Why was SEED developed in the first place?
South Korean legislation did not allow 40 bit encryption for
online transactions (and Bill Clinton did not allow for the
export of 128 bit encryption until December 1999) and the
demand for 128 bit encryption was so great that the South
Korean government funded (via the Korean Information
Security Agency) a block cipher called SEED.
Longer-term, one of the few rays of light for S. Korea is the work that is just starting around providing JS-based cypto in the browser (i.e. not via a plugin.)
If you are interested in helping to get S. Korea off Active-X, your help in getting WebCrypto developed and standardized is probably the best thing you can do (as a developer.)
Why wouldn't a stand-alone application or device serve this purpose much better? The requirement of a confirmation code generated by a simple piece of electronics not more sophisticated than a pocket calculator or a mobile app could side-step this completely.
I would say it changed a lot, especially after iPhone was released in Korea. By laws, government websites now have to support multiple browsers and laws, and several banks now offer "Open Banking" which supports Mac and Linux.
The problem is that the law still requires these websites to use "firewall" and "anti-keylogger", so they just implemented those programs for Mac and Linux in NSAPI form. This is still far from "web standard", but at least they are trying. =(
Exactly. I am hoping, one day they'd realize it doesn't make sense to waste money writing plug ins for each browser and platform, and just use the standard, but...
How do you enforce a ban on encryption? Weren't the algorithms mostly open source by 1999? Or why aren't other countries like Japan & Canada in the same position?
The browser (which implements the encryption) would be banned. I remember I could choose between US only version (128-bit encryption) and international version when I download Netscape. Of course I could just download the US version, but Korean government couldn't enforce banks to use 128-bit officially. (not to mention IE bundled with Korean Windows would not have supported it.)
The ban wasn't on the algorithms, it was on products using them. You could write a book describing RC4 or Blowfish and ship it anywhere, but you couldn't ship a web browser that implemented it outside the US until 1996.
By classifying it as a munition and using those laws. Which don't apply to books like "Applied Cryptography" by Bruce Schneier, due to the First Amendment. Even if they have source code printed in their appendices.
Oh, you mean effectively? Uh... I suppose we'll have to get back to you on that.
Back in the day, someone printed up a T-shirt that had a 4-line Perl script that did RSA and so was a munition. (Later reduced to 3 lines.) There was a barcode that contained the bits for the script, which you could use to automatically read the program into a properly configured computer, so the T-Shirt was indeed a munition under those regulations.
It isn't just IE that is a problem. The encryption scheme developed by the government is largely broken (due in no small part to IE and ActiveX vulnerabilities). South Korean banks and other organisations are losing money due to fraud and blackhat activity but there is next to nothing they can do about it. It's really a huge mess. That and the government's encryption app is closed source and not peer reviewed.
As always, the cause is that you are never smart enough to roll your own encryption standard. Any time someone asks you to roll your own encryption pinch yourself and smash your head on the desk, if you still want to code it smash your head again.
> South Korean banks and other organisations are losing money due to fraud and blackhat activity but there is next to nothing they can do about it.
Do you have any source to back that up? I talked to some security people and they used to tell me, although ActiveX is a pain, we are having much less damage from Internet banking. I'd love to have something that says this isn't the case.
> That and the government's encryption app is closed source and not peer reviewed.
The encryption algorithm itself (SEED) is open and is peer reviewed.
"As South Korea falls further and further behind in this regard, trapped in its fossilized world of ActiveX, it may well come to be seen as warning to other governments to adopt true open standards, if they want to avoid a similar fate."
A warning to governments who put forms in ms office formats on their web sites.
If I could up vote this twice I would. MS Office 'standards' are one of my biggest complaints about tech implentations in both government and enterprise. I would prefer PDFs or even just text files.
Governments ought to keep their noses out of the internet for the benefit of all.
They have all the precedents and all the advice that they could ever want, all pointing to the disastrous effects of centralisation and monopolies and yet they keep pushing for them. I, for one, find it hard to sustain the belief that these kinds of decisions are 'innocent mistakes'.
Unfortunately the more likely explanation is that they care a lot more about their own power enhancement than about the general benefits of their subjects. I don't even mean any particular government. This is endemic for them all.
Additionally, in the particular case of encryption, they are terrified that someone might criticise them behind their backs and thus they keep trying to control encryption.
Do you understand that "the government" funded the internet in the first place?
Mandating standards is one of the things that a government should do. The Korean government did a job with downsides in this case, but given that the decision was taken in the nineties, it was not that bad.
At the time, the US government had embargoed all the cryptography with keys that had more than 40 bits. What Koreans attempted was to workaround this limitation.
Most relevant to this discussion is www and that came out as a side effect of physics research at CERN, so it can hardly be described as an intensional government funded program. The US government's ARPANET plans prior to www never envisaged letting every Tom Dick and Harry do their banking (or anything) online.
Even at the time of the embargo, there was PGP and it worked just fine. The problem was, and is, the close relationship between the bankers (and other monopolists) and the government(s), whereby the public is forced to use what they mandate, rather than the other way round.
In a different world, it would not be technically difficult for people to download an open source application a la GPG, generate and keep their own private keys, and the governments, banks, and software monopolists working with it, rather than against it. The banks could look up their customers' public keys to establish secure communications and the big software producers could make it easier to use. All it needs is some goodwill, sadly lacking as it weakens centralised control.
I think that the problem was that nobody had experience with online banking the last millennium. The sad thing is that Koreans kept the system after they knew that it was a really bad idea, instead of evolving it into something better.
Do I think that it would have been better if no government intervention had occurred? I have no reason to believe that.
You can downvote me all you want but you can not prove me wrong. Why do governments want to be the only issuers of personal certificates, enforce their own closed source encryption, and make secretive deals that prefer a monopoly?
To a much lesser effect, I find it true in Israel as well. I recently bought an iPad for my mom as she uses the computer just for browsing, emailing and skype. Turns out that even now, two websites she frequents (a workers' committee website and some state sponsored mutual fund website) are IE only and in a way that they truly don't work otherwise.
In my experience this is still true... I still haven't found a word processor/presentation software for Mac OS X (including Office 2011) that is compatible with my university's word and ppt files.
Moreover, the ministry of education is a big costumer of MSFT, giving kids and teenagers early exposure to MS tools (think the 90s, where not every kid had a computer at home).
Don't confuse "best" with "traditionally used". I've always found OS X to have much better support for internationalization than Windows ever has, but it's non-traditional.
We have the same problem in Norway actually, just not nearly as bad. The banking industry has standardized on a technology called BankID for authentication, almost all banks use it.
The problem is that the tech sucks. It's based on two components:
* A keychain code generator (if you lose/forget it then you're screwed)
* A Java applet where you enter the code from the keychain code generator
So, if you either don't have your code generator device with you or are on something without Java (like a smartphone or tablet), then you're screwed.
Thankfully the use of BankID isn't required by law so a few banks offer other way more practical ways of authentication. My bank sends a random code to my cell phone through SMS that I have to enter in a normal web form. Much simpler and works everywhere.
GSM is a pretty horrid standard, and it has plenty of security issues of its own to the point that the title of a talk on GSM security at CCC was "SRSLY?":
This was also the case in China when I was leaving there a year ago (and I guess it still is). A lot of website were working on IE only, and even if it worked on other platform to do a payment or access your bank account you needed an activex.
The problems of monopolies arising through network effects, and the negative effects of the lock-in that results, are familiar enough.
But then it goes on to talk about the problems of a monopoly that was created not by network effects, but because of governmental dictate.
The lesson here ought to be that government ought not to be so heavy-handed, because it can't change its own regulations quickly enough to address the naturally-changing business and technological environment.
> created not by network effects, but because of governmental dictate.
Let's assume Microsoft had nothing to do with convincing South Koran government it would be a great idea to use a government dictate to further their network effects.
The real lesson here is that governments should never get in bed with the private sector and, when they do, both sides should be punished. Severely.
This is the (not-so) fun downside of government getting too engrossed in business transactions.
Most "good" laws in this area would specify the desired outcome (secure online transactions), and let people devise their own methods.
An analogy: this is like the Korean government mandating banks use a specific model of vault door (Securico 2000), where the rest of the world merely state "banks must ensure vaults are secured to a reasonable standard". If a fault exists in the Securico 2000, most banks will (eventually) update, lest they be sued for negligence in event of someone breaking into the bank and stealing valuable property. Korean banks would be perfectly safe from legal recourse, since they are following state law.
Of course, this is not unique to government-mandated technology. Monopoly groups can cause the same distortion e.g. Verified by Visa.
Downside to government getting involved in business transactions poorly, at least.
Denmark has quasi-standardized on a two-factor online security solution, NemID, which works fairly well, and is now used for login to most government services and most banks. Previous to the government getting involved, there were some truly horrid ActiveX and Java plugin solutions in use at most banks. The actual technology is developed by a private company, though; it was selected for implementation by the government, but not developed in-house.
But let us not forget that it took the Danish Government two tries to get it right.
First they tried to push digital signatures on everyone, with the idea that people should use their personal certificate to login to banks and government systems. However the banks would have none of it, because of the bad user interface (ever tried to use client-side certificates in any browser).
They then adopted a system that was a mix of systems already in use by a number of banks. Key-cards to be distributed by snail-mail and entered trough a Java plugin. Why they didn't go for a Javascript solutions is sad, but I would guess that some banks (such as Danske Bank) would have trouble adjusting.
So the lesson is probably that (some) governments are good at standardizing already (good) practices.
PS: Also note that some Companies (like Telmore, one of the largest online shops), who offered the old system (client-side certificates), won't use the new because of the absurd cost associated. (They have to pay per registered user, not by how much each user is using the system)
I had to install 4 different programs, which are constantly running in the background, just to be able to use online banking for my Korean account.
From a users perspective this is really bad, since you have no idea if the installed programs are valid and what they actually do.
In addition to that I once tried using my bank's online banking app for the iPhone.
It took me quite a while to figure out why it wasn't working, because you cannot actually use it without going to the bank and receiving a valid encryption key for your access.
Then there's online purchases in South Korea, which are of course most of the time limited to IE only again as well.
It also often requires having a South Korean cellphone number, since activation codes are sent via text message instead of email.
Setting up an account for a website service also means providing a Korean ID number, due to their online access policies.
Overall it took me the course of a day simply trying to order something from outside Korea and then failing at the last step due to the site not accepting foreign credit cards.
Overall the online experience for South Korean sites is extremely bad. If you're not using a Windows PC there, then you're out of luck without using VMs or a separate Windows partition on it.
As a long time Mac user I never encountered ActiveX. Or at least I don't remember anymore. Is this still in use at major websites apart from korea? And what is ActiveX exactly: Something to execute code like Java or JavaScript?
Essentially, it allows the delivery and execution of native code in the browser. From what I've seen it's still fairly widespread on corporate and academic networks (to enable services such as remote desktop in the browser).
Native code, that is trusted on the basis of having been signed by a special editor cert which the user has to accept. You may have encountered it if you've ever used windows update. Not sandboxed at all, unlike Java.
ActiveX is (among other things) used to run JScript in the browser. JScript can be viewed as a super set of JavaScript and will allow you to interact with the file system and such.
I've seen code (and still have the mental scars) that used VBScript on the client to open a database connection directly from the web client to the DB server - including the database username and password in the client code (this was, of course "sa").
Given that, Ahn Chul-soo, one of the two candidates with most public support in the upcoming Presidential election is founder of an anti-virus software company, I think days of 'Paying the Price' will end soon and abruptly.
I don't think it matters if he wins or loses. He can catapult this issue up high enough to trigger another governmental [over-re]action to undo the damage done.
> Given that, Ahn Chul-soo, one of the two candidates with most public support in the upcoming Presidential election is founder of an anti-virus software company, I think days of 'Paying the Price' will end soon and abruptly.
Are you kidding?! A Windows monoculture is on the basis of his businesses.
"...businesses, too, are hamstrung when it comes to innovation."
Maybe. At least for the particular case of an online purchase from a South Korean vendor. But when you look at a company like Samsung Electronics, which is "the world's-largest IT producer" according to Wikipedia, and makes very popular Android devices, I'm not too concerned about innovation in South Korea.
http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s