
Crypto in Europe - Markets, Law and Policy

03 Jul 1995, pp. 75-89
Abstract: The public debate on cryptography policy assumes that the issue is between the state's desire for effective policing and the privacy of the individual. We show that this is misguided.

Summary

1 Introduction

  • The US Clipper chip initiative has fuelled extensive and acrimonious debate on the privacy versus wiretap issue, and this has spread to other countries too.
  • On the one hand, GCHQ permitted the export of over $35m worth of tactical radios to Iraq, which used them against allied forces in the Gulf War; on the other, it has made efforts to suppress academic research in cryptography.
  • Governments, and in particular their signals intelligence agencies, claim to be concerned that the growth of commercial and academic cryptography might threaten intelligence and law enforcement capabilities.
  • There are tens of millions of these worldwide, with BSkyB having fielded 3.45 million in the UK alone by mid 1994 [Ran94]; they may be the largest single installed base of cryptographic terminal equipment.

Electronic funds transfer at point of sale (eftpos)

  • There is a lot of overlap between ATM, eftpos and credit card systems.
  • The installed base of eftpos terminals has overtaken that of ATMs in most countries.
  • For the last twenty years, it has transmitted payment instructions between the several thousand banks which own it, and its primary use of cryptography is to calculate a message authentication code (MAC) on each payment message [DP84].
  • These range from prepaid cards for public telephones to the much more sophisticated `subscriber identity modules' (SIMs) used in GSM digital mobile phones.

5 How Realistic is European Public Policy?

  • Most crypto is about authenticity rather than secrecy, and an increasing proportion of economic activity relies on it to some extent.
  • They are aware that the main problem facing law enforcement is not traffic processing, but traffic selection [LKB+94]: in layman's terms, a ten minute scrambled telephone call from Medellín, Colombia, to 13 Acacia Avenue, Guildford, is an absolute giveaway.
  • One common modus operandi (in the USA and increasingly the UK) is to use an address-agile system: cellular telephones are repeatedly reprogrammed with other phones' identities.
  • The authors conclude that the privacy versus police debate is misguided: neither the libertarians nor the policemen have a serious case.

6 Conclusions

  • The politics of cryptology is often viewed as a Manichaean struggle between the privacy of the individual and the ability of the police to detect crimes such as money laundering and child pornography.
  • The real law enforcement problem is that neither prosecutors nor civil litigants can rely on cryptographic evidence, and in an information based society, this kind of evidence is likely to figure in more and more trials.
  • The ITSEC/ITSEM procedure typically takes a year and a million dollars to evaluate a security product, while underwriters' laboratories might do the job in a month for twenty thousand dollars [ESO94].
  • On past form, the authors expect that the securocrats will fail to adapt.


Crypto in Europe - Markets, Law and Policy
Ross J Anderson
Cambridge University Computer Laboratory
Email: rja14@cl.cam.ac.uk
Abstract. The public debate on cryptography policy assumes that the issue is between the state's desire for effective policing and the privacy of the individual. We show that this is misguided.

We start off by examining the state of current and proposed legislation in Europe, most of which is concerned with preserving national intelligence capabilities by restricting the export, and in cases even the domestic use, of cryptography, on the pretext that it may be used to hide information from law officers. We then survey the currently fielded cryptographic applications, and find that very few of them are concerned with secrecy: most of them use crypto to prevent fraud, and are thus actually on the side of law enforcement.

However, there are serious problems when we try to use cryptography in evidence. We describe a number of cases in which such evidence has been excluded or discredited, and with a growing proportion of the world economy based on transactions protected by cryptography, this is likely to be a much more serious problem for law enforcement than occasional use of cryptography by criminals.
1 Introduction

The US Clipper chip initiative has fuelled extensive and acrimonious debate on the privacy versus wiretap issue, and this has spread to other countries too. At this conference, for example, an official from the Australian Attorney General's office has proposed that banks should use escrowed crypto, while ordinary people and businesses should be forced to use weak crypto [Orl95].

We provide an alternative view by looking at the state of play in Europe. We will firstly describe the political situation, then look at what cryptography is actually used for, and finally discuss the real problems of cryptography and law enforcement. Along the way, we will challenge a number of widely held beliefs about cryptology which underpin much research in the subject and condition the public policy debate. These include:

1. the primary role of cryptology is to keep messages secret. So if it is made more widely available, criminals will probably use it to stop the police gathering evidence from wiretaps;
2. its secondary role is to ensure that messages are authentic, and here it provides a useful (if not the only) means of making electronic evidence acceptable to a court. It is thus indispensable to the future development of electronic commerce.

2 European Law and Policy on Cryptography

Some European countries, including Switzerland, Belgium and Germany, used to supply considerable quantities of cryptographic equipment to developing countries. This trade appears to have been tightened up recently as a result of American pressure, and now all European countries appear to enforce export controls on cryptographic hardware. Some even control its use domestically.

The country taking the hardest line is France. There, the "décret 73-364 du 12 mars 1973" put cryptographic equipment in the second most dangerous category of munitions (out of eight); any use required authorization from the Prime Minister, which could not be given to criminals or alcoholics. The "décret 86-250 du 18 février 1986" extended the definition to include software, and specified that all requests be sent to the minister of the PTT with a complete description of the "cryptologic process" and two samples of the equipment. The "loi 90-1170 du 29 décembre 1990" states that export or use must be authorized by the Prime Minister unless used only for authentication [Gai92].
Few people in France seem to be aware of these laws, which are widely ignored. A hard line is still taken by SCSSI, the local signals agency, according to whom the use of PGP even for signatures will never be permitted [Bor95]; but when one looks at the actual text of the Loi No 90-1170 as it appeared in the Journal Officiel on 30th December 1990¹, it is unclear that digital signatures are covered at all.
Germany has no legal restraints on the domestic use of cryptography [Heu95]; indeed, Dirk Henze, the chief of the BSI (the information security agency), recommended that companies which cannot avoid sending data over the Internet should encrypt it, and the interior minister sees encryption as a precondition for the acceptance of electronic communication. However, Henze's predecessor Otto Leibrich took the view that security should rather be provided as a service by network operators in order to stop crypto equipment being available to villains [CZ95]; and a number of politicians, such as Erwin Marschewski (home affairs spokesman of the CDU), argue for an outright ban [Moe95]. Meanwhile a law has just been passed forcing all telecoms companies to provide wiretap access to government agencies, including various call tracing services [Eis95].
Denmark, Finland, Sweden and Latvia have no domestic restrictions at present [Bor95] and no particular controversy which has come to our attention. But not all northern European countries are so relaxed; the Norwegian government is introducing its own encryption standard called NSK, which will be tightly licensed; Norwegian Telecom will manage the keys of line encryptors which use these chips and will be able to provide access to the intelligence services [Mad94]. Russia seems to be reverting to the policing traditions established under the Tsars and continued under the Soviets; a recent decree by President Yeltsin has made cryptography illegal without a licence from the local signals agency [Yel95]. At the other extreme, the traditionally liberal Dutch government tried to impose a ban on civilian crypto in 1994 but was forced to back down at once by banks, petrol companies and other business interests.

¹ Art. 28. Cryptology services are understood to mean all services intended to transform, by means of secret conventions, clear information or signals into information or signals unintelligible to third parties, or to carry out the reverse operation, by means of hardware or software designed for this purpose.
The UK is mildly liberal at present. Prime Minister John Major stated in a 1994 parliamentary written reply to David Shaw, the member for Dover and Deal, that the government does not intend to legislate on data encryption. However, a spokesman for the opposition Labour party, which appears likely to form the next government, said that encryption should only be allowed if the government could break it [Art95]. This caused a storm on the Internet, and a subsequent policy document backed down on this issue; it did however propose to make warrants for the interception of communications much easier to get. At present, these are only available to investigate serious arrestable offences; a future Labour government would make them available for all offences, for `racism' and for the `protection of minors' [Lab95].
Even without a change in government, there is still occasional confusion in government policy. On the one hand, GCHQ permitted the export of over $35m worth of tactical radios to Iraq, which used them against allied forces in the Gulf War; on the other, it has made efforts to suppress academic research in cryptography. Interference with research is also common with the EU in Brussels, whose crypto policy is driven by SOGIS, the Senior Officials' Group (Information Security), which consists of signals intelligence managers. A typical EU project was Sesame, a Kerberos clone supposed to provide authenticity but not secrecy, and to be adopted by European equipment manufacturers. However its many flaws make this unlikely [ano95]: at the insistence of SOGIS, DES was replaced with xor, but the implementers did not even get a 64-bit xor right. Sesame also generates keys by repeated calls to the compiler's random number generator. Another project was RIPE (the RACE integrity primitives project), whose researchers were paid to devise a hash function (since attacked) but forbidden to do work on encryption. Close observers say that defective projects are approved deliberately to provide an excuse to refuse funding for more worthy proposals.
So the overall picture in Europe is one of confusion. Governments, and in particular their signals intelligence agencies, claim to be concerned that the growth of commercial and academic cryptography might threaten intelligence and law enforcement capabilities. These fears are rarely articulated coherently; in addition to the contradictory behaviour of GCHQ, we would note that the current conference's paper from the Australian attorney general (cited above) says on the one hand that the use of encryption by criminals is not seen as a threat, but on the other hand that controls on crypto should be imposed.

Is there a real case here, or are we just seeing a panicky defensive reaction from bureaucratic establishments for whom the end of the Cold War means the loss of jobs and budgets, and who are looking for something to do? In order to assess the threat to law enforcement operations, we shall have to look first at what cryptography is actually used for.

3 European Applications of Cryptography

Many research papers on cryptography assume that two parties, traditionally called Alice and Bob, are sending valuable messages over an untrusted network. The idea is usually to stop an intruder, Charlie, from finding out the content of these messages. This application, message confidentiality, has historically generated perhaps 85% of research papers in the field.

Confidentiality has indeed been important in the government sector. The available information suggests that the NATO countries' military communications systems have about a million nodes, with the USA accounting for over half of this. This would appear to make governments the main users of cryptology, and they conduct the debate in these terms: for example, a recent report on crypto policy, one of whose authors is Assistant to the Director of the NSA [LKB+94], says `cryptography remains a niche market in which (with the exception of several hundred million dollars a year in governmental sales by a few major corporations) a handful of companies gross only a few tens of millions of dollars annually'.
This assessment is just plain wrong. The great majority of fielded crypto applications are not concerned with message secrecy but with authenticity and integrity; their goal is essentially to assure Bob that Alice is who she says she is, that the message he has received from her is the one she sent, or both. Here Charlie may try to impersonate Alice, or Alice might try to avoid paying for services rendered.
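As an added illustration of that point (example code written for this page, not taken from the paper), the Python below computes a MAC over a constructed payment instruction in the style of the SWIFT and eftpos systems surveyed below: Charlie can read the instruction in full, so the MAC gives no secrecy, yet an altered amount or a forged instruction is rejected; and because the receiver holds the same key, the tag proves nothing about authorship to a third party, which is the evidence problem the paper raises. HMAC-SHA256 is a stand-in for whatever MAC these systems actually use (the paper cites [DP84] but gives no construction), and the key, field layout and values are all constructed for the demonstration.

```python
"""Authenticity without secrecy: a MAC over a payment instruction.

Added example, not from the paper. HMAC-SHA256 stands in for the MAC
algorithms the surveyed systems use; the shared key and the message
format below are constructed for this demonstration only.
"""
import hashlib
import hmac

# Constructed shared key. The paper notes that SWIFT's MAC keys were once
# exchanged manually and are now managed with public key protocols; how the
# key gets to both ends is outside this example.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def encode_payment(sender: str, receiver: str, amount_cents: int, ref: str) -> bytes:
    """Canonical encoding of the fields that must not be altered in transit.

    A fixed field order and a separator that is forbidden inside the fields
    ensure two different instructions never map to the same byte string,
    so the MAC really does bind every field.
    """
    for field in (sender, receiver, ref):
        if "|" in field:
            raise ValueError("separator '|' not allowed inside a field")
    return f"{sender}|{receiver}|{amount_cents}|{ref}".encode()


def mac(key: bytes, message: bytes) -> bytes:
    """Tag computed by the sender and recomputed by the receiver."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so verification time leaks nothing about
    how many leading bytes of a wrong tag happened to match."""
    return hmac.compare_digest(mac(key, message), tag)


def demo() -> dict:
    """Run the three cases the paper's Alice/Bob/Charlie discussion raises."""
    msg = encode_payment("BANKA", "BANKB", 1_250_000, "INV-0042")
    tag = mac(SHARED_KEY, msg)

    # 1. The instruction travels in clear: an eavesdropper reads the amount.
    plaintext_readable = "1250000" in msg.decode()

    # 2. Changing the amount invalidates the tag Alice attached.
    tampered = encode_payment("BANKA", "BANKB", 9_250_000, "INV-0042")

    # 3. Without the shared key, an impersonator cannot produce a valid tag.
    forged = encode_payment("BANKA", "CHARLIE", 1_250_000, "INV-0043")
    forged_tag = mac(b"some-other-key", forged)

    return {
        "genuine_accepted": verify(SHARED_KEY, msg, tag),
        "plaintext_readable": plaintext_readable,
        "tampered_rejected": not verify(SHARED_KEY, tampered, tag),
        "forgery_rejected": not verify(SHARED_KEY, forged, forged_tag),
    }


def receiver_can_forge(key: bytes) -> bool:
    """A MAC authenticates between the two key holders only.

    Bob holds the same key as Alice, so he can tag any message himself; a
    valid tag therefore cannot show a court which of them wrote it. This is
    why a MAC on its own is weak evidence in a dispute between the parties.
    """
    claimed = encode_payment("BANKA", "BANKB", 5_000_000, "INV-9999")
    return verify(key, claimed, mac(key, claimed))


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
    print(f"receiver_can_forge: {receiver_can_forge(SHARED_KEY)}")
```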
The main commercial cryptographic applications include the following.

Satellite TV decoders: There are tens of millions of these worldwide, with BSkyB having fielded 3.45 million in the UK alone by mid 1994 [Ran94]; they may be the largest single installed base of cryptographic terminal equipment. They are also the one nonmilitary application of cryptography which has attracted sophisticated and sustained technical attacks.

Automatic teller machines: ATMs have been around since 1968, and worldwide there are somewhere between 300,000 and 500,000 of them; over 100,000 are installed in Japan and 70,000 in the USA [AP94]. Many ATMs are networked together, and cryptography is used to manage personal identification numbers (PINs); in fact this was the first large scale commercial application of cryptography [MM82]. The European ATM population is of the order of 100,000 [CI94].

Electronic funds transfer at point of sale (eftpos): There is a lot of overlap between ATM, eftpos and credit card systems. In some countries (such as France and Australia) the ATM and eftpos networks are well integrated, with customers using PINs rather than signatures in shops; in others (like Britain), signatures are used to authorise retail transactions, but cryptography is still used to make the cards themselves harder to forge. The installed base of eftpos terminals has overtaken that of ATMs in most countries.

SWIFT: Based in Belgium, this is probably the oldest high security commercial computer network. For the last twenty years, it has transmitted payment instructions between the several thousand banks which own it, and its primary use of cryptography is to calculate a message authentication code (MAC) on each payment message [DP84]. The MAC keys used to be exchanged manually, but are now managed using public key protocols [ISO11166].

Telephone cards: These range from prepaid cards for public telephones to the much more sophisticated `subscriber identity modules' (SIMs) used in GSM digital mobile phones. The SIMs are smartcards which identify the user of a telephone to the network for billing purposes, manage keys for encrypting the conversation [Rac88], and may even let the subscriber perform banking functions [Rob93] and place bets on horse races [Llo94]. Although only 4 million GSM phones are in use (mostly in Europe), the market is growing at 70% per annum, and 61% of new mobile phone subscribers in the UK now opt for GSM rather than the analogue alternatives [New94]. The market should grow even more quickly once GSM is fielded in countries such as China and India whose land based telephone systems are inadequate.

Utility tokens: The UK has about 1.5 million prepayment electricity meters, using two proprietary cryptographic schemes, and 600,000 gas meters using DES in smartcards. They are mainly issued to bankrupts and welfare claimants. Other European countries have smaller installations; France, for example, has about 20,000. However, prepayment meters are a growth industry in developing countries; technical information on such systems can be found in [AB94].

Computer access tokens: The market leading supplier of software protection dongles, Rainbow Technologies, has sold seven million units since 1984; from this business base, it took over Mykotronx, the manufacturer of the Clipper chip [Rai95]. There are also several vendors of one-time password generators. We have no overall figures for the total European sales of dongles and other access tokens, but they must be in the millions of units.

Building access control tokens: Although many early devices (from metal keys to magnetic cards) do not use cryptography, smartcard vendors are starting to make inroads in this market [Gir93].

Burglar alarms: Under draft CENELEC standards, class 3 and 4 alarm systems must provide protection against attacks on their signaling systems [Ban93], and some manufacturers are already taking steps in this direction. The market leading burglar alarm product in the UK claims to use `high-level encrypted signalling' [BT93].

Remote locking devices for cars: These are starting to incorporate cryptographic techniques to thwart the `sniffers' which can intercept and mimic the signals of first generation locking devices [Gor93].

Road toll and parking garage tokens: Some countries may issue these tokens to all their motorists [Sin95]; others may use multipurpose tokens, as with a German scheme to enable road tolls to be paid using the subscriber identity modules of car telephones [SCN94]. As well as a number of pilot

Frequently Asked Questions
Q1. What are the contributions in "Crypto in Europe - Markets, Law and Policy"?

The authors show that this is misguided. The authors start off by examining the state of current and proposed legislation in Europe, most of which is concerned with preserving national intelligence capabilities by restricting the export, and in cases even the domestic use, of cryptography, on the pretext that it may be used to hide information from law officers. The authors describe a number of cases in which such evidence has been excluded or discredited, and with a growing proportion of the world economy based on transactions protected by cryptography, this is likely to be a much more serious problem for law enforcement than occasional use of cryptography by criminals.

It is the challenge of adapting to a major paradigm shift: from intelligence to evidence, from protecting lives to protecting money, from secrecy to authenticity, from classified to published designs, from tamper-proof hardware to freely distributed software, from closed to open systems, and from cosseted suppliers to the rough and tumble of the marketplace.


It is very expensive to provide a wiretap capability in a modern digital network; if it is mandated in the USA, phone companies say it could cost $5bn in the first four years alone.

These microprocessor cards are more expensive than simple memory cards, and are typically used when some kind of crypto protocol needs to be supported.


4. The real threats to individual privacy have little to do with crypto but are rather concerned with the abuse of authorised access to data.