This is a report I wrote for a Canadian Studies course (required by APEGGA) at the University of Calgary. Node your homework!

Abstract:

This report examines the science of cryptography in Canada. A brief history of the use of cryptography in Canada is given, along with a description of what how cryptography works and what makes it important to Canada. The focus of this report is the Canadian Government's involvement with cryptography, including its cryptography policies and uses. A short exploration of interesting cryptographic research is also given, and we end with some questions about the use of cryptography and how to best implement cryptography policies.

Introduction

Cryptography is becoming more important in Canada, not only in the classical sense of national security, but also in the relatively new electronic commerce arena, and in commerce in general. Cryptography is used everyday. Every time you use a bank machine, or log into the University of Calgary's Infonet, you are using cryptography and not even knowing it. But as the importance of cryptographic technology grows, concerns over how to legislate and control cryptography are pitting privacy, civil rights, and commerce concerns against law enforcement and national security interests.

In World War II, the importance of cryptography suddenly became apparent. Allied forces called on the best mathematical minds of the time, some of whom were Canadian, to break the German and Japanese codes that kept those countries communications shrouded in secrecy (Granatstein, Stafford, 1990). After the war, the importance of gathering signals intelligence (SIGINT) and making sense of it did not wane; indeed, it became fundamentally important to the national security of many nations as the Cold War picked up. As the Cold War ended, security agencies began to focus on the terrorist threat, and were particularly concerned with the free availability of encryption technologies such as Pretty Good Privacy (PGP) (Levy, 2001) that can foil the best minds and the fastest computers. During the 1980's, developments in networking and communications for military purposes, such as ARPAnet, began to reach a more general audience. With the invention of hypertext by Tim Berners-Lee in 1991, electronic commerce became a economic force of its own. The rise of e-commerce during the late 1990's made cryptography increasingly important.

The invention of hypertext and the resulting ubiquity of the world wide web required encryption if sensitive information such as credit card numbers and business data was to be passed over the network in the process of conducting electronic commerce. Symmetrical cryptography, where the same key is used to encode and decode the message, would never work. There is simply no secure way to pass the keys between parties. This is especially true when there are a large number of parties involved, as in a modern commerce system (Levy, 2001). The innovation that made electronic commerce possible was the invention of public key cryptography, which is usually attributed to Whitfield Diffie and Marty Hellman (Levy, 2001).

To analyze the current state of cryptography in Canada, we will first look at Canada's part involvement with the science of cryptography. To facilitate our exploration of cryptography, we will examine the technologies and techniques involved to gain an understanding of how they work. We will then examine current users and producers of cryptographic technology and look at the research currently being conducted to get a sense of the current state of cryptography in Canada.

Cases examined in this report are primarily focused on Government departmental projects which involve cryptography. Most of these projects enable secure communications within the department or between the department and citizens that need to interact with that department.

This report makes use of a range of sources, but it relies heavily on web based information published mostly by the Government of Canada (GoC). Several books were also consulted, which were relied upon mostly to provide technical and historical details.

History of Canadian cryptography

Intelligence

The Communications Security Establishment (CSE), Canada's equivalent of the United States' National Security Agency (NSA), was founded as the Examination Unit, a branch of the National Research Council, in 1941. Its role during the Second World War was to help with the Allied Signals Intelligence (SIGINT) effort. In the early part of the war, the Examination Unit was particularly focused on the messages of Abwehr (German Intelligence) agents operating in South America. Oliver Strachey, a British expert in Abwehr codes, was imported to help get the Examination Unit started. By 1943, Abwehr intelligence was becoming less important, and was dropped as the Examination Unit focused its efforts on Japanese signals. Vichy French messages in Indo-China were soon added to the Examination Unit's target list. By the end of 1942, the volume of information being intercepted related to the Pacific theater became so great that a separate unit within the Examination Unit was established to handle it (Granatstein and Stafford, 1990).

After the end of the war, the future of Allied intelligence services was up in the air. Some saw no place for continued intelligence operations. This attitude somewhat mirrored that present after the First World War, when Henry Stimson reportedly said that ``gentlemen do not read each other's mail'' (qtd in Granatstein and Stafford, 1990). While other intelligence agencies went out of business, SIGINT operations were allowed to continue. President Truman blessed continued American SIGINT operations in September of 1945, and a meeting of diplomats and External Affairs officials on New Year's Eve secured the Examination Unit's place in the Allied intelligence community (Granatstein and Stafford, 1990).

Sometime after December of 1945, the Examination Unit was renamed as the Communications Branch of the NRC. SIGINT operations continued, as did collaboration with the United States and other Allies (Library of Parliament, 1994).

1947 brought the UK/USA Security Agreement, in which Canada, New Zealand and Australia were assigned secondary roles. They were to provide raw signals intelligence to the primary partners, the United States and the United Kingdom. Canada also signed a separate bilateral agreement with the United States in 1948 (Library of Parliament, 1994).

On April 1st, 1975, responsibility for Canada's newly renamed SIGINT unit was transfered by an Order in Council under the Public Service rearrangement and transfer of Duties Act from the National Research Council to the Department of National Defense. The SIGINT unit was now known as the Communications Security Establishment (CSE) (Library of Parliament, 1990).

As of 1990, the CSE had two primary roles. One was to perform signals intelligence (SIGINT), which is the interception and decoding of foreign transmissions, and the other was to provide information security (INFOSEC) to the Canadian government (Granatstein, Stafford, 1990).

Public Key Infrastructure

Public sector use of cryptography has been explored since 1993, when the Communications Security Establishment lead an initiative to develop a Public Key Infrastructure (PKI). With the support of department partners, a contract with the Secure Networks arm of Bell Northern Research was signed to develop the PKI. In 1995, one of the working groups of the Information Technology Security Strategy Committee of the Council for Administrative Renewal designed a business case outlining the need for encryption and digital signature capability, leading to approval for the first stage of development of the GoC PKI (GoC PKI, 2000).

By November of 1995, the Prime Minister had decided on the large scale structure for implementation and management of the government PKI. In particular, the CSE was to be responsible for the Canadian Central Facility, which would be the primary certificate authority for the PKI. The implementation and management would be overseen by an interdepartmental management committee, chaired by the Treasury Board of Canada Secretariat and reporting to the President of the Treasury Board (GoC PKI, 2000).

In May of 1996, the Government responded to the 1995 report of the Information Highway Advisory Committee, by recognizing concerns about privacy, security, legal validity, and authentication. The Government also reaffirmed its commitment to information technology, and assigned the Minister of Industry to work with other stakeholders to ensure various electronic systems were able to work together (GoC PKI, 2000).

Digital signature technology was recognized as being of fundamental importance to the Governments electronic programs in the Electronic Authorization and Authentication (EAA) Policy in July of 1996. December of 1997 saw the creation of the Electronic Commerce Task Force, and the Treasury Board of Canada Secretariat's report on Plans and Priorities for 1998-99 identified a secure environment for electronic service delivery as the most important infrastructure priority (GoC PKI, 2000).

An Interdepartmental Task Force was established in April of 1998 to support and co-ordinate the implementation of the Government of Canada Public Key Infrastructure. In December of the same year, the GoC PKI Policies document was published (GoC PKI, 2000).

In May of 1999, the GoC PKI Task Force was renamed to the GoC PKI Secretariat, and the Policy for PKI Management in the GoC was approved by Treasury Board Ministers (GoC PKI, 2000).

Canada's public key infrastructure is now in use in a number of Government of Canada departments (GoC PKI, 2000).

Public Key Cryptography

Brief History

The great breakthrough that really made it possible to secure communications was the development of the public key system, which is generally thought to have been invented by Diffie and Hellman of Stanford in 1975. Public key cryptography had actually been thought up ten years earlier, by a man named James Ellis, who was working for the British General Communication Headquarters (GCHQ); the British sister agency to the CSE in Canada and the NSA in the United States. The GCHQ didn't see any reason to pursue Ellis' idea; after all, the symmetrical cryptography they were using was proven and any change could introduce holes that might put sensitive information at risk (Levy, 2001).

Although Diffie and Hellman explored where no one in the cryptography world had ever thought to explore before, and had come up with the idea of public key cryptography, they didn't have any actual tools to make it work. That's where Rivist, Shamir, and Adleman of MIT came in. In 1977, the three mathematicians were able to conjure up an algorithm that made public key cryptography a reality (Levy, 2001).

Why public key cryptography?

The problem with conventional symmetric cryptography is that the two parties must have a method of exchanging a key. If the key is intercepted by an enemy party, a credit card thief for example, the whole transacting is compromised. If electronic commerce had to depend completely on symmetrical encryption, it would be impractical to secure anything, especially in a way that was transparent to the end user. Each electronic exchange of encrypted material would require a corresponding secure key exchange, meaning not through any method where the key could potentially be intercepted. The necessity of this key exchange which would eliminate any convenience gained from the use of an electronic information exchange in the first place. The solution to this problem is public key cryptography.

How public key cryptography works

The public key system conceived by Diffie and Hellman relies on pairs of keys; one private key, known only to the person who owns it, and one public key, which anybody can see and use. When one party, say Alice, wants to communicate securely with another party, say Bob, Alice can take Bob's public key and use it to encrypt the message, which can then only be decrypted with Bob's private key. If Bob hasn't given anyone his private key, and assuming that subversive elements haven't been able to steal it, only Bob will be able to decrypt the message that Alice sent to him.

The problem with this system is knowing for sure that the public key being used to encrypt the message is really Bob's. If a third party, say Eve, was to somehow replace Bob's public key with her own, and Alice then used that subverted public key to encode a message to Bob, Eve could intercept the message, decrypt it and read it, and then re-encrypt it with Bob's real public key, and send it on to Bob. In this manner, Eve would be able to intercept communications from Alice to Bob, and Alice and Bob would never even know. So the question becomes thus: how can Alice be sure that Bob's public key is really Bob's public key?

The importance of public key infrastructure

The answer to this question in the public key infrastructure (PKI). A PKI is a system which uses a side-effect of public key cryptography, the ability to create digital signatures, to guarantee the validity of a public key. If Bob were to use a PKI, he could go to his local Certificate Authority (CA), present his identification, and give the CA a copy of his public key directly. Alternatively, the CA could generate a key pair for Bob, and give Bob the private key, but this might allow the CA save a copy of Bob's private key and use it to decrypt any messages sent to Bob or forge digital signatures in his name. Once the CA had Bob's public key, they would digitally sign it using their own private key and publish it on a website or in various directories. Anyone who trusted that Certificate Authority could download Bob's key from the CA and verify the CA's signature on the key, and could then be confident that the key had not been tampered with (``GoC PKI Initiative'', 1998).

There are decentralized variations on this idea, which don't require a central Certificate Authority. A web-of-trust may be built up by individuals signing each other's keys, rather than a single CA signing all of the keys. In a web-of-trust, Alice and Bob can meet face to face and exchange keys on disk, or they can send them by email and verify them by reading hashes of the keys over the telephone. Once Alice is absolutely sure she has Bob's correct public key, she can digitally sign it using her private key. Now if a third party, Charlie, wants to send something to Bob, but can't directly verify Bob's public key, he can look at it and see that it has Alice's signature on it. Since he knows that he can trust Alice not to sign someone's key without verifying that person's identity, he can be confident that Bob's public key has not been tampered with. Charlie can now add his own digital signature to Bob's public key, and now other people who trust Charlie can trust Bob's public key too (``The GNU Privacy Handbook'', 1999).

Although web-of-trust arrangements work well on small scales, they would be impractical when used in the context of a large economy. While the web-of-trust system works well for small groups of people who don't want to place trust in a centralized authority, PKI systems work well for large groups of people who don't know each other and are willing to trust a centralized authority. The Government of Canada has recognized the importance of a large scale PKI system to ensure the security of its communications, and now has a full scale PKI system in place (``GoC PKI Initiative'', 2001).

Government of Canada Cryptography Use

Public Key Infrastructure

The Government of Canada Public Key Infrastructure has three main goals. The first is to help the government conduct business electronically as much as possible (e-government). The second is to facilitate the growth of electronic commerce, both within Canada and internationally. The last goal is to help make Canada the most wired nation in the world (``GoC PKI Initiative'', 2001).

A number of departments within the government are now using or planning to use the public key infrastructure. Departments which have programs using the PKI include Industry Canada, the National Energy Board, Human Resources Development Canada, Statistics Canada, the bank of Canada, and Government Telecommunications and Informatics Services, among others (``Pathfinder Profiles'', 2000).

Canada Customs and Revenue Agency

The Canada Customs and Revenue Agency (CCRA) has started to use the Government of Canada's public key infrastructure (PKI) programs in some of its projects. It also has other projects that don't directly make use the PKI, but use cryptography to protect communications between ordinary Canadians and the department.

Customs Internet Gateway

The most developed program at this point is the Customs Internet Gateway (CIG), which is a system which gives CCRA trading partners the ability to transmit sensitive data such as entry, release, and accounting information over the Internet. The system is designed to reduce the costs of using older CCRA electronic technologies that relied on dedicated networks. (``Customs Gateway'', 2000)

NETFILE

NETFILE is the system put in place by the Canada Customer and Revenue Agency to give Canadian citizens the ability to file their income tax returns over the Internet. It began in November of 1999 as a pilot project. The NETFILE project was on time, came in under budget, and was able to process returns in about 2 seconds, which is much faster than what the CCRA had expected. The pilot project invited 3.8 million Canadians to participate, of which about 380,000 were expected to participate. In fact, 443,654 1999 tax returns were filed using NETFILE. The success of the pilot project prompted the CCRA to make NETFILE a more permanent way of filing income tax returns, and for the 2000 tax season about 22 million Canadians were invited to file their returns with NETFILE (``About NETFILE'', 2001). The Canada Customs and Revenue Agency recently boasted about the security of NETFILE:

``The U.S. doesn't use anything that's close to us... We haven't had any incidents, and we don't really expect any incidents.''

(qtd. in ``Security of Canada's NETFILE envy of world'', 2001)

NETFILE is an excellent example of the Government of Canada successfully moving towards electronic government.

National defense and security

The Canadian government has a continued vested interest in the growth of Canadian online commerce, and in order to encourage the online economy and protect consumer privacy, has made cryptography laws relatively lax, and the government intends to keep it that way (``Cryptography Policy Backgrounder'', 2000). Law enforcement agencies see the ability of the private citizen and the online business to encrypt communications beyond their ability to decrypt them as a major threat. Law enforcement agencies argue that the ability for anyone to send encrypted information will hinder investigations, and will harm the agencies ability to effectively combat threats such as domestic and international terrorism (Levy, 2001).

Dr Ross Anderson (qtd. in Caelli 5), referring to the push to restrict the availability and use of cryptography says that

...the national signals intelligence agencies are being massively incompetent. Why? Because they should have kept quiet, kept their heads down and done nothing.

Until recently, the American Government, at the urging of the NSA had been attempting to enact draconian schemes to control cryptography. In contrast, Canada has continued a relaxed policy, allowing its citizens free and unrestricted use of any kind of cryptography. The now defunct Clipper Chip is an example of the NSA's attempts to control the technology that it felt it had a monopoly on. The Clipper Chip was supposed to help bring strong encryption to the masses while still allowing the American Government the ability to decrypt those communications.

The United States government has lifted its long held restriction on the export of the munition cryptography (``Encryption FAQ'', 2000), and is starting to realize that the rest of the world has at least caught up with the United States in the cryptographic field (Levy, 2001). An exceptional example of international cryptography is the US government's new Advanced Encryption Standard (AES), which is an algorithm named Rijndael, developed by Dr. Joan Daemen and Dr. Vincent Rijmen of Belgium (``AES Fact Sheet'', 2001).

The Department of National Defense

Canada's Department of National Defense (DND) is probably one of the biggest users of cryptographic technology in Canada. Cryptographic technologies in the DND are primarily controlled by the Information Management group (IM Gp) of the DND. This group ``provides direction, military operations support, products and services, to manage information as an essential component of the departmental mission and objectives'' (``IM Gp'', 2001). Within the Information management group, there exists the Information Operations group, which intern has three centers of excellence: the CF Signals Intelligence (SIGINT) Centre, the CF Electronic Warfare Centre (CFEWC) and the CF Information Protection Centre (CFIPC).

The CF SIGINT Center (obviously involved with signals intelligence) was established to be the domain of the Communications Security Establishment by the Library of Parliament Background Paper BP-343E. The ``control and supervision'' of the CSE was transfered by an order in council under the Public Service Rearrangement and transfer of Duties Act from the NRC to the DND on April 1st, 1975, so it's quite possible that the CSE has since been caught up in internal DND reorganization. A possible scenario would see the CSE retaining only its information security role, while the SIGINT operations were transfered to the CFIPC. This is based on a quote from the Information Operations website (emphasis added):

On the 1st of April 1998, the Canadian Forces Information Operations Group (CFIOG) was established by the Assistant Deputy Minister (Information Management) (ADM (IM)). The new group was created from a consolidation of Headquarters elements and the Supplementary Radio Systems. It is intended to provide a focal point for Information Operations within IM Gp.

As well, the CSE's website doesn't have any information at all about the it's Signals Intelligence role, although that could simply be due to the highly sensitive and top secret nature of the work. There is no detail about the CF SIGINT Centre on the Information Operations website either.

Also, SIGINT is a very specialized field, and I just can't see the DND having two separate agencies doing the same expensive and labour intensive work. However, concrete information is difficult to obtain, due to the secretive nature of the business, so it is possible that the CSE still operates as a SIGINT unit in parallel with the Canadian Forces SIGINT unit.

DND communications is heavily dependent on commercial products. Approximately 95% (``Information Operations'', 2000) of the defense communications infrastructure is based on commercial systems. A vulnerability in a commercial system is a vulnerability in Canada's national defense. As the Government of Canada's Public Key Infrastructure system is also largely based on commercial technology, Canada as a whole needs stability and growth in the information security sector.

Government Policy

For the Canadian government, cryptography policy has three main goals. The first is to encourage the growth of electronic commerce, the second is to allow Canadians to export their products within the frameworks formed by international arrangements, and the third is to make sure law enforcement can maintain public safety (``Cryptography policy backgrounder'', 2000).

Use of cryptography

The Canadian policy is to allow its citizens the ability to ``develop, import and use whatever cryptography products they wish'' (``Cryptography policy backgrounder'', 2000). While the government will not require mandatory key escrow, it does encourage industry to consider making key recovery possible. Not requiring key escrow is made explicit by the Canada Customs and Revenue Agency in its digital signature policy:

6.2.3 Private key escrow
Digital Signature private keys must not be escrowed.

6.2.4 Private key back-up
An Entity may optionally back-up its own Digital Signature private key. If so, the keys must be copied and stored in encrypted form and protected at a level no lower than stipulated for the primary version of the key.

(``Digital Signature Medium Assurance Certificate Policy'', 2000)

The CCRA also has a policy for encryption keys:

6.2.3 Private key escrow
No stipulation.

6.2.4 Private key back-up
The Issuing CA may back-up private keys. The Entity may also make a back-up of the key. Backed-up keys must be stored in encrypted form and protected at a level no lower than stipulated for the primary version of the key.

(``Confidentiality Medium Assurance Certificate Policy'', 2000)

Interestingly, the digital signature policy document makes it very explicit that keys are not to be escrowed, but may be backed up by the key owner (referred to as the Entity), while the confidentiality document makes no strong statement on key escrow, but allows both the Certificate Authority (CA) and the Entity to make backups of the keys. Private key backup by a Certificate Authority is eerily close to key escrow.

As part of its cryptography policy in electronic commerce, the Government of Canada intends to be a model user of cryptographic systems. The Government's success with its PKI and NETFILE programs shows how it is actively accomplishing this objective. With the support of the Government, the rest of the Canadian economy will be able to make the transition into electronic commerce a smooth one.

Export policy

Canada is bound by the Wassenaar Arrangement, which is an international agreement designed to control the export of ``conventional arms and dual-use goods and technologies'' (``Wassenaar Website'', 2001). Cryptography falls in the dual-use category, where dual-use means that it can be used for both military and civil purposes. Since a meeting in Vienna in December of 1998, the Wassenaar Arrangement has allowed the free export of products using symmetrical cryptography of up to 56 bits, asymmetric cryptography products or up to 512 bits, and other cryptography products such as elliptical curve, up to 112 bits. Also permitted is the export of goods to perform authentication, digital signature, and access control, goods implemented using analog technology, and goods for the purpose of financial transactions (``Serial 113 - Cryptographic Goods'', 1998).

Public safety

The promise of cryptography in the electronic economy and in the protection of personal information also brings with it the ability to conceal evidence and hide communications in the commission of a crime. To answer possible threats to public safety, the Government of Canada's cryptography policy lays down four basic rules regarding the use of cryptography.

The first of these is that it is illegal to wrongfully disclose cryptographic keys. An example of where this rule would come into effect is national security; consider a CSIS agent, call him Bob, who gives his or her private key to someone, call her Eve, who doesn't have the same security clearance as Bob. If some one else, Alice, were to send Bob a classified document, and Eve intercepted that document, then Bob has put national security at risk.

Consider a private sector example of wrongful key disclosure. Alice is an executive of an engineering company which is just about to wrap up a large project. Alice is going on vacation, so she gives her secretary, Eve, her private key so that Eve can respond to anything requiring immediate attention. While Alice is away, the project completes, and the client is so please with the work that they award another contract, worth a large sum of money. Bob, another executive, sends Alice a message telling her that when this new deal is announced, the stock price is going to go through the roof. Eve reads this message, which contains information she wouldn't normally have access too, and buys a lot of stock, and subsequently makes a lot of money, quits her job, and moves to Bermuda. The Securities Exchange Commission smells something fishy, and charges Eve with insider trading, but Alice is also responsible because she wrongfully disclosed her private key.

The last three items relating cryptography to public safety are:

  • deter the use of encryption in the commission of a crime;
  • deter the use of cryptography to conceal evidence;
  • apply existing interception, search and seizure and assistance procedures to cryptographic situations and circumstances.

(``Summary of GoC crypto policy'', 2000)

The wording of these last three policy items seems rather vague, probably because nobody is really sure how to implement these policies. How exactly the Government will be able to deter the use of cryptography to conceal evidence and still remain true to the stated policy of allowing Canadians free access to any strength of encryption is unknown.

Private sector

Canada has a growing information security industrial sector. By browsing corporate websites, it is clear that a number of companies working in cryptography, mostly by providing products to protect information. Some companies are producing public key infrastructure products and services to help other business' build a secure communications infrastructure. Both hardware and software products implementing various cryptographic technologies are being produced by Canadian firms.

Entrust Technologies

The most notable company, mostly because of its close relationship with the Government of Canada, is Entrust Technologies. Entrust began as the secure networks arm of Nortel Networks in 1994. Entrust Technologies Inc. was incorporated on December 16th 1996 in Maryland, and Entrust Technologies Limited, was incorporated as the Canadian subsidurary in Ontario on December 20th, 1996. In 1998, Entrust had its first initial public offering, and has since been listed on the Nasdaq exchange under the ticker symbol ``ENTU'' (Entrust, 2001).

Entrust is the firm that the Government of Canada is using to help create its public key infrastructure. Entrust provided PKI products to the government in 1995, and was awarded a development contract to extend those products to include features needed in enterprise (large scale) situations (``GoC PKI'', 2001).

Cryptography research

In Canada, cryptography is currently being researched at the University of Calgary and at the University of Waterloo in Ontario, and probably at many other institutions. Cryptography is a relatively easy field to start doing research in, since it requires only careful thought and an examination of what has come before. Contrast this with experimental physics, which requires millions of dollars in investment for new instruments. Cryptographic research may be practiced by any number of students and professors, but only a few have funding to do cryptography research as their full time jobs.

The research being conducted at the University of Calgary is mostly being done by Dr. Richard A. Mollin, a professor in the department of Mathematics and Statistics. Dr. Mollin has published several books, including one entitled ``Algebraic number theory'', which discusses the application of number theory to cryptography in the last section of each chapter. He has also published a complete introductory cryptography text called ``An introduction to cryptography'', which discusses in detail the workings of many crypto-systems and the history behind them. Dr Mollin's research interests lie in the fields of the theory of continued fractions, reduced ideals and prime-producing quadratic polynomials. Some of this research is then applied to cryptography (Mollin, 2001).

The research at Waterloo is a great example of a triple helix. The Center for Applied Cryptographic Research (CACR) is a joint project between the Government of Canada, the University of Waterloo, and a number of corporations. The CACR has a number of items in its missions statement. In particular, the CACR aims ``to be an internationally recognized center for research in applied cryptography and related areas of information security'' (CACR, 1998). The CACR also facilitates industrial participation, blends various disciplines, helps to train masters and Phd students, hosts international researchers, and gives industry access to University expertise (CACR, 1998).

Research conducted the the CACR is focused on things like computational number theory, quadratic fields, genetic algorithms as applied to finite abelian groups, pseudorandom sequences, elliptic curves, key distribution, secret sharing, provably secure protocols, electronic commerce, error control, and electronic publishing. The CACR is also interested in quantum computing, and is working with a separate quantum computing group at Waterloo (CACR, 1998)

Quantum computers have the potential to easily solve problems that would take literally thousands of years on todays ``classical'' computers. This makes it is a very important field of research.

Conclusion

Questions surrounding the use of cryptography

Some issues remain to be answered in the use of cryptography in Canada, particularly in the promotion of electronic commerce and in the protection of public safety.

  1. Is it realistic to expect export laws to prevent the spread of strong cryptographic algorithms and implementations to those deemed ineligible to receive them?
  2. Can the use of cryptographic technology to conceal evidence be controlled in a way that doesn't violate the freedom of Canadians to use cryptography as layed out in the Government of Canada's cryptography policy?
  3. What can the Government do to promote electronic commerce to Canadians?
  4. What can the Government do to increase consumer confidence in electronic commerce?

To really encourage the growth of electronic commerce and ensure the safety of Canadians, the Government of Canada must make and effort to address question like the ones posed here.

Source search successes

Of particular use was the book Spy Wars by Granatstein and Stafford. Spy Wars gives the uniquely Canadian perspective on the international intelligence community which is so often missing from other books. Most of the material on the Communications Security Establishment, an agency so secret that the Canadian public in general learned of its existence only after it had already been operating for 33 years, came from this book. The book was a joy to read, and is highly recommended to anyone interested in the intelligence industry; Canadian intelligence in particular.

Another very useful source was Steven Levy's book Crypto which provided much of the conceptual information on how public key cryptography and digital signatures work.

The internet was used a great deal to find much of the information contained in this report. The Government of Canada has a large buffet of web sites containing all kinds of information, much of it well written and pleasantly presented. Much of the information on the various web sites that were used correlate well, providing a degree of assurance that the information was correct. The web was a valuable tool for find the most up to date information; some sites had been updated only a day or two before I visited them.

Further work

Much more work could be done to quantify the current state of cryptographic research in Canada. The two examples I used, The Center for Applied Cryptographic Research at Waterloo and the independent Mollin at Calgary probably only scratch the surface of the research being conducted. Cryptography is a field which has relatively low entry barriers for a mathematician; mostly a lot of reading on the current state of the field. I would not be surprised to find cryptographers, either amateur or actively researching, working in math departments across the country and around the world.

By using the Access to Information Act (``Information Commissioner'', 2000), it should be possible to retrieve a much greater range of information about the early work of the Examination Unit. In fact, this is how Granatstein and Stafford got most of their information. The names of the ciphers that were broken, how that was done, what ciphers the Examination Unit produced for the Government, and so on, would make for an interesting paper all on its own. It may also be possible through Access to Information Act requests to get a clear picture of how SIGINT is currently handled in Canada; whether or not the Communications Security Establishment has actually turned its SIGINT responsibilities over to the Canadian Forces SIGINT group could possibly be resolved.

There are many government project now in place which use cryptography in some form. Continued investigation into government cryptography use could lead to interesting information. The depth of the Canadian cryptography industry also needs much greater exploration; there is more to it than Entrust Technologies.

Closing

From the early success of the Examination Unit in World War II, to the recent popularity of NETFILE, Canada's involvement in cryptography has been growing. Canada's military and government organizations have been benefiting from the use of cryptographic technology for some time, and now the private sector is beginning to see benefits as well. The Government of Canada wants to see Canada's marketplace grow, and recognizes the ability to communicate securely as a very important step. Canada's forward looking policies and programs bring it closer to more efficient government, and an expanding economic outlook.

Overall, cryptography is becoming more and more ubiquitous in Canada, mostly without the general public knowing about it. However, for electronic commerce to really grow in Canada, the general public must be made aware of the cryptography being used to protect online transactions, and must be able to trust cryptographic systems and technologies. Consumer confidence is of utmost importance to Canada's electronic marketplace, but so is ease of use. Cryptographic technology has slowly advanced to the point where the use of cryptography is transparent and painless to the end user, which makes one less hassle on the road to safe and secure electronic commerce.

References

  • Ashley, Mike. The GNU Privacy Handbook, Boston, MA: Free Software Foundation, 2000. 2 Apr. 2001 <http://www.gnupg.org/gph/en/manual.html>.

  • Caelli, William J., ``Open Forum - Cryptography: Personal Freedom and Law Enforcement, It it Possible to Get Agreement?'' Cryptography: Policy and Algorithms International Conference. Eds. Dawson, Ed, and Jovan Golic. Berlin: Springer-Verlag, 1995. LNCS 1029.

  • Canada. Canada Customs and Revenue Agency. About NETFILE. 12 Feb. 2001. 27 Mar. 2001 <http://www.netfile.gc.ca/about-e.html>.

  • Canada. Canada Customs and Revenue Agency. Confidentiality Medium Assurance Certificate Policy. 6 Sep. 2000. 27 Mar. 2001 <https://reg-pki-ext.ccra-adrc.gc.ca/pki/agreements/Ext_CP_Conf.pdf>.

  • Canada. Canada Customs and Revenue Agency. Digital Signature Medium Assurance Certificate Policy. 6 Sep. 2000. 27 Mar. 2001 <https://reg-pki-ext.ccra-adrc.gc.ca/pki/agreements/Ext_CP_DigSign.pdf>.

  • Canada. Canada Customs and Revenue Agency. NETFILE - Security. 30 Dec. 2000. 27 Mar. 2001 <http://www.netfile.gc.ca/security-e.html>.

  • Canada. Communications Security Establishment. Government of Canada Public Key Infrastructure White Paper. Ottawa: May 1997

  • Canada. The Department of Foreign Affairs and International Trade. Export controls on cryptographic goods. 23 Dec. 1998. 4 Apr. 2001 <http://www.dfait-maeci.gc.ca/ eicb/notices/ser113-e.htm>.

  • Canada. Department of National Defence. Information Management Group. 1 Dec. 2000. 27 Mar. 2001. <http://www.dnd.ca/img/>.

  • Canada. Industry Canada. Advantage Canada | Electronic Commerce Task Force. 10 Dec. 2000. 15 Feb. 2001 <http://e-com.ic.gc.ca/english/advan/94.html>.

  • Canada. Industry Canada. Canadian Strategy | Electronic Commerce Task Force. 14 Feb. 2001. 15 Feb. 2001 <http://e-com.ic.gc.ca/english/60.html>.

  • Canada. Industry Canada. Summary of Canada's Cryptography Policy: Backgrounder. 10 Oct. 2000. 1 Apr. 2001 <http://e-com.ic.gc.ca/english/fastfacts/43d7.html>.

  • Canada. Library of Parliament, Research Branch. The Communications Security Establishment: Canada's most secret intelligence agency Background paper BP-343E. Ottawa: Library of Parliament, 1994.

  • Canada. Privacy Commission. Privacy Commissioner's annual report 1997-1998. 1998. 15 Feb. 2001 <http://www.privcom.gc.ca/english/02_04_06_e.htm>.

  • Canada. Royal Canadian Mounted Police. Project SOLSTICE Report: Millennium rollover best practices rev 6.0. 25 Oct. 2000. 1 Apr. 2001 <http://www.rcmp-grc.gc.ca/html/solstice-e.pdf>.

  • Canada. Treasury Board of Canada Secretariat. Customs Internet Gateway Project. 14 Aug. 2000. 27 Mar. 2001 <http://www.cio-dpi.gc.ca/pki-icp/Path_profiles/cesg/customs/customs_e.asp>.

  • Canada. Treasury Board of Canada Secretariat. GoC Public Key Infrastructure. 20 Oct. 2000. 27 Mar. 2001. <http://www.cio-dpi.gc.ca/pki-icp/index_e.asp.

  • Canada. Treasury Board of Canada Secretariat. Pathfinder Profiles. 14 Aug. 2000. 5 Apr. 2001 <http://www.cio-dpi.gc.cz/pki-icp/Path_profiles/profiles_e.asp>.

  • Center for applied cryptographic research. 1998. University of Waterloo. 18 Mar. 2001 <http://www.cacr.math.uwaterloo.ca/>.

  • Communications Security Establishment | Centre de la sécurité des télécommunications. 1997. Communications Security Establishment. 27 Feb. 2001 <http://www.cse.dnd.ca/>.

  • Cryptography Policy: The guidelines and the issues. Paris: OECD 1997. 12 Feb. 2001 <http://www.oecd.org/dsti/sti/it/secur/prod/gd97-204.pdf>.

  • Entrust Technologies. 2001. Entrust Technologies. 25 Mar. 2001. <http://www.entrust.com/>

  • Granatstein, J.L, and David Stafford. Spy Wars: espionage and Canada from Gouzenko to glasnost. Toronto: Key Porter, 1990

  • Koops, Bert-Jaap. Crypto Law Survey. Jan. 2001. 2 Apr. 2001 <http://cwis.kub.nl/ frw/people/koops/lawsurvy.htm>.

  • Levy, Steven. Crypto. Harmondsworth: Viking, 2001.

  • Mollin, R. A. R.A. Mollin. 6 Sept. 2000. The University of Calgary. 27 Mar. 2001 <http://www.math.ucalgary.ca/ ramollin/>

  • Office of the Information Commissioner. 25 Oct. 2000. Government of Canada. 5 Apr. 2001. <http://infoweb.magi.com/ accessca/>.

  • PKI - Welcome page. Canada Customs and Revenue Agency. 27 Mar. 2001 <https://reg-pki-ext.ccra-adrc.gc.ca/pki/welcome.htm>.

  • ``Security of Canada's Netfile envy of world'', The Calgary Herald 26 Mar. 2001, C7.

  • United States. Bureau of Export Administration. Encryption FAQs October 2000. 19 Oct. 2000. 27 Mar. 2001 <http://www.bxa.doc.gov/Encryption/Oct2KQandAs.html>.

  • United States. National Institute of Standards and Technology. Advanced Encryption Standard (AES) Fact Sheet. 5 Mar. 2001. 26 Mar. 2001 <http://csrc.nist.gov/encryption/aes/round2/aesfact.html>.

  • United States. National Institute of Standards and Technology. Clipper Chip Technology. 30 Mar. 1993. 29 Mar. 2001 <http://csrc.nist.gov/keyrecovery/clip.txt>.

  • The Wassenaar Arrangement 21 Dec. 2000. 30 Mar. 2001. <http://www.wassenaar.org/>.

About this document ...

Cryptography in Canada

This document was generated using the LaTeX2HTML translator Version 2K.1beta (1.50)

Copyright © 1993, 1994, 1995, 1996, Nikos Drakos, Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999, Ross Moore, Mathematics Department, Macquarie University, Sydney.

The command line arguments were:
latex2html -split 0 rp.tex


Node your homework!

Log in or register to write something here or to contact authors.