(Fwd) Encryption Survey Results

From "stu" <lsi@space.net.au>
Date Sun, 14 Nov 1999 23:45:03 +0800

[: hacktivism :]

------- Forwarded message follows -------
Date sent:      	Mon, 08 Nov 1999 14:44:08 +0000
To:             	(Recipient list suppressed)
From:           	"Markku J. Saarelainen" <mjsion@earthlink.net>
Subject:        	Encryption Survey Results

This summer, I asked for your input to the encryption survey. I did receive
a few responses, but not very many. However, I do have some results.


The story of a small boy ....

About twenty years ago, there was a small boy (9-11 years old or so), who
had his penpals around the world - the Soviet Union, the United Kingdom,
Australia, Germany and many other European nations. He wrote his letters on
paper and then mailed these letters in sealed envelopes, and he received
letters from his international friends in sealed envelopes. He did not use
postcards. In today's world, there are many executives in governments,
businesses and other organizations who email their secrets on postcards.
How has the world changed? Or was this young child just smarter than many
of today's executives?


"Encryption and many cryptography technologies are very important for any
future electronic commerce applications and implementations. It is the
recommendation to decline the acceptance of any Wassenaar Agreement
(http://www.wassenaar.org) terms on encryption controls and to support the
strongest cryptography in all commercial internet communications globally.
The role of the Internet is already critical in most international
enterprises and corporations. However, due to the open infrastructure and
individuals' principal lack of security knowledge and consciousness,
quite often critical business messages are sent without any encryption
protection, which makes corporations extremely vulnerable. It is common
public knowledge that some specific intelligence agencies are using the
Internet and other intelligence collection methods to acquire and collect
specific technology and business intelligence for specific commercial and
business enterprises. Some of the most popular encryption applications have
backdoors, and their development projects have been supported and influenced
by certain specific intelligence-interest groups. In the future's
electronic commerce environment these encryption methods and technologies
shall become even more important for any corporation anywhere around the
world, and it is highly recommended to avoid using any of the most popular
and free encryption applications for any business and commercial purposes."

------------ SURVEY RESULTS ------------


   MAY, 1997

Note: This survey summary contains raw survey results that have NOT been
analyzed, evaluated or prioritized. The results are based on comments and
opinions (all of which may not be facts) that were received from many
individuals who responded to the original (October 1996) survey.

QUESTION 1: In your opinion, what are main developments in the adoption of
encryption technologies in commercial enterprises since October, 1996?

"The continued government attempts to get 'key recovery', and a certain
amount of reluctant willingness from business."

"Purely for e-commerce reasons have there been any advancements. The rest
of the encryption world (privacy/freedom etc.) have been appallingly
backward and most governments will tend to hold them back."

"Network Computers (NCs)."

"Slight easing of export restrictions. Development of several payment
protocols. Increasing adoption of retail commerce over the net as evidenced
by recent IPO of one company."

"There is some movement towards more advanced mathematics.  The market is
searching for patent free/royalty free encryption.   Governments are
attempting to halt it, but are failing miserably."

"Electronic payment via The Internet."

"C2's bypass of the export regulations. The broader adoption of SSL. Email
application plugins for a strong and reliable encryption."

"- SSL has been widely used for the securing of data for a number of on-line
  Internet banks.
- Encrypted tunneling products which extend the corporate Intranet/LAN are
  now becoming widely available.
- Smart cards are finally appearing in North America. In Canada alone Visa
  Cash, Exact (Proton?), and Mondex are going through trials.
- SSL is now widely used to protect credit card transactions on a number of
  internet retail sites.
- The US government continues to support key escrow for exported encryption.
- Major players (i.e. banks, IBM, MS, HP, VeriFone) are taking steps to
  integrate SET into their range of products.
- Future browsers are going to allow smart cards to interface with the
  Internet."

QUESTION 2: In your opinion, what are 5-10  main barriers currently that
may prevent the successful implementation and utilization of encryption
technologies in commercial enterprises?

"- Legislation and government intervention for strong encryption.
- Unfamiliarity with the technology will produce mistrust of its
  reliability.
- Safe key-management processes are difficult to achieve. This will reduce
  the security of cryptography and thus its usefulness for many
  applications.
- Cryptography is not user-friendly right now. Until it becomes so, it is
  unlikely to achieve widespread usage.
- Licensing fees for cryptographic algorithms are not cheap. Until patents
  expire for things like the RSA public key algorithm, the costs of
  developing reliable cryptographic products will remain high.
- There are a large number of cryptographic products with no clear
  standards in sight."

"Export regulations."

"Lack of perceived need."

"Lack of expertise among engineers and technicians."

"a) Lack of interest in security
 b) Concentration on cost
 c) Lack of ready-to-use cheap tools
 d) Legislation and potential legislation
 e) Patents and licensing issues"

"Government inadequacies in legislation, Vendors propensity to hand private
keys to government (extrapolate that to insecurity when a person working
for a vendor is bribed to give out a private key), Costs, Public reluctance
in encryption (FUD factor)"

"Threats to roles of traditional players (e.g., SET's effect on card
issuers)., Seamless integration into products., Education of users.,
Regulatory obstacles. Widespread availability."

"1) ease of use, 2) cost of real security, 3) an understanding of security
details, 4) a lack of understanding the difference between cryptography and
security 5) uncertainty as to what the government rules are"

"- exportability (permissions are needed if a product implements
cryptography, and 2 or more versions of the software have to be built),
- patents (can't exploit algorithms without negotiating royalties)"

"The governments' export restrictions on strong cryptographic algorithms."

" It is not a question of availability of software, but of interoperability
between systems made/sold in different regions of the world."

"Government FUD. Ease of use. Cost of training etc. Worry about leakage of

QUESTION 3: What are activities and projects that can be initiated and
taken to lower and reduce above barriers (see the question 2.)?

"a)     Wider accurate  publication of security lapses.
  b),c)  Cheap tools fitted for a job.  I just read a Sun catalogue
       where much of the software (including security software)
       has laughable prices.   Get a straightforward Virtual
       Private Network from 100 pounds for a start.
d)     Do strong lobbying and occupy lawmaker's time with other stuff
       when they seem to be going in the wrong direction.
e)     Wait for some important expiry dates.
       Have more reasonable contact with license-holders.
       Bypass licenses by producing new methods that get less

"Continued integration into key products such as web browsers. Perhaps even
into OSes."

"Lowering the barriers to deploying certification authority infrastructures
for use w/in intranets.  (in terms of cost, ease of administration, etc.),
Further efforts at deregulation."

"Lobby governments, Do not place restrictions for vendor based key
management, Push for totally private key systems"

"A not for profit, global, public education group should be created whose
purpose is to help educate businesses.  Secondarily it should educate the
public on the issues of privacy, but the primary goal should
be to get all businesses (mainly the small ones) to understand that simple
pains can give a great deal of security, and that the cost is worth the
money and time saved from fraud and theft."

"An e-mail program that a "stoned hippy" could use and still not leak
information is needed.  It would not allow too much flexibility, but it
would give "the masses" a hands on feel for what security is and how crypto
plays a role in their everyday life.  Six year old kids and their
grandmothers could be using even this simple security level for e-mail. It
would go a long way because people will ask many questions, and they will
get many answers.  It would more rapidly diffuse the information and
education over the populace (world wide)."

"Develop simple and user-friendly ways to use cryptography and manage keys

"Reduce the ability for corporations to patent cryptographic processes,
key-management techniques, and anything other than completely unique
cryptographic algorithms.  We don't need research into new cryptography we
need open access to refinements of what exists.  If people can patent
those refinements then it reduces the access people have to these new
technologies at the expense of society at large."

"Eliminate export barriers on strong encryption."

"Education (public): crypto is used for authentication as well as privacy.
It is *not* military or espionage technology.  It is (required) enabling
technology for tomorrow's information superhighway."

"Education (professional): principles of information security taught in all
relevant courses.  (e.g. computing, telecom, electronics, etc)."

-------------- Results of the original survey in October, 1996

        SURVEY SUMMARY:  Encryption in Commercial Enterprises

                                        October, 1996


                                  M. J. Saarelainen

SURVEY METHODS BRIEFLY: Three specific questions were sent to several
mailing lists and news groups. A great number of responses was received.
These responses were compiled as received into the list (without any
priorities) below. No detailed analysis or evaluations were completed at
this time. Please review these questions and responses and let me know if
you would like to add, remove or change something. Thanks.


QUESTION 1. In your opinion, what are the 5-10 most significant
applications of encryption technologies currently in commercial enterprises?

RESPONSES (# of responses =  29) TO QUESTION 1:

1. Secure E-Mail / Secure E-mail SMTP/POP3 mail client
2. Secure Internet-Shopping
3. Encrypt the entire internet ( encrypting routers etc. )
4. Encrypted file systems - partition for laptops
5. Encrypted voice (cellular, cordless, wireline, voice-over-internet)
6. Secure FAX
7. Point-to-point encrypted links, for corporations using the Internet as a
8. EDI (both encryption & authentication), Electronic Data Interchange (EDI)
9. Secure FTP client/server software
10. Secure FTP client only software
11. Secure UNIX FTP server software
12. Secure File based encryption for HD and Floppy
13. Accounting departments need to ensure their data can't be changed
14. Engineering needs to ensure competition doesn't easily steal ideas
15. Secure login (and insecure, in the case of Unix)
16. Network traffic encryption
17. Local file/data protection (incl. backup protection)
18. Protection of proprietary information while allowing company use of it.
19. Crypto applications as an element in the information security system
20. Regional and national electric power exchanges between companies
21. Large investment banks who want to coordinate across their own
organizations and others in significant numbers
22. Healthcare cries out for encryption
23. The military for sensitive non-classified information.
24. Law enforcement is a natural for the internet, if they could agree on a
common security solution.
25. Online banking, online sales and commerce, data protection on
commercial database servers, secure transfer of govt. information, ie. tax
information on citizens.
26. The most widely spread encryption technologies and proprietary hardware
solutions by different providers etc. SSL is now upcoming.
27. Protection and storage of Archives
28. Person to person communication within an organization.
29. Secure remote communications (over the Internet)


QUESTION 2. In your opinion, what are 5-10  main barriers currently that
may prevent the successful implementation and utilization of encryption
technologies in commercial enterprises?

RESPONSES (# of responses = 22)  TO QUESTION 2:

1. Cryptic user interfaces
2. ITAR regulations, Government regulation or restrictions of use of strong
encryption, Government export restrictions for strong encryption. 
3. Ignorance ( pegasus provides REAL encryption )
4. Lack of knowledge of resources available to Business.
5. Misunderstanding that encryption is complicated.
6. Misunderstanding that encryption is costly.
7. General lack of knowledge as to how to write *strong* encryption
8. Lack of integration of strong encryption so that the user must
learn/know too much in order to use it properly
9. General lack of understanding of the necessity of *strong* encryption
10. Difficult to use
11. Slow speed
12. Complexity makes choices difficult since no one can be a full expert
13. Workers have to wait for a supervisor
14. A lack of understanding of the technology
15. The lack of good cost-benefit analysis data
16. On the product development side, few companies have both the
engineering and the marketing/industry expertise to successfully make good
secure products which meet real market needs and demands
17. Key Management. The ability for a user to gain authentication for use
of cryptographic programs, to access information for which that person is
authorized. Passwords can be forgotten, or copied; verifying a
user easily is very difficult.
18. Lack of standards, and most of all lack of good certification
19. The second barrier derives from a missing standard interface in E-Mail,
ftp ... solutions to transparently embed widely spread encryption.
20. Lack of knowledge of encryption is a big hurdle to its implementation.
 Non-technical people are required to evaluate the use of a technological
product they may not understand completely.  It's difficult to put your
trust in an algorithm when you don't understand how it works.
21. Many enterprises may not be aware of how easy it is to begin using
encryption within their organization.
22. Many organizations may not recognize the need to protect information
within their organization.  Some may not be aware of how easy it is to tap
into electronic communications.


QUESTION 3. What are activities and projects that can be initiated and
taken to lower and reduce above barriers (see the question 2.)?

RESPONSES (# of responses = 27) TO QUESTION 3:

1. Integrated mail reader with strong crypto capabilities, easy to use
2. Spreading awareness of how useful strong crypto really is.
3. Spreading awareness of exactly *why* governments seek to prevent the
spread of crypto.
4. Writing strong encryption software and placing it in the public domain.
5. Proving by actual demonstration that existing encryption is inadequate.
6. Encouraging wealthy crypto advocates to speak freely.
7. Education of users and vendors of the issues
8. Lobbying of governments by aforementioned enlightened users/vendors
9. Different products need to be created which can interoperate
transparently to the user, but not deliver data unless operator is valid
10. Smart cards which attach to every terminal, the cards go with the
person and they can validate themselves at any terminal
11. Overcoming the complexity barrier requires patient teaching of each client
12. A set of brochures and pamphlets needs to be created which describes
most systems in use for a particular level of security
13. A major project would be to simply educate the managers of most
companies about crypto, to remove the magic and bring the whole thing down
to earth
14. Manufacturers need to go to more trouble talking with customers before
designing products and be more creative in finding ways to meet market needs
15. Security companies also need to audit themselves and demonstrate that
they are trustworthy
16. Better turnkey low-cost enterprise-wide solutions to common problems
(network encryption, for example) are needed.
17. Make applications easier to use, Build easy to use encryption into
applications so that it is smooth or even transparent to users
18. Universal standards for dual key encryption
19. Reduce strength of encryption to increase speed
20. Large groups of customers must get together and dictate standards to
the security industry.
21. The first thing is to implement a transparent interface to encryption
function to all data transfer services.
22. The second would be to get all suppliers of encryption technologies to
conform to this standard.
23. I think the best  thing is to initiate a workgroup at The Open Group
responsible for encryption interfaces.
24. Public Software should be widely available.  The more people are
experienced with this software the more likely they are to use and trust it.
25. Making encryption software widely available means more than just making
sure copies of it are accessible. It also means making it user-friendly
26. Education is also required.  I find that very few people really know
about these  issues.
27. People need to promote awareness of the current situation.


------- End of forwarded message -------
. ^                         Stuart Udall
.~X\                   s_udall@yahoo.com
.~ \  http://members.xoom.com/loosekrew/

Merry Krishnas! ... and a happy new year
