Elsevier

Digital Investigation

Volume 4, Issues 3–4, September–December 2007, Pages 113-115
RIPA part III – The intricacies of decryption

https://doi.org/10.1016/j.diin.2007.07.003

Section snippets

Hand over the keys in the name of the law

However, although the new powers are clearly aimed at helping the battle against terrorism, paedophilia, organised crime and fraud, they open up a whole host of new problems in turn.

While data files may come from suspects themselves, in many cases they will be demanded from other third parties who may be in possession of relevant information. Since it is very hard to know the content of encrypted files before they are opened, it is likely that law enforcement officers will spread their nets

Mishandled keys could criminalise the police

Finally, RIPA part III explicitly states, in Section 55(4), that failure to adequately secure evidentiary keys which in turn leads to loss or consequential damage is actionable against the law enforcement officers concerned and their superiors – right up to the Secretary of State. So, clearly any keys revealed under RIPA powers must be protected and managed with the utmost care.

Taking a lead in key management best practice from business

Cryptographic keys are widely used in the business world to protect data from illegal or illicit access while stored or when being transmitted over the Internet – such keys are therefore in fact as valuable as the data they protect. For example, the key used to protect an online shopping basket is considered less valuable than the one to protect the credit card information used to pay for the goods, which in turn is less valuable than the one used to protect the credit card settlement system

ID theft risk

Besides direct financial loss, there is also the issue of identity theft to consider. Since companies can be held liable for the accidental or negligent disclosure of customer information, keys used to protect customer data can be nearly as valuable as those used for their banking transactions.

In the face of these risks to high-value cryptographic keys, businesses already take great pains to protect them from being compromised and high-quality procedures for secure back-up and recovery are

HSMs

Firstly, cryptographic keys are frequently protected in specialised Hardware Security Modules, also known as HSMs, which are engineered to be difficult to break into. These devices are essential because keys simply stored in software on a server, or even on a separate removable disc or memory device, are constantly exposed to attack.

Multi-party control

Secondly, ‘multi-party controls’ require multiple authorised operators to be physically present in order to access and use a key. This ensures that compromising a single individual is not sufficient to put a key at risk.

These techniques for good key management, while not universally deployed, are widely accepted. In fact, the US Government publishes technical standards both for the security of HSMs and for key management techniques, which have become generally accepted as the baseline for

Duties and safeguards under RIPA part III

Section 55 of the Act lays down the framework for safeguarding keys handed over as a result of a request under RIPA. It applies to everyone who might ever be in charge of gaining access to keys for law enforcement purposes, right up to the very top. So what exactly are they responsible for?

Industrial-grade key management

The bottom line is that failure to maintain security for seized keys at least as good as their owners would have provided is likely to be considered negligent and, in the event of the keys being compromised, would be actionable. Given that liability in the case of a data breach may run to millions of pounds, it seems clear that using anything short of industrial-grade cryptographic key management for protecting keys under RIPA would be a very rash move indeed.

A powerful tool – in safe hands

Part III of RIPA will give the police and other law enforcement officers a powerful tool for combating modern day crime or terrorism. Criminals are increasingly encrypting their data with common, easy-to-use tools. The power to force the disclosure of those keys will, in many cases, allow convictions to be progressed where it might previously have been impossible.

That said, like all powerful tools, RIPA part III must be used with care. The keys protecting the financial transactions of a bank, or

Dr Nicko van Someren is the Chief Technology Officer of nCipher. As chief technology officer, he leads nCipher's research team and directs the technical development of nCipher products. An nCipher co-founder, he has 20 years of experience in cryptography, software and hardware product development, and holds a doctorate and First Class degree in computer science from Trinity College, Cambridge, UK. nCipher protects critical enterprise data for many of the world's most security-conscious organizations. http://www.ncipher.com.