
On the impact of the UK requiring servers not to use encryption

Author/compiled by: admin Source: Ditong Technology http://www.ddvidc.com 2017-09-05

Hayden Smith examines the effects that any actual legislation based around the UK Prime Minister's recent comments on encryption could have if it became law.
 
This week the UK Prime Minister, David Cameron, suggested a plan for banning the use of encryption in the UK.  There seems to be no actual legislation behind this yet, but if there were, the main objective would be to prevent anyone from using encryption that doesn’t have a backdoor allowing the government to decrypt the communications itself, without having to ask the creator for the encryption keys.
 
At the moment the state can demand any encryption keys to decrypt data someone may have, and by law it is an offence not to divulge that key.  This new plan goes a step further, requiring that any encryption used can be broken by a third party.
 
If you run a server in the UK, then – if this law comes into force – you are going to find yourself affected by this change.
 
Firstly, let’s look at how you would configure your server.  Tools such as SSH for Linux and Remote Desktop for Windows both use encrypted communications, so they would be illegal.  Telnet would therefore return for server configuration, with plain text sessions that are trivially intercepted.
 
With regard to logins, password storage would have to change.  Passwords are generally stored using a type of encryption called ‘hashing’, which is not reversible.  As such, hashing algorithms would be banned and passwords would need to be stored in legible plain text.  The same would go for any previously hashed details such as software passwords and banking details.
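To make the point about one-way storage concrete, here is an added example (not code from Hayden Smith's article or from the hosting page) that builds the two password stores the paragraph contrasts: the hashed store that is normal practice today, and the plain text store a ban on hashing would force.  The usernames and passwords are constructed sample data; the record format `pbkdf2_sha256$iterations$salt$hash` and the helper names are my own choices, and PBKDF2-HMAC-SHA256 from Python's standard library is used as the hashing function.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credentials for the demonstration only.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash'.

    The password itself is never written anywhere; only the salted,
    iterated digest is, and there is no operation that turns it back.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_hashed_store(users: Dict[str, str]) -> Dict[str, str]:
    """Normal practice: the table holds only one-way records."""
    return {name: hash_password(pw) for name, pw in users.items()}


def build_plaintext_store(users: Dict[str, str]) -> Dict[str, str]:
    """What the article says a hashing ban would force: passwords stored as-is."""
    return dict(users)


def store_exposes_password(store: Dict[str, str], name: str, password: str) -> bool:
    """What a copied table reveals: True if the password sits in it verbatim."""
    return store[name] == password


if __name__ == "__main__":
    hashed = build_hashed_store(SAMPLE_USERS)
    plain = build_plaintext_store(SAMPLE_USERS)
    print("hashed record for bob:", hashed["bob"])
    print("login check, hashed store:", verify_password("hunter2", hashed["bob"]))
    print("leaked hashed table reveals bob's password:",
          store_exposes_password(hashed, "bob", "hunter2"))
    print("leaked plain text table reveals bob's password:",
          store_exposes_password(plain, "bob", "hunter2"))
```

Two hashed records for the same password differ because each gets a fresh salt, yet both verify, which is exactly the property a plain text store cannot offer: the server can still check a login without holding anything an attacker could read back as the password.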
 
Which leads us nicely on to ecommerce in the UK.  The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules outlining how businesses can handle debit and credit card data.  Key things in this standard are that card data needs to be encrypted and stored securely, and that all data transmissions should be securely encrypted.  A law banning all client-to-server encrypted traffic would mean there would be no way for card details to be transmitted to the server securely, and thus no way for any UK server to accept card data and be allowed to use it by the major card providers such as Visa, Mastercard, American Express and so on.  A solution there would be for a UK-only debit/credit card scheme to be devised that wouldn’t require the security standards of the PCI DSS and would happily treat people’s financial data insecurely, if people could be persuaded to accept that.
 
Finally, the actual targets of the legislation proposal: secure communications.  Tools like PGP for encrypting email would be illegal.  Most instant chat services would be banned or would need to fall back to plain text communication only.  Also, Virtual Private Networks as they stand would be automatically illegal.
 
An olive branch could be extended in the form of government-approved encryption protocols.  However, the requirement for them to be decryptable by government – which would require some form of master key – would render any secure communications as insecure as plain text.  Rather than an attacker needing to figure out each person’s unique key, they have the simple non-moving target of the government’s own secure key.  Similar to Tolkien’s “one ring”, the one key that the government holds would give the holder immense power and would be a major target for the computing power of criminals and hackers to decrypt all of the UK’s traffic.
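The "one key" argument is a blast-radius argument, and it can be checked with a small model.  The following is an added example, not code from the article or the hosting page: it simulates two designs, per-user keys alone, and per-user keys plus a mandatory master-key escrow of every session key, then measures how many stored messages become readable when a single key leaks.  The XOR keystream built from SHA-256 is a toy stand-in for a real cipher (illustration only), and the class and function names, the three users and their messages are all constructed for this demonstration.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256(key || nonce || counter) keystream.

    Toy construction for the comparison only, not a real cipher.  Being an
    XOR, the same call decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Message:
    sender: str
    nonce: bytes
    ciphertext: bytes
    escrow_blob: Optional[bytes]  # session key wrapped under the master key, or None


class Network:
    """Per-user keys, optionally with every session key escrowed under one master key."""

    def __init__(self, escrow: bool):
        self.master_key: Optional[bytes] = os.urandom(32) if escrow else None
        self.user_keys: Dict[str, bytes] = {}
        self.messages: List[Message] = []

    def send(self, user: str, plaintext: bytes) -> None:
        user_key = self.user_keys.setdefault(user, os.urandom(32))
        nonce = os.urandom(12)
        session_key = hashlib.sha256(user_key + nonce).digest()
        # Under the escrow design the sender must also hand the session key
        # to the master-key holder, wrapped so only that holder can unwrap it.
        blob = toy_encrypt(self.master_key, nonce, session_key) if self.master_key else None
        self.messages.append(Message(user, nonce, toy_encrypt(session_key, nonce, plaintext), blob))

    def exposure_after_leak(self, leaked: Dict[str, bytes]) -> List[bytes]:
        """Plaintexts recoverable by whoever holds `leaked` (user name -> key, or 'master')."""
        recovered = []
        for m in self.messages:
            session_key = None
            if m.sender in leaked:
                session_key = hashlib.sha256(leaked[m.sender] + m.nonce).digest()
            elif m.escrow_blob is not None and "master" in leaked:
                session_key = toy_encrypt(leaked["master"], m.nonce, m.escrow_blob)
            if session_key is not None:
                recovered.append(toy_encrypt(session_key, m.nonce, m.ciphertext))
        return recovered


def compare_designs(messages_per_user: int = 2) -> Dict[str, Dict[str, int]]:
    """Constructed scenario: three users each send a few messages on both designs."""
    users = ["alice", "bob", "carol"]
    results = {}
    for label, escrow in (("per_user_keys", False), ("master_key_escrow", True)):
        net = Network(escrow)
        for user in users:
            for i in range(messages_per_user):
                net.send(user, f"{user} message {i}".encode())
        one_user = len(net.exposure_after_leak({"alice": net.user_keys["alice"]}))
        master = len(net.exposure_after_leak({"master": net.master_key})) if escrow else 0
        results[label] = {
            "total_messages": len(net.messages),
            "readable_if_one_user_key_leaks": one_user,
            "readable_if_master_key_leaks": master,
        }
    return results


if __name__ == "__main__":
    for design, figures in compare_designs().items():
        print(design, figures)
```

In the per-user design a leaked key exposes that one user's messages and nothing else; in the escrow design the single master key exposes every message on the network, which is the non-moving target the paragraph describes.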
 
Either way, through insecure encryption or plain text communications, it would mean a large change for server owners in the UK.


Link to this article: http://www.ddvidc.com/sheji/348.html Please credit the source when reposting.
Tags: server hosting