kambaksh, Afghanistan, sentenced
    to death for reading material about women's
    rights on the internet
  • a TrueCrypt encrypted file allows you to create
    multiple containers with different keys
  • place innocent material in one container
  • place criminal material in another
  • surrender the key to the container containing
    innocent material
  • deny the existence of any other containers
  • it's difficult to see how the RIPA will cope with
    this

24
Sources
  • http://cryptome.org/ukpk-alt.htm
  • http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
  • http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_1
  • http://www.surveillancecommissioners.gov.uk/
  • http://www.guardian.co.uk/world/2000/oct/24/qanda
  • http://www.bailii.org/ew/cases/EWCA/Crim/2008/2177.html
  • Ron Rivest, Adi Shamir and Len Adleman, "A method
    for obtaining Digital Signatures and Public Key
    Cryptosystems", Communications of the ACM, Feb.,
    1978
  • http://www.cypherspace.org/adam/
  • http://news.bbc.co.uk/1/hi/england/dorset/7343445.stm
  • http://news.bbc.co.uk/1/hi/uk_politics/7230476.stm
  • http://www.timesonline.co.uk/tol/news/uk/article4882622.ece
  • http://www.independent.co.uk/news/world/asia/sentenced-to-death-afghan-who-dared-to-read-about-womens-rights-775972.html
  • http://www.official-documents.gov.uk/document/hc0607/hc03/0315/0315.asp - commissioner's report
    2006
  • http://www.official-documents.gov.uk/document/hc0708/hc09/0947/0947.asp - commissioner's report
    2007
  • http://www.official-documents.gov.uk/document/hc0809/hc09/0901/0901.asp - commissioner's report
    2008