
EVERYTHING needs crypto says Internet Architecture Board

Calls for all new protocols to protect privacy, all the time, everywhere


The Internet Architecture Board (IAB) has called for encryption to become the norm for all internet traffic.

Last Friday, the IAB issued a statement saying that since there is no single place in the Internet protocol stack that offers the chance to protect “all kinds of communication”, encryption must be adopted throughout the protocol stack.

The statement reflects earlier, more piecemeal moves in the Internet Engineering Task Force (IETF) to start “spook-proofing” the Internet.

Rather than looking at a particular protocol proposal, the IAB statement is designed to lay down a fundamental principle for designers: encryption, the board says, should be “the norm for Internet traffic.”

“Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance”.

The statement strengthens a long-held view within the Internet Engineering Task Force articulated in 1986 in RFC 1984, which stated that government policies to monitor the Internet “are against the interests of consumers and the business community, are largely irrelevant to issues of military security, and provide only marginal or illusory benefit to law enforcement agencies”.

This year, RFC 7258 described pervasive monitoring as an attack.

Even where a protocol's own operation doesn't need encryption, the IAB wants protocol designers to think beyond their immediate problem, because “information leaked by one protocol can be made part of a more substantial body of information by cross-correlation”.

In other words, even if a protocol doesn't particularly deal with user traffic, such as one handling negotiations between routers, its designers should adopt encryption to ensure it doesn't reveal information that somehow compromises privacy.

“We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic”, the statement continues.

And in an acknowledgement of the challenges that lie in front of the industry, the statement adds: “We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload.” The IAB says it will “work with those affected to foster development of new approaches”.

The call from the IAB won't be welcomed by the world's spooks. Both the GCHQ and the NSA have accused tech companies like Google, Apple and Facebook of supporting terrorists by encrypting more of their customers' traffic. ®
