CFP96 Paper

For the plenary session: International Developments In Cryptography

Nick Mansfield

ISCH/4
Technology Consultancy Information Services
Shell International B.V.
Postbus 162
2501 AN Den Haag Netherlands
31-70-3776778 fax 31-70-3776805
100126.3211@compuserve.com

Commercial Use Of Cryptography

The views in this paper are those of the author and not necessarily those of Shell International B.V. or any other Shell Group Company. Shell Petroleum Company Inc. (USA) is independent within the Shell Group. This independence includes security matters. None of the contents of this paper applies to Shell Oil Company USA.

Shell Companies

Shell companies together now form one of the largest business enterprises in the world. The several hundred operating companies around the world are engaged in various branches of oil, natural gas, coal, chemicals, metals and other businesses. Many of the companies are joint ventures in which Shell companies own some of the shares while the remainder are held by government, by companies outside the Group, or by private investors. Service companies, variously located in the Netherlands or UK provide specialist advice and services to other Group and associated companies.

Information Security in Shell Group Companies

Group information security advisers are located in The Hague and London central office service companies. Group security policy states that "Procedures must be implemented and tested to assure the security of information and the continuity of business in the event of a disaster." This policy is implemented by following best practices as baseline security standards. "A Code of Practice for Information Security Management", published as British Standard 7799, is the principle source of these practices.

The Business Cases For the Use of Cryptography

Confidentiality

Cardinal de Richelieu once said "Secrecy is the first essential in affairs of the State." (Testament Politique, "Maxims" (1641).) In an increasingly competitive world confidentiality is becoming more essential in the affairs of business. The reasons are as follows.

(1) Government intelligence gathering:

Since the end of the Cold War new trends have emerged: economic competitiveness of nations and its impact on the role of national intelligence agencies have become matters of public debate. There are indications of intelligence capabilities re-directed to targets in business and industry. Retired members of these communities are entering the market place offering intelligence and security consultancy in one breath. Scientific, technological and commercial information in key sectors such as energy will be at risk as ever.

"Neither the FBI nor the rest of the intelligence community can definitely state the breadth and depth of the problem of economic espionage. We do know that over 50% of the countries in the world finance the use of intelligence to collect some aspects of our nation's plans, programs, institutions or individuals. This amounts to over 90 countries in the world."
--David G. Major, FBI Intelligence Division from a speech to ASIS 39th Annual Seminar (1993)
Our commercial competitors do not pose a threat. The scope and scale of enterprise relationships are such that it is not in the interests of any partner to jeopardise relationships for short term advantage.

(2) Organised crime:

The scope and scale of contracting inevitably attracts undesirable attention. There are rings of highly professional information brokers seeking to manipulate the placement of contracts for gain. In some instances the level of sophistication is very high as these brokers attempt to obtain the key information.

(With thanks to our security colleagues in EXXON)

(3) Legislation:

Several countries have passed laws which require the protection of personal information. When personal information is stored or communicated electronically across international borders encrypting it is the only way to meet legal obligations. Clustering by some companies results in information technology (IT) services operating seamlessly across international borders. (Global Information Infrastructure (GII), Industry Recommendations to the G7 meeting in Brussels February 25/26, 1995)

(4) Civil unrest:

The threats of kidnapping, terrorism, civil unrest and even wars are ever present somewhere in the world. Secure communications play an essential part in the response to these situations. They can contribute to the confidence to continue to do business under difficult circumstances. An example is the encryption of travel details where the threat from kidnapping is very high. Authentication

Electronic business communications play an increasingly key role in maintaining competitive edge. This means exploiting all forms of electronic communications available. It also means continually reducing costs and maximising the benefit. Historically Shell companies exploited telex communications during a period of over 50 years. A Shell telex conveyed management authority as well as content. To make telex efficient service company specialist staff operated a private automated network. The level of trust in the telex system was such that the operating or service company Reference Indicator as a signature on a message was good enough to prompt action. Traditional paper contracts and confirmations were rigidly maintained in case of a dispute.

Recently other forms of electronic business communications have progressively replaced telex. Shell companies were very early in exploiting electronic data interchange. Migration to electronic mail from telex ended in 1994. The business benefits are direct access to a global communications service and significant cost reductions. Business e-mail business communications now comprise individual company e-mail services interconnected by international message services. Gateways to public e-mail services have also been established, including to the Internet.

New Business Environment

Remote sites, mobile users, companies cluster, partnerships, Value added networks, public networks, Internet, Customer and Vendor connectivity, Third party support

Migration to new forms of electronic communications has necessitated re-engineering some business activities. Use of paper to authenticate electronic communications is becoming increasingly untenable. Mindful of the difficulties in dual use encryption technology, it has been announced that Shell operating companies will use the Federal Information Processing Standard 186, Digital Signature Standard. This decision takes the least line of resistance. Enterprise partners are encouraged to follow the example.

All international enterprises need digital signature standards which will not be caught up in privacy and export issues. The only exceptions to this view are those with vested interests, such as banks. Some wish to protect their investments in rival standards. Others seek to exploit their privileged access to restricted technology to market new services. Authentication of the origin and contents of electronic business communications is only one step. Computer based networks, services and applications are increasingly shared across enterprises which are dynamically changing. The business response is gradual movement towards a distributed computing environment based on open standard technologies such as the Open Software Foundation DCE. The business benefits of using DCE depend on the availability of public key cryptography to support confidentiality and authentication. The present single security domain authentication and symmetric encryption mechanisms, based on Kerberos and DES, are inadequate. Authentication based on public key certificates and following the CCITT X.509 standard is probably the only practical approach to a solution.

Organisation of the use of cryptography

Cryptography has been described as a sharp weapon of the state. This is well understood and cryptography is therefore strictly controlled. The myriad and diversity of government controls on export, import and usage of cryptographic equipment must also be negotiated carefully. Group information security advisers have specific responsibilities for selecting and planning use of cryptography. To maintain a proper segregation of duties operational control is carried out by another service company. Chief executive officers (CEOs) are personally responsible for cryptographic equipment and its proper use within their companies. In many cases the CEOs are end users as well so there is no difficulty in convincing them that this is one responsibility they cannot delegate.

Just as in a state, the ability to control internal affairs is central to business requirements. In this respect the internal controls within Shell companies reflect those in a responsible state. Cryptographic technology and key management are centrally controlled.

The procedures for obtaining and using cryptography demonstrate how seriously the responsibility to exercise control is taken. Requests for crypto equipment must include a business justification, generally a validated threat assessment as per the Code of Practice. A request may be refused on grounds that the company is about to leave the Group. If a request is accepted a purchase order is prepared and the company asked to complete an end user statement for the export license application. In some cases this process is made easier because the equipment is unique to the Shell Group, consequently there are fast track arrangements in place. Ownership of crypto equipment is not allowed to leave a Shell company. Equipment is recovered before any company leaves the Group. There is always a feature in the equipment which makes it useless unless supported from within the Group. Generally this will be the uniqueness of the algorithm or some part of the key management mechanism.

Compliance with local import and usage regulations is the responsibility of the local CEO. Group information security advisers help when requested. In most cases CEOs are able to manage compliance unaided. In one country a CEO was given permission to import and use crypto equipment after personally signing a letter to the prime minister undertaking that it would only be used for proper business purposes. In other countries the operating company may be given permission on the grounds of a mutual security interest with the local government. As a shareholder in a company a local government may insist that sensitive information is properly protected.

There have been few difficulties deploying or using equipment. Care has been taken in sourcing crypto equipment to minimise the costs of applying for export licenses.

Experience in the use of cryptography

Shell companies have used cryptography for many years. The scale and diversity of deployment has moved in response to changing threats. Telex encryption used to be the principle method of protecting sensitive or personnel messages transmitted between companies. This has been replaced by voice, facsimile and computer file encryption. Cryptographic equipment is always independently evaluated, including the algorithm, before being taken into service. Untested "black boxes" with secret contents are never used. A specialised key management scheme is usually required to satisfy the diversity of business environments. Centralised key management provides for operability between companies and an instrument of control. Details about equipment, keys or the algorithm, are never revealed. Care is also taken to ensure that if a compromise occurs exposure is localised.

Considerable experience in managing export control issues has been accumulated. This has gradually reduced the effort required to deploy new equipment. Good relations have also been built up with national authorities through co-operation.

The difficulties of making encryption equipment operate reliably over diverse telecommunications environments have often been much greater than deployment or maintaining security.

Future directions

"The 21st century will be marked by information wars and increased economic and financial espionage. All sorts of knowledge will become strategic intelligence in the struggle for power and dominance. The race for information of all kinds will be motivated not only by the desire to lead but will be required to avoid obsolescence. It is information that will be the moving force in the 21st century."
-- Alvin Toffler

The threats posed by governments, organised crime and civil unrest outlined earlier are unlikely to change in the future. Companies will continue to need to protect confidentiality according to their business needs. Demand for the protection of personal information held on computers means that more countries are expected to introduce data privacy legislation. At the same time concerns over maintaining law and order are resulting in pressures to introduce stricter controls on encryption technology. The requirement to protect personal information is likely to become universal. There is a requirement for an encryption standard to protect personal data. The growth in computer literacy and the pervasiveness of networking means that business must give more attention to security aspects. In some instances inadequate security is inhibiting business development.

Proprietary encryption solutions restricted to a particular application or business sector are expensive to deploy and maintain. The scale of deployment means that continuously upgrading minimum security, to keep pace with technology, cannot be cost justified or sustained. This leads to a requirement for high level security including strong cryptography.

Computer security requires strong authentication to clearly identify entities. Only when this is in place will controls operate effectively. Strong authentication of the integrity of data is particularly required for safety critical applications. Both are required for secure electronic commerce. Adoption of the DSS is a step forward, however a global public key infrastructure to support it is missing. Significant reduction of operational costs of complex and diverse networks can only be achieved by reducing the number of application management systems. Ideally, a single security management facility would be able to grant access to all applications and interoperate with other enterprise security management facilities. This implies that there is a requirement for a standard logical "passport" recognised and widely accepted. The "passport" can then be used to carry access "visas" or privileges. The X.509 certificate format is the preferred standard.

State concerns about law and order extend downwards into business. Enterprises must have the means to control themselves. Encryption can be a two edged weapon so key escrow is essential to ensure business information is not irretrievably lost or denied. In this sense government concerns, to have independent access to encryption keys to maintain law and order, and business interests are the same. What is missing is trust that an access mechanism cannot be abused or cause false evidence. A trustworthy international key escrow infrastructure based on X.509 certificates will meet fundamental present and future business needs (see GII Industry Recommendations).


Back to CFP96 plenary session page

Back to CFP96 home page


Last updated June 26, 1996
cfp96@mit.edu