The Australian Crypto FAQ
Last Updated: 30 April 2005
Scope
This FAQ provides information about the laws, policies and politics related to cryptography usage and export in Australia. By way of background, it also contains some basic information about why people use cryptography and the technology of cryptography software.
The original Australian Crypto FAQ was prepared by Glenn Pure <Glenn.Pure@pcug.org.au> and Greg Taylor <gtaylor@efa.org.au> in 2001, and the FAQ was updated & revised in 2004 by Nick Ellsmore <nellsmore@efa.org.au>.
Table of Contents
1.
What is cryptography and how does it work?
2.
Why is cryptography so controversial?
3.
What restrictions are in place to limit use of crypto in
Australia?
4.
Does the Australian government have a current public policy
on domestic use of crypto?
5.
Who are the current users of crypto domestically and why is
it significant?
6.
What crypto resources are available to domestic users?
7.
What impact have US export controls on crypto had on
Australian usage?
8.
What laws or restrictions exist regarding export of
encryption products from Australia?
9.
What is the Wassenaar Arrangement?
10.
What conditions must be met to obtain an export
license?
11.
Is there a significant domestic industry making crypto
products and where can I find them?
12.
What standards exist for use of crypto in Australia and
internationally?
13.
What is key recovery and why is it causing a fuss?
14.
What is a digital signature?
15.
What is a public key infrastructure and why is it
important?
16.
What progress has been made in Australia in setting up a
public key infrastructure?
17.
What is EFA policy on encryption?
18.
What is the policy of other industry organisations?
1. What is cryptography and how does it work?
Cryptography, in its classic form, is a technology used to "scramble" information into an unreadable form. A newspaper cryptogram is a simple form of cryptography, although one which is trivially easy to break. Computers have revolutionised cryptography and have enabled incredibly powerful ciphers to be deployed.
Computer ciphers have two chief components: a method (or algorithm) and a key. The two are used together to encrypt a message or file. The algorithm is public but the key is kept secret. Anyone who has the key can used the decryption algorithm for the cipher to unscramble a message or file. The key is usually just a big number.
Ciphers come in several different types. The two main ones of interest are:
secret key cryptography - this is also called symmetric cryptography because the same key is used for encryption and decryption. Common symmetric algorithms include DES, Triple-DES (3DES), IDEA, and the Advanced Encryption Standard (AES), Rijndael.
public key cryptography - this is also called asymmetric cryptography because different keys are used for encryption and decryption. Public key systems usually rely on key pairs, one of which is the public key which can be given to anyone and the other being the private key which must be kept a secret by its owner. Asymmetric encryption algorithms include RSA, El-Gamal, and Eliptic Curve.
Computer cryptography is already in widespread use, although not many people may realise this. Common applications include:
protection of information transmitted during electronic banking transactions, such as automatic teller machine transactions, EFTPOS purchases and Internet transactions.
encryption of email sent over the Internet for confidentiality and integrity – ensuring that there has not been tampering with the message in transit
encryption of files stored on computers - again to protect their confidentiality
public key cryptography forms the basis of digital signatures which are an essential part of Internet electronic commerce and provide for message integrity and authentication
provision of encrypted communications links between geographically diverse offices of an organisation, or between organisations, to provide secure communications and assurance that each site is talking to the correct party at the other end
Cryptography is now an essential tool for many businesses and governments to protect valuable confidential information both when it is stored in their computer systems and when it is transmitted from one location to another over public networks. Without cryptography, it would be very difficult or very expensive to protect this information. For individuals, it is an extremely valuable tool to protect private information or communications.
For a backgrounder on cryptography see The art and politics of cryptography by Glenn Pure, and Cryptology: Law Enforcement & National Security vs Privacy, Security & The Future of Commerce by Nick Ellsmore.
2. Why is cryptography so controversial?
Sophisticated cryptographic software is readily available now to virtually anyone who wants it, and often at little or no cost. It is readily and legally available from sites on the Internet hosted in a variety of countries. Much of this software is extremely powerful, to the point where it would be difficult, time consuming and expensive – if not impossible – for many governments or their defence agencies to retrieve the original message without access to the key.
Historically, the greatest use for cryptography has been in the military. As a result, cryptography was carefully restricted by governments and their military intelligence organisations, which meant that it was easy for governments to 'control' the privacy of individuals and accessibility of communications. In doing so, governments could be fairly confident that an intercepted communication could be understood because very few people used encryption.
The wide availability of strong cryptography has fundamentally shifted the power base. Individuals & friends can now control their own privacy if they so desire. Governments and their law enforcers are uncomfortable about this recent shift in power. In response, the governments in some countries have attempted to control access to strong cryptography. However, this is by no means a practical solution. The reality is that cryptography is an essential tool for honest businesses and individuals to protect commercial and other information stored electronically or transmitted over networks (including the Internet) - which is how business is being increasingly conducted today.
3. What restrictions are in place to limit use of crypto in Australia?
There are currently no direct controls limiting the import of cryptographic software or hardware to Australia, nor for the domestic use of cryptography within Australia (export of cryptographic technology is a different story). Even so, there are some limits in place or currently planned which can have a similar effect.
The Telecommunications Legislation Amendment Bill 1997 was passed by the Senate in November 1997. For a good analysis of the Bill, see Nigel Waters’ article “Telecommunications Interception - extending the reach or maintaining the status quo?”, published in 4 Privacy Law & Policy Reporter 110, November 1997.
The purpose of the bill was to amend several existing Acts including the Telecommunications (Interception) Act 1979. The amendments implemented requirements for carriage service providers (CSPs) to provide, at the CSP's expense, access to any data or communications which they transmitted for their customers. CSPs include a wide range of telecommunications service providers including telephone service providers and Internet Service Providers (ISPs).
Importantly, the amendments required the CSP to decrypt any data which the CSP was responsible for encrypting for a customer. The legislation did not require the CSP to decrypt data or messages which the customer personally encrypted - ie encryption which did not involve the CSP.
Nevertheless, end-user encryption is often easy to perform, especially for computer-generated messages such as email. Software packages are readily available for this purpose. Telephone and fax can also be encrypted by end-users, but this generally requires a hardware black box from a commercial supplier. As Voice over IP (VoIP) uses standard Internet protocols, it can also be encrypted using readily available software packages.
Prior to the November 1997 amendments, the government still had mechanisms for gaining access to the plain text of any data or messages encrypted by a CSP. The government could withhold the approval for any new telecommunications service which a CSP proposed to supply unless the service was capable of providing access for authorities to the plaintext of any message. A recent example of the application of this was the rollout of Telstra's revamped ISDN OnRamp service in 1997. Availability of the new service was delayed until systems were in place for interception of any traffic transmitted using this service. A similar delay occurred with the introduction of GSM mobile phones.
While encryption can be used freely within Australia, the Cybercrime Act 2001 includes provisions for law enforcement to compel the disclosure of encryption keys, passwords, and any other details necessary to obtain evidence in a protected or encrypted state. Penalties up to and including imprisonment can be imposed if a person does not comply with such an order. This reverses the situation prior to the introduction of the Act, whereby a user could refuse to provide encryption keys necessary to decrypt data if such an act would result in incriminating one’s self.
4. Does the Australian government have a current public policy on domestic use of crypto?
There has been silence from the federal government for some time on broader cryptography policy. Activity in this area tends to occur via the executive arm of Government, particularly the Defence Signals Directorate (DSD), who have been active recently in updating the associated regulations.
In 1996, the Federal Government did make substantial steps towards developing a policy on the use of cryptography in Australia. A report was commissioned from Mr Gerard Walsh, a former deputy head of the Australian Security Intelligence Organisation (ASIO). On one side of the debate is the argument that free access to cryptography by the general public enables them to fulfil their right to protect the privacy of their communications, including commercially valuable data. On the other side, the government argues that it needs to control the use of cryptography to enable eavesdropping on phone calls, email etc, as well as access to data stored on seized computer systems as part of its law enforcement activities.
The planned release of the Walsh Report for public comment was withheld by the Attorney-General's department. EFA eventually obtained a redacted copy of the report under the Freedom of Information (FOI) Act and has published it on the EFA Web site. As indicated on the Walsh Report pages of the EFA site, subsequent to the FOI release, an uncensored version of the document was obtained, and the previously unavailable material was added to the site and highlighted.
The Walsh Report comes out in favour of free access to cryptography by the public. The conclusions in the report are especially interesting in view of Mr. Walsh's background with ASIO. Some have suggested that the report was withheld because it did not reach the "right" conclusions that use of cryptography should be restricted. The status of current thinking in the government is unknown. Subtle changes to the regulatory regime around the export of cryptographic software and hardware have occurred over the last few years, however these have not been explained in the context of any broader policy in this area.
5. Who are the current users of crypto domestically and why is it significant?
Cryptography has now matured to the point where individual computer users are now commonly using the technology to ensure their privacy and security. The Office of the Federal Privacy Commissioner (OFPC) has released guidance notes recommending that users implement encryption software as a “Privacy Enhancing Technology”.
In addition to home users, major users of cryptography in Australia exist both in government and business. In the business community, cryptographic software is used very widely, with industries such as banking & finance, insurance, telecommunications, and health & welfare, using the software asa a crucial part of their information security and privacy strategy.
Many widely deployed software applications include cryptographic capabilities. All popular Internet browsers, such as Microsoft Internet Explorer, Netscape Navigator, Mozilla Firefox and Opera, provide such capability, to allow for secure electronic commerce.
For email encryption and digital signatures, the current de facto standards are PGP (Pretty Good Privacy), for which an open-source version known as GPG is also available, and S/MIME which has been integrated into most mainstream e-mail packages. There is also a wide range of other commercial, shareware and freeware software available for file or message encryption, and digital signatures.
6. What crypto resources are available to domestic users?
A large amount of software is available as freeware or shareware from Internet sites and computer bulletin boards. A good example is Pretty Good Privacy (PGP) which is widely used for email encryption and digital signatures, and variants such as the GNU Privacy Guard (GnuPG). When downloading cryptographic software, it is important to ensure that the software has not been ‘weakened’ as a result of the export laws in the country of origin.
Within Australia, encryption software can be freely used and exchanged within national boundaries. A number of local firms also produce cryptographic software and hardware.
Until a few years ago, most available versions of Internet browsing software were limited to providing 40-bit encryption – a level that is widely accepted as being inadequate for sensitive transmissions. However, with easing of export restrictions in the USA, most versions of Internet browsing software are now not only capable of 128-bit encryption, but a large number of Internet sites will not accept connections using only 40-bit encryption.
A number of open source crypto “toolkits” are available, with one of the best known being OpenSSL. OpenSSL is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The OpenSSL home page is http://www.openssl.org and contains a large amount of valuable material both for developers, researchers, and end users of cryptographic systems.
7. What impact have US export controls on crypto had on Australian usage?
The large market share of US computer software and hardware developers also places them in the front seat for controlling computing and network standards. Since cryptography requires both the sender and the receiver(s) to communicate using the same protocols (ie standards), any US limits on cryptography might affect standards, which in turn might affect the types or strength of encryption available to users in many other countries including Australia.
The US limits have had an effect in Australia, but in an indirect way to date. Because of the large international market share held by some US software companies, many of the products of these firms have become defacto standards. Cryptographic modules are an important part of some software packages. Internet web browsers provide a good example. The most widely used browser in the world is Internet Explorer (Microsoft), which was developed in the US and contains cryptographic components that can be used for secure Internet communication (for example to make a credit card purchase over the Internet). In the past, exported versions of this browsers contained severely weakened encryption in order to comply with the export controls.
Over time the US have considerably eased the restrictions in place with respect to export of cryptographic software. The most recent easing has resulted in:
- Any crypto of any key length can be exported under a license exception, after a technical review, to non-government end users in any country except specified “terrorist countries” (at the date of writing, six countries were specified: Cuba, Iran, Libya, North Korea, Sudan, and Syria). Exports to governments can be approved under a license.
- Retail crypto (crypto which does not require substantial support and is sold in tangible form through retail outlets, or which has been specifically designed for individual consumer use) of any key length can, after a technical review, be exported to any recipient in non-terrorist countries.
- A license exception is introduced for export of any crypto product to any end user (government or non-government) in the 15 EU countries, Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland, and Switzerland. Such crypto (of any key length) can be exported to these countries prior to the technical review being completed, so long as the technical review has been registered with the Bureau of Industry & Security.
An additional impact of the US export controls has been the encouragement provided for development of cryptographic products to occur outside the US. RSA have a development lab in Queensland, SSH was developed in Finland, Checkpoint is based in Israel, and there are many other examples.
8. What laws or restrictions exist regarding export of encryption products from Australia?
The Australian position on cryptographic export controls can be found in the Customs (Prohibited Exports Regulations) - Schedule 13E and the Customs Act 1901 Section 112 (Prohibited Exports). Items prohibited under this legislation are listed in the Defence and Strategic Goods List of the Australian Controls on the Export of Defence and Dual-Use Goods (last updated December 2003). Crypto software is identified under Part 3, Category 5/2 of these controlled goods.
These controls are administered by the Defence Trade Control and Compliance (DTCC) Section within Industry Division of the Defence Materiel Organisation who have the authority to approve permits and licenses. Those goods which require a Defence permit or license are listed in the “Defence and Strategic Goods List” (DSGL). The Australian controls are based on the international Wassenaar Arrangement. Evaluation of license applications is carried out by Defence Signals Directorate, who provide technical advice to Defence Trade Control and Compliance, Australia's licensing authority.
In the Defence and Strategic Goods List issued in October 2003, it is indicated that Australian export controls do not apply where software/hardware meet all of the following conditions (known as the “Cryptography Note” in the DSGL):
- Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
- The cryptographic functionality cannot easily be changed by the user;
- Designed for installation by the user without further substantial support by the supplier; and
- When necessary, details of the goods are accessible and will be provided, upon request, to the competent authorities of the Member State in which the exporter is established in order to ascertain compliance with conditions described in paragraphs a. to c. above.
In Australia, first time exporters have been required to submit a “One-Time Review Application Form” to comply with part ‘d’ above. This form appears to have been removed from the Internet and it is suggested that prospective exporters contact Defence Trade Control and Compliance (DTCC) for details. If the goods are assessed as controlled items, applicants are required to lodge an Export Application Form.
An exception to the rules is the Personal Use Exemption, which allows encryption software to be taken out of the country under defined conditions, e.g. installed on a notebook computer. No permit is required in this case. There are also exemptions for authentication-only products and limited application devices such as ATMs and smartcard readers as well as a broader exemption for the banking & finance industry.
See the official Department of Defence Export Controls website for further details.
9. What is the Wassenaar Arrangement?
The full name of this international agreement is The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The Dual-Use section of the Arrangement forms the basis for most national controls over the export of cryptography products. It does not have treaty status in Australia. A copy of the Wassenaar Arrangement is available from the Wassenaar Secretariat site in Vienna.
According to a Foreign Affairs document from April 1996:
The Wassenaar Arrangement is the successor regime to the Co-ordinating Committee for Multilateral Export Controls (COCOM) established by NATO in 1949 to control the export of military equipment and dual-use technologies to Warsaw Pact states. Negotiations to establish a successor regime to COCOM commenced in 1993 and COCOM was terminated in March 1994.The basic objective of the Wassenaar Arrangement is to prevent the acquisition of conventional arms and sensitive dual-use technologies for military end-uses by States whose behaviour is, or becomes, a cause for serious international concern. It is designed to complement existing weapons control and non-proliferation regimes (the Missile Technology Control Regime, the Nuclear Suppliers Group and the Australia Group) and is not intended to impede bona fide civil transactions.
The 33
participating states are:
Argentina, Australia, Austria,
Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland,
France, Germany, Greece, Hungary, Ireland, Italy, Japan,
Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal,
Republic of Korea, Romania, Russian Federation, Slovak Republic,
Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom and
United States.
Source: Wassenaar
Secretariat, Vienna.
The Wassenaar Arrangement (WA) controls are contained in the munitions list and the dual-use goods and technology list. Encryption software is controlled under Category 5 (Part 2) on the List of Dual-Use Goods and Technologies. Refer to the Australian Controls on the Export of Defence and Dual-Use Goods for more detailed information.
10. What conditions must be met to obtain an export license?
The Instruction Sheet for the Export Application Form details the requirements for completing the application for an export licence or permit. The one-time review of cryptographic goods has previously involved the provision of technical specifications and/or brochures that accurately describe the equipment, goods or technology. It is not clear as to the specifics that are examined in a review, other than assessing compliance to the Cryptography Note:
b. The cryptographic functionality cannot easily be changed by the user;
c. Designed for installation by the user without further substantial support by the supplier
However, information gleaned from various sources indicates that:
Applications for export to specific end users in "friendly" countries have a good chance of approval.
Applications for products using well known cryptographic algorithms and common key-lengths present few problems.
Export via the Internet is regarded as requiring a license, even though the Customs Act does not appear to cover "intangibles".
11. Is there a significant domestic industry making crypto products and where can I find them?
A significant and growing part of the burgeoning IT sector in Australia is involved in the development of general and special purpose cryptography and information security products.
A list of known suppliers is provided as an appendix to this FAQ. This list is made available for general information purposes only and is not intended to be an endorsement of the quality or suitability of any product for its intended purpose.
12. What standards exist for use of crypto in Australia and internationally?
A wide range of standards exist both for the mathematical algorithms used in an encryption system, and for the way those algorithms are applied.
Algorithms
The Data Encryption Standard (DES) is a 56-bit key algorithm adopted as a FIPS standard in the late 1970s, however this FIPS accreditation was removed in 2004 as the integrity of the ageing algorithm was compromised. DES remains widely used in the banking and financial sector, however has been exposed as vulnerable to a brute-force attack using a purpose-built computer. Very few new deployments within critical industries such as banking & finance use the DES algorithm and within Government the DSD have indicated that the algorithm will no longer be acceptable after 1 January 2005. However, a variant known as “Triple DES” (3DES), effectively using a 168-bit key, has extended the lifespan of the algorithm considerably. Many new system deployments are using the Advanced Encryption Standard (AES), Rijndael, which was explicitly selected as the next generation standard to replace DES & 3DES.
Applications / Uses
The following standards take encryption algorithms such as those mentioned above, and apply them to meaningful business problems. In turn, the use of the algorithms in such a fashion, itself becomes a standard.
- SSL/TLS: An important exisiting protocol is the Secure Sockets Layer (SSL). This is not an official standard but is widely used in major Web browsers to conduct encrypted exchanges over the Internet. TLS (Transport Layer Security) which is the successor to SSL is an official standard of the IETF. Generally speaking, when shopping or banking on the Internet, when the ‘padlock’ appears in your Internet browser window, SSL or TLS encryption is being used.
- SSH (Secure Shell): A secure alternative to insecure protocols such as Telnet and FTP. While these protocols transmit user ID and password information in an unencrypted form, SSH establishes an encrypted connection similar to SSL, prior to sending any authentication data. Similarly, SCP (Secure Copy) provides a secure version of the ‘rcp’ protocol, through a Secure Shell.
- IPSec (Internet Protocol Security); A standard for security at the network or packet processing layer of network communication. Earlier security approaches have inserted security at the application layer of the communications model. IPSec is especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks.
- PGP (Pretty Good Privacy): A proprietary product that is very widely deployed and has become a de facto standard for e-mail and file encryption. A number of open-source implementations of the PGP product have also been developed, including GNU Privacy Guard (GPG).
- S/MIME: A non-proprietary approach to e-mail encryption, also widely used and integrated by default into most major e-mail clients. Both PGP and S/MIME have been formally endorsed as industry standards.
The suite of communications standards called X.509 has some encryption 'components', notably a specification for public key certificates which provide a means for storing and transmitting the public cryptography keys along with the identity of their owners.
13. What is key recovery and why is it causing a fuss?
A number of governments, including those in the US and UK, have proposed key escrow or key recovery schemes. The aim of the schemes is to allow authorised officials to decrypt intercepted messages. Law enforcement and intelligence agencies argue that without this ability, criminals can abuse cryptography to conceal illegal activity from the law.
Under key escrow, it would be mandatory for everyone using encryption products to provide a copy of their key to the government for law enforcement access. Under key recovery, the key would be kept by a third-party, generally a commercial service provider. Both systems generally claim that keys and/or plaintext would only be available to law enforcement with a court warrant.
The basis of key escrow and key recovery is that all encryption keys are stored in key repositories where government officials can obtain copies of them for use in decrypting messages. There are significant privacy concerns with this approach. There are also major risks in having large numbers of keys stored in central locations. Honest mistakes, corruption and criminal hacking all pose major threats.
A recent report by an ad hoc group of cryptographers claims that key escrow and key recovery schemes represent grave security risks and and technically unworkable, particularly for ephemeral session keys.
14. What is a digital signature?
A digital signature is a block of text appended to a message which has some special properties:
it depends on the contents of the message, so if the message changes, so will the signature. If the message changes after it is signed, the signature will be invalid and the recipient will be alerted to the message having been tampered with
it can only be generated by the sender and would be very difficult for anyone else to forge
it can easily be verified by the receiver, providing assurance of the origin of the message, and the integrity of the message content
Digital signatures are based on public key cryptography. Public key cryptography relies on each user having two related keys. One is the private key and must be kept a secret. The other is the public key and it can be given to anyone. A sender uses their private key to encrypt the digest of the message being sent. (The digest is a specially generated number which depends on the entire contents of the message. Special cryptographic functions called hash functions – such as MD5 and SHA-1 are used to generate the digests.)
The signature can't be forged because the sender's private key is only known to them. Anyone who has that person's public key can decrypt the signature and compare the result with their own digest of the message to prove that it matches the digest that the sender 'signed'.
As these signatures have the capacity to identify the “sender” of a message, they can also effectively be used as authentication credentials in place of a password.
A more detailed explanation of a digital signature can be found in the cryptography FAQ.
15. What is a public key infrastructure and why is it important?
Public key cryptography requires a user to possess two keys - a private key which must be kept secret and a public key which is usually posted in a public place where other users can obtain a copy of it (see the cryptography FAQ for an explanation of public key encryption and digital signature systems). In short, the purpose of a PKI is to provide the necessary regulation and structure around an encryption system, such that when a digital signature is used that claims to belong to “Person A”, the recipient of the signature has reason to believe that “Person A” has been correctly identified, has managed their key securely, and uses the key in good faith.
The participants in a PKI – including “Certification Authorities” (CA) who issue digital certificates – complete a wide range of tasks including:
They must have a means for providing confidence that a particular public key belongs to a particular user. The way this is usually done is for the person who wants to lodge their key to show up in person at an office of the CA and produce proof of their identity. The CA will then take their public key and digitally sign it with the CA's own key (in a tamper-proof way) to prove that the CA has verified the key belongs to its correct owner.
CAs must have a way of revoking certificates if a user happens to lose or compromise their private key (just as a credit card owner who loses their card needs to cancel it as quickly as possible). The most common way this is achieved is through a “Certificate Revocation List” (CRL).
They must store old digital certificates so that for example, in the event of a dispute at some time in the future, the old public key can be retrieved and used to settle the dispute.
The development of PKIs around the world is in its infancy and a number of different models are being used. Some models are relatively simple and require the key owner to take responsibility for key revocation and key archiving. Other systems provide a full range of services to users.
16. What progress has been made in Australia in setting up a public key infrastructure?
A number of international Certificate Authorities, operated by private companies, are available for use in Australia. These include Verisign, CyberTrust and Thawte (who have established a ‘web of trust’ to provide for localised verification of identity).
The Australian federal government itself progressed the establishment of a public key infrastructure for its own use. This initiative, called Gatekeeper, is managed by the Department of Finance & Administration.
In acknowledging that public key infrastructure is not a solution for all authentication problems, in 2003 the Government redirected its focus to an initiative known as the Australian Government Electronic Authentication Framework. According to the AGAF website:
The Government is working towards the implementation of an Australian Government Authentication Framework (AGAF) that provides a whole-of-government approach to authentication. The Australian Government recognises that different authentication techniques are needed for different types of transactions, depending on how much risk is involved. The AGAF aims to ensure that Australian Government agencies apply a consistent approach when making decisions about appropriate authentication methods. The AGAF will ensure that Australian Government agencies implement authentication mechanisms that correspond with the level of risk in the transaction.
17. What is EFA policy on encryption?
Electronic Frontiers Australia (EFA):
supports the widespread availability of strong crypto.
opposes government-mandated key escrow or key recovery.
opposes export controls on cryptography products.
EFA's position is based on the following observations:
the current export controls are a failure because strong cryptography software is already widely available throughout the world.
Australia is one of the few countries in the world that refuses to apply the Wassenaar Arrangement General Software Note waiver to the export of mass market and public domain crypto software.
the current regulations impose unnecessary constraints and costs on business while doing little to achieve their aim of restricting availability of cryptographic software.
the key escrow and key recovery concepts currently encouraged as unofficial policy are fundamentably unworkable and a risk to data security.
no objective case for the benefits of imposing such controls has been made public.
current regulations are stifling Australian initiatives in developing secure communications protocols.
the restrictions on deployment of strong cryptography increase the risk of criminal or terrorist attack on vital infrastructure such as banking, electricity supply etc.
18. What is the policy of other industry organisations?
Almost all major national and international organisations involved in the information industry have publicly supported the relaxation of strict controls over the use and export of encryption products. Among these are:
International
Federation for Information Processing
(IFIP)
http://www.ifip.tu-graz.ac.at/TC11/
Ad
Hoc Group of Cryptographers and Computer Scientists, 1998.
http://www.crypto.com/key_study
US
Association for Computing Machinery (USACM)
http://www.acm.org/usacm/crypto/
Institute
of Electronics and Electrical Engineers (IEEE)
http://www.ieee.org
American
Association for the Advancement of Science
http://www.acm.org/usacm/crypto/joint_crypto_letter_1997.html
The
Internet Society (ISOC)
http://www.isoc.org
Australian
Information Industry Association (AIIA)
http://www.aiia.com.au
The
Australian Computer Society (ACS)
http://www.acs.org.au/news/caelli.htm
Government and political statements supporting strong crypto:
OECD
Cryptography
Guidelines
http://www.oecd.org/document/34/0,2340,en_2649_34255_1814690_1_1_1_1,00.html
Telecommunications
Legislation Amendment Bill 1997.
Second reading debate,
House of Representatives, 19th November 1997.
Mr. Martyn
Evans, Shadow Minister for Science and Information Technology
http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?id=541570& table=HANSARDR
Review
of policy relating to encryption technologies - the Walsh
Report.
Commonwealth Attorney-General's Department
1996.
http://www.efa.org.au/Issues/Crypto/Walsh/