Encryption Law And Your Server
Hayden Smith examines the effects that any actual legislation based around the UK Prime Minister’s recent comments on encryption could have if it became law.
This week the UK Prime Minister, David Cameron, suggested a plan for banning the use of encryption in the UK. There seems to be no actual legislation behind this, but if there were, the main objective would be to prevent anyone using encryption that doesn’t have a backdoor in it to allow the government to decrypt the communications themselves without having to ask the creator for the encryption keys.
At the moment the state can demand any encryption keys to decrypt data someone may have, and by law it is an offence not to divulge that key. This new plan goes a step further, requiring that any encryption used can be broken by a third party.
If you run a server in the UK, then – if this law comes into force – you are going to find yourself affected by this change.
Firstly, let’s look at how you would configure your server. Tools such as SSH for Linux and Remote Desktop for Windows both use encrypted communications, so they would be illegal. Server configuration would therefore return to Telnet, where everything is sent in plain text and is easily bugged.
With regard to logins, password storage would have to change. Passwords are generally stored using a type of encryption called ‘hashing’, which is not reversible. As such, hashing algorithms would be banned and passwords would need to be stored in legible plain text. The same would go for any previously hashed details such as software passwords and banking details.
Which leads us nicely on to ecommerce in the UK. The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules outlining how businesses can handle debit and credit card data. Key things in this standard are that card data needs to be encrypted and stored securely, and that all data transmissions should be securely encrypted. A law banning all client-to-server encrypted traffic would mean there would be no way for card details to be transmitted to the server securely, and thus no way for any UK server to accept card data and be allowed to use it by the major card providers such as Visa, Mastercard, American Express and so on. A solution there would be for a UK-only debit/credit card scheme to be devised that wouldn’t require the security standards of the PCI DSS and would happily treat people’s financial data insecurely, if people could be persuaded to accept that.
Finally, the actual targets of the legislation proposal: secure communications. Tools like PGP for encrypting email would be illegal. Most instant chat services would be banned or would need to fall back to plain text communication only. Also, Virtual Private Networks as they stand would be automatically illegal.
An olive branch could be extended in the form of government-approved encryption protocols. However, the requirement for them to be decrypted by government – which would require some form of master key – would render any secure communications as insecure as plain text. Rather than an attacker needing to figure out each person’s unique key, they have the simple non-moving target of the government’s own secure key. Similar to Tolkien’s “one ring”, the one key that the government holds would give the holder immense power and would be a major target for the computing power of criminals and hackers to decrypt all of the UK’s traffic.
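The master-key argument above, as an added example that is not from the original article: each message gets its own session key, wrapped once for the recipient and once under a single escrow key, and the code counts how many messages each kind of key exposes. The function names, the `escrow` slot and the sample users are assumptions, and the HMAC-based cipher is a demo-only stand-in for a real one.

```python
import hashlib, hmac, secrets

def _sub(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Demo-only stand-in cipher: XOR with an HMAC-SHA256 counter keystream.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong key or tampered data
    return _xor_stream(_sub(key, b"enc"), nonce, body)

def send_escrowed(recipient_key: bytes, escrow_key: bytes, message: bytes) -> dict:
    # Fresh per-message key, wrapped once for the recipient and once for escrow.
    session = secrets.token_bytes(32)
    return {"body": seal(session, message),
            "recipient": seal(recipient_key, session),
            "escrow": seal(escrow_key, session)}

def read(envelope: dict, key: bytes, slot: str):
    session = unseal(key, envelope[slot])
    return None if session is None else unseal(session, envelope["body"])

def exposure(traffic: list, key: bytes, slot: str) -> int:
    # How many stored messages does holding this one key expose?
    return sum(read(env, key, slot) is not None for env in traffic)

def demo():
    # Constructed sample data: three users, one escrow key, one message each.
    users = {n: secrets.token_bytes(32) for n in ("alice", "bob", "carol")}
    escrow_key = secrets.token_bytes(32)
    traffic = [send_escrowed(k, escrow_key, b"to " + n.encode()) for n, k in users.items()]
    return exposure(traffic, users["alice"], "recipient"), exposure(traffic, escrow_key, "escrow")
```

Losing one user's key exposes only that user's mail, while the escrow key opens every envelope, which is why its protection becomes the security of the whole system.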
Either way, through insecure encryption or plain text communications, it would mean a large change for server owners in the UK.