PRIVACY IN AN AGE OF ZERO TRUST WEBINAR SERIES

Zero Trust? Encryption and Other Approaches to Protecting Private Data and Communications

Intense debate for over two decades has focused on the proper balance between privacy, security, and law enforcement access to the personal and confidential data and communications of individuals and entities stored on electronic devices with strong encryption. New authentication, storage, and encryption technologies on PCs, smartphones, and other computing devices can make it impossible for law enforcement to access encrypted data, even with a valid search warrant. The government asserts that this situation is undermining national security and has suggested that the software on computing devices should have a “backdoor” that would enable law enforcement access to encrypted data. Critics charge that these backdoors would provide a means for hackers to compromise the devices and steal sensitive and private data. If backdoors are built in for law enforcement, they will be available to everyone. Blunt backdoor instruments represent uncontrolled cybersecurity threats. This panel describes the current state of the encryption debate and the positions of the various stakeholders. It outlines existing federal, state, and global encryption requirements, and identifies the available technology options for the protection of personal and confidential communications, including encryption. Panelists examine approaches for how law enforcement can fulfill its broad responsibilities to conduct investigations under civil and criminal laws, and identify gaps if strong encryption is used. The panel assesses U.S. and global “lawful access” laws and technology proposals to strike a proper balance between the use of strong encryption and the need to protect the public interest and national security.

Panelists

  • Eric A. Hibbard, Director, Product Planning - Storage Networking & Security, Samsung; Council Member, ABA Science and Technology Law Section
  • Susan Landau, Bridge Professor in Cyber Security and Policy, The Fletcher School and School of Engineering, Department of Computer Science, Tufts University

Moderator

  • Lucy L. Thomson, CISSP, Founding Principal, Livingston PLLC; 2012-13 Chair, ABA Science and Technology Law Section; Editor, ABA Data Breach and Encryption Handbook

Joint Sponsor: ABA Science and Technology Law Section

Co-Sponsors: ABA Center for Public Interest Law, ABA Criminal Justice Section

Resources

The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Third Edition

Keys Under Doormats Security Report | The MIT Press

Bugs in our Pockets: The Risks of Client-Side Scanning | arXiv

Listening In: Cybersecurity in an Insecure Age | Professor Susan Landau

Rethinking Encryption | Lawfare Blog

New Perspectives on the Future of Encryption | Lawfare Blog

Moving the Encryption Policy Conversation Forward | Encryption Working Group of the Carnegie Endowment for International Peace

Privacy on the Line: The Politics of Wiretapping and Encryption | The MIT Press

How the Netherlands Is Taming Big Tech | The New York Times

CRSJ Chair Chat with Susan Landau on Encryption

ISO/IEC 10116:2017, Information technology — Security techniques — Modes of operation for an n-bit block cipher

ISO/IEC 15408-1:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model

ISO/IEC 15408-2:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components

ISO/IEC 15408-3:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components

ISO/IEC 15408-4:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities

ISO/IEC 15408-5:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 5: Pre-defined packages of security requirements

ISO/IEC 11770-1:2010, Information technology — Security techniques — Key management — Part 1: Framework

ISO/IEC PWI 17603, Confidential computing

ISO/IEC 18033-3:2010, Information security — Security techniques — Encryption algorithms — Part 3: Block ciphers

ISO/IEC 18045:2022, Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation

ISO/IEC 18367, Information technology — Security techniques — Cryptographic algorithms and security mechanisms conformance testing

ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic modules

ISO/IEC 19896 (all parts), IT security techniques — Competence requirements for information security testers and evaluators

ISO/IEC 20540, Information technology — Security techniques — Testing cryptographic modules in their operational environment

ISO/IEC 20543, Information technology — Security techniques — Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408

ISO/IEC 20648, TLS specifications for storage systems

ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic modules

ISO/IEC 27040, Information technology — Security techniques — Storage security

ANSI INCITS 462-2010: Information Technology - Fibre Channel - Backbone - 5 (FC-BB-5)

NIST Federal Information Processing Standards (FIPS) Publications 140-3 (FIPS PUBS 140-3), Security Requirements for Cryptographic Modules

NIST Federal Information Processing Standards (FIPS) Publications 180-4 (FIPS PUBS 180-4), Secure Hash Standard (SHS)

NIST Federal Information Processing Standards (FIPS) Publications 197 (FIPS PUBS 197), Advanced Encryption Standard (AES)

NIST Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation

NIST Special Publication (SP) 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality

NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC

NIST Special Publication (SP) 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices

NIST Special Publication (SP) 800-57 Part 1-3, Recommendation for Key Management

NIST Special Publication (SP) 800-88, Guidelines for Media Sanitization

NIST Special Publication (SP) 800-107, Recommendation for Applications Using Approved Hash Algorithms

NIST Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices

NIST Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths

NIST Special Publication (SP) 800-132, Recommendation for Password-Based Key Derivation Part 1: Storage Applications

NIST Special Publication (SP) 800-140, Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759

NIST Special Publication (SP) 800-140A, CMVP Documentation Requirements: CMVP Validation Authority Updates to ISO/IEC 24759

NIST Special Publication (SP) 800-140B, CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

NIST Special Publication (SP) 800-140C, CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759

NIST Special Publication (SP) 800-140D, CMVP Approved Sensitive Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759

NIST Special Publication (SP) 800-140E, CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790 Annex E and ISO/IEC 24759 Section 6.17

NIST Special Publication (SP) 800-140F, CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759

NIST Special Publication (SP) 800-190, Application Container Security Guide

NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes

IEEE 1619-2018, IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices

IEEE 1619.1-2018, IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices

IEEE 1619.2-2021, IEEE Standard for Wide-Block Encryption for Shared Storage Media

IEEE 2883-2022, IEEE Standard for Sanitizing Storage

IETF RFC 1334, PPP Challenge Handshake Authentication Protocol (CHAP)

IETF RFC 2246, The TLS Protocol Version 1.0

IETF RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH

IETF RFC 2406, IP Encapsulating Security Payload (ESP)

IETF RFC 2451, The ESP CBC-Mode Cipher Algorithms

IETF RFC 3686, Using Advanced Encryption Standard (AES) Counter Mode

IETF RFC 3821, Fibre Channel Over TCP/IP (FCIP)

IETF RFC 3723, Securing Block Storage Protocols over IP

IETF RFC 4171, Internet Storage Name Service (iSNS)

IETF RFC 4346, The Transport Layer Security (TLS) Protocol Version 1.1

IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2

IETF RFC 7143, Internet Small Computer System Interface (iSCSI) Protocol (Consolidated)

IETF RFC 7144, Internet Small Computer System Interface (iSCSI) SCSI Features Update

IETF RFC 7146, Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3

OASIS Key Management Interoperability Protocol Specification Version 2.1

OASIS Key Management Interoperability Protocol Profiles Version 2.1

Storage Networking Industry Association (SNIA), Storage Security: Fibre Channel Security, Draft

Storage Networking Industry Association (SNIA), Storage Security: Sanitization

National Security Agency (NSA) Cyber Security Directorate (CSD), Commercial Solutions for Classified (CSfC) Data-at-Rest (DAR) Capability Packages (CP), V5.0

NVM Express, Inc., NVM Express™ Base Specification, Revision 2.0b, January 2022

PCI-SIG PCIe Base Specification

DMTF, Secure Protocol and Data Model (SPDM), Version 1.2
