5.8 LEGAL ISSUES


There are some legal issues to keep in mind when using cryptographic techniques. In particular, there are patent claims; regulations for the import, export, and use of cryptography; and legislation for electronic and digital signatures. Some legal issues are briefly mentioned next. You may refer to [31, 32] for more information about the legal implications of using cryptographic techniques.

5.8.1 Patent Claims

Patents applied to computer programs are usually called software patents. In the U.S. computer industry, software patents are a subject of ongoing controversy. Some of the earliest and most important software patents granted by the U.S. Patent and Trademark Office were in the field of cryptography. These software patents go back to the late 1960s and early 1970s. Although computer algorithms were widely thought to be unpatentable at that time, cryptography patents were granted because they were written as patents on encryption devices built in hardware. Indeed, most early encryption devices were built in hardware because general-purpose computers simply could not execute the encryption algorithms fast enough in software. For example, IBM obtained several patents in the early 1970s on its Lucifer algorithm, which went on to become the DES [16]. Today, many secret key cryptosystems also are covered by patent claims. For example, DES is patented but royalty-free, whereas IDEA is patented and royalty-free for noncommercial use, but requires a license for commercial use. Later in the 1970s, many pioneers in the field of public key cryptography filed and obtained patents for their work. Consequently, the field of public key cryptography is largely governed by a couple of software patents. Some of them have already expired or are about to expire soon.

Outside the United States, the patent situation is quite different. For example, patent law in Europe and Japan differs from U.S. patent law in one very important aspect. In the United States, an inventor has a grace period of 1 year between the first public disclosure of an invention and the last day on which a patent application can be filed. In Europe and Japan, there is no grace period. Any public disclosure instantly forfeits all patent rights. Because the inventions contained in the original patents related to public key cryptography were publicly disclosed before patent applications were filed, these algorithms were never patentable in Europe and Japan.[6]

Under U.S. patent law, patent infringement is not a criminal offense, and the penalties and damages are the jurisdiction of the civil courts. It is the responsibility of the user of a particular cryptographic algorithm or technique to make sure that correct licenses have been obtained from the corresponding patent holders. If these licenses do not exist, the patent holders can sue the user in court. Therefore, most products that make use of cryptographic algorithms or techniques include the licenses required to use them.

Finally, it is important to note that the IETF has a special requirement with regard to the use of patented technology in Internet standards track protocols. In fact, before approving a protocol specification for the Internet standards track, a written statement from a patent holder is required that a license will be made available to applicants under reasonable terms and conditions.

5.8.2 Regulations

There are different regulations for the import, export, and use of cryptographic techniques. For example, the United States has been regulating the export of cryptographic systems and technical data regarding them for quite a long time. These regulations have gone far beyond the Wassenaar Arrangement on export controls for conventional arms and dual-use goods and technologies.[7] More specifically, U.S. export controls on commercial encryption products are administered by the Bureau of Export Administration (BXA) in the Department of Commerce (DoC). Regulations governing exports of encryption are found in the Export Administration Regulations (EAR). Consequently, if a U.S. company wants to sell cryptographic systems and technical data overseas, it must have export approval by the BXA according to the EAR.

Unfortunately, the laws that drive the U.S. export controls are not too clear, and their interpretation changes over time. Sometimes vendors get so discouraged that they leave encryption out of their products altogether. Sometimes they generate products that, when sold overseas, have encryption mechanisms seriously weakened or removed. It is usually possible to get export approval for encryption if the key lengths are shortened. So, sometimes vendors intentionally use short keys or cryptosystems with varying key lengths. Probably the most widely deployed example of this kind is browser software (e.g., Netscape Navigator and Microsoft Internet Explorer) that comes in two versions: the U.S. domestic version that uses strong encryption with 128-bit RC4 session keys, and the international version of the same product that uses encryption with only 40-bit RC4 session keys. Because of some recent cryptanalytical attacks and breakthroughs, it seems that a lower bound for a key length that protects against a brute-force attack is 80 bits [33]. This value may still serve as a good rule of thumb.

On January 14, 2000, the BXA published a regulation implementing the White House's announcement of a new framework for U.S. export controls on encryption items (the announcement was made on September 16, 1999).[8] The policy is in response to the changing global market, advances in technology, and the need to give U.S. industry better access to these markets, while continuing to provide essential protections for national security. The regulation enlarges the use of license exceptions, implements the changes agreed to at the Wassenaar Arrangement in December 1998, and eliminates the deemed export rule for encryption technology. In addition, new license exception provisions are created for certain types of encryption, such as source code and toolkits. There are some countries exempted from the regulation (i.e., Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria). In these countries, some or all technologies and products mentioned in this book will not be available. In all other countries most technologies and products mentioned in this book will be available.

5.8.3 Electronic and Digital Signature Legislation

In the recent past, many countries have enacted electronic or digital signature laws in an effort to facilitate electronic commerce (e-commerce) and e-commerce applications:

  • In the European Union (EU), the European Parliament and the Council of the European Union adopted Directive 1999/93/EC on a community framework for electronic signatures[9] on December 13, 1999. The purpose of the directive was (and still is) to facilitate the use of electronic signatures and to contribute to their legal recognition in Europe. According to the directive, EU "member states shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive before 19 July 2001." As of this writing, several EU member states already have an electronic signature law or are about to draft and enact one.

  • In the United States, former president Bill Clinton signed the Electronic Signatures in Global and National Commerce Act (E-SIGN) on June 30, 2000. The E-SIGN Act implements a national uniform standard for all electronic transactions that encourages the use of electronic signatures, electronic contracts, and electronic records by providing legal certainty for these instruments when signatories comply with its standards. The E-SIGN Act became effective on October 1, 2000.

In addition, many countries outside the EU and the United States have enacted electronic or digital signature laws or are about to work out the legal details thereof.

Unfortunately, the formal specification of requirements for both certification service providers (i.e., CAs) and cryptographic devices that can be used to securely store private keys and generate digital signatures (e.g., smart cards or USB tokens) is very difficult and challenging in practice. For example, how do you measure and quantify the security and trustworthiness of a commercial certification service provider? What criteria are relevant? How do you take into account organizational criteria? Similarly, how do you measure and quantify the security of a cryptographic device that is used to store private keys and/or digitally sign documents? Does the device, for example, really sign what the user sees on the screen (i.e., "what you sign is what you see") or can it be spoofed with wrong input data? Keep in mind that the cryptographic device runs in a potentially hostile environment and that any kind of spoofing attack is possible there. The requirements for certification service providers and cryptographic devices tend to be either too strong or too weak:

  • If the requirements are too strong, their implementation may become too expensive and prohibitive in practice. This is basically what happened in Germany when the first version of a signature law was put in place some years ago.

  • If the requirements are too weak, their implementation—or the security thereof—may be challenged in court. Consequently, the legal value of the resulting electronic or digital signatures may not be very high.

Against this background, it will be interesting to see the requirements of future electronic and digital signature legislation. In either case, there is still a long way to go until we use electronic or digital signatures the same way we use handwritten signatures in daily life.

[6]As a consequence of the lack of patent claims, public key cryptography has been more widely adopted in European countries and in Japan.

[7]The Wassenaar Arrangement is a treaty originally negotiated in July 1996 and signed by 31 countries to restrict the export of dual-use goods and technologies to specific countries considered to be dangerous. The countries that have signed the Wassenaar Arrangement include the former Coordinating Committee for Multilateral Export Controls (COCOM) member and cooperating countries, as well as some new countries such as Russia. The COCOM was an international munitions control organization that also restricted the export of cryptography as a dual-use technology. It was formally dissolved in March 1994. More recently, the Wassenaar Arrangement was updated. The participating countries of the Wassenaar Arrangement are Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, The Netherlands, New Zealand, Norway, Poland, Portugal, The Republic of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom, and the United States. Further information on the Wassenaar Arrangement can be found on the Web by following the URL http://www.wassenaar.org.

[8]http://www.bxa.doc.gov/Encryption

[9]http://europa.eu.int/comm/internal_market/en/media/sign/




Internet and Intranet Security
ISBN: 1580531660
Year: 2002
Pages: 144
