Information Warfare: The operational need for national cryptology solutions – a user's view



Date: 17.01.2019


Information Warfare

  • The operational need for national cryptology solutions – a user's view


Contents

  • Industrial Espionage

  • Wassenaar Arrangement

  • Crypto Policy

  • Key Management Infrastructure – Key Escrow



What are we talking about?

  • Information warfare is the use and management of information in pursuit of a competitive advantage. It comprises

    • collecting information,
    • assurance that one's own information is valid,
    • spreading of propaganda or disinformation,
    • undermining the quality of opposing force information,
    • and denial of information collection opportunities to others.


With friends like these ...



ECHELON

  • Australia, Canada, New Zealand, UK and USA operate under the 1948 UKUSA Agreement to

    • monitor international telecommunication satellites – INTELSAT,
    • intercept non-INTELSAT communications,
    • tap land based or sub-sea communication cables plus microwave communications.


National Security Agency / Central Security Service – NSA/CSS

  • 60 – 100.000 collaborators

  • world's largest employer of mathematicians

  • CSS controls all US Signal Intelligence (SIGINT)

  • budget in excess of US$ 30 billion (1998: 27 billion)

  • beyond democratic control



ECHELON Report

  • On Sept. 05th, 2001, G. Schmid, rapporteur of the Temporary Committee on the ECHELON Interception System, presented his report to the European Parliament.

  • „The existence of a global system for intercepting communications, operated by the USA, the UK, Canada, Australia and New Zealand under the UKUSA Agreement, is no longer in doubt.“



ECHELON Site

  • Misawa, Japan





FAPSI

  • Federalnoje Agenstwo Prawitelstwennoj Swjasi i Informazij

  • tasked, inter alia, with economic-technological espionage

  • ground-stations only in CIS, except Socotra Island, Yemen

  • SIGINT aircraft ( four outside-CIS bases ) and ships

  • service provider to western industry



FAPSI



DGSE

  • Direction Générale de la Sécurité Extérieure operates

  • nine SIGINT stations in mainland France

  • stations in Djibouti, la Réunion, Kourou, Nouvelle-Calédonie, United Arab Emirates (?)

  • Co-operates with the Bundesnachrichtendienst

  • HELIOS Photo & SIGINT satellites



DGSE

  • Domme, Périgord



ONYX

  • The Swiss COMINT system ONYX is run by the Ministry of Defence in:

    • Heimenschwand
    • Leuk
    • Zimmerwald ( Operations Centre )
    • for broad surveillance of military and civilian communications ( downlinks of INTELSAT, INMARSAT, EUTELSAT, PANAMSAT, ARABSAT, GORIZONT )


ONYX Sites

  • VERESTAR in Leuk



The Solution

  • To protect information we need national cryptology solutions not under control of the “big spy nations”.

  • Is this really the solution ?

  • If yes, how far ?



Export Controls

  • The Wassenaar Arrangement of 1995, to which Luxembourg is a signatory, imposes export control on systems, equipment and components using the following (either directly or after modification):

    • a symmetric algorithm using a key longer than 56 bits; or
    • a public-key algorithm, in which the security of the algorithm is based on one of the following:
      • (1) the factorisation of integers higher than 512 bits (e.g. RSA),
      • (2) discrete log computations in the multiplicative group of a finite field larger than 512 bits,
      • (3) discrete log computations in a group other than those mentioned above, and which is larger than 112 bits.


Countries under export control

  • Afghanistan, Angola, Armenia, Azerbaijan, Bosnia-Herzegovina, Burundi, Cuba, Eritrea, Ethiopia, Iraq, Iran, DR Congo, Lebanon, Liberia, Libya, Myanmar (Burma), Nigeria, North Korea, PRC (except Hong Kong), Rwanda, Sierra Leone, Somalia, Sudan, Syria, Tanzania, Uganda.



Crypto Policy – GILC* Report 1998

  • A survey yielded 76 responses:

    • 30 Green (no restrictions)
    • 19 Green / Yellow (no restrictions, but respect Wassenaar Arrangement)
    • 12 Yellow (domestic controls plus Wassenaar Arrangement)
    • 3 Yellow / Red
    • 1 Red / Yellow
    • 6 Red (tight controls)
    • 5 Unknown / no response
    • * Global Internet Liberty Campaign


Key Management Infrastructure (KMI)

  • A large (unknown) number of countries require national KMI.

  • NSA still requires world-wide KMI under their control.

  • Access to keys by national authorities based on applicable national and international law.

  • Governments' respect of national and international law ranges from „flexible“ to non-existent; under „anti-terrorism“ everything goes.



Key Escrow

  • Governments need to fight crime – access to key escrow is understood.

  • Nobody really knows who actually will have access.

  • No western government can resist the „friendly approach“ of the NSA for access.



My shopping list

  • Crypto solution that is not recognized as such

  • „Ad hoc“ keys (individualized crypto)

  • On-the-spot key generation

  • Any „illegality“ shall be invisible

  • Steganography with file formats other than .bmp



We may need to look in a different direction



In which direction?

  • Operate beyond the reach of a particular legal jurisdiction.

  • Find legal loopholes – need to be the same in sending and receiving country.

  • Use strong encryption with „non-escrow“ keys.

  • „Super encrypt“ with a state-approved – therefore „crackable“ – key (or with steganography).



The government syndrome

  • Governments agree that industry should be protected from espionage with the help of strong crypto means,

    • but not strong enough to prevent governments from spying on industry.
  • Governments want legal access to encrypted information,

    • but frequently do not respect international or national law.


The dilemma



The conclusion

  • Il est dangereux d'avoir raison quand le gouvernement a tort.

  • François Marie Arouet (Voltaire)

  • It is dangerous to be right when the government is wrong.


