Immaterial Transfers with Material Consequences
Last year, a colleague pointed me to an article by Roland L. Trope in the September/October 2006 issue of IEEE Security & Privacy, Immaterial Transfers with Material Consequences. From the abstract:
The need for such regulations is clear, but many firms underestimate the challenges of complying with the defense trade controls embodied in the US International Traffic in Arms Regulations (ITAR). Companies hoping to enter into defense contracts must therefore redefine their basic approach to technical data because the ITARs require that they control the destinations of their communications. For example, the ITARs prohibit unlicensed communications of sensitive data to foreign destinations (another country or a foreign national).
Trope recounts a fictitious company’s plans and the problems it runs into with ITAR and IT. The scenario is grounded in real events: in March 2006, The Boeing Company and L-3 Communications agreed to pay civil penalties of $15 million and $7 million USD respectively for not complying with ITAR. The consequences and fines for illegal exports are real. If the Directorate of Defense Trade Controls determines that violations were unintentional, it can impose a civil penalty of up to $500,000 per violation; if it determines they were intentional, up to $1 million for each violation. Because every transmission can count as a separate violation, the numbers add up quickly: if, over the course of one day, hundreds of emails are exchanged between engineers who are US citizens and engineers who are foreign nationals, each of those emails is a potential violation.
The company planned to encrypt all sensitive traffic and use code names for email attachments containing sensitive data. They believed that disguising data behind code names would minimize the risk, but in practice engineers would pick names from one theme for one project and names from another theme for another. It wouldn’t take long for an observer to group the emails by project. Many companies adopt a policy that relies on encryption to protect their most sensitive data: if a laptop goes missing, it is deemed not a risk because the disk was encrypted with algorithm X. Not in the eyes of the ITAR, which distinguishes between procedures that retain control over data and procedures that relinquish it. By making it possible for a foreign national to obtain a copy, you have committed an export, whether or not that copy is readable to them. Encryption is not enough to comply with ITAR because it is not a durable safeguard. I think we can all agree on this, that given enough computing power and time, a determined attacker will crack the encryption.
The article also raises the issue of disclosure and transfer of data. Data can be disclosed orally, visually, or in writing through any number of means: email, instant message, presentations, and so on. If one makes it possible for a foreign national to obtain a copy of sensitive data during transmission, an export has occurred. The company in the story stored sensitive data in an unlocked closet at one of its locations. Foreign nationals visiting from other countries were allowed to store their briefcases in that closet, which gave them access to ITAR-controlled data.
Protecting sensitive data, whether it is ITAR-controlled, classified, or restricted internal communication, is important for every company. Many of the policies and solutions we implement ignore the problem that arises when people must decide on the fly which files contain sensitive information. Classifying existing data is a huge undertaking, but you gotta start somewhere: create a (scalable) data classification policy and apply it to all new data from now on.

“I think we can all agree on this, that given enough computing power and time, a determined attacker will crack the encryption.”
??, no - there are definitely cryptosystems for which cracking is impossible (ex. otp) and many more for which it’s infeasible well beyond the lifetime of the data’s usefulness…
however, in the context of government or military secrets, rubber-hose cryptography is definitely something that needs to be considered and encrypting data certainly doesn’t do anything in itself to diminish that threat…
What crypto is impossible to crack? Every crypto algorithm that I know of has been cracked, or would just take a long time to crack given the computing power an attacker is likely to have.
No program or PRNG is random, just similar to random. Random cannot be recreated. It is not the amount of time or the period between repeats that is the problem, it is the randomness properties of the string involved. There are many cases where OTPs are reused, which makes them perfectly breakable. After all, as you said, the purpose is to create something strong enough to outlive the lifetime of the data’s usefulness…
@marcin:
“What crypto is impossible to crack?”
otp (one time pad) is uncrackable if used properly (ie. the ‘one time’ in one time pad is very, very important)…
“Every crypto algorithm that I know of has been cracked, or would just take a long time to crack given the computing power an attacker is likely to have.”
if by long time you mean the age of the universe then sure… brute forcing a 256 bit key is theoretically possible but practically infeasible…
@landon lewis:
“Random cannot be recreated.”
no but it can be sampled from natural systems known to behave in a random way, then recorded and shared between 2 parties for use as key material…
“There are many cases where OTPs are reused, which makes them perfectly breakable.”
but they were only breakable because they were misused (reused)…
“After all, as you said, the purpose is to create something strong enough to outlive the lifetime of the data’s usefulness…”
and barring cryptographic breakthroughs that render aes (for example) broken, a secret encrypted with aes using a 256 bit key should outlive not only its usefulness but everyone alive today as well…
of course cryptographic breakthroughs are a possibility too, but that’s unrelated to brute force attacks that would require ‘enough computing power and time’…
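As an added illustration of the one-time-pad exchange above (this is example code written for this page, not code from the original post or from any commenter), the Python below shows what “used properly” means in code and what a second use of the same pad gives away. The two messages, the pad values and the crib are constructed for the demonstration; os.urandom stands in for the “sampled natural source” mentioned above, which is an assumption for the example, not a claim about its quality.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


class PadStore:
    """Pad material obtained once and shared out of band with the other party.

    Every byte is handed out at most once; running out is an error rather than
    a silent wrap-around. This is the 'one time' in one-time pad, enforced.
    """

    def __init__(self, material: bytes):
        self._material = material
        self._offset = 0

    @classmethod
    def fresh(cls, nbytes: int) -> "PadStore":
        # Assumption for the example: os.urandom as the stand-in for a
        # recorded sample of a physical random source.
        return cls(os.urandom(nbytes))

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._material):
            raise RuntimeError("pad exhausted: obtain fresh material, never reuse")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Correct OTP: pad at least as long as the message, used exactly once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts were made with the same pad, c1 ^ c2 == p1 ^ p2.

    The pad cancels out, so the attacker obtains the XOR of the two plaintexts
    without ever seeing the key. No brute force is involved.
    """
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def crib_drag(c1: bytes, c2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one plaintext along p1 ^ p2.

    Wherever XORing the crib in yields printable text, the result is a
    candidate fragment of the *other* message at that offset.
    """
    diff = two_time_pad_leak(c1, c2)
    hits = []
    for i in range(len(diff) - len(crib) + 1):
        candidate = xor_bytes(diff[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in candidate):
            hits.append((i, candidate))
    return hits


if __name__ == "__main__":
    # Constructed sample messages (not real ITAR data).
    p1 = b"Attached: wing spar drawing rev 4 (ITAR)"
    p2 = b"Attached: gyro chip export licence OK!"

    # Proper use: each message consumes its own slice of the shared pad.
    store = PadStore.fresh(128)
    c1 = otp_encrypt(p1, store.take(len(p1)))
    c2 = otp_encrypt(p2, store.take(len(p2)))
    assert two_time_pad_leak(c1, c2) != xor_bytes(p1[:len(p2)], p2)
    print("fresh pad per message: c1 ^ c2 reveals nothing about p1 ^ p2")

    # Misuse: the same pad encrypts both messages.
    reused = os.urandom(64)
    c1, c2 = otp_encrypt(p1, reused), otp_encrypt(p2, reused)
    for offset, fragment in crib_drag(c1, c2, b"wing spar "):
        if offset == 10:
            print("reused pad: guessing 'wing spar ' in message 1 reads",
                  fragment, "out of message 2")
```

The thing to read off is that two_time_pad_leak never touches the pad: with reuse, the pad cancels out of c1 XOR c2 and the attacker is left with p1 XOR p2, and one guessed fragment of either message (the crib) reads out the matching bytes of the other. The break is a consequence of misuse, not of computing power, which is the commenter’s point; PadStore is the kind of control that makes reuse a loud failure instead of a quiet one.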
But you cannot take a sample of a natural system and reproduce it in a random way. I hate to be a defeatist, but I don’t believe we can ever create a prng that produces real random numbers.
Anyways, this topic of discussion isn’t so much related to my blog post. Under the ITAR, encrypting sensitive, controlled information is not enough for compliance. Ahh! the c-word! If a foreign national is given access to encrypted ITAR-controlled information without a license, an export has been committed illegally. No ifs, ands, or buts!
@marcin:
“But you cannot take a sample of a natural system and reproduce it in a random way. I hate to be a defeatist, but I don’t believe we can ever create a prng that produces real random numbers.”
??? you don’t have to create a prng that does that… you sample a truly random source at a time when it’s convenient and record the sampled data for use at some other time when it’s convenient to use it… there’s no need to reproduce the randomness itself…
“Under the ITAR, encrypting sensitive, controlled information is not enough for compliance”
indeed, but not because of susceptibility to brute force cracking… rather, because the enemy almost certainly has ways of extracting the data that are easier than computational brute force… logical access controls don’t count for much without physical access controls…
How do you go from a naturally random source to digital? And if your “source sample of randomness” is compromised? What then?
In the end encryption != security, and is not a durable safeguard for ITAR-controlled information. This is important because companies have been planning and adopting risk mitigation strategies around laptop encryption as their savior. Might work for SOX, but not ITAR.
ugh, sorry for the late response - keeping up with this comment thread would be easier if co.mments.com worked here…
“How do you go from a naturally random source to digital?”
pretty much the same way you measure anything in nature…
“And if your “source sample of randomness” is compromised?”
compromised how? compromised in the sense that other people have access to it? you’re in worse shape if other people have access to the sample than if they have access to the source, generally, but obviously neither are ideal and physical access controls are needed to prevent this kind of thing from occurring…
“In the end encryption != security”
of course not… encryption is just a logical access control… logical access controls without physical access controls (ie. keeping the secret, encrypted or not, out of the enemy’s hands) are clearly not secure enough on their own (at least not when you’re talking about the kinds of secrets the government or military keeps)…
brute force is still not the weak point of the logical access control for modern ciphers, though… i’m not disagreeing with your conclusion, just one step of how you got there…