IETF forslag mot PRISM-type masseovervåkning

Fredrik Øvergård,

IETF, Internet Engineering Task Force, er organisasjonen til de ingeniørerene som sørger for at internett fungerer. Organisasjonen består av en rekke arbeidsgrupper som jobber med spesifikke internettrelaterte utfordringer. Arbeidsgruppene kommer jevnt og trutt ut med nye forslag til standarder som så blir implementert av de aktørene som utgjør internett.

Fordi internett er i konstant endring blir ingen av IETF's standarder omtalt som en standard, men som utkast (eng: "draft") med en maksimal gyldighet på 6 måneder.

Den 11. september 2013 kom en IETF-arbeidsgruppe med et Internet-Draft med følgende tittel:

"PRISM-Proof Security Considerations"

Ravi Mandalia hos Parity News har følgende kommentarer til utkastet:

PRISM-Proof Security Considerations, a draft proposal to make it harder for governments to implement and carry out surveillance activities like PRISM, has been floated by the Internet Engineering Task Force (IETF) yesterday.

The draft highlights security concerns as a result of government sponsored PRISM-like projects and the security controls that may be put into place to mitigate the risks of interception capabilities. Authored by Phillip Hallam-Baker of the Comodo Group the draft is however very light regarding details on how the Internet can be PRISM-proofed.

Baker starts off by listing out the attack degree including he likes of information / content disclosure, meta-data analysis, traffic analysis, denial of service attacks and protocol exploits. The author than describes the different capabilities of an attacker and the ways in which an attack can be carried out – passive observation, active modification, cryptanalysis, cover channel analysis, lawful interception, Subversion or Coercion of Intermediaries among others.

Baker then highlights the controls that may be used to defend against the attacks including use of Perfect Forward Secrecy which tends to dramatically increase the cost involved with an attack; use of strong cryptography as a control against passive attacks; use of dual-layered public key exchange “using the credentials of the parties to negotiate a temporary key which is in turn used to derive the symmetric session key used for communications” among others.

The draft lists the final control as policy, audit and transparency; however, it notes that this area is “the most underdeveloped area of internet security to date.”

The thing that stands out in the draft is that it has been authored by just one person as against IETF’s tradition of involving a group of people.

Det blir spennende å følge med på utviklingen. Og ikke minst responsen til sikkerhetsorganisasjoner som NSA og andre som er blitt avslørt av Edvard Snowden på å innføre sikkerhetshull og bakdører i andre standarder og produkter.