暗号アルゴリズムの国際標準化

情報セキュリティの政治と暗号標準

抄録

Cryptographic techniques are an important means by which security of information and info-communication networks is ensured. Yet it was not until the mid-2000s that the world's largest developer of standards, the International Organization for Standardization (ISO), issued ISO/IEC 18033 on encryption algorithms.
The purpose of this article is to explore a relatively understudied aspect of international standardization by focusing on demand for encryption standards. Drawing on the global governance literature, it argues that the demand for cryptographic standards may be generated not only to address the coordinating problem of technological compatibility but also to address the common problem of information security.
It is assumed that the demand for international cryptographic standards will be generated by the businesses, particularly those engaged in electronic commerce, as they are interested in enhancing the security of the network where they hold transactions. It is also assumed that on-line privacy advocates will support the standardization of encryption techniques. However, the commercial interests in cryptographic standardization may be in conflict with national security interests. Just as encryption technology can be used to protect financial information and personal data, it can be used to protect confidential information of foreign governments and other organizations. Therefore, spread of cryptographic techniques through standardization can be detrimental to national security activities.
Indeed, ISO's early attempt to establish encryption algorithm standard was frustrated by the objection raised by the US government, which was concerned with the standard's implication to national security. In the 1990s, however, the international business community began to pressure government hard to liberalize cryptographic use so that they could take full advantage of the commercial opportunities provided by the exponential growth to the Internet. The commercial interests succeeded in having its preferences reflected in the Organization for Economic Cooperation and Development (OECD) Guideline for Cryptographic Policy of 1997. The guideline, in turn, provided the ISO with an opportunity to launch once-prohibited standardization of encryption technology as it recommended the setting of standards for cryptographic methods at national and international levels. The ISO eventually produced ISO/IEC 18033 to promote the deployment of “state-of-the-art” encryption technology worldwide.
Standards and standardization are often dismissed as technological details in the study of International Relations. However, international standardization of encryption sheds light on the new security dilemma in the information age. Most important of all, the evolution of international cryptographic standards highlights the changing balance between national security and commercial interests in encryption.