Encryption Market Opening Up
MeriaDuck writes "Found this article on Cryptome, the Clinton administration plans to announce next week that it will permit U.S. software companies to sell their most sophisticated encryption systems to countries in the European Union without any licensing or review." Well, it's a start anyway.
Encrypted poorly, however. GSM encryption was broken in 1998, quite easily. It seems the spooks got to the protocol designers. Check here for details. Further, the encryption is over-the-air only. Once on the land lines, the conversation can be tapped the usual way.
Don't let the word "encryption" lull you into a false sense of security.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Cypherpunks and others predicted many years ago that the government would slowly relinquish control over crypto as more and more of a commercial market developed.

PGP was never much more than a curiosity -- no one used it for large-scale commerce systems, and most of the users could be pointed to by the government as privacy nuts or criminals.

SSL, despite inherent weaknesses, has made crypto essential in e-commerce. The e-commerce lobby (sites, vendors, end-users) exposed the masses to crypto, and now depends upon crypto. When users started demanding 40- or 128-bit crypto to keep their credit card numbers secure, that's when crypto became widely deployed.

The next step is building crypto into the very fabric of the Internet, in IPsec, and then making that a "checklist item" for purchasing decisions. Once people are only willing to buy products with security designed in, the government will have little choice but to allow its widespread use and export.

(I'm waiting for encrypted cellphones, like those being designed by Starium, to be available...)
pardon for not knowing the link offhand, but there was a case where the FBI was able to recover data that had been rewritten over approximately 100 times using such a tool. I remember reading a paper on this (I think it was at Counterpane Labs, but I could be wrong). I'll hunt for the URL and repost.
For people who are serious about using encryption, the question is not whether in the future they will be able to use a method of encryption that can beat the methods of decryption then available, it is how long their secrets, transmitted today, will remain secret.
Some forms of encryption are good for discouraging casual novices. Some take a little time and are fine for short-lived secrets. Some will cause the NSA to blink. Some will last for a good while.
But the standard public-key encryption mechanism in use today will not survive the potential of quantum computers. So, for instance, digitally signed documents have a lifetime of a few decades before the signatures can be forged.
This is fine for credit card purchases. It may not be fine for some kinds of legal contracts.
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
What I'm waiting for is them to open up restrictions enough to let these guys get their patches added to the main Linux kernel tree. I think it's a shame that Linux is lagging behind OpenBSD due to our country's legal hangups over crypto. This is good news. I just hope it's enough.
From the article:
"Software experts said that although many new encryption systems cannot be broken, their U.S. makers are cooperating with federal law enforcement and intelligence agencies. Somewhere in the future, they said, are so-called quantum computers a billion times more powerful than existing home computers. These would be able to break the most sophisticated encryption systems available today."
Haven't the anonymous software experts thought that their quantum computers will also allow for the existence of encryption systems far more sophisticated than those in existence today? Or do they think we have already reached "the end of cryptography" (in the same sense we had reached "the end of physics" in 1890)?
You are obviously correct, but about a different aspect of the problem. In the context of the article, the unnamed "software experts" were talking about the threat of encryption use by criminals, terrorists, etc. In this context, the time frame allowed is usually pretty small, days, weeks on the outer reach. There is very little use for the information about some bombing plans or drug shipment after the fact.
Don't make the assumption that these people are stupid, they aren't. They are smarter than 95% of the public.
They are perfectly aware that the North Koreans, and whoever else is the bad guy of the month, can download and use strong cryptography from the Internet. They aren't worried about geeks running some obscure operating system like Linux or OpenBSD.
What they have successfully accomplished is preventing strong cryptography from becoming a transparent, easy-to-use component of commodity software like Outlook Express and Windows 98. They have also been extremely successful at keeping strong cryptography out of the standards for wireless telephones.
Ask yourself, what percentage of my email and telephone calls use strong cryptography?
Mea navis aericumbens anguillis abundat
No, I'm not kidding. However the purpose is because I expect the US government to continue to have some kind of bureaucracy involved in the exporting process. That's the nature of the beast. Ideally there should be none at all. Realistically I expect there to be some, and my suggestion is what form that should be. Sorry, I should have made that clearer.
Of course you're right, it can easily be circumvented. The point I was making was that if the government is going to require we do something to prevent export to those countries, they should allow us to do it in a way that does not impose on those who are not in those countries. For example I just recently downloaded SecureCRT and had to fill in a form attesting that I was located in the United States. I want to get rid of that process altogether. The government may not want to get rid of all processes, hence my suggested alternative.
In the long run, I expect that pro-business George W. Bush will become the next president, and these export restrictions will eventually evaporate. Even still, there will probably be some kind of restriction to those "hated" nations. I have no idea what they might be.
now we need to go OSS in diesel cars
Louis Freeh was never able to show that if the United States blocked all its encryption products from export, that this would result in terrorists being unable to get that encryption. His agenda was pure fantasy.
And these things are entirely possible to no less a degree even with a total ban on all export restrictions. But take a look at his reference to "fairly unsophisticated operators". That description sure sounds to me like it also fits script kiddies. With his logic, we should suspend free speech to stop such crime. Better yet, suspend the whole US Constitution. That is what many in the upper levels of law enforcement actually want.
Or, make new encryption systems which would have no hope of ever being broken.
If he acquired this technology by means of encryption exported from the USA, then it might give the FBI some level of credibility here. If he did, but could have just as easily acquired it from somewhere else, that credibility is just shot back down. In fact, he was actually in the United States, and could have easily acquired the technology domestically. The only argument the FBI could logically derive from these events is that all encryption must be suppressed by all governments, and a massive world wide search conducted to expunge every bit of it from every corporation and individual on the planet. And we know how easily they could accomplish that. They probably know, too, so I wonder what their real agenda was, other than to just stir up emotions.
It remains to be seen just what level of bureaucracy will be imposed on this export. The article says "sell". Does that mean we don't get to give it away (in reference to what is already legally free)? Just how much will we be required to put people through to let them download strong encryption software? Will we be able to contribute source code to crypto projects located outside the US?
I suggest that the State Department provide a list of IP addresses which they want download refused for, and no more than that. It should be possible to get the addresses connecting "Cuba, Iran, Iraq, North Korea and others considered America's foes". This is sufficiently practical to manage and can be smoothly automated. Any more than that and I will certainly see it as excessive government interference in the private sector.
OpenBSD now has encrypted swap space. The keys are randomly generated by the kernel and stored only in memory, so nothing in swap is accessible after a reboot. The same could be done (might be already) for other files (e.g. an O_CRYPT). Secure deletion is easy: fopen, flock, fstat (|| fseek, ftell, fseek), { fwrite, fseek } (until satisfied), unlink, flock, fclose. Relatively portable, too. It's a shame the GNU rm(1) doesn't have this option; perhaps I'll see if they're interested in the possibility.
Gates' Law: Every 18 months, the speed of software halves.
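The fopen/flock/fstat/fwrite/unlink sequence the comment sketches, written out as an added C example (not OpenBSD, GNU or the poster's code); the function names and the /tmp sample path are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Overwrite the whole file at `path` `passes` times, syncing each pass to
 * the device, then unlink it. Returns 0 on success, -1 on any failure. */
int shred_file(const char *path, int passes)
{
    FILE *fp = fopen(path, "r+b");        /* open the existing file read/write */
    if (!fp) return -1;
    int fd = fileno(fp);
    if (flock(fd, LOCK_EX) != 0) { fclose(fp); return -1; }  /* keep other writers out */
    struct stat st;
    if (fstat(fd, &st) != 0) goto fail;   /* size of the region to overwrite */
    unsigned char buf[4096];
    for (int pass = 0; pass < passes; pass++) {
        /* alternate 0x00, 0xFF and a pseudo-random byte across passes */
        unsigned char fill = pass % 3 == 0 ? 0x00 : pass % 3 == 1 ? 0xFF : (unsigned char)rand();
        memset(buf, fill, sizeof buf);
        if (fseek(fp, 0, SEEK_SET) != 0) goto fail;
        for (off_t done = 0; done < st.st_size;) {
            size_t chunk = st.st_size - done < (off_t)sizeof buf ? (size_t)(st.st_size - done) : sizeof buf;
            if (fwrite(buf, 1, chunk, fp) != chunk) goto fail;
            done += chunk;
        }
        if (fflush(fp) != 0 || fsync(fd) != 0) goto fail;  /* push this pass to the disk */
    }
    if (unlink(path) != 0) goto fail;
    flock(fd, LOCK_UN);
    fclose(fp);
    return 0;
fail:
    flock(fd, LOCK_UN);
    fclose(fp);
    return -1;
}

/* Constructed demo: write a small file, shred it, and report whether it is
 * gone afterwards (1) or not (0). */
int shred_demo(void)
{
    const char *path = "/tmp/shred_demo_example.txt";   /* constructed sample path */
    FILE *fp = fopen(path, "wb");
    if (!fp) return 0;
    fputs("sample secret text (constructed)\n", fp);
    fclose(fp);
    if (shred_file(path, 3) != 0) return 0;
    return access(path, F_OK) != 0;
}
```

Overwriting in place only helps on media that rewrite the same physical blocks; journaling or copy-on-write filesystems and flash wear-levelling can leave old copies elsewhere, which is why the kernel-held random key of OpenBSD's encrypted swap is the more robust approach.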
Who needs to sell encryption technology when we have OpenBSD?
We've all heard of the nastiness with people snooping around our hard drives. Since automated bootups are important, I don't think it's practical to require a password JUST to decrypt stuff to start up the machine. Even if users can use encrypted loopback filesystems to encrypt stuff, there are other places where stuff can hide.
Here's what I'd like for linux:
Encrypted swap file. It doesn't get cleaned out regularly, there's no easy way TO clean it out, and it's something you can easily miss. As an alternative, clean it on boot and slowly overwrite unused pages. (Say, nuke one free page every X seconds.) Or encrypt and overwrite, to make things harder to backtrace.
Secure delete. Have the ability to secure-delete files, on a per-file or per-partition basis. (I'd nominate '/var' for this.) Or, have a way to slowly run through free hard drive space and nuke anything sitting there. Best yet, have both.
Secure storage of old logfiles. Logfiles can be a goldmine, squid, httpd, mail, process accounting, lastlog, etc. You want to save them around, but you don't want anyone nosey to be able to look at them. How about secure deleting them and then running them through a user-chosen PGP key for storage, or making several different archival backups on different PGP key's. That way, I can keep the last week's logs on my pgp key, and secure-delete them after a week, while keeping the archival logs on a PGP key that isn't even physically located near the computer. (In a bank, or a friends house.)
Encrypted
None of these require a non-automatic bootup.
For semi-important stuff that you don't want people to look at easily (shell history, other history, email), you can store it in an automatically-generated encrypted file. Each file is encrypted with a separate key. The inode stores the file-key XOR'ed with a user-key, a group-key, a root-key and an 'any-key'. Having a root-key on every file means that the contents can be compromised if root's password is compromised. This isn't much of a problem because any really important files can be in an encrypted partition. Leaving it out doesn't buy you much either.
The group-key is stored in
This type of encryption is a good choice for something like ~/.bash_history, or ~/.ssh, or ~/.pgp. The 'any-key' is the plaintext key; it exists if the file is readable to the public. It also must exist for any encrypted file that's required for bootup (such a file may be physically encrypted, but must be logically plaintext). All files are subject to normal access permission, and the above keys are altered appropriately and automatically on a chmod.
As we still want to retain automatic boot, some files must remain physically unencrypted, or logically unencrypted. (encrypted with a key, but a key that's stored unencrypted on the drive.) log files in
Unless I'm mistaken, the above, or a variant of the above won't prevent automatic booting. Also, it doesn't require anything extra from user-level code and it'll keep even very nosey people away.
Finally, you have encrypted filesystems. Real encrypted filesystems that are mounted manually by the user. These could be immune from everything but a hardware sniffer, or a root sniffer.
Personally, I can't wait to see some or all of these. First priority for me is encrypted swap file, secure deletion, and secure storage of old logfiles. There is already a (hackish) implementation of encrypted filesystems. With that, you can hack an encrypted
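The per-file key scheme proposed in the comment above (a file key XOR-wrapped with user, group and root keys, an 'any' slot holding it in the clear, slots updated on chmod), as an added C toy that is not from the comment or from any Linux code; KEYLEN, the struct and function names, and the fixed demo keys are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define KEYLEN 16
enum { SLOT_USER, SLOT_GROUP, SLOT_ROOT, SLOT_ANY, NSLOTS };

/* Per-file key material as it might be kept in the inode. */
struct inode_keys {
    uint8_t slot[NSLOTS][KEYLEN];   /* file key XORed with a principal's key */
    int present[NSLOTS];            /* 1 if that slot currently exists */
};

static void xor_into(uint8_t *out, const uint8_t *a, const uint8_t *b)
{
    for (int i = 0; i < KEYLEN; i++) out[i] = a[i] ^ b[i];
}

/* Rebuild the slots from the file key, the principals' keys and a mode, as a
 * chmod would: owner and root always, group only if group-readable, and the
 * "any" slot holding the file key in the clear only if world-readable. */
void set_file_keys(struct inode_keys *ik, const uint8_t fkey[KEYLEN],
                   const uint8_t ukey[KEYLEN], const uint8_t gkey[KEYLEN],
                   const uint8_t rkey[KEYLEN], unsigned mode)
{
    memset(ik, 0, sizeof *ik);
    xor_into(ik->slot[SLOT_USER], fkey, ukey); ik->present[SLOT_USER] = 1;
    xor_into(ik->slot[SLOT_ROOT], fkey, rkey); ik->present[SLOT_ROOT] = 1;
    if (mode & 040) { xor_into(ik->slot[SLOT_GROUP], fkey, gkey); ik->present[SLOT_GROUP] = 1; }
    if (mode & 004) { memcpy(ik->slot[SLOT_ANY], fkey, KEYLEN); ik->present[SLOT_ANY] = 1; }
}

/* Recover the file key through one slot with that principal's key (ignored
 * for SLOT_ANY). Returns 1 on success, 0 if the slot does not exist. */
int unwrap_file_key(const struct inode_keys *ik, int slot, const uint8_t *pkey, uint8_t out[KEYLEN])
{
    if (!ik->present[slot]) return 0;
    if (slot == SLOT_ANY) memcpy(out, ik->slot[slot], KEYLEN);
    else xor_into(out, ik->slot[slot], pkey);
    return 1;
}

/* Constructed demo with fixed keys: at mode 0600 only owner and root can
 * unwrap; after a chmod to 0644 the "any" slot hands the key to everyone. */
int key_scheme_demo(void)
{
    uint8_t fkey[KEYLEN], ukey[KEYLEN], gkey[KEYLEN], rkey[KEYLEN], out[KEYLEN];
    for (int i = 0; i < KEYLEN; i++) { fkey[i] = i * 7; ukey[i] = 0xA5 ^ i; gkey[i] = 0x3C + i; rkey[i] = 0x90 ^ (i * 3); }
    struct inode_keys ik;
    set_file_keys(&ik, fkey, ukey, gkey, rkey, 0600);
    int ok = unwrap_file_key(&ik, SLOT_USER, ukey, out) && memcmp(out, fkey, KEYLEN) == 0;
    ok = ok && !unwrap_file_key(&ik, SLOT_GROUP, gkey, out) && !unwrap_file_key(&ik, SLOT_ANY, NULL, out);
    set_file_keys(&ik, fkey, ukey, gkey, rkey, 0644);          /* the chmod case */
    ok = ok && unwrap_file_key(&ik, SLOT_ANY, NULL, out) && memcmp(out, fkey, KEYLEN) == 0;
    return ok;
}
```

XOR wrapping as the comment proposes means two slots for the same file key reveal the XOR of the two principals' keys, so a real implementation would wrap the file key with a proper cipher rather than plain XOR.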
Scene: Linux Expo, Andover Booth, Rob and the gang are playing Diablo 2 on their win2k boxes.
Rob: "Guys, go to tux screensaver, here come some SlashBots!!!"
All hit their hotkeys. Up comes Joe Slashbot, with a CD full of Slashcode, looking for an autograph.
Joe: "Hey guys, uhh remember me? I uhh, like posted that +5 insightful comment about why Microsoft will never be as cool as Linux?"
Rob: "Yeah sure right uh huh."
Joe: "Yeah my karma is up over thirty now, and I have the +1 bonus!! Now everyone can see what I write!!"
Rob and company nod and smile, and begin to crack jokes as the Slashbot wanders off. Once he is safely out of range Rob goes back to checking his E*Trade account, and the rest go right back to Diablo 2.
End Scene
Each time one branch of the US govt wants to loosen up on the crypto regs, another branch starts complaining. Last time it was Janet Reno, and then Louis Freeh. Now the IRS.
Minor detail, but there are only three branches of the federal government, the Executive, Congress and the Judiciary. The IRS, DoJ (Reno) and the FBI (Freeh) all are part of the Executive, they can't countermand what the top Exec. says. (They can try to influence his decisions, but that's it.)
Do a search on pgpi.org for free versions of PGP for the Mac which contain PGPdisk. PGPdisk was included in the free/international versions up to, I believe, 6.02. Personally, I use the Windows version of 6.02ckt which contains PGPdisk even though it's free--and the newer versions add no actual functionality over the 6.02 series, either; in fact, PGP hasn't changed all that much since 5.5 or so. I have a friend who also uses Macs, and we encrypt all our e-mails to one another, and I pointed him to pgpi.org where he got just what I was talking about: Mac binaries with PGPdisk included.
"The more corrupt the state, the more numerous the laws."--Tacitus, *The Annals*
There's zero chance that I'd trust the U.S. companies to have not made deals with the NSA/FBI/CIA triad, especially if they've been exporting crypto even before the relaxation of export restrictions. It was common practice for the NSA to send a man around to U.S. crypto vendors hinting that if they'd make a few changes to the code here, or alter the S-Box there, they'd get an export license for their 128-bit etc. product.
Granted, there are a few noteworthy cases of the U.S. tainting foreign crypto vendors, like the Crypto AG fiasco in which the Swiss(?) firm inserted a back door which allowed the U.S. access to messages encrypted with their very, very expensive hardware crypto devices. But I'd still trust a European vendor over an American one, though these days the important thing is having access to the source code.
For example, why use a PGP binary provided by Network Associates when you could either download the full-strength PGPi version from overseas, or better yet, if you actually know your code, you could download the source and compile it yourself. Getting a binary from an American company just adds one more layer of uncertainty to the mix.
My favorite product for disk encryption is a perfect example. There are many American companies which offer encryption utilities, but why use one of those when I can download Scramdisk from www.scramdisk.clara.net along with the source code? It isn't GPL, but the source is still available for inspection and for personal use. Scramdisk comes from Britain, whose own crypto regulations are getting insane, but still Britain doesn't have the same long tradition of sabotaging their own domestically produced crypto products, as well as international ones, that the U.S. does.
Buying U.S. crypto, unless you have access to the source code and the skills to verify it, is just asking for trouble.
Oh yeah, tricky stuff like "My passphrase is 'I killed Jane Doe' so I can't be forced to divulge it" won't fly in court. Judges don't think that kind of thing is cute at all. If you refuse to obey a Judge's order, you can be held in Contempt of Court indefinitely. However, after a few years the Judge might release you if he believes there isn't a reasonable chance of you coughing up the keys. If the alternative is a mandatory-minimum 25 year or more sentence resulting from the newly discovered evidence, it might be a worthwhile strategy.
It's important to use perfect forward secrecy whenever possible. In perfect forward secrecy, the private/public key pair is not used to encrypt the session key, but only to authenticate it. The session key is then ephemeral and never stored. That means later recovery of the private key will not allow the attacker to decrypt previously recorded communication (only conduct future man-in-the-middle attacks and other authentication based attacks). Of course, this is not terribly useful for stored data. That's why you should store your sensitive data in your brain, or Sealand, where it is out of reach of the court.
Burris
The Gov. can already break all these encryptions
Not true. There's an ongoing case (sorry, forget who) where the U.S. government won't return a computer they seized because the guy encrypted his hard disk and won't give them the key. They want to make sure it doesn't contain 'harmful' material. As I recall, one of the arguments his attorney was going to make was that forcing him to divulge this info in order to recover his property would violate his constitutional protection against self-incrimination. Don't know if this will fly, but my point is, if they can decrypt everything, why haven't they in his case? They clearly think he's hiding something prosecutable, so they have a great incentive to bring all their powers to bear.