MyCERT 3rd Quarter 2011 Summary Report - CyberSAFE Malaysia

More documents

Recommendations

Info

8Legal Restriction on CryptographyBY | Liyana Chew Binti Nizam Chew, Abdul Alif Bin ZakariaIntroductionHistorically, a number of countries haveattempted to restrict the export or importof cryptography tools. This article aimsto give a general view on the existingrestrictions on cryptography tools.Export restrictions are totally differentfrom imports. Restrictions on exportsare referring to restrictions on exportingcryptographic tools out of countries thatproduce them. Meanwhile restrictions onimports refer to a country that receivescryptography tools for their needs. Thisarticle will also discuss the reasons whycertain countries do apply these restrictionswhile other doesn’t.Restriction On ExportThe export of cryptography is a transferof devices and technology related tocryptography from one country to anothercountry. In the early days of the Cold War,the U.S government developed an elaborateseries of export control regulationsdesigned to prevent a wide range ofWestern technology from falling into thehands of others. U.S non-military exportsare controlled by Export AdministrationRegulations (EAR). Encryption itemsspecifically designed, developed,configured, adapted or modified formilitary applications (including command,control and intelligence applications) arecontrolled by the Department of State onthe United States Munitions List.U.S government set a restriction on exportof cryptography product with strict limiton the key size. In general, products andtechnologies with exportable cryptographyprovide much less security than the nonexportableversion of the same productsand technologies. Non-exportable versionof cryptography product use longer keylength (128 bits) than exportable (40 bits or56 bits) version. Communication betweenthese two versions is limited to the longestkey length supported by the exportableversion. As reported in The New York Timeson December 1998, U.S and European Union(EU) officials have reached an agreement onexport controls for cryptography software.Both blocs agreed to restrict the export ofencryption software that uses keys of 64 bitsor more. U.S law currently forbids companiesfrom exporting software that uses that levelof encryption. That’s why US versions ofWeb browsers contain 128-bit encryptionto encode e-commerce transactions, butEuropean versions use a much lower levelof security (40 bits key). The agreement,reached by the 33 members of the WassenaarArrangement, will impose those exportrestrictions on European software suppliers.The more bits in the key, the harder it is tocrack. The US government claims 64-bit keysare sufficient for almost all uses. However,research proves that it is possible to breaka 56-bit code, albeit using a network ofhundreds of PCs operating in parallel. Muchtougher keys, including the 128-bit keyscommonplace in e-commerce applications,are thought to be virtually impossible tocrack using today’s technology through thenext few generations of processor.Until January 2000, the export restrictionsof Cryptography in the U.S becomemore relaxed. Export to end-users isapproved under a license except to foreigngovernments or embargoed destinations thelikes of Cuba, Iran, Iraq, Libya, North Korea,Serbia, Sudan, Syria, and Taliban-controlledareas of Afghanistan.e-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011)© CyberSecurity Malaysia 2011 - All Rights Reserved
Rationale to Export ControlSome countries have restrictions in theexport of cryptography because of thegovernment’s fear that their intelligenceactivities are hampered by the useof cryptography by scoundrel states.Governments in these countries tried toblock the access of these foreign entitiesto cryptography systems or cryptographycodes. It’s clear that these governmentswanted to deny their enemies the potentialsof cryptography technology. Monitoringdiplomatic communications will be difficultif no restrictions are in place. The reasonsfor controlling cryptography exports arebecause governments are worried aboutthe misuse of cryptography, where if itis misused it may be detrimental to theinterests of a country.The Controls That Are Contrary toWassenaar AgreementThe Wassenaar Arrangement wasestablished in order to contribute toregional and international security andstability, by promoting transparencyand greater responsibility in transfersof conventional arms and dual-usegoods and technologies, thus preventingdestabilising accumulations. Participatingstates seek, through their national policies,to ensure that transfers of these itemsdo not contribute to the developmentor enhancement of military capabilitieswhich undermine these goals, and are notdiverted to support such capabilities.The Wassenaar Arrangement is aninternational agreement between 33participating nations with the followingbeing one of its main objectives (copiedverbatim from the Initial Elements):“It is stated that the arrangement will notbe directed against any state or group ofstates and will not impede bona fide civiltransactions. Nor will it interfere with therights of states to acquire legitimate meanswith which to defend them pursuant toArticle 51 of the Charter of the UnitedNations.”This aim stated that it is not prohibited ifthe purpose is for self-defence. However,immediate emphasis will happen if anydevelopment which threaten regional orinternational stability and security. This aimclearly stated that the Wassenar Agreementis not to be used legitimately to obstructgenuine civil transactions. This means thatproducts that are designed for civil useshould not be restricted by control.There are several issues that relate toexport controls on cryptography under theWassenaar Agreement. The most importantissue is even if cryptography is assessed asimportant in military terms; it is a purelydefensive technology with no offensiveuses. Cryptographic products are entirelypassive products with a single purposeof defending and protecting informationassets from an aggressor who, for theirown reasons, seeks to gain access to them.Given its passive and entirely defensivenature, it is thus hard to see any case forthe control of cryptographic products underthe Wassenaar Arrangement – they simplyare not capable of being used offensively inany manner.Export controls over cryptographic productsalso affect public civil transactions andapplications. The protection of nationalinformation assets, the developmentof secure electronic commerce and theprotection of the privacy of citizens all nowdepend on civil cryptographic productsthat are subjected to existing exportcontrols. Export controls on cryptographicproducts have a severe impact on such civiltransactions. This is in direct contraventionof the aims that clearly stated that the9e-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011)© CyberSecurity Malaysia 2011 - All Rights Reserved
Page 3: MyCERT 3 rd Quarter 2011 Summary Re
Page 6 and 7: 4compared to the previous quarter.
Page 8 and 9: 6Based on the statistics, there was
Page 12 and 13: 10Wassenaar Agreement “will not i
Page 14 and 15: 12transactions, electronically thro
Page 16 and 17: 14deciding if software is considere
Page 18 and 19: 16SPAM, the Annoying Culprit on the
Page 20 and 21: 18Figure 4: The distribution of spa
Page 23 and 24: “wire-once” settings pool bare-
Page 25 and 26: San Francisco, CA. McKesson has dou
Page 27 and 28: 3. Consistency:It means that the be
Page 29 and 30: Mathematics Operations in BinaryNum
Page 31 and 32: compare the difference between a bi
Page 33 and 34: divided, it will remain as remainde
Page 35 and 36: Criteria is in a better spot to pro
Page 37 and 38: ASPECTS PLAN EXECUTE ANALYSISObject

MyCERT 3rd Quarter 2011 Summary Report - CyberSAFE Malaysia

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?