Interesting People mailing list archives

The Legal Threat to Comsec


From: Ross Anderson <rja14 () cl cam ac uk>
Date: 14 Aug 93 10:30:16 GMT



In article <hwYnt*s40 () world std com>, cosell () world std com (Bernie Cosell)
writes:

|> It *could* put NSA in a very unfortunate position: if they really did
|> use a version of one of their super-strong, classified algorithms to
|> make the civilian-available algorithm quite strong and secure, and the
|> result is a series of legal challenges that threatens to compromise
|> classified crypto information.

In that case, the NSA should pay a bit more attention to what goes on in the
real world. 

Banks use DES encryption boxes with their ATM systems for legal rather than
military reasons; they want to be able to stonewall customers who complain 
about phantom withdrawals. The idea is that the key which derives your PIN 
from your account number is kept in this secure hardware, so no bank employee 
can ever find out your PIN. Thus (say the banks) the only person who knows the 
PIN is you (unless you've been negligent).

However, about 1 ATM transaction in 10,000 still goes wrong, and then the poor 
customer is told that she must have been ripped off. These accusations can
sometimes cause serious trouble.

Last week, we got a Great Yarmouth taxi driver off a charge of theft. He had
taken a customer to an ATM and she'd left her purse in the taxi afterwards.
The driver handed it in to the taxi office, but a phantom withdrawal took place
later that day and, as he had no alibi, he got arrested for it. We broke the
case by filing for a disclosure order on the bank's computer security systems.

Last month, we used the same tactic to beat a similar charge against a lady in 
Plymouth. In that case, one of her colleagues at work had had the phantom.

The implication for the legal system appears to be that you can't convict
anyone where you have to rely on a bank's computer systems, and where the
defendant has a competent expert witness and a combative lawyer. Our two
clients both convincingly maintained their innocence; but the disclosure
tactic would work just as well for a Mafia defendant.

The implication for governments is worse; they buy their comsec gear from the 
same firms who make the banks' DES boxes. These firms are just as vulnerable to 
court orders as the banks are: at any time, lawyers working on a theft or fraud 
case could walk into their labs and seize their design notes, schematics and 
source code for examination by hostile experts.

Claiming a clearance mismatch won't work; one of the UK's most prominent
defence contractors got raided a few years ago by lawyers looking for pirated 
PC software, and their security guards were not prepared to do jail time for 
contempt of court. I understand that the Ministry of Defence got rather upset.

If a government demands a classified algorithm, it should probably insist that 
its comsec suppliers be separately incorporated companies, on separate sites, 
which do no other business at all. What this would do to their costs, though, 
is another matter.

Ross
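The PIN-derivation arrangement described in the post (a key held inside the bank's secure hardware turns an account number into a PIN, so the PIN itself is never stored and no employee can read it) as an added illustration that is not part of the original message. It uses HMAC-SHA256 from the Python standard library in place of the DES transform the real boxes used, and the key, account number and decimalisation table are constructed for the demo.

```python
import hmac
import hashlib

# Hex digit -> decimal digit table (constructed for this demo). The real boxes
# used a similar "decimalisation" step so the keyed output becomes digits a
# customer can type; note 'a'-'f' fold onto 0-5, so some digits are likelier.
DECIMALISATION = {c: str(int(c, 16) % 10) for c in "0123456789abcdef"}


class PinHardware:
    """Simulated secure PIN box. Assumption: the key never leaves this object;
    in a real deployment it lives in tamper-resistant hardware, and anyone who
    obtains it can recompute every PIN issued under it."""

    def __init__(self, key: bytes, pin_length: int = 4):
        self._key = key
        self.pin_length = pin_length

    def _derive(self, account_number: str) -> str:
        # Keyed transform of the account number (HMAC stands in for DES here),
        # then decimalise and keep the leading digits as the PIN.
        mac = hmac.new(self._key, account_number.encode(), hashlib.sha256).hexdigest()
        digits = "".join(DECIMALISATION[c] for c in mac)
        return digits[: self.pin_length]

    def issue_pin(self, account_number: str) -> str:
        """Run once when the PIN mailer is printed; the PIN is not stored."""
        return self._derive(account_number)

    def verify_pin(self, account_number: str, candidate: str) -> bool:
        """ATM-side check: re-derive and compare in constant time."""
        return hmac.compare_digest(self._derive(account_number), candidate)


def demo() -> dict:
    # Constructed key and account number; real values are bank secrets.
    hw = PinHardware(b"constructed-demo-key")
    account = "1234567890123456"
    pin = hw.issue_pin(account)
    return {
        "pin_is_4_digits": len(pin) == 4 and pin.isdigit(),
        "correct_pin_accepted": hw.verify_pin(account, pin),
        "wrong_pin_rejected": not hw.verify_pin(account, "0000" if pin != "0000" else "0001"),
    }


if __name__ == "__main__":
    print(demo())
```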

