Slashdot Mirror


How Would Crypto Back Doors Work?

frantzdb writes "We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic? Also, how would/does the government know whether a bitstream is random bits, or encrypted data?"

130 of 477 comments

  1. Simple by nate1138 · · Score: 2, Insightful

    Simple Answer:

    Crypto backdoors won't work ;) (At least not for their intended purpose)

    --
    Where's my lobbyist? Right here.
    1. Re:Simple by imp · · Score: 3, Insightful

      The problem with weakening crypto is that anybody
      may be able to recover the keys, not just the
      folks that mandated the back door. Also, there
      are long term issues with this. What if a trusted
      party today becomes an untrusted party in the
      future? What do we do when the current threat is
      over? What if the bad guys figure out the backdoor? Would you have worse problems from them
      than you have now with the folks blowing things up? What if the US government gets weird and
      refused to give up the back door once the crisis
      is over?

      And finally: What about the huge deployed base of strong crypto?

      One more finally: Little evidence has been given
      that strong crypto is being used today as a shield
      for the communications with this group. Why should we give up our rights based only on the
      say so of the Government, one that has lied to
      us in the past?

    2. Re:Simple by einhverfr · · Score: 2

      The reason they are placing these backdoors is to stop terrorism and other crimes from occurring... now I don't know about you, but if I was to fly a plane into a large building I would be sure as hell to use my own crypto not some algorithm with a backdoor from the government. I mean please, people like bin laden have billions of dollars you don't think they could get a kid to code something for them? All this is going to do is make the government get on the backs of innocent people using "illegal" crypto.

      In addition, if the remote control features of the planes that they are talking about today were also in place and used legal cryptography, then if I were a terrorist, I would not even have to hijack the plane, if I obtained one of the master keys! This backdoor idea is about the least intelligent thing I have ever heard.

      --

      LedgerSMB: Open source Accounting/ERP
    3. Re:Simple by Tim+C · · Score: 3, Insightful

      What if the US government gets weird and refused to give up the back door once the crisis is over?

      "What if"? Why would they?

      Why would they give up such a valuable advantage in the fight against <insert current object of vilification>? Terrorists, drug smugglers/dealers, criminals, communists, dissidents - all have had war declared on them at some point, by some country or other, and all could benefit from the unrestricted use of strong crypto.

      Even if the war against terrorism is won, this legislation would stay in place, to aid the war against the next great evil.

      What if a trusted party today becomes an untrusted party in the future?

      That's exactly the problem I have with this, and all privacy-limiting developments. Here in the UK, as I'm sure you're aware, we have more than our fair share of CCTV cameras on the streets. Every argument in favour of them seems to revolve around the same core assumptions:

      1) They help cut crime, thus making everyone safer
      2) You can trust the Police and the Government

      I have to agree, up to a point. They do cut crime, at least in the covered areas, and I can trust the police and government, now. How do I know I'll still be able to trust them in 20 years time?

      I don't. I just have to hope that I will be able to, because the way things are going, if I can't, I'm going to be in serious trouble. The same is true in this case - if legislation like this is passed now, it makes a future rogue government's job all the easier.

      What about the huge deployed base of strong crypto?

      That's easy. It would become illegal to use it.

      If the agency monitoring communications (NSA, MI5, KGB, whoever wherever you are) acquired a message that they could not read, you'd be arrested, and ordered to decrypt it. (There is already provision for pretty much this to happen in UK law, thanks to the Regulation of Investigatory Powers Bill)

      At best, on proving that it's an innocent message, you'd get a slapped wrist and threats of bad things happening if you continued to use strong crypto. At worst, you'd do time just for using crypto they couldn't break.

      Cheers,

      Tim

  2. Escrow by FatRatBastard · · Score: 3, Interesting

    I'd assume that one of the ideas would be to revive the idea of key escrow. All generated keys would have to be "registered with the state."

    I can't wait until I can purchase a "You'll get my 1024 bit private key when you pry it out of my cold, dead Palm" bumper sticker.

  3. One key? by Sir_Real · · Score: 2

    I certainly hope not... My guess is that upon generating a key, a separate key is also generated. This key (the other half of which the NSA has) could be used to encrypt the original sender's private key. This would allow the NSA (I don't know which tla will hold the keys, just substitute your favorite one in here...) to be able to retrieve the private key and decrypt the transmission... This is pure speculation...

  4. Private Key Registrations by GrEp · · Score: 2

    The government would either have to issue everyone a private key, or pass a law making it a crime not to hand over the keys. Although this only relates to detectable encryptions.

    If you were a terrorist you would probably hide messages via a digital watermark in an image file/video file to get around this. Therefore making the laws useless.

    --

    bash-2.04$
    bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
    1. Re:Private Key Registrations by Salsaman · · Score: 2
      "pass a law making it a crime not to hand over the keys"

      Unfortunately we already have this law in the UK - it's called the RIP Act. The penalty for not handing over a key, even if you have forgotten it, is a two year jail sentence.

    2. Re:Private Key Registrations by sulli · · Score: 2

      But if it's a dynamic session key (as in IPSec) your PC will have long since forgotten it when some jackbooted government thug asks you for it!

      --

      sulli
      RTFJ.
  5. How backdoors work by Chakat · · Score: 2, Interesting
    A lot of the technology behind the last time congress/the prez tried to cram crypto backdoors down our throat is unfortunately classified, but the basic way it would work is that each key would have its own identifier it shouts out in the process of sending packets back and forth. Upon court order (or not, if there are crooked lawmen), the mandatory escrow part, which is how most modern crypto backdoor setups work, is used to get the private key and decrypt the message.

    Steven Levy's excellent book "Crypto", which was reviewed here a few months back has the basic gist of the technology. As the technology is mired in classified work and patents, it's a minefield that will have to be carefully traversed

    --

    If god had intended you to be naked, you would have been born that way.

    1. Re:How backdoors work by mickwd · · Score: 2
      "As the technology is mired in classified work and patents....."

      Odd that a process designed to keep something secret (classifying it) should be combined with a process designed to make something public knowledge (patenting it).

  6. Re:Plain Text by Salsaman · · Score: 2
    Good idea. What's your credit card number :-)

  7. Key Escrow by SirStanley · · Score: 3, Insightful

    The Government tried to implement Key Escrow A while ago.
    Basically. When you generate your keys you must submit the key to the government so they have a copy. It's kind of like your landlord.

    You have a key for your apartment. So does he. If you get locked out he can come on in and let you back in. If you're growing a Pot Farm he can give it to the feds when they have the search warrant and let them in with out bustin no doors down.

    Implementing a mechanical backdoor other than key escrow would suck. Short of the US Government getting hacked your keys should be safe with them (unless of course you believe the US Government's sole purpose in life is to get you) If you implement a mechanical back door just wait until it gets reverse engineered. All hell will break loose.

    If Backdoors are implemented. Im a fan of Key Escrow.

    However what's to stop a terrorist from writing their own version of a public cryptosystem such as RSA and not give anyone keys? Guess there will also have to be a law that says if your key isn't registered and you're communicating with it then the government can arrest you.

    --
    --------========+++Dont Feed The Lab Techs+++========--------
    1. Re:Key Escrow by ocie · · Score: 2

      You could use the government's public key to encrypt your private key, sort of like registering your car, you would have to register your key. The problem is that you could send them any old crap and say it was your key. The only way they would know is if they tested it by decrypting a message.

      This is all beside the point, because terrorists won't register their keys. If the US government can't stop spam, what makes them think they can stop encrypted messages?

      --
      JET Program: see Japan, meet intere
    2. Re:Key Escrow by ocie · · Score: 2

      There have been several bills that try to impose a fine for spam, but this has not eliminated spam.

      --
      JET Program: see Japan, meet intere
    3. Re:Key Escrow by sql*kitten · · Score: 2

      However whats to stop a terrorist for writing their own version of a public cryptosystem such as RSA and not give anyone keys?

      Why, nothing at all, of course. While terrorists (and paedophiles, the other usual suspects) are a problem for society, key escrow makes no more sense than a Federal law requiring the use of postcards and banning envelopes.

      Don't imagine for a second that the government doesn't know this. Just as it is natural for a corporation to seek to expand its share of the market, it is natural for a government to attempt to take more and more control over its citizens' lives. But with a corporation, you are free not to buy its products - there are no armed guards forcing people to buy Gap clothes and McDonalds burgers. Governments, on the other hand, don't give you the choice.

  8. They won't help by levendis · · Score: 3, Interesting

    Crypto backdoors sound good, but in reality they won't help at all. The biggest part of the problem, as you pointed out, is just figuring out what is encrypted and what isn't. According to this article, the hijackers were sending each other unencrypted emails. If they couldn't even intercept unencrypted messages, how do they think backdoors will help?

    One basic assumption of crypto backdoors is that people will actually use crypto that has the backdoor capability. It's like trying to limit encryption to 128 bits or 4096 bits or whatever it is these days. You can just write your own encryption program (or download & hack the source to some existing program) and create 65536 bit encryption if you want. Sure, it's illegal, but if you don't want the feds to find out about your nefarious plans, so what?

    Believe me, we can expect a lot more stupid, reactionary legislation in the coming weeks & months (am I the only one who doesn't feel any safer knowing that the guy on the plane next to me doesn't have his Bic disposable razors????). Thank god we haven't locked up all the Arab-Americans because they could be terrorists...

    --
    ---- I made the Kessel Run in under 11 parsecs.
    1. Re:They won't help by iabervon · · Score: 2

      Even more fundamental and larger is figuring out what is interesting and what isn't. The unencrypted emails you mention were probably exchanging flight info, planning when they wanted to fly, where they should go, where they would come from, and so forth. Reading the email in advance probably wouldn't give anything away to someone not part of the group-- it would be profoundly stupid for them to read email that could incriminate them in a public library, where, even if it weren't examined by the FBI, someone waiting for the computer could simply happen to look over their shoulder.

      It's an essentially unbreakable end-to-end chaffing system: only say things that are just like what anyone would say if they were doing ordinary things, but have some shared understanding that only the people involved know about (like, when we're all on planes at the same time, we'll hijack them).

    2. Re:They won't help by coats · · Score: 2

      ...I wonder how feasible it would be to modify a cryptosystem so that when the government used their backdoor, the message decrypted into some arbitrary text chosen by the individual, but when decrypted through the proper channels, the message is the intended one...


      Unfortunately, this involves solving simultaneous number-theory equations, multiple equations of the sort that would be necessary to break the code algorithmically in the first place by calculating private keys from public keys. If it is computationally infeasible to do that, what you suggest is far harder!

      --
      "My opinions are my own, and I've got *lots* of them!"
  9. Well.. by cmowire · · Score: 2

    For one, the government would most likely be going after the manufacturers of encryption software instead of the users of encryption software.

    Which means the law will be useless because encryption is already out.

    The backdoor will probably be in the form of a key or a series of keys that one or more entities has. To make it seem better, multiple authorities will have portions of the key, so that you can't just grab one repository.

    You can do statistical analyses and generally figure out if something has a likelihood of being encrypted. It's a cold-war technology that probably got much usage back then. But it's not the kind of thing you could deploy across the entire network.

    Now, I'm not a privacy whacko. I don't encrypt my hard drive. I'm not anti-government. I'm generally pretty pragmatic. But even I don't think that we should have backdoors on encryption software. Does the government have backdoors on our safes? Do the cops have a key to my apartment's door?

    1. Re:Well.. by MrKevvy · · Score: 2

      "Does the government have backdoors on our safes? Do the cops have a key to my apartment's door?"

      They have oxyacetylene torches for your safe, and a battering ram for your door. This is why they are considering the legislation: there is no way of reliably cracking properly-done strong crypto in a reasonable amount of time (less than billions of years.) You can't force your way to a key, or buy it, like you can force a door or buy a better torch to get into safes faster.

      The feds had Mitnick's laptop(?) for five years and made no progress in breaking the encryption he used...

      --
      -- Insert witty one-liner here. --
    2. Re:Well.. by aozilla · · Score: 2

      What's different about encryption is that even if they do get a warrant to look at the data contained in an encrypted file, they can't break the encryption with current technology (at least in a reasonable timeframe).

      50% of the time if they broke in the key would be right there unencrypted on the computer. 45% of the time the key would be protected by an easy to crack password. The other 5% of the time the police could plant a key capture device and get the password.

      Key escrow is much much worse than the government having a key to your apartment. It is equivalent to having a ban on possessing private thoughts. Consider a simple encryption scheme which could be done in your head. This plan would make it illegal to memorize a number without telling it to the government. It's that scary.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  10. As with most laws to prevent crime... by ConceptJunkie · · Score: 2

    This will only stop the unsophisticated users. While the government is backdooring into some 1337 h4x0r script kiddies' communications, terrorists cells will be communicating through steganographic messages with non-government-approved encryption on the local pr0n site.

    --
    You are in a maze of twisty little passages, all alike.
  11. To educate yourself by friday2k · · Score: 2

    There is no easy answer to this question. It certainly depends on the algorithms used. It depends on who implemented it, tamper-free devices, and much more. Here are a couple of links that might give the interested reader some points to start:

    Peter Gutmann's excellent crypto tutorial
    Some information on Blind Signatures
    A very nice link page for privacy and encryption
    Ron Rivest's (the R in RSA) homepage with an excellent link section
    And a link to buy Applied Cryptography, even if the stories lack accuracy it is a good read

    Happy reading!

  12. Answer: they could never work by Gregoyle · · Score: 5, Insightful

    They could never work.

    The simple reason is that as long as there is an algorithm that cannot be penetrated, either by force or by escrow, that algorithm can hide data. On this, at least, the cat is out of the bag.

    One of the more likely scenarios which could possibly keep criminals away from data while allowing governments to have access would be an agreement worldwide on a data-encryption standard that included key-escrow. Likely this would be implemented with a large database of registered keys rather than a "skeleton key" approach simply because the "skeleton key" would be a ridiculously easy target. Of course, this whole scenario cannot work for catching dissidents and criminals, and therefore cannot serve the purpose of fighting terrorists.

    The reason is that under any reasonable key-escrow scheme a government would be required to show evidence before using the person's key to find the data. This works fine for average citizens who only use the mandated encryption standard, but, Surprise! When the government uses the key of terrorist Tim to decode his messages, they find that not only did he use the mandated scheme, but he also encrypted his data with his own scheme, which, of course, is unbreakable with current technology. Terrorist Tim wins in two ways here, not only did his data remain secure, but he also managed to waste a large amount of the government's time and resources.

    The fact that this is even being proposed shows the ignorance of technology rampant in Congress. I live in NH, maybe I'll write a letter to Senator Gregg.

    --

    "He's more machine now than man, twisted and evil."

    1. Re:Answer: they could never work by Elwood+P+Dowd · · Score: 2

      You say:

      The reason is that under any reasonable key-escrow scheme a government would be required to show evidence before using the person's key to find the data.

      But if you remember, the biggest issue in the Clipper Chip deal was that they changed the wording that created the "Fruit of the poison tree" doctrine that currently keeps illegally acquired evidence out of the courtroom. They might try to do away with the evidence requirement.

      --

      There are no trails. There are no trees out here.
    2. Re:Answer: they could never work by Sloppy · · Score: 3, Insightful

      They could never work

      Of course, that depends on what the real purpose is. The purpose might be to create lawbreakers.

      "There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible to live without breaking laws." -- Ayn Rand, "Atlas Shrugged"
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    3. Re:Answer: they could never work by reverse+flow+reactor · · Score: 2, Informative

      There are method of hiding data in plain sight. Just read "Chaffing and Winnowing: Confidentiality without Encryption" at http://theory.lcs.mit.edu/~rivest/chaffing.txt


      Also, said Terrorist could use multiple techniques together:

      - write message
      - apply method of Chaffing and Winnowing (above) or method of hiding messages in spam.
      - hide that message in favorite media with outguess.
      - encrypt that with PGP or GnuPG.
      - encrypt that with the mandated, key-escrowed, back-doored technique
      Now there are several barriers to break down, but only the easy one is known about until an investigation is already under way.

      Or:
      - said terrorist could avoid electronic communications, and meet face to face in a public park or on a public bus or in a crowd

      Ask a gardener how they deal with weeds. Do you just remove what you can see, or do you go after the roots? Ask a doctor how he/she deals with a disease. Does he/she treat the symptoms and hope for the best over time, or does he/she treat the source of the disease?

      Yes, cutting off one of their means of communication would be an inconvenience for people who have evil plans. But is there a better way that we can deal with their evil plans in the first place?

      I don't know the answers, I just ask the questions.

      --

      The significant problems we face cannot be solved by the same level of thinking that created them. -Einstein

    4. Re:Answer: they could never work by khym · · Score: 2

      Actually, it could work, assuming that it's only used after a warrant has been acquired. The feds get the warrant, try to decrypt the info, and can't. Or they decrypt it, and find another layer of encryption underneath. Then they can charge the terrorists with use of illegal encryption and send them to jail for a few years.

      --
      Give a man a fire, and he'll be warm for a day, but set him on fire, and he'll be warm for the rest of his life.
    5. Re:Answer: they could never work by Old+Wolf · · Score: 2

      If a terrorist is willing to murder several thousand people, I don't think he is going to have any compunction about using illegal cryptography.

      Compulsory backdoors means that law-abiding citizens lose their privacy, and criminals are unharmed (or perhaps even have their position improved, because their target companies are all now backdoored).

    6. Re:Answer: they could never work by Fred+Ferrigno · · Score: 2

      Everyone keeps saying that "if you ban cryptography, it won't stop the criminals from using it." That's not the point at all.

      The point is to head off Slashdot's vision of the future where everyone uses cryptography for everything. If you ban cryptography, the criminals will still use it. This is true. However, they'll be the only ones using cryptography, and therefore be much easier to spot.

      The NSA doesn't want to decrypt grandma's shopping list. It's a waste of time. Rather, if grandma starts using Government-Approved encryption, and the criminals keep using PGP, all Carnivore has to do is look for PGP, and whammo--you've found your criminals. They don't even have to decrypt it; simple use of real encryption is a sign of guilt.

      Certainly, there are other reasons to oppose this legislation, very real reasons that we must not let this happen. But "it won't work" isn't going to cut it. Because it will work, just not in the way you think it will.

    7. Re:Answer: they could never work by Dwonis · · Score: 2

      They don't even have to decrypt it; simple use of real encryption is a sign of guilt.

      Not really, it's a sign that you are using OpenSSH in a foreign country through a U.S. network (and if I were the head of the OpenSSH team, I'd make damn sure that OpenSSH is INCOMPATIBLE with any insecure algorithms -- even if it had widespread use in the U.S.)

  13. How the government might know by ciurana · · Score: 2

    "We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic? Also, how would/does the government know whether a bitstream is random bits, or encrypted data?"

    There is no such thing as "random bits of data" streaming through the network. All data has redundancies and self-imposed structure in order to convey information. Read Shannon for details on information theory.

    Most currently available cyphers create a data stream that appears extremely randomized. This, in itself, could be a way for the government snoops to detect encryption: A sample of data that is more random than other data.

    You can try the "compression test" for encryption. Try compressing some data. Check the file size. Now, encrypt the same data and run your compression program. You'll notice that the "compressed" file is the same size or larger than the original. This is because the encrypted data is "extremely randomized", and the compression program cannot find patterns in it to compress it. The snoops can use a similar test to detect encrypted data streams, i.e. over time, the probability of any character appearing is 1/n where n is the length of the alphabet (0-255 for bytes).

    Steganography and hiding cyphertext in cyphertext (see Applied Cryptography) would be a good way around encryption back doors.

    Cheers!

    E
    --
    http://eugeneciurana.com | http://ciurana.eu
    1. Re:How the government might know by dvdeug · · Score: 2

      > You can try the "compression test" for
      > encryption. Try compressing some data. Check the
      > file size. Now, encrypt the same data and run
      > your compression program. You'll notice that the
      > "compressed" file is the same size or larger
      > than the original. This is because the encrypted
      > data is "extremely randomized", and the
      > compression program cannot find patterns in it to
      > compress it.

      This is true of good random numbers, too. It's even more true of compressed data - this test will trigger on every gzipped or zipped file to pass through the network. It's also trivial to use some sort of base64 (or more complex encoding that uses letters with English frequency) over your encryption to break this.

      It also doesn't distinguish encryption permitted by the government, and crypto using illegal keys and methods.

    2. Re:How the government might know by ciurana · · Score: 2

      So your average data stream already has (or you may hope so) a rather high entropy. And the compression test does not work well.

      The entropy in a compressed data stream isn't as high as you think. Remember that you have additional data at the beginning of the stream (and possibly at the end) that indicates which compression program/algorithm is used.

      A good way to add entropy would be to compress the data, then encrypt it, then compress it again, then transmit it. Most decent encryption software tries to compress the plaintext first anyway to reduce redundancies.

      Cheers!

      E
      --
      http://eugeneciurana.com | http://ciurana.eu
    3. Re:How the government might know by Sloppy · · Score: 2

      You can try the "compression test" for encryption.

      This won't work, because you can have false positives and false negatives.

      The false positive case is obvious: if the data is already compressed, it will look like it's encrypted even if it's not. So some kid downloading Britney Spears' MP3s gets flagged as a terrorist.

      You can also create false negatives by padding or otherwise injecting artificial redundancy. If "xyz" is entropic (doesn't compress, appears to be encrypted) then just send "xaayaazaa" (where the filler could be anything) and you'll fool anyone who's looking for too much entropy. So Osama's packets go right through Big Brother's net and no one even notices that they're encrypted.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
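The "compression test" from ciurana's post, run against the false positive dvdeug raises (already-compressed data) and the false negatives dvdeug and Sloppy raise (base64 re-encoding, "xaayaazaa"-style padding), as an added Python example that is not part of the thread. All samples are constructed and seeded random bytes stand in for the output of a good cipher, so no real cipher or traffic is involved.

```python
import base64
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (8.0 for a uniform byte stream)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib output size relative to input size; about 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def looks_encrypted(data: bytes, entropy_min: float = 7.0, ratio_min: float = 0.95) -> bool:
    """The naive 'compression test': flag a stream as ciphertext when its bytes are
    near-uniform in frequency AND a compressor cannot shrink it."""
    return shannon_entropy(data) >= entropy_min and compression_ratio(data) >= ratio_min


# --- constructed samples (synthetic; fixed seed so every run gives the same numbers) ---
_rng = random.Random(20010917)

_VOCAB = ("key escrow backdoor government traffic random bits stream cipher "
          "message warrant court privacy terrorist policy network compress "
          "entropy detector snoop packet plaintext secret strong weak law").split()

# Ordinary English-like text: low entropy, compresses well.
PLAINTEXT = " ".join(_rng.choice(_VOCAB) for _ in range(6000)).encode()

# Stand-in for a good cipher's output, which is indistinguishable from uniform
# random bytes; seeded random bytes model it here (no real encryption performed).
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))

# dvdeug's false positive: an already-compressed file looks just like ciphertext.
COMPRESSED_TEXT = zlib.compress(PLAINTEXT, 9)

# dvdeug's false negative: base64 over the ciphertext restores a 64-symbol alphabet.
BASE64_CIPHERTEXT = base64.b64encode(CIPHERTEXT_LIKE)

# Sloppy's false negative: "xaayaazaa", i.e. two filler bytes after every real byte.
PADDED_CIPHERTEXT = b"".join(bytes([b]) + b"aa" for b in CIPHERTEXT_LIKE)

SAMPLES = {
    "plaintext": PLAINTEXT,
    "ciphertext-like": CIPHERTEXT_LIKE,
    "compressed text": COMPRESSED_TEXT,
    "base64(ciphertext)": BASE64_CIPHERTEXT,
    "padded ciphertext": PADDED_CIPHERTEXT,
}


def classify_samples() -> dict:
    """Run the test over every sample; returns name -> (entropy, zlib ratio, flagged)."""
    return {
        name: (round(shannon_entropy(d), 2), round(compression_ratio(d), 3), looks_encrypted(d))
        for name, d in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (ent, ratio, flagged) in classify_samples().items():
        print(f"{name:20s} entropy={ent:5.2f} bits/byte  zlib ratio={ratio:5.3f}  flagged={flagged}")
```

Only the random-looking stream and the compressed text get flagged; the base64 and padded variants carry the same ciphertext but fall below both thresholds, which is why a frequency-based filter cannot by itself tell permitted crypto, illegal crypto, and ordinary zip files apart.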
  14. Why use crypto at all then? by DanEsparza · · Score: 5, Informative
    I think it's a stupid idea to even toss around the idea of a 'crypto back door'. I can understand why politicians are desperately attempting to dig up the 'silver bullet' that would have stopped the WTC tragedy (and will stop the next horrific event from happening) -- but they're barking up the wrong tree for several reasons.

    Making crypto 'safe' with a back door effectively makes it useless. Why would anyone in their right mind use a cryptographic algorithm knowing that a perfect stranger has a 'backdoor pass' to their information? The whole point of crypto is to only allow the intended recipient to view the secret information.

    This idea would weaken any cipher that this idea is applied to. Why? Simple. Key recovery in a datastream you haven't ever seen before depends basically on one of 2 things: Brute force, and a little ingenuity. If you know that the cipher has a 'universal backdoor' then each stream encrypted with the cipher will be that much easier to crack -- because the streams will have to be somewhat similar.

    What happens when the wrong people get the 'back door' key? You don't think that someone dangerous is going to somehow either recover the key manually, or steal it? Think again. A 'back door' key (or set of keys) of this scope would be too good to pass up. Why bother attempting to recover a key that unlocks one stream, when you can unlock a whole set of streams?

    The cat's already out of the bag Why would somebody who really wants to keep information secret use a cipher that didn't keep it secret -- especially when there are so many good ciphers (RC4, Twofish, etc.) that don't have a backdoor? In short -- this is a braindead thought process that will lead the U.S. straight into another disaster.

    1. Re:Why use crypto at all then? by SweenyTod · · Score: 2

      It's not the algorithm you put a back door in at all, it's the system that implements the crypto system you hack.

      For example, I implement twofish or RC4 or AES perfectly, but make known to various 3 letter government agencies what the 1st 80 bits of the key will be (hello Lotus Notes).

      Or I encrypt with two fullblown keys, and keep a copy of the second one, so I can always decrypt it when I need to.

      Or I send the Bad Guy's computer a specially encoded message that tells my crypto system to start forwarding to the previously mentioned three letter agencies copies of all plain text.

      Or I change the random number generator to generate a known series of random numbers.

      There are many ways to backdoor a system. Security is more than the encryption algorithm used, it's the system that implements it. Encryption plays only a part of the overall system.

      Of course, all this would be close to impossible to do in an open source system, which is why we all use them, right?

      --
      Alas gallinaceas de urbe bovis volo
  15. If you can't decrypt it, it must be terrorism... by MrKevvy · · Score: 4, Insightful

    Simply, that the only way to prove that something was encrypted "legally" would be to automatically break it, all of it, as it passes through various communications channels.

    But this is too large of a job for just one person, or a (fiscally feasible) number of people, as much traffic may not pass through a central point. Machines will have to do it automatically, and there will have to be many of them. Who will make the machines? How will they guarantee that the backdoor isn't released? What if the machines themselves take a walk?

    Steganography would be the only way around this, by hiding an encrypted snippet well enough that it doesn't look encrypted. What if someone posts a badly-encoded GIF of their cat on their personal page, and the so-called "Stego detectors" pick it up. Of course, the "message" isn't there. Therefore it can't be decrypted, and they will be flagged as a criminal... scary prospect.

    As the technology progresses, only poorly done stego and innocent media would be caught. It's already possible to encode messages to be indecipherable from quantization noise by any theoretically possible system.

    --
    -- Insert witty one-liner here. --
  16. Re:Back doors by csbruce · · Score: 2

    Standard operating procedure for corporations that don't want all of their trade secrets handed over to their competitors will be: PGP/GPG --> bitwise obfuscation --> ascii-ization/steganographization --> government-approved encryption.

  17. How can access to backdoor be restricted? by sterno · · Score: 2

    The biggest problem with this is what happens to those backdoor keys the government has. I mean first of all, how can we be assured that they can only use the keys with a court order? Furthermore, even if there's a way to assure that, is there any ruling that indicates that's even a requirement? I mean it seems that the fourth amendment might prevent unauthorized access but until a court rules it's hard to say. They could pass a law giving back doors and then later say that they can access them without court supervision (and the court may or may not support that).

    The other problem is that if the government does start accessing things without a court order, how would you know? You could probably develop a crypto system that would leave obvious evidence if it has been accessed through a backdoor, but the government wouldn't want that because it might interfere with an investigation.

    --
    This sig has been temporarily disconnected or is no longer in service
  18. Dig out your old Clipper chip documents by BeBoxer · · Score: 3, Interesting

    The government has already done a lot of research into the area, and pretty much implemented a whole key-escrow system. Nobody used it and as a result it was a flop. To be honest, I don't know how much of the supporting infrastructure was actually deployed.

    The basics of Clipper worked like this. The system was based on hardware encryption chips which implemented the protocol. No software versions existed AFAIK for obvious reasons. Each and every chip had a unique ID and "unit key". Each encrypted transmission had a Law Enforcement Access Field (or LEAF) prepended to it. The LEAF consisted primarily of the current session key encrypted with the unit key of the sending chip and its ID number. I believe the whole LEAF was then encrypted with a single key shared by all chips.

    On the law enforcement end, the DoJ was supposed to maintain a database of all the chip ID / unit keys. There were lots of fancy promises made about the security of the database, and how it would be split in two so that two separate agencies would have to cooperate in order to gain access to the database, etc. All very feel good but in the end un-auditable and basically BS since the regulations guaranteed that there would be no penalty for improper access to the keys.

    Anyway, the LEAF field in combination with the database allows access to the session key and hence the plaintext of any message.

    The whole scheme has so many problems it's not even funny. Not the least of which are: the whole protocol has to be kept top secret. If you know how to generate a legitimate LEAF field, you know how to generate a bogus LEAF field too. An AT&T researcher published a paper about how to get two Clipper chips to talk to each other with bogus LEAF fields. It took a fair amount of trying to get random LEAFs which had valid checksums, but it was quite doable. Presumably, they won't repeat that mistake. Software implementations are pretty much verboten, since they are far too easy to reverse engineer or tamper with. If you are trying to mandate back-doored encryption, you would pretty much just mandate that all encryption be performed using NSA designed and approved chips manufactured by a secure contractor.

    As to what stops you from sending random data, one need only imagine the government's response when they detect that you are sending random data. Such random data would be presumed to be illegally encrypted data, and you would be arrested as such. It's quite possible that you would be freed once you had shown that the data was random. In the meantime, your face would be plastered on the front page of the paper as a "suspected terrorist". You might expect to be held without bail due to the extreme danger a suspected terrorist poses to society. The draconian penalties involved will serve to keep people in check, not any technical ability. Look at the penalties handed down for DMCA violations. Then compare the severity of pirating a movie versus flying an airliner into a building. Finally, scale the DMCA penalties accordingly. You can imagine the outcome.
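To make the LEAF mechanics concrete, here is a toy model in Python. It is an added example, not part of BeBoxer's post and not the real Clipper design: Skipjack and the 80-bit family and unit keys are replaced by a hash-pad stand-in cipher, and the field layout (32-bit unit ID, 80-bit wrapped session key, 16-bit checksum) is assumed. What it demonstrates is the escrow-database lookup on the law enforcement side and the random-trial forgery the post describes, where the receiving chip can only verify the 16-bit checksum, so a bogus LEAF is accepted after about 2**16 tries.

```python
"""Toy model of a Clipper-style Law Enforcement Access Field (LEAF).

Added example, not from the original thread.  Skipjack, the real 80-bit
family/unit keys and the exact Clipper field layout are replaced by a
SHA-256-based stand-in cipher; the 32-bit unit ID, the 16-bit checksum and
the random-trial LEAF forgery are the parts being demonstrated.
"""
import hashlib
import os
import random
import struct

FAMILY_KEY = os.urandom(10)   # toy "family key" burned into every chip
ESCROW_DB = {}                # unit_id -> unit_key, the escrow agents' database


def pad_xor(label: bytes, key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a hash-derived pad (data <= 32 bytes)."""
    assert len(data) <= 32
    pad = hashlib.sha256(label + key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def make_chip():
    """Manufacture a chip: unique ID plus a unit key registered with escrow."""
    unit_id = struct.pack(">I", len(ESCROW_DB) + 1)
    unit_key = os.urandom(10)
    ESCROW_DB[unit_id] = unit_key
    return unit_id, unit_key


def checksum16(session_key: bytes, iv: bytes) -> bytes:
    return hashlib.sha256(b"ck" + session_key + iv).digest()[:2]


def build_leaf(unit_id, unit_key, session_key, iv):
    """LEAF = E_family( unit_id || E_unit(session_key) || checksum16 )."""
    wrapped = pad_xor(b"unit", unit_key + iv, session_key)   # iv keeps the pad fresh
    inner = unit_id + wrapped + checksum16(session_key, iv)
    return pad_xor(b"fam", FAMILY_KEY + iv, inner)


def send(unit_id, unit_key, session_key, plaintext):
    iv = os.urandom(8)
    leaf = build_leaf(unit_id, unit_key, session_key, iv)
    return iv, leaf, pad_xor(b"msg", session_key + iv, plaintext)


def receiver_accepts(leaf, session_key, iv):
    """The receiving chip already holds the session key; it can only verify
    the 16-bit checksum, since it cannot unwrap the sender's unit key."""
    inner = pad_xor(b"fam", FAMILY_KEY + iv, leaf)
    return inner[14:16] == checksum16(session_key, iv)


def law_enforcement_recover(iv, leaf, body):
    """With the family key and the escrow database, recover the plaintext.
    Returns None when the LEAF does not resolve to a registered chip."""
    inner = pad_xor(b"fam", FAMILY_KEY + iv, leaf)
    unit_key = ESCROW_DB.get(inner[:4])
    if unit_key is None:
        return None
    session_key = pad_xor(b"unit", unit_key + iv, inner[4:14])
    if inner[14:16] != checksum16(session_key, iv):
        return None
    return pad_xor(b"msg", session_key + iv, body)


def forge_leaf(session_key, iv, rng):
    """Random-trial forgery against the 16-bit checksum: feed random LEAFs to
    a receiving chip until one is accepted; about 2**16 tries on average."""
    tries = 0
    while True:
        tries += 1
        candidate = rng.getrandbits(128).to_bytes(16, "big")
        if receiver_accepts(candidate, session_key, iv):
            return candidate, tries


def demo(seed=1):
    unit_id, unit_key = make_chip()
    session_key = os.urandom(10)
    iv, leaf, body = send(unit_id, unit_key, session_key, b"attack at dawn")
    bogus, tries = forge_leaf(session_key, iv, random.Random(seed))
    return {
        "honest_leaf_accepted": receiver_accepts(leaf, session_key, iv),
        "recovered": law_enforcement_recover(iv, leaf, body),
        "bogus_leaf_accepted": receiver_accepts(bogus, session_key, iv),
        "recovered_from_bogus": law_enforcement_recover(iv, bogus, body),
        "forgery_tries": tries,
    }


if __name__ == "__main__":
    print(demo())
```

The forgery loop needs no knowledge of the family key at all: the receiver has the session key already and can only check what the checksum covers, so the cost is 2**16 trials however strong the family key and the cipher are. A bogus LEAF passes the receiving chip but resolves to no registered unit on the law enforcement side, which is the "talk to each other with bogus LEAF fields" result the post refers to.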

    1. Re:Dig out your old Clipper chip documents by dragons_flight · · Score: 2

      I have a friend who previously worked for a company (I forget the name) that does a sort of chip reverse engineering in the US. Essentially, they are paid to take chips apart and understand how they work in order to check for patent violations. Along the way they can also generate complete design schematics.

      Pretty cool technology to be dealing with, but it does show that corporations as well as governments are perfectly capable of taking chips apart.

    2. Re:Dig out your old Clipper chip documents by markmoss · · Score: 2

      Simple. It'll become illegal to send random data. How about sending a JPEG of a Jackson Pollock painting? It sure looks like random data. (Pollock's usual method of creating "art" was to cover the floor with canvas, set a ladder in the middle of it, climb up with various colored paint cans, and fling paint.) But since some people will pay large sums for the original, it isn't random data and you could sue for false arrest.

      Meanwhile, real terrorists will be sending the communications they need buried in innocuous-looking messages in the clear. Agree on a few code words at a face to face meeting, and then you can make all messages necessary for scheduling and coordination look like ordinary business communications -- e.g., send the target location, date, and time as the time and place for a meeting, an order for "staplers and staples" can refer to guns and ammo, ...

      Or if they really have to send an incriminating message, there are lots of ways to hide it in an innocuous message. E.g., insert a letter here and a letter there as "misspellings". Flip a few bits in an image or audio file -- if the recipient has an unmodified copy of the file, just do an XOR to recover the hidden message. Or if you want something really sophisticated, hire some underpaid Russian mathematician/programmer.

      Or after a decade or two of this sort of sh*t, you'll be able to hire impoverished Americans instead...

  19. Already exists by 11thangel · · Score: 2

    That law is called obstruction of justice. If you have a key, it can be subpoena'd at any time, if they can prove to a judge that your encrypted data may include things necessary to proceed with a trial. If you don't hand it over, or conveniently "lose" your copy, you get hit with obstruction of justice and you look like an incompetent fool who can't even keep track of his own crypto keys.

    --

    I am !amused.
    1. Re:Already exists by krlynch · · Score: 2

      Not to mention the 5th Amendment problems with forced key turnover.

      I doubt that there is a 5th amendment issue here. Consider that there is no 5th amendment issue with taking fingerprints, court ordered blood tests in criminal cases, and required breathalyzer tests in suspected drunk driving cases, among other things. The 5th amendment protection, "nor shall [he] be compelled in any criminal case to be a witness against himself", has generally been very narrowly construed by courts, if I remember correctly, to be just that - they can't force you onto the stand in a criminal case against you; even then, once you have chosen to take the stand, you CAN in fact be forced to give testimony that is not in your favor. (IANAL and all that, but I do remember some of the things that I learned in civics classes :-)

  20. Easy Ways to Avoid Backdoors by Bonker · · Score: 3, Interesting

    If a normal guy like me can come up with these, you know that scary, insidious, Terrorist types are lightyears ahead:

    1. Use existing crypto programs or write your own. Anyone with access to a high-level math textbook or a book on encryption and a little bit of coding experience can currently write crypto that is brute-forceable only by supercomputers. The same is true of the existing versions of PGP and other crypto programs available world-wide.

    2. Steganography. Apps exist world-wide that will hide plain or crypted data in all sorts of things. Images, MP3's, Spam Mail, etc...

    3. Use non government-controlled channels to transmit data. Sneaker-net, by definition, is uncrackable without a spy in the house. No technology currently allows LEO's to read a CD without first placing it in a drive. This may not be far off, but it's still effective, so far as I know. Also, most phone companies can be persuaded to install 'burglar alarm' circuits that are just non-powered plain copper between any two given locations.

    4. XOR Crypted data in a manner so that if decrypted without first XORing it back, it will decrypt into useless, but not random information. I'm not a coder, but I can imagine that some talented hacker somewhere could come up with a scheme of encoding a crypted message so that it decrypted as Mom's cookie recipe if you didn't decode it properly.

    5. For communications in which anonymity is more important than secrecy, use existing file-sharing networks to propagate messages. Freenet is the best example of this.

    6. Transmit textual data in non-standard image formats. Ascii text is easy to detect. A compressed PNG of text data would be much more difficult to detect, especially by automated methods. A compressed or reencrypted raw bitmap would be even more difficult to detect. Existing image scanning programs work by scanning for a predetermined signature. Making images of text so that there is no signature possible is fairly easy in photoshop.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  21. Simple by TrumpetPower! · · Score: 5, Insightful
    We've been hearing about adding crypto back doors for the govement to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic?

    If you're talking about public key cryptography or some form of key exchange protocol (such as what happens with PGP, SSL, and the like), then, yes, there'll be more than one key that can decrypt the message. PGP already allows you to encrypt a message to more than one recipient; a simple solution would be to require all software to always encrypt to Uncle Sam's key in addition to the intended recipients.

    The other solution is to weaken the encryption algorithm in some way. There are very subtle approaches, but the simplest is to limit the length of the key. A 40-bit key takes half as long to crack with brute force as a 41-bit key, and a 42-bit key takes twice as long again (all else being equal). If you have an application that uses 128-bit keys, it could be ``dumbed down'' to a 40-bit key by forcing all keys to start with 88 zeroes (or some other known pattern).

    How to get people to use such software when there's a wealth of reliable strong cryptographic software readily available is left as an exercise to the reader.

    Also, how would/does the government know wether a bitstream is random bits, or encrypted data?"

    Most encrypted streams have header information to make identification easy for the recipient. If you've ever gotten PGP-signed or -encrypted email, you've seen ``BEGIN PGP MESSAGE'' or some such at the top.

    You could, of course, remove all such identification. If the encryption method is strong, what remains is provably indistinguishable from pure noise. If the recipient adds the identification back--if she puts ``BEGIN PGP MESSAGE'' before the bits--the result can be fed to the decryption process without trouble.

    But how many people send random bitstreams to each other? Somebody doing so would stand out like a sore thumb against the usual traffic of ASCII.

    The most commonly accepted solution is steganography, the art of hiding secrets in plain sight. ``All the twenty clever kings'' could mean ``attack'' if you were to just look at the first letter of every word. Common modern methods of steganography include encoding the message in the low-order bits of a JPEG, but the field is still young and many techniques are a bit crude. If ``they'' are already looking at you, ``they'' will have a good chance of finding the message.

    As always, Bruce Schneier's Applied Cryptography is a wonderful resource.

    b&

    --
    All but God can prove this sentence true.
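A worked example of the low-order-bit embedding mentioned above, added here and not taken from TrumpetPower's post or any particular tool. The carrier is a constructed list of 8-bit grayscale pixel values rather than a JPEG (JPEG's lossy compression destroys pixel LSBs, which is why practical tools embed in the DCT coefficients instead). The crude LSB-frequency check at the end stands in for the ``stego detectors'' MrKevvy worried about in comment 15; it works only because the constructed cover has all-zero LSBs, and a real detector would use something like the chi-square pairs-of-values test.

```python
"""Least-significant-bit steganography on an uncompressed grayscale image.

Added example, not from the thread.  The carrier is a constructed list of
8-bit pixel values; the detector is a deliberately crude LSB-frequency check
that only works against the smooth synthetic cover built below.
"""


def embed_lsb(pixels: list, payload: bytes) -> list:
    """Write a 32-bit length prefix and the payload into successive LSBs."""
    data = len(payload).to_bytes(4, "big") + payload
    nbits = len(data) * 8
    if nbits > len(pixels):
        raise ValueError("carrier too small: need %d pixels" % nbits)
    out = list(pixels)
    for i in range(nbits):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & ~1) | bit
    return out


def _read_bytes(pixels: list, start_bit: int, count: int) -> bytes:
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[start_bit + 8 * b + k] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(pixels: list) -> bytes:
    """Read the length prefix, then that many payload bytes."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    if 32 + 8 * length > len(pixels):
        raise ValueError("length prefix does not fit the carrier")
    return _read_bytes(pixels, 32, length)


def odd_lsb_fraction(pixels: list, count: int) -> float:
    """Share of set LSBs over the first `count` pixels.  The synthetic cover
    below sits at 0.0; an embedded ASCII payload pushes it toward 0.5."""
    return sum(p & 1 for p in pixels[:count]) / count


def make_cover(width: int = 64, height: int = 64) -> list:
    """Constructed sample cover: a horizontal gradient using even values only."""
    return [(2 * x) % 256 for _ in range(height) for x in range(width)]


def demo():
    cover = make_cover()
    secret = b"meet at the old pier, 2am"      # constructed payload
    stego = embed_lsb(cover, secret)
    used = 32 + 8 * len(secret)                 # pixels actually touched
    return {
        "recovered": extract_lsb(stego),
        "changed_pixels": sum(a != b for a, b in zip(cover, stego)),
        "cover_odd": odd_lsb_fraction(cover, used),
        "stego_odd": odd_lsb_fraction(stego, used),
    }


if __name__ == "__main__":
    print(demo())
```

Every changed pixel moves by exactly one gray level, which is invisible to the eye; the LSB statistics are what give it away, which is the reason later tools such as the OutGuess program mentioned in comment 24 pick their embedding positions to preserve the carrier's statistics.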
  22. legal rather than technical by eyeball · · Score: 2

    first, i'm not a lawyer.

    too much time is being spent thinking about the technical aspects of enforcement and use of 'backdoors'. what everyone's failing to realize is that the technical aspects of crypto laws are irrelevant. it's how they will be used that's important. if any crypto laws are passed, they'll be used in prosecution and trial rather than proactively enforced.

    picture this scenario: you are a criminal who has been sending encrypted messages to someone else. you're busted, and on trial you are asked to decrypt the messages. you refuse. you are then thrown in jail for not complying with the crypto laws.

    again, i'm not a lawyer, but it seems that if crypto laws will work in this manner, we are throwing away our 5th amendment right to refuse to incriminate ourselves.

    --

    _______
    2B1ASK1
  23. Why is Decryption Needed by the Feds? by scotpurl · · Score: 2

    It's my primitive understanding of the court system that during a trial, the records of phone calls may be entered into evidence. This is not the actual content of the call, and who made the calls is not part of the evidence. Just the fact that one telephone called another telephone.

    Why then must the Feds know what is in a message? If the fact of transmission of a message is adequate, at least in the courts, then why does the content need to be known?

    Also, why does the Government believe that it should have the right to be a party to all conversations? If the Feds had a time machine, and could travel back in time and listen in on any conversation, I believe that would be ruled an invasion of privacy. How then is decrypting a message any different?

  24. Here's what I said to my political representatives by Zwack · · Score: 4, Insightful

    This is a long post (for me)... It basically contains the majority of a letter that I sent to my representative and senators... It basically states a number of reasons that I think this proposal is inoperable. I encourage all of you to contact your elected representatives as well.

    Adam/Zwack

    As I feared when I first saw the attack on the World Trade Center, it has been reported (http://www.wired.com/news/politics/0,1283,46816,00.html) that "Sen. Judd Gregg (R-New Hampshire) called for a global prohibition on encryption products without back doors for government surveillance."

    Media reports have made it appear that Osama Bin Laden may have used encryption, but it is more likely that he relied on a lack of technology. According to the media, Bin Laden held face-to-face meetings in a private room rather than trusting that the communications channel was not intercepted. One journalist who has met him had some newspapers with him and Bin Laden is reported to have pounced on them and read them as he was so out of touch with the outside world.

    Even if there is a ban on encryption products, older encryption products already exist without those back doors. Writing encryption software is not too complicated (Applied Cryptography is about $40) and terrorists and criminals are not going to worry about breaking yet another law. So who would this affect? Criminals? No. Terrorists? No. Penry, The Mild Mannered Janitor? Could Be.

    Anyone can do a little research and find out that there are other techniques that cannot be legislated against that are just as effective for secret communications.

    Ronald Rivest, one of America's foremost cryptographers, published a paper in 1998 called "Chaffing and Winnowing: Confidentiality without Encryption." (http://theory.lcs.mit.edu/~rivest/chaffing.txt) In it he describes a method for plain text communication which does not rely on encryption to hide the message. He then goes on to add more twists to the method, which mean that if someone demanded the actual message you could give them a completely false, and presumably inoffensive, message.

    If that wasn't enough to make legislation on encryption pointless, then steganography, the practice of hiding one message inside another, could be used either independently or with "Chaffing and Winnowing". It is possible for messages to be hidden within pictures, movies, sound files and even Stream of Consciousness-like poems easily. The sophistication of some of the programs is astounding. One program (http://www.outguess.org/) actually performs a statistical analysis on the image first to ensure that in hiding the message it does not modify the image too much.

    There are numerous other non-technological techniques that could make this law pointless. For example, the terrorists could choose a book, say Hamlet, and spell out their message with the words or letters in that book. A message like "42 23 17 65" is not going to mean much to anyone until they know that in a specific edition of a specific book they should read the twenty third word on page 42, the 65th word on page seventeen... and so on.

    They could use a simple code where phrases mean certain things. So "I went to see the new production of Oscar Wilde's Importance of Being Earnest" might mean "The birthday cake arrives tomorrow". As long as only the parties involved know the code phrases and their meanings, this kind of communication is impossible to break.

    If encryption software without back doors is outlawed, what will terrorists do? If they're paranoid they'll use illegal encryption to encrypt a code phrase, hide it in an image, and then mix it with several completely innocent, and some totally random streams using chaffing techniques.

    That way, by the time the NSA have worked out which streams contain real messages, figured out that one or more of the images contains a steganographically hidden message and broken the encryption on it, they will have wasted weeks in order to get a perfectly normal sentence that isn't going to mean anything to them anyway.

    In that same period of time, several companies who are obeying the law and not using encryption will have had their company secrets stolen by other companies, as they couldn't encrypt confidential messages between two of their offices. The French Secret Service was known to pass trade secrets to French companies when the French government was strictly controlling encryption. Add to that the many completely innocent uses of encryption for security and confidentiality: communicating with banks, logging on to remote servers, protecting medical records, implementing Virtual Private Networks and so on. Banning encryption that the government can't decode is more likely to cause harm to the law abiding citizen than it is to stop or reduce terrorist or criminal activities.

    In short, any attempt to regulate the free flow of ideas, whether encrypted or unencrypted is only going to hinder law abiding citizens, and effectively punish them, without providing any additional safety. Remember that these hijackings were very low tech, no computers were hacked, no high technology weapons were used, just people armed with knives and the willingness to die.

    --
    -- Under/Overrated is meta-moderation, and therefore is Redundant.
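Rivest's chaffing and winnowing as working Python, added here as an illustration; it is not from Zwack's letter or from Rivest's paper. Each packet carries a serial number, one byte of payload and a MAC. Wheat has a correct MAC under the receiver's authentication key, chaff does not, and nothing is ever encrypted, yet without the key an eavesdropper cannot tell which packets to keep. Two genuine conversations are interleaved so that each one's wheat is the other's chaff, which gives the innocuous second message the letter mentions. The one-byte packet size, the 8-byte truncated HMAC-SHA256 tag and the extra random chaff are assumptions of this example.

```python
"""Rivest's chaffing and winnowing: confidentiality without encryption.

Added example, not from the thread.  Assumed details: one-byte payloads,
8-byte HMAC-SHA256 tags, serial numbers sent in the clear.
"""
import hashlib
import hmac
import random

TAG_LEN = 8


def tag(key: bytes, serial: int, payload: bytes) -> bytes:
    """Authenticate (serial, payload) under the receiver's key."""
    msg = serial.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_wheat(key: bytes, message: bytes) -> list:
    """One authenticated packet per message byte."""
    return [(i, message[i:i + 1], tag(key, i, message[i:i + 1]))
            for i in range(len(message))]


def make_chaff(serials, rng) -> list:
    """Packets with random payloads and random (hence invalid) tags."""
    return [(s, bytes([rng.getrandbits(8)]), rng.getrandbits(64).to_bytes(8, "big"))
            for s in serials]


def winnow(key: bytes, packets: list) -> bytes:
    """Keep packets whose tag verifies, order by serial, reassemble."""
    kept = {}
    for serial, payload, t in packets:
        if hmac.compare_digest(t, tag(key, serial, payload)):
            kept[serial] = payload
    return b"".join(kept[s] for s in sorted(kept))


def chaffed_stream(key_a, msg_a, key_b, msg_b, seed=7):
    """Interleave two genuine conversations plus random chaff, then shuffle
    so the wire order reveals nothing; serial numbers restore the order."""
    rng = random.Random(seed)
    packets = make_wheat(key_a, msg_a) + make_wheat(key_b, msg_b)
    packets += make_chaff(range(max(len(msg_a), len(msg_b))), rng)
    rng.shuffle(packets)
    return packets


def demo():
    key_a, key_b = b"real-channel-key", b"cover-story-key!"   # constructed
    stream = chaffed_stream(key_a, b"meet at the old pier, 2am",
                            key_b, b"grandma's cookie recipe attached")
    return {
        "a": winnow(key_a, stream),
        "b": winnow(key_b, stream),
        "eavesdropper": winnow(b"wrong-key", stream),
        "packets": len(stream),
    }


if __name__ == "__main__":
    print(demo())
```

If demanded to produce "the message", the sender can hand over the key that winnows the cookie recipe; the same packets are the authentic transcript of that conversation. Note that with one-byte payloads the random chaff is often non-printable and can be told from text by content alone; Rivest's paper sends one bit per packet so that the chaff can always be the complementary bit, and the second-conversation trick above sidesteps the problem because every byte on the wire is plausible text.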
  25. Several options by jd · · Score: 4, Informative
    • Key Escrow, where some percentage of the private key is registered with the Govt.
    • Synonyms (which requires weak algorithms), where a third "key" is generated, which is different from, but functionally identical to, the private key. One way to do this is to fix certain bits. This was accidentally done in some early SSL implementations for Netscape.
    • DH duplicates, where key exchanges are automatically forwarded by the hardware and/or software.
    • "Skeleton Keys", where the hardware logs the keys used, and transmits them on request.
    • A requirement to use Microsoft encryption code. Ooops, sorry, already covered. :)
    • Plain-text logging by hardware, prior to all encryption, available on request.
    • Requirement for HW manufacturers to build TEMPEST into all machines, with images forwarded.
    • Keyboard loggers mandatory on all machines, with data stored and/or forwarded.
    • A return to mainframe-style machine operation, where everything is handed over to approved operators. (So THAT's why certification programs are so popular....! :)
    • A ban on all privately-owned computers, with all machines becoming dumb terminals to a central machine. One box to rule them all, and in the darkness BIND them...

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  26. Interesting turnaround... by aralin · · Score: 2
    So while many years it was illegal to export more than 56 bit encryption out of USA, now it will be illegal to IMPORT the same :)))

    Wake up, America, the world is laughing at you.

    --
    If programs would be read like poetry, most programmers would be Vogons.
  27. Re:Back doors by JCCyC · · Score: 2

    You forgot...

    #5 They'll blame #4 on those few remaining Evil Linux Communist Terrorist Hackers, and tighten the vise even more.

    #6 goto #4

  28. Re:Back doors by zulux · · Score: 2
    ascii-ization/steganographization -->



    Argh! You mean all those Ascii Goatse.cx posts on Slashdot could have hidden messages - those sneaky bastards! Hiding information in someones bum is not nice!

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  29. Answering The Question by Steve+B · · Score: 2
    How Would Crypto Back Doors Work?
    1. The government requires the publishers of crypto software to install some sort of digital "skeleton key".

    2a. Corrupt politicians use the back door to dig up dirt on their political opponents, like Filegate and COINTELPRO.

    2b. Crooks compromise one of the agents who knows about the back door, and use it to forge big money transfers to themselves and a free ticket to the Cayman Islands.

    2c. Terrorists get hold of the back door, and use it to forge all sorts of false communications to create chaos.

    2d. An 3133t hacq3r d00d cracks the back door, and uses it to replace your bank records with a picture of Natalie Portman engaged in topless grits-wrestling.

    Oh... you meant to ask how crypto back doors are supposed to work? Ask the people who came up with this hare-brained scheme.
    --
    /. If the government wants us to respect the law, it should set a better example.
  30. key escrow functioning by TheSHAD0W · · Score: 2

    The way key escrow systems work is the decryption key is encrypted using a new randomly generated key. (This can be repeated for keys to be escrowed with more than two entities.) The new key(s) and the encrypted decryption key are then sent to different escrow agents. Since both the encrypted key and the key(s) used to encrypt it are required to recover the decryption key and decode messages, it requires the cooperation of all the escrow agents to gain such access.

    All that is left is a method of preventing people from using key sets that haven't been escrowed; this can be done by designing cryptographic hardware to only use keys that have been digitally signed by the authority that generated the escrow keys.

    Note that when using a general-purpose computer to perform encryption and decryption, there is no easy way to prevent people from using unescrowed keys. Software designed to check for such things can always be patched and disabled.
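An added example (not TheSHAD0W's code) of the split-escrow scheme just described, in Python. Encrypting the decryption key with a fresh random key of the same length is a one-time pad, so the two-agent case is XOR secret sharing, and the same chain extends to any number of agents: every share is needed, and any subset missing one share is uniformly random. The "digital signature" the hardware checks is modelled with an HMAC under an authority key, an assumption standing in for a real signature scheme (it means the hardware holds the authority key, which a public-key signature would avoid).

```python
"""Escrowing a decryption key across several agents who must all cooperate.

Added example, not from the thread.  The signature check is modelled with an
HMAC under an authority key, a stand-in for a real signature scheme.
"""
import hashlib
import hmac
import secrets

AUTHORITY_KEY = secrets.token_bytes(32)   # held by the escrow authority


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def escrow_split(decryption_key: bytes, n_agents: int) -> list:
    """Return one share per agent.  Agents 1..n-1 receive fresh random keys;
    the last agent receives the decryption key encrypted (XORed) under all
    of them.  With n_agents == 2 this is exactly E_r(K) and r."""
    if n_agents < 2:
        raise ValueError("escrow needs at least two agents")
    shares = [secrets.token_bytes(len(decryption_key)) for _ in range(n_agents - 1)]
    wrapped = decryption_key
    for share in shares:
        wrapped = xor_bytes(wrapped, share)
    return shares + [wrapped]


def escrow_recover(shares: list) -> bytes:
    """Combine the agents' shares.  Missing even one share, the result is a
    uniformly random string that says nothing about the key."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out


def authority_approve(decryption_key: bytes) -> bytes:
    """Approval issued only after the key has been escrowed.  Stand-in for a
    signature: an HMAC over the key's hash under the authority key."""
    digest = hashlib.sha256(decryption_key).digest()
    return hmac.new(AUTHORITY_KEY, b"escrowed:" + digest, "sha256").digest()


def hardware_accepts(decryption_key: bytes, approval: bytes) -> bool:
    """The crypto hardware refuses any key that lacks a valid approval."""
    expected = authority_approve(decryption_key)
    return hmac.compare_digest(expected, approval)


def demo():
    key = secrets.token_bytes(16)
    shares = escrow_split(key, 3)
    approval = authority_approve(key)
    rogue_key = secrets.token_bytes(16)   # generated locally, never escrowed
    return {
        "all_agents": escrow_recover(shares) == key,
        "two_of_three": escrow_recover(shares[:2]) == key,
        "approved_key_accepted": hardware_accepts(key, approval),
        "rogue_key_accepted": hardware_accepts(rogue_key, approval),
    }


if __name__ == "__main__":
    print(demo())
```

The split protects against one careless or corrupt agent, not against the point the post closes on: on a general-purpose computer the `hardware_accepts` check is just software, and whoever controls the machine can patch it out.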

  31. Definitly not escrow. by MarkusQ · · Score: 3, Interesting
    An alternative to direct key escrow is the system used by Lotus Notes for their export versions a while back. Known as a "Work Factor Reduction Field", it's some fractional part of the key (Lotus used 24 of the 64 bits in their keys), encrypted with a system-wide key (usually half of an asymmetric key pair) and included in the transmission.

    The problem here is that this system-wide key now becomes the sweet one-stop-shopping target for crackers that the whole escrow system seeks to avoid.

    -- MarkusQ
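Added example (not MarkusQ's or Lotus's code) showing why disclosing part of the key is the same as shortening it. The toy key is 40 bits with 24 carried in the WFR field, so the search that remains is 2**16 and runs in a fraction of a second; the identical brute force, with the leading key bytes fixed to zeros instead of escrowed, is TrumpetPower's ``88 zeroes'' variant from comment 21. The cipher is a hash-pad stand-in, the system-wide key is an ordinary symmetric key here, and the attacker is assumed to know that the message begins with a fixed header (the crib).

```python
"""Work factor reduction by disclosing, or fixing, part of the key.

Added example, not from the thread.  The Lotus Notes WFR field disclosed 24
of 64 key bits to one holder; here the key is shrunk to 40 bits (24 disclosed,
16 left to search) so the brute force finishes quickly.
"""
import hashlib
import itertools
import os

KEY_BYTES = 5          # 40-bit key in this toy
DISCLOSED_BYTES = 3    # 24 bits carried in the WFR field
SYSTEM_KEY = os.urandom(16)   # held by the party the WFR is addressed to


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (data <= 32 bytes); XOR makes it its own inverse."""
    pad = hashlib.sha256(b"toy" + key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def make_wfr(key: bytes) -> bytes:
    """Encrypt the first DISCLOSED_BYTES of the key to the system-wide key."""
    return toy_encrypt(SYSTEM_KEY, key[:DISCLOSED_BYTES])


def send(key: bytes, plaintext: bytes):
    return make_wfr(key), toy_encrypt(key, plaintext)


def brute_force(known_prefix: bytes, ciphertext: bytes, crib: bytes):
    """Search only the undisclosed key bytes; `crib` is a known plaintext
    prefix (assumed: the message starts with a fixed header)."""
    unknown = KEY_BYTES - len(known_prefix)
    for tries, tail in enumerate(itertools.product(range(256), repeat=unknown), 1):
        candidate = known_prefix + bytes(tail)
        if toy_encrypt(candidate, ciphertext).startswith(crib):
            return candidate, tries
    return None, 256 ** unknown


def recover_with_wfr(wfr: bytes, ciphertext: bytes, crib: bytes):
    """Holder of SYSTEM_KEY: 2**16 trials instead of 2**40."""
    return brute_force(toy_encrypt(SYSTEM_KEY, wfr), ciphertext, crib)


def recover_with_fixed_prefix(ciphertext: bytes, crib: bytes,
                              fixed: bytes = b"\x00" * DISCLOSED_BYTES):
    """Anyone at all, when the software forces the leading key bits to zero."""
    return brute_force(fixed, ciphertext, crib)


def demo():
    message = b"Subject: meeting moved to noon"   # constructed plaintext
    crib = b"Subject:"
    key = os.urandom(KEY_BYTES)
    wfr, ct = send(key, message)
    found, tries = recover_with_wfr(wfr, ct, crib)
    weak_key = b"\x00" * DISCLOSED_BYTES + os.urandom(KEY_BYTES - DISCLOSED_BYTES)
    _, ct2 = send(weak_key, message)
    found2, tries2 = recover_with_fixed_prefix(ct2, crib)
    return {"wfr_ok": found == key, "wfr_tries": tries,
            "fixed_ok": found2 == weak_key, "fixed_tries": tries2}


if __name__ == "__main__":
    print(demo())
```

The two variants differ only in who holds the shortcut: with the WFR it is whoever has SYSTEM_KEY, the single target MarkusQ points at; with a fixed prefix it is everyone, since the search is the same for every eavesdropper.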

  32. How it will really work by r_j_prahad · · Score: 3, Insightful

    In theory, a keylist will be held in escrow by a division of the Supreme Court, and only released to investigators who can satisfy the same criteria needed for an ordinary wiretap.

    In reality, the keylist will be posted on alt.hackers.malicious within 24 hours of being delivered under seal to the Supremes.

  33. +1 Hackish on the MQR standard by MarkusQ · · Score: 2
    From an export point of view, strong encryption is considered "arms". Last time I checked the constitution, we have the right to bear arms and that right cannot be infringed. Perhaps we need some help from the NRA??? ;)

    In the spirit of free-as-in-chaos, I have instituted my own private moderation system. Under this system, I hereby give you +1 Hackish. If more people thought like this the world would be a much better place (IMHO).

    -- MarkusQ

  34. Too many formulas by scott1853 · · Score: 2

    I'm sure echelon can handle ROT13, but can it handle ROT14? One problem is a minor change in the encryption formula can make the government's efforts futile. Rotate the bits right, rotate them left, invert them, invert the high 4, rotate the low 4, there's lots of combinations. Even if they programmed all the different variations in, it would take a bit of time to process a single e-mail.

    What about encryption formulas created in other countries? Didn't we just get past the point where we can export basic encryption. Are they going to ban importing (maybe they already did, I don't know).

    I don't know the answers, unfortunately, neither does the government, but they're gonna pass some laws anyways.

    1. Re:Too many formulas by (void*) · · Score: 2

      Actually, doing such things very likely makes the scheme vulnerable to cryptanalysis.

    2. Re:Too many formulas by (void*) · · Score: 2

      I refer you to Donald Knuth's Art of Computer Programming, Volume 3, where he talks about pseudorandom number generation. Although cryptography is not random number generation, many of the principles are the same. One thing is that choosing arbitrary operations to perform on an encrypted dataset does not necessarily strengthen a cryptographic algorithm.

  35. Re:They won't help (solution) by ciurana · · Score: 2


    One-time pads + encryption du jour.

    See Applied Cryptography 2nd ed. pp. 227-229 "Hiding Ciphertext in Ciphertext" and "Destroying Information"

    E
    --
    http://eugeneciurana.com | http://ciurana.eu
  36. Relevant Articles by thrig · · Score: 2

    Bruce Schneier has all sorts of stuff to say about crypto in "Applied Cryptography."

    See also his webpage search thingy, which links to a bunch of articles specific to escrow.

  37. The DMCA connection by ocie · · Score: 2

    The government really has no choice. Breaking encryption is now illegal, so these backdoors are the only way for them to try and read encrypted messages.

    --
    JET Program: see Japan, meet intere
  38. Re:Detecting encrypted messages vs. Random bits by TheSHAD0W · · Score: 2

    This changes drastically if low-end crypto, even backdoored crypto, becomes used routinely for email traffic.

    There are two reasons for this: First, it takes a significant amount of CPU time to break and decode an encrypted message, even if you have retrieved the key from the escrow agents. Decoding the traffic to and from a few selected email accounts is one thing, but having a system decoding and monitoring routine traffic is another matter entirely.

    The second reason is that, if you take a message that's been encrypted using a military-grade cryptosystem, and then encrypt those results with a weak system (such as DES-40), it is impossible to tell that message apart from a routine message only encrypted with a weak system without decrypting both. In other words, there is no way to casually monitor lightly encrypted message traffic and pick out the people using unlawful encryption.

    As a result, if weak encryption becomes common, people who wish to keep their messages secure can do so without tipping off the law. It is only if you are already suspect that your use of high-grade encryption would be discovered.

  39. A Simple Workaround by jgerman · · Score: 2
    It's easy enough to defeat the backdoor. Double encrypt your message. Once with software that the government does not have a key for and again with the approved method. This way any message that you send will look like gibberish when decrypted with the government key. This will have the added benefit of foiling sniffers that route messages encrypted by un-approved methods to an agency that sorts through them.

    The root of this problem is that it can never, EVER work. Mainly because we have freedom of speech, the government can pass as many laws as it likes on legal encryption but they can't enforce them. Think of the civil-disobedient potential. You could get thousands of people to send random encrypted gibberish to one another. Just because the government can't understand it doesn't make it illegal, what's the difference between that and encrypted meaningful information. The answer is none. This is all simply a case of communicating in a language that the government doesn't understand... all well within our rights.

    --
    I'm the big fish in the big pond bitch.
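An added example (not jgerman's or TheSHAD0W's code) of what a monitor holding the escrowed key can and cannot see when a message is encrypted twice, as described in comments 38 and 39. Both the "approved" outer cipher and the "unlawful" inner cipher are stand-in stream ciphers (SHA-256 in counter mode with a per-message nonce), and the classifier is a printable-ASCII ratio, an assumed placeholder for whatever a real system would use. Before the outer layer is removed the compliant and the double-encrypted message look alike, so finding the latter means decrypting everything, which is the CPU-cost point in comment 38.

```python
"""Monitoring backdoored traffic for an inner, unapproved encryption layer.

Added example, not from the thread.  Both ciphers are hash-based stand-ins
and the text classifier is a crude printable-ASCII ratio.
"""
import hashlib
import os


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 counter mode); its own inverse."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], pad))
    return bytes(out)


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(8)
    return nonce + stream_xor(key, nonce, data)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return stream_xor(key, blob[:8], blob[8:])


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Crude classifier: share of printable ASCII or whitespace bytes."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / max(len(data), 1) >= threshold


def monitor(escrowed_outer_key: bytes, blob: bytes) -> str:
    """What a monitor holding only the escrowed key can conclude."""
    if looks_like_text(blob):
        return "unencrypted"
    inner = decrypt(escrowed_outer_key, blob)
    if looks_like_text(inner):
        return "approved-only"
    return "suspect: still random after removing the approved layer"


def demo():
    approved_key = os.urandom(16)   # escrowed; the monitor holds a copy
    private_key = os.urandom(16)    # never escrowed
    text = b"Quarterly numbers attached; call me before the board meeting. " * 3
    compliant = encrypt(approved_key, text)
    layered = encrypt(approved_key, encrypt(private_key, text))
    return {
        "compliant_before": looks_like_text(compliant),
        "layered_before": looks_like_text(layered),
        "compliant": monitor(approved_key, compliant),
        "layered": monitor(approved_key, layered),
        "recipient_reads": decrypt(private_key, decrypt(approved_key, layered)) == text,
    }


if __name__ == "__main__":
    print(demo())
```

Once the outer layer is stripped the double-encrypted message is identifiable, so the scheme hides the inner layer only from casual monitoring, as comment 38 says; someone already under investigation gains nothing from it beyond the content staying secret.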
  40. Counterpane by swagr · · Score: 2

    Counterpane, a.k.a "Bruce Schneier's Headquarters" has an article about using a deck of cards for encryption here.

    So I guess even playing a game of bridge will get you thrown in jail.

    --

    -... --- .-. . -.. ..--..
  41. Two copies of session key, separately encrypted by Sloppy · · Score: 2

    I have no idea if this is how the usual "key escrow" proposals work, but here is a way to do it:

    The software generates a random session key, and block-encrypts the plaintext with it. Then it stores two copies of this session key along with the ciphertext. One copy of the key is encrypted with the user's secret key. The other copy is encrypted with the Big Brother's public key.

    To decrypt the message, a "normal" user, who knows the user's secret key, uses that to get the session key, and uses the session key to get the plaintext. If Big Brother wants to read the message, he uses his private key to decrypt the other copy of the session key, and reads the plaintext that way.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  42. Another use for Linux on Linux by dmaxwell · · Score: 2

    Run a honeypot using Linux on Linux and give the government the keys to that. One could furthermore have the overall system (which is still secure) page the owner when the government key is used. Even better, there will be nice logs of anything nasty they tried to do while they were in there. I love the idea of posting one of their "high tech secret" keysniffers all over USENET. The idea of the government wanting secret access to my boxen is ludicrous. If all else fails, I can transparently pass all traffic through a box that logs the hell out of any traffic passing through it. If I want to know when they're messing around with my boxen then I will. I will regard the government the same as a script kiddy: something to be monitored and contained.

    I imagine the need for monitored and logged physical access is obvious too. The agents will look GREAT on camera when they suspect all of this and try to lay hands on the machines themselves.

  43. It's called "Key Recovery" by kbonin · · Score: 2

    There are several ways to do it, for example:

    #1 "Key Escrow" - All your keys are simply registered with big brother. To reduce the logistical nightmare, you would likely just register special backdoor keys used to encrypt the session key, which would then be included with the message.

    #2 Big brother publishes one or more public keys, to be used to encrypt each session key, which is then included with each message.

    The BXA/NSA guidelines for getting permission to export strong crypto include full disclosure on your data formatting, headers, compression, etc. The review process includes submission and approval of test vectors.

    It should be noted that once these are required by law, compliance testing could be automated by building systems holding the private keys and testing recovery on live data.

    It should also be noted that since (1) no terrorists would use such software; and (2) terrorists are already using steganography to obscure their encrypted data from trivial recognition as ciphertext: This entire effort will have ZERO impact on real terrorism. It's just an attempt by the NSA/FBI to retain their historical ability to eavesdrop trivially on all ordinary civilians everywhere without warrants or oversight. Last week's events were just the pretext they've been waiting for. Anyone telling you different is ignorant or has an agenda...
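
    The "two wrapped copies of one session key" layout from comment 41 (and the #2 variant above), as an added example that is not code from the thread or from any real escrow product. It assumes a SHA-256 counter-mode keystream as a stand-in for a real cipher, and wraps both copies of the session key with symmetric key-encryption keys (KEKs) instead of wrapping the escrow copy with a public key as the posts describe; an HMAC tag keyed by the session key makes "wrong key" detectable rather than silently producing garbage. The last function counts how many messages a single key opens, which is the point behind the thread's worry about a compromised master key: each user's KEK opens only that user's traffic, the one escrow KEK opens everyone's.

```python
"""Toy model of the escrow layout from comments 41 and 43: one session key,
two wrapped copies.  Added example, not code from the thread or from any real
escrow product.  Assumptions: a SHA-256 counter-mode keystream stands in for a
real cipher, and both copies of the session key are wrapped with symmetric
key-encryption keys (KEKs) rather than the escrow copy being wrapped with a
public key as the posts describe.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from (key, nonce): SHA-256 over a running counter."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def _xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _tag(session_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Authentication tag under the session key, so a wrong unwrap is detected."""
    return hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()


def escrow_encrypt(plaintext: bytes, user_kek: bytes, escrow_kek: bytes) -> dict:
    """Encrypt under a fresh session key and attach two wrapped copies of it."""
    session_key = os.urandom(32)
    body_nonce, user_nonce, escrow_nonce = (os.urandom(16) for _ in range(3))
    ciphertext = _xor_crypt(session_key, body_nonce, plaintext)
    return {
        "body_nonce": body_nonce,
        "ciphertext": ciphertext,
        "tag": _tag(session_key, body_nonce, ciphertext),
        # copy 1: recoverable only with the user's KEK
        "user_copy": (user_nonce, _xor_crypt(user_kek, user_nonce, session_key)),
        # copy 2: recoverable only with the escrow authority's KEK
        "escrow_copy": (escrow_nonce, _xor_crypt(escrow_kek, escrow_nonce, session_key)),
    }


def _open(package: dict, kek: bytes, slot: str) -> bytes:
    """Unwrap the session key from the named slot, verify the tag, decrypt."""
    nonce, wrapped = package[slot]
    session_key = _xor_crypt(kek, nonce, wrapped)
    expected = _tag(session_key, package["body_nonce"], package["ciphertext"])
    if not hmac.compare_digest(expected, package["tag"]):
        raise ValueError("wrong key for this slot, or message tampered with")
    return _xor_crypt(session_key, package["body_nonce"], package["ciphertext"])


def decrypt_as_user(package: dict, user_kek: bytes) -> bytes:
    return _open(package, user_kek, "user_copy")


def decrypt_as_escrow(package: dict, escrow_kek: bytes) -> bytes:
    return _open(package, escrow_kek, "escrow_copy")


def count_readable(packages: list, kek: bytes, slot: str) -> int:
    """How many packages one key opens through one slot: that key's blast
    radius.  A user's KEK opens only that user's traffic; the single escrow
    KEK opens everyone's, which is the exposure a leaked master key creates."""
    readable = 0
    for package in packages:
        try:
            _open(package, kek, slot)
            readable += 1
        except ValueError:
            pass
    return readable


if __name__ == "__main__":
    # constructed keys; real KEKs would be random and never constants
    alice, bob, authority = b"A" * 32, b"B" * 32, b"E" * 32
    traffic = [escrow_encrypt(b"alice's message", alice, authority),
               escrow_encrypt(b"bob's message", bob, authority)]
    print(decrypt_as_user(traffic[0], alice))
    print(decrypt_as_escrow(traffic[1], authority))
    print("alice's key opens", count_readable(traffic, alice, "user_copy"), "of 2")
    print("escrow key opens", count_readable(traffic, authority, "escrow_copy"), "of 2")
```

    Note that nothing in the package lets the escrow side verify anything about the plaintext without unwrapping and decrypting it, which is the limitation comment 59's reply runs into further down.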

  44. or just send all your emails in Navajo by abde · · Score: 2


    anyone have any open-source Navajo language extensions to Pine or mutt ?

    --
    Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
  45. How they work by bhurt · · Score: 2

    Basically, the way crypto backdoors work is by putting a known, designed-in weakness into the algorithm. For example, it could leak key bits into the encrypted stream. The government could then pick the key bits back out of the stream and use them to either directly decrypt the data, or use them to simplify a brute forcing ("OK, we know what 112 bits of the 128 bit key are- now all we need to do is brute force the last 16.")

    There is an obvious problem with this from the cryptological angle- the encryption algorithm has to remain secret. Once you figure out the encryption scheme, and notice where the key information is being leaked, you too can take advantage of the back door. It's the classic problem with master keys- once they get out and get duplicated, it quickly becomes worthless to have the locks. So not only do you not dare publish the algorithm, you do not dare let anyone reverse engineer it.

  46. Re:crypro backdoors? by Amazing+Quantum+Man · · Score: 2

    I agree. But the government is under pressure (either real or imagined) to "Do SOMETHING! Do ANYTHING!" to make the people feel "safer".

    Since they already had these proposals flying around, some since the days of Bush Sr., it was easier to dust them off than to do any actual thought.

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  47. Re:Maybe not escrow... by Tackhead · · Score: 2
    > An alternative to direct key escrow is the system used by Lotus Notes for their export versions a while back. Known as a "Work Factor Reduction Field"

    And how many billions of dollars would US businesses lose when their "secure" communications were cracked, not by NSA, but by foreign competitors?

    Bin Laden may have made hundreds of millions of dollars by buying put options in airline and reinsurance companies two weeks ago.

    Do we really want to give him and his associates access to that kind of money with the touch of a keyboard?

    Do we really want to find out what our enemies could do with that kind of money if he could operate underneath the radar, possibly making several such transactions, over the course of ten years?

    NSA isn't the only bunch of folks with access to supercomputers.

    #include <beowulf_joke.h> /* ha ha, only serious */

    If anything can be cracked, it will be. Our financial system relies on the security and integrity of businesses' ability to communicate.

    Just as the enemy can engage in asymmetrical warfare on the physical battlefield (lobbing 767s into our physical infrastructure, where we can't bomb Afghanistan to the Stone Age 'cuz the Russians beat us to it), they can also engage in asymmetrical warfare in the infosphere (destabilization through insertion of false transactions into our financial systems, a task greatly simplified through a reduction in cryptographic strength -- again choosing to fight where they have no comparable financial infrastructure that we can target in return).

    If NSA still has any pull with Congress, I hope they'll be able to nip this one in the bud. I'd even go so far as to suggest that the second part of their mandate -- defending American communications from compromise -- obliges them to try.

  48. Fun begins with FU by heliocentric · · Score: 2

    I saw a presentation from a Dr. David Fu with the NSA and he talked (he had to get approval from his boss on the outline) about how one would look at a stream of data (radio pickup) and, using statistical info, detect if this fits into the idea of "random" or if it falls into the other category. I would assume that real approaches use something beyond the simple math that was presented to our undergraduate minds, but I know it sure made me think. I didn't take notes at the time, but those of you in colleges and/or cool schools, contact the NSA and see if they might have a PR team, or a person working there who is a graduate of your institution who might want to come back and give a little talk.

    --
    Wheeeee
  49. govt measures call for citizen countermeasures by abde · · Score: 2


    to answer your question, the government backdoor would be the Secret Password : "joshua"

    if the government tries to enforce this, just bookmark http://www.pgpi.com.

    --
    Don't blame me - I voted for Howard Dean. http://dean2004.blogspot.com
  50. All I have to say about this is by Dr.+Awktagon · · Score: 2
    -----BEGIN PGP MESSAGE-----
    jA0EBwMCqfZBng3VrnJg0nABTxB8dVsveql8FeH3E/0O50aY3/X3Cw2z8/0wUj/3
    umds2c5uH9w7ST4id0MwiWrCQ1qf81A+44SXhufxhkTQd0IAImIA81RRhiqeL2uO
    W+XE7EcSIhOrgnf2pwUm1rHpz6ey6gO3g+Vq4BvAEcNb
    =6Njf
    -----END PGP MESSAGE-----
  51. Re:The back door doesn't need to work by Gregoyle · · Score: 2

    Whups, you guys just destroyed the key when you seized Tim's box. He has forgotten his password. He is a member of a terrorist organization who is willing to die (or go to prison) for his beliefs.

    The purpose of gathering intelligence is not always to convict a criminal, often it's to get his compatriots or to leave open an intelligence channel that can be exploited at a later time.

    Making it illegal to encrypt your data with unbreakable methods is something not very likely to happen. Holding someone in contempt of court for not supplying the key for evidence is much more likely. This doesn't help when you are intelligence gathering, though, as I have previously stated.

    --

    "He's more machine now than man, twisted and evil."

  52. Olives! by heikkile · · Score: 2
    There is good reason to suspect that Osama bin Laden has used encryption while discussing plans for terrorism. This has prompted USA to consider laws to regulate encryption, so that the USA can always listen to such discussions.

    There is even more reason to suspect that Osama bin Laden has been eating olives while discussing plans for terrorism. Therefore it would be much more effective to mandate all olive stones to carry a hidden microphone that would record and broadcast all discussions taking place in its vicinity, easily catching the political opponents - I mean terrorists.

    Some would say that it would be extremely difficult to make sure that every olive would carry its microphone. All it would take is an international treaty mandating microphones to be installed in all prepackaged olives, and outlawing any home production. Then some powerful international organization - or the US government - could go out and bomb all olive producers who do not comply with the microphone directive. Soon nobody would dare to produce rogue olives!

    Although this may sound like a totally unrealistic plan, it is in many ways more likely to succeed than any plan limiting the use of encryption. First, olives, small as they are, are physical items that will have to be grown somewhere, pickled and processed, and marketed. All this leaves a physical trail of physical olives moving around. On the other hand, cryptographic tools are ethereal words, easily transmitted by whisper, by graffiti, and other totally untraceable means. Besides, most of them are already published in books all around the world! And once an olive is eaten, the stone is discarded, and a new olive must be acquired, hopefully from a compliant source. Not so with crypto tools, they can be used over and over again, so if the foreign competition - I mean the terrorists - have already managed to gain access to some crypto tools, they can keep using them forever.

    Besides, by betting its reputation on microphoning all olives, the US Government would make itself much less of a laughing stock than if they tried to launch a campaign to limit the discussion and use of encryption!

    --

    In Murphy We Turst

  53. Re:Green Eggs and Guvament Cheese? by saider · · Score: 2

    But the crooks could still write their own crypto software and then run it through the crypto chip. Then when Johnny Law decodes the bitstream, he gets another bitstream that is indistinguishable from noise.

    The government has a choice. Have crypto be available to law abiding and the crooks or to have the crypto available to only the crooks. As you can see, the crooks will always have crypto available to them.

    The government cannot even stop someone from bringing cocaine into the country, how the hell are they going to stop a crypto program from spreading?

    --


    Remember, You are unique...just like everyone else.
  54. Fair is fair by heikkile · · Score: 2

    If any backdoor or escrow scheme is to be acceptable for the rest of the world, it must make sure that foreign governments have access to any and all encrypted communications used by US agencies suspected of industrial espionage.

    --

    In Murphy We Turst

  55. Re:Plain Text by baptiste · · Score: 2
    Good idea. What's your credit card number :-)

    Just ask McGlen.com - they informed me yesterday that 'an unidentified individual gained access to certain protected files maintained by Mcglen.com through a security breach in Microsoft Internet Information Server.' and thus may have my credit card # - how comforting. Funny that they don't also take some of the blame for not keeping their servers patched current. Course serves me right for ordering from a site that uses IIS :) Cept, well, it wasn't me - it was my wife :)

  56. RC4, 1337 d00dz, blonde bombs by Gregoyle · · Score: 2

    RC4 is not considered a "good" cypher by anyone. Its weakness is a lot of the reason WEP was cracked so quickly and thoroughly.

    Also, crypto with a back-door would be useful against criminals, just not against governments. For example, you mostly use SSH so hackers can't sniff your packets to get logins and passwords. It's nice to know that governments would be equally hard-put, but that isn't the primary purpose.

    Plus, governments have many more resources than 1337 d00dz. They can log your keystrokes, or use other channels (Tempest shielding, keystroke timing, video cameras). Or they can just bribe your girlfriend. What, you don't have a girlfriend? Beware the next time some blonde bomb comes up to you and just can't get over your coding skills.

    I hope more money goes into HUMINT of the latter variety than fruitless reactionary measures like key-escrow. Because I really am patriotic, but I want to be able to have some control over who reads my data.

    --

    "He's more machine now than man, twisted and evil."

  57. Re:Maybe not escrow... by vph · · Score: 2, Insightful

    >And how many billions of dollars would US businesses lose when their "secure" communications were cracked, not by NSA, but by foreign competitors?

    How many dollars have non-US businesses already lost because of NSA giving information captured by Echelon to US companies? It would be hypocritical for US residents to complain of activities that they do themselves routinely.

  58. Re:Not convinced by Jason+Earl · · Score: 2

    You must really think that terrorists are stupid. It would be a trivial matter for the terrorists to encrypt their information with real encryption (say GPG), and then encrypt it with the government sponsored fake encryption. The message would look like any other encrypted message, but the government still wouldn't be able to read it.

    This also assumes that the terrorists aren't using steganography of some sort to hide their messages in pictures.

    In other words the government's anti-crypto plan would only work against everyday, standard, run-of-the-mill, law-abiding citizens. There is no way that key-escrow, crypto backdoors or any such measure is likely to work against terrorists. Unless, of course, the terrorists were blatant amateurs or idiots (in which case you could probably catch them without crypto back doors). The question then becomes: Why is the government so interested in spying on normal citizens? They know that the terrorists have crypto that they can't break; they likewise know that these terrorists are not likely to give up the use of this crypto.

    My guess, because I am not overly paranoid, is that they are simply passing the law to make people feel better. Normal citizens will believe that these laws help combat terrorism, and they will sleep better (even though they are not really any safer).

    It has also been shown that the U.S. does fairly extensive spying on legal (but non U.S.) corporations. Since the U.S. writes the bulk of the software used in the world, U.S. laws against strong crypto guarantee that law abiding corporations in other countries are all of a sudden vulnerable to the U.S.'s prying eyes. Since this type of activity is probably good for the U.S. economy, I would say that it is a bonus.

    My European friends, on the other hand, would probably disagree. That is likely the reason that the German government is paying for the development of GPG.

  59. Why it might work by The+Pim · · Score: 2
    [Last time I wrote this, it was Flamebait, so I'll try to be more careful.]

    Yes, it is generally agreed that modern encryption algorithms can hide data with virtually perfect security. But this alone is not relevant, as long as the government can detect the use of these algorithms.

    All the government has to do to nail your "Terrorist Tim" is observe that he is using encryption, and check for the existence of a matching escrowed key. Presumably, any key escrow system would allow for verification that a message was encrypted using an escrowed key, without actually retrieving the key or decrypting the message. Thus, it is entirely conceivable to me that the government could enforce the use of key escrow: Whenever they see encrypted traffic that does not use an escrowed key, they trace the user via the ISP and prosecute him. And maybe they drop the connection, so you can't even get one message through then hide.

    So, anyone who wants Internet privacy under this regime must hide the fact that they are hiding data. But, you say, there's a whole field dedicated to this end, called steganography, so the government loses again. While steganography is exciting and promising, it's not the knock-down argument that you seem to think.

    First, I agree that it is easy to covertly communicate a small amount of information to someone with whom you have prepared ahead of time. Any simple system of code words or similar is probably secure for a brief message or two. But, ...

    • People need to communicate more than a few messages on a predetermined subject. A naive system will not stand up to statistical analysis of many messages. For example, you might think that coding messages in the first characters of each word would be undetectable. Hardly--just look for anomalies in the letter frequencies of the first letters.

    • People need to communicate without having arranged a system beforehand. Even serious steganography (at least the systems I know about and can imagine) requires a shared secret, implying major challenges in key exchange. In the age of public keys (now the lynchpin of virtually all secure communication), we forget about what an enormous breakthrough asymmetric cryptography was.

    • Even serious steganography may be detectable! Just as the government can monitor for non-escrowed keys, they can monitor for any steganography system that they have broken. It is currently not known whether undetectable steganography can be developed.

    • Steganography does not have the infrastructure, either in software or in familiarity and understanding, that encryption has. We all know that quality of implementation and good practices are as important as mathematical strength in the successful use of cryptography. Thus, people need to have software they can use and an understanding of do's and don't's. At least, it will take some time before steganography reaches the level of encryption in these regards.

    (In the above, you may substitute "terrorists" for "people".)

    The point: not that the government should or will do this; but that if they decide to do it, it is not futile! It really could (in addition to destroying the privacy of lawful citizens) slow down terrorist communications (assuming that terrorists use the Internet, which people seem to think they do). So we need a better argument against it than "this is stupid, it can't work".

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    1. Re:Why it might work by The+Pim · · Score: 2
      Presumably, any key escrow system would allow for verification that a message was encrypted using an escrowed key, without actually retrieving the key or decrypting the message

      Just re-encrypt the illegally encrypted data. No way to find out that the contents are unreadable without actually decrypting it. Thus the only way to spot verboten encryption is to decrypt everything.

      Oops, you're right. So the situation isn't quite as bad as I thought (since routine decryption would be a hard sell for the government).

      --

      The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    2. Re:Why it might work by Hobbex · · Score: 2

      Oops, you're right. So the situation isn't quite as bad as I thought (since routine decryption would be a hard sell for the government).

      There is a simple solution to this for the government - simply label the use of unescrowed crypto a terrorist act, that way if they get a warrant and find they cannot decrypt the data, they no longer need to look for further evidence.

      Of course, what is really needed from message decryption is the ability to detect and prevent these sorts of crimes before they occur, for which this would be useless - but let's not confuse what the world needs and what law enforcement wants.

      One thing is clear: any practical use of key escrow is deep in police state territory.

  60. Other encrypted channels by dpilot · · Score: 2

    So far the discussion seems to center on PGP and email. That's a bunch of bunk, because in addition to everything that everyone else has mentioned, there are several other routes around a crypto-Carnivore.

    1: Move to a different port: Conventionally, email is on port 25. Set up some email servers on some other port, and the content will sail right past Carnivore.

    2: Use a different channel, and don't forget that other encrypted channels have their own algorithms.

    2a: Use a different channel: Move files around with scp or sftp. Once again, doesn't register as email.

    2b: Use a different channel. Use secure websites as intermediaries. When the lock closes in the lower-left corner, it's safe to type your credit card number. It's also safe to communicate other information. Either extra fields can be added, or existing fields can be used. It may even be possible to use innocent eCommerce sites, assuming you've already cracked them.

    3: USB keyring hardfiles: Since these alternate channels don't leave encrypted files on the box, put the file on a USB keyring hardfile. Unplug from the system, and keep it on your keyring. If the G-men are after you, you have several options:
    a: Take a hammer to it.
    b: Scuff your feet, comb your hair, and zap it. They no doubt have ESD protection, but it's probably only good against accidents, not deliberately destructive ESD.
    c: Throw it into the traffic.
    d: Encrypt it using yet another algorithm - tcfs?

    So aside from any other concerns, simply doing something to PGP clearly is not sufficient. You'd need to also weaken https: and SSH, and sniff a LOT more traffic.

    But if SSH is given a back door, and we MUST assume that some black-hats or terrorists have recovered it, then how the heck do we do secure administration? We've just opened every remote-admin system to info-terrorism, as well as our eCommerce.

    Between weakened/broken encryption and key escrow, I'd choose the latter every time. Both are silly, and would only convey a false sense of security. If it's that serious, I'd think simple traffic analysis would be more informative.

    Imagine that A-crowd guy in high school or college you never liked, and always gave you a rough time. Then go through anonymizers, and start sending him encrypted datastreams. Fun, fun, fun.

    My letters went to my congressional delegation today.

    --
    The living have better things to do than to continue hating the dead.
  61. Take a look at DES... by (codic) · · Score: 2, Informative

    Some conspiracy theorists already claim that DES has a backdoor, even though there is no public evidence to support the theory and lots to suggest otherwise.

    When DES was invented (by IBM, IIRC) and the government wanted to adopt it as a standard, the NSA took a look at it and changed around the S-boxes (where S, I believe, is for Substitution) for the version that is actually used. They offered no description of how they created their S-boxes or what features they offered that the other ones didn't, etc.

    One possible explanation is that the NSA added a backdoor into DES that secretly weakened it somehow (e.g., the ciphertext provides information about the key to make an exhaustive key search several orders of magnitude quicker) to the point where they could decrypt a document without necessarily knowing the key ahead of time with a reasonable amount of effort.

    There is no public information about successful cryptanalysis of a full (16 round?) version of DES. That is, if such a backdoor exists, and if someone has found it, it's all very hush hush.

    The concept of backdoors in cryptosystems is really very messy. It depends way too much on keeping crucial information about the cryptosystem secret. Chances are, if you disclose enough details to implement a cryptosystem and say it has a backdoor, people (good and bad) are going to find it*. If you don't provide information on how it works, it can really only be implemented in "tamper-proof hardware" (a concept almost as flakey as cryptosystems with backdoors), since any software implementation could be disassembled.

    To answer your second question, they really can't (as I assume you suspected). So, if the sniffers found some data they couldn't decrypt, they would have to assume it is either, as you said, random data, or data encrypted with an outlawed (read "apparently secure") cryptosystem. In both cases, the sender must be trying to hide something from the government, and is therefore a threat and should be dealt with accordingly. Simple as that.

    For anyone who missed it, the current call is for a global ban on strong crypto, not a national one. And in this case "global" means really global, not a "World Series" kind of global.

    The next few weeks/months/years will potentially be filled with events and ideas, like this, that change the world we live in. I'm not afraid for our generation. Most of us know what freedom is like, and I really don't think it's something that can be taken away no matter how hard they try. But our unborn children and grandchildren don't. I don't want them living in a world where freedom and privacy are anything other than fundamental rights. I'm currently optimistic; I just hope that's not misplaced.

    * And if DES does have a backdoor and no one has found it, then the NSA deserves a pat on the back because they've stumped us all! :)
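
    The byte-level statistics that comment 48 describes, run over three constructed samples, as an added example that is not code from the thread. It serves both that comment and the "they really can't" answer above: the "ciphertext" is English text XORed with a SHA-256 counter-mode keystream under a constructed key (a stand-in, no real cipher is involved), the thresholds are conservative picks for samples of a few kilobytes, and the sample text and key are assumptions. The outcome is the story's second question answered in code: OS random bytes and the stand-in ciphertext pass the same entropy and chi-square tests, so a monitor built on these statistics can only tell "not plaintext" from plaintext, never "random" from "encrypted".

```python
"""Entropy and chi-square tests over constructed samples (random bytes,
stand-in ciphertext, English text).  Added example, not code from the thread.
Assumptions: SHA-256 counter mode under a constructed key stands in for cipher
output, and the thresholds are conservative picks for samples of a few KB.
"""
import hashlib
import math
import os
from collections import Counter

SAMPLE_SIZE = 8192


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached only by a uniform distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against the uniform distribution over 256 byte
    values.  For truly uniform data it averages about 255 (the degrees of
    freedom) with a standard deviation near sqrt(2 * 255), about 22.6."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_uniform(data: bytes, entropy_min: float = 7.9, chi_max: float = 360.0) -> bool:
    """True when the sample is statistically indistinguishable from random bytes.
    chi_max of 360 sits about 4.6 standard deviations above the uniform mean,
    so a genuinely random sample essentially never fails it."""
    return shannon_entropy(data) >= entropy_min and chi_square_uniform(data) <= chi_max


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for cipher output (assumption)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


# constructed samples ------------------------------------------------------
_SENTENCE = b"The quick brown fox jumps over the lazy dog while the analyst reads along. "
PLAINTEXT = (_SENTENCE * (SAMPLE_SIZE // len(_SENTENCE) + 1))[:SAMPLE_SIZE]
CIPHERTEXT = bytes(p ^ k for p, k in
                   zip(PLAINTEXT, _keystream(b"constructed-demo-key", SAMPLE_SIZE)))
RANDOM_BYTES = os.urandom(SAMPLE_SIZE)


def classify(samples: dict) -> dict:
    """Map each sample name to whether a byte-level test would call it random."""
    return {name: looks_uniform(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in {"random": RANDOM_BYTES, "ciphertext": CIPHERTEXT,
                       "plaintext": PLAINTEXT}.items():
        print(f"{name:10s} entropy={shannon_entropy(data):.3f} "
              f"chi2={chi_square_uniform(data):8.1f} uniform={looks_uniform(data)}")
```

    Compressed data (the MP3 case raised further down the thread) lands close to the random side of these tests too, which is why real classifiers look at file headers and framing rather than byte statistics alone; that structure is what a well-encrypted stream lacks.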

  62. Re:And furthermore ... by BadDoggie · · Score: 2
    "Keep in mind that the bastards who attacked us last week were willing to (A) die and (B) train for years to be pilots."

    This is one of the most important points. You can't fight this sort of fanaticism. There is nothing you can do that is bad enough or hard enough to deter such people. They're willing to die, and going out fighting is the best possible way -- it makes them martyrs.

    I will point out that they needed a LOT less money than everyone seems to think. It took me about $4500 to get my basic pilot's license. A copy of FlightSim was another $80 or so. The hardest part of flying a 737 is getting it on the ground in one piece. The second-hardest part is getting it in the air. Everything else is basically "point the nose where you want it to go".

    I suspect a couple of them went to flight school to learn about things like transponders (which they shut off), basic radio navigation and the special radio codes used to notify the ground you've been hijacked without actually having to say it out loud.

    You really didn't need radio navigation to find the WTC. From inland US, you could just go east until you reached the ocean, then turn left. The buildings were visible (if you were a couple miles up) from more than 30 miles away.

    So that this isn't completely OT, see this article in The Register. It seems bin Laden isn't using any technology now, and the Feds have no idea where he even is. They still want those back doors in crypto, and they have to push now before people start thinking a bit.

    woof.

    Can you find the stego'd message in this post?

  63. I explained this about a week ago but look here... by Lostman · · Score: 2

    I explained this to someone else today when asked why I am staunchly against a backdoor/etc in a crypto program.

    A good crypto program is based on a function f[x] such that f[x1] = k, and you cannot find x1 if you know the function f[x] and the encrypted k. This, folks, is hardcore advanced mathematics!

    Now add in a regulation that there be some "backdoor" (eg: some function that will always take g[k] = x1 for an encrypted value k). Once that function g[x] is known by anyone (f[x] would have to be made in a way such that g[x] must exist btw.. it doesn't just happen) then the communications of everyone that uses that encryption algorithm are compromised.

    Think of the problems -- no secure transactions (halting "e-business"), no secure transmissions of trade secrets (look at France -- the companies just moved to a different country), and generally no information is secure.

    Now.. to find a way to convince/explain this all in everyday words...

    ideas?

  64. Re:F**K encyrption! by josepha48 · · Score: 2
    This is actually the best form of encryption.

    Noone really knows what you mean....

    Haven't you ever seen the movies.. the sky is pink.. it is a beautiful day to die.. but the birds are singing.. yet the clouds are gray.. sure it means nothing in an email, but if you have some secret "decoder ring" then these sentences can have new meanings.. meanwhile the FBI, CIA are all wondering why Akmed is talking about the F**k*** sky...

    I remember hearing that in WWII they used other languages, like some American Indian language, to do encryption..

    --

    Only 'flamers' flame!

  65. Re:Not convinced by Jason+Earl · · Score: 2

    Most commercial crypto research is currently being done outside the U.S. because of the U.S.'s past beliefs about exporting crypto. All such a law would do is guarantee that foreign nations would be first to have the advantage of new crypto research.

    There is no way that "the rest of the world" is going to give up crypto research. Especially since there is no good way to make mathematics illegal. If the U.S. gives up on crypto research we will simply make way for some other country to move to the forefront.

    What is more likely is that the U.S. simply wants to be able to continue to spy on non-U.S. companies that rely on U.S. software. They've done it before.

  66. Security of the master key by Frank+T.+Lofaro+Jr. · · Score: 2

    What if key escrow/back-door crypto becomes a reality, and the master key or the escrowed key repository gets compromised by a terrorist?

    Wouldn't that represent a gravely serious threat?

    The terrorist would have the ability to monitor, and perhaps disrupt, any encrypted communications, including that for critical infrastructure.

    Let's increase the NSA's (*) staff and budget, not take knee jerk actions that help the terrorists.

    (*) NSA is mostly code-breakers and the like. Not goons out to get you. Anyone that comes in the middle of the night to crack your head will almost certainly NOT be NSA.

    --
    Just because it CAN be done, doesn't mean it should!
  67. Higher Frequency Bands by VB · · Score: 2


    "...how would/does the government know wether a bitstream is random bits, or encrypted data?"


    Audio data looks random. MP3 data looks random. What's to stop someone from recording an analogue message in the high or low frequency range of a music recording, then bladeenc it to mp3 and transmit it in the clear? Still looks random.

    How much mp3 traffic flows across the 'Net? >:)

    That's a lot of random-looking bits.

    --
    www.dedserius.com
    VB != VisualBasic
    1. Re:Higher Frequency Bands by Basje · · Score: 2

      Audio data looks random. MP3 data looks random. What's to stop someone from recording an analogue message in the high or low frequency range of a music recording, then bladeenc it to mp3 and transmit it in the clear? Still looks random.

      Bad example. MP3 is lossy encryption. That means the source data is altered, to sound alike, but isn't binary identical. This goes especially in the ranges where you would typically hide a message, as these are the least audible.

      For your scheme to work, it would have to be binary equal, for only a 1 bit alteration in a block would make it, and depending on the algorithm used the whole message, unreadable.

      Thus, while MP3 can probably be used to hide a message, it can only work if it's added after compression, and not before.

      --
      the pun is mightier than the sword
  68. Re:This is not what I meant... by Jason+Earl · · Score: 2

    Precisely. To be honest your point is a good one, I re-read my original message and it was definitely worded too strongly. Sorry :).

    And I understand what it is like conversing in a foreign language. I spent 5 years of my life in South America. Most of the time as the only Yanqui for miles and miles. It is very easy to be misunderstood in a language that isn't your native tongue, even if you are skilled in its use (which you clearly are).

    Currently PGP encrypted messages stick out like a sore thumb, and so I can see why it is that you figure that PGP (or GPG) encrypted messages would be detectable from government sponsored messages. You are probably even correct. Heck, most PGP encrypted messages are ascii-armored and have a nifty header proclaiming how they were encrypted. However, terrorists would almost certainly either modify their software so that it output headers that matched the government sponsored crypto, or, even easier, they would simply re-encrypt their encrypted messages with the government sponsored tools.

    The only way that the government would know the contents of your message would be to decrypt it (using precious cycles), and when they decrypted it all they would find was a GPG encrypted message!

    In other words, if such a system became commonplace they would be worse off than they are now (where most email are simply plain text).

    I also agree that using U.S. resources to spy for American companies is wrong. I should have used a smiley so that you would realize I was being sarcastic. Although I am a U.S. citizen until recently I worked for a non U.S. corporation.

    Thanks for the discussion.

  69. Great point by Gregoyle · · Score: 2

    Great point,

    I've been formulating a "conspiracy" theory with speed limits that is similar to this argument. The idea is that you make the speed limit so ridiculously low that everyone goes much much faster than posted, and thereby generate revenue for the city or town in speeding tickets.

    Not quite as insidious, but more practical for that.

    --

    "He's more machine now than man, twisted and evil."

    1. Re:Great point by Dwonis · · Score: 2

      One point though: speed limits I've seen are not ridiculously low. They usually have everything to do with probability of survival in a collision.

  70. Re:government sponsored encryption by jonathan_ingram · · Score: 2

    No, you have it the wrong way around.

    The NSA *strengthened* the DES specification to make it resistant to an attack (differential cryptanalysis) which was unknown on the 'outside', and remained unknown for about 15 years afterwards.

  71. How would they work? by Amazing+Quantum+Man · · Score: 2

    Not very well, because Osama has turned off his phone.

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  72. Don't ask Slashdot, instead... by e-gold · · Score: 2

    "Ask Aldrich Ames!"

    (Sorry, but it had to be said.)
    JMR

    Speaking ONLY for myself, as always.

    --
    Try e-gold - (contact me). I'm NOT e-
  73. Impossible by Eric+Seppanen · · Score: 3, Insightful
    This is my way of explaining to non-geeks why crypto regulations will have near-zero effect:

    Imagine that somebody comes up with a way to build a bomb using sugar cookies. A building is blown up. Congress decides to regulate the sale of sugar cookies.

    Now any sane person will realize that this is pointless, because any idiot can make their own sugar cookies, and bypass all the regulations. So the regulations can only work if the ingredients are also regulated or banned (flour, sugar, eggs), or perhaps all the sugar cookie recipes are destroyed.

    At this point it's pretty obvious that such a scheme would never work. But somehow nobody seems to follow this logic when it comes to encryption. The only ingredients for encryption are general-purpose computers. The recipes are encryption algorithms and computer source code. The recipes can be rediscovered or recreated by smart mathematicians and computer programmers.

    So what are we going to do? Regulate computers? Mathematics? Encryption algorithms, dozens of which are published in textbooks around the world?

    You could no more regulate computers, mathematics, and algorithms today than you could flour, sugar, eggs, and sugar-cookie recipes. Even if you tried, it would have near-zero effect on the bad guys, and would only increase the risk that grandma's bank account gets emptied, because her password wasn't properly encrypted.

    --
    314-15-9265
  74. Crypto backdoors can't work by JPS · · Score: 2

    Putting a crypto backdoor in a piece of software is fairly trivial. There is quite a lot of literature about it and inserting a backdoor in, say, SSL is a very good exercise for students.

    Companies which take security seriously don't use Windows for this reason, and I doubt that any intelligence service would ever use any piece of software that has been created in a country other than its own. So how can one possibly imagine that "bad guys" would use backdoored software? They'll rewrite one of their own, that's all. Implementing RC4 is a matter of hours...

    People have to realize that the Internet sets information free. Any kind of information. From anyone. To anyone. And there is nothing you can do against this.

  75. Re:Maybe not escrow... by Tackhead · · Score: 2
    > How many dollars have non-US businesses already lost because of NSA giving information captured by Echelon to US companies? It would be hypocritical for US residents to complain of activities that they do themselves routinely.

    Absolutely correct...

    ...which makes it all the more suicidal for us to knowingly re-expose ourselves to that risk (remember, the French did it to us too on behalf of one of their companies ;-) while other countries' corporate transmissions remain secure.

  76. A deeper look . . . and fundamental problems by tmoertel · · Score: 3, Interesting
    It is impossible to prevent terrorists from using strong cryptography. Terrorists already use it and would continue to do so if it were illegal. However, if it were illegal, the number of messages that would be unreadable by law-enforcement personnel would be vastly reduced. Any remaining unreadable messages would provide strong evidence that the senders, and perhaps the intended recipients, are involved in some form of illegal activity, at the very least the illegal activity of using unapproved strong cryptography.

    Thus the primary purpose of the proposed legislation is not to allow law-enforcement personnel to read terrorists' communications -- terrorists will continue to use unreadable, strong cryptography -- but rather to narrow the search space that law-enforcement personnel must examine when hunting for suspected criminals. One would presume that if a person were discovered to have used unapproved cryptography, such evidence alone would be sufficient to obtain warrants for full searches, wire-tapping, keyboard recording, and the like, and those additional measures would likely yield hard evidence of any additional illegal activities. Thus it is not necessary to decrypt the criminals' messages: The illegally encrypted messages alone are sufficient to reveal suspects, and then old-fashioned investigative methods are likely to be effective.

    Of course, the effectiveness of this law-enforcement technique depends on having a practical and enforceable definition of "unapproved cryptography". The problem for law-enforcement personnel -- and law-abiding citizens who wish to protect their legitimate secrets -- thus becomes determining what constitutes an illegally encrypted message. It is well known that a message that has been encrypted with a one-time-pad cannot be distinguished from a string of random bits. Should the government also make access to true randomness illegal so that any string of bits that seems sufficiently random can be assumed to be an illegally encrypted message? Further, is it realistic to believe that covert channels and steganography are detectable?

    If not, how will law-enforcement personnel detect illegally encrypted messages? And what if they can't? In that case, what real security have we citizens purchased by sacrificing our liberties?

    Those are the questions I want my government to answer. Until they are answered -- and hard evidence provided to support the answers -- I must remain sceptical.

    1. Re:A deeper look . . . and fundamental problems by (void*) · · Score: 2
      You are right, and I don't disagree at all. But I just wanted to point out one futility in this plan:

      Thus the primary purpose of the proposed legislation is not to allow law-enforcement personnel to read terrorists' communications -- terrorists will continue to use unreadable, strong cryptography -- but rather to narrow the search space that law-enforcement personnel must examine when hunting for suspected criminals.

      This "narrowing of the search space" is no longer viable, now that SSH is out there, RSA's patent has run out, Blowfish, and so on are all widely, freely available. To now advocate putting backdoors on encryption programs would be a step back.
    2. Re:A deeper look . . . and fundamental problems by mrogers · · Score: 2
      Should the government also make access to true randomness illegal so that any string of bits that seems sufficiently random can be assumed to be an illegally encrypted message?

      Good idea. Write to your congressman and suggest that they ban entropy. Entropy is the basis of all encryption methods, and encryption makes it possible for terrorists to discuss their evil plans in secret, right under the Government's nose. For the safety of the American people the Government should strive to reduce the amount of entropy in the world, and if possible eliminate it completely. In this time of knee-jerk patriotism, what elected official could oppose such an idea?

      Mind you it's going to be awfully cold if they succeed...

  77. Very, very cool by p3d0 · · Score: 2

    That chaffing and winnowing article is the coolest thing I have read in a long time. I'm not joking. Everyone here would probably enjoy it. It discusses not only technical issues, but their legal and social consequences.

    Thanks for the link.

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  78. And useless, too by quartz · · Score: 2

    Even if they *did* work, what's the purpose? To keep tabs on terrorists? Bwahaha. Bin Laden is already one step ahead in the high-tech race. He <gasp!> turned off his cellphone, ditched the e-mail account and he's now communicating through human messengers!

    Crypto backdoors... Carnivore... Echelon... what a load of absolute crap.

  79. Re:difference between encrypted and random data by einhverfr · · Score: 2

    If random data becomes outlawed, only outlaws will have random data.

    Actually, I think they would take a while to do this one. I think that it would be easier to simply write random 1's and 0's to a tcp connection and wait for the judge to ask how they know it is not encrypted, in which case you let them disassemble the program...

    Or invent a new codec for sound files and start streaming those files to all your friends. It doesn't have to be pretty good, it just has to be unrecognizable from a casual perspective. One could probably even modify Ogg Vorbis to be immediately unrecognizable.

    I would probably let others do these tricks, and simply use illegal encryption that was hidden through steganography. Yes, that RSA logo is, uh, just a JPEG....

    --

    LedgerSMB: Open source Accounting/ERP
  80. Yes, U.S. Congressmen and Senators are traitors by alienmole · · Score: 2
    This proposal doesn't necessarily show ignorance; it may in fact just show an incredibly callous, calculating, cynical attempt to pass this ridiculous legislation.

    You're absolutely correct. The elected officials who propose this sort of legislation are traitors to the United States Constitution and to the principles which make the U.S. a great country.

  81. Its too late by thogard · · Score: 2

    A common trick for export approved crypto is that the checksum (MD5/SHA/WhateverMD) is outside of the encrypted packet. That way if you can guess at what's inside, you can verify what's there without decrypting it. Once you have the plain text and the cypher text, the game is over for the rest of the data stream.
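
    The packet layout the post describes, as an added example that is not part of the original thread: a digest of the plaintext carried in the clear lets anyone on the wire confirm a guessed plaintext with one hash call, whereas a keyed HMAC over the ciphertext (encrypt-then-MAC) gives an observer nothing to compare against. The one-time-pad XOR stands in for whatever cipher the real format used; the message and guesses are constructed.

```python
import hashlib
import hmac
import os


def otp_xor(pad: bytes, data: bytes) -> bytes:
    """One-time-pad XOR; stands in for the packet's real cipher (illustration only)."""
    return bytes(p ^ d for p, d in zip(pad, data))


def seal_digest_in_clear(pad: bytes, plaintext: bytes):
    """Layout from the post: ciphertext plus an unkeyed digest of the plaintext,
    carried outside the encrypted part so the receiver can check integrity."""
    return otp_xor(pad, plaintext), hashlib.sha256(plaintext).digest()


def seal_encrypt_then_mac(pad: bytes, mac_key: bytes, plaintext: bytes):
    """Corrected layout: the integrity tag is a keyed HMAC over the *ciphertext*,
    so it reveals nothing about the plaintext to anyone without mac_key."""
    ct = otp_xor(pad, plaintext)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()


def receiver_verify(mac_key: bytes, ct: bytes, tag: bytes) -> bool:
    """What the legitimate receiver does with the encrypt-then-MAC layout."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def observer_confirms_guess(public_tag: bytes, guess: bytes) -> bool:
    """Everything a passive observer can do with only what is on the wire:
    hash a candidate plaintext and compare. Against an unkeyed plaintext
    digest this is a yes/no oracle; against a keyed HMAC it never matches."""
    return hmac.compare_digest(hashlib.sha256(guess).digest(), public_tag)


def demo() -> dict:
    pad, mac_key = os.urandom(64), os.urandom(32)
    msg = b"ALITALIA flight status: on time"          # constructed sample
    guesses = [b"ALITALIA flight status: delayed",     # wrong guess
               b"ALITALIA flight status: on time"]     # right guess
    _ct_weak, digest = seal_digest_in_clear(pad, msg)
    ct_fixed, tag = seal_encrypt_then_mac(pad, mac_key, msg)
    return {
        "weak": [observer_confirms_guess(digest, g) for g in guesses],
        "fixed": [observer_confirms_guess(tag, g) for g in guesses],
        "receiver_ok": receiver_verify(mac_key, ct_fixed, tag),
    }


if __name__ == "__main__":
    print(demo())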

  82. Extradition by Gregoyle · · Score: 2

    We can extradite anyone who has broken our laws in our country from any country with which we have extradition treaties. This includes most countries in the world.

    Your country can do likewise.

    I'm not saying that this is a good thing, just that it is so.

    --

    "He's more machine now than man, twisted and evil."

  83. Perfect obfuscation by Gregoyle · · Score: 2

    The point I was making above was that if Tim encrypts his data using his own algorithm (say, RC5), and then encrypts it with Legitimate Encryption Standard v.2.3, there is no way to tell that he has encrypted his data until you decrypt the "legitimate" message.

    This would presumably require a court order (for a government to do it at least), which takes time and energy to get. The only way to systematically tell if people are using their own encryption under this scheme is to decrypt all messages that are passed. This is impractical, and would not likely stand in any society that purports to be "free".

    That is why I label it futile. It is futile against those who don't go along with the system, unless they are in your power and fear jail time. For any sort of intelligence gathering such a scheme is essentially useless.

    I think that when evaluating security proposals it is first necessary to find out if the proposal is practicable. This can save a lot of energy for step 2, which is finding out if it is Right.

    --

    "He's more machine now than man, twisted and evil."

  84. Re:Maybe not escrow... by crucini · · Score: 2

    I think you missed the point. The work factor reduction is only available to someone with the secret system key. Not Osama.

  85. Re:there is still some leverage there by Panaflex · · Score: 2
    ANAL, but as far as I know, holding someone in contempt would enable a judge to keep him or her in prison indefinitely.

    At least in the federal courts, the judge can only hold you in court for as long as the grand jury is in session. (During indictment)

    During a criminal case it is a couple of years, but I'm not sure.. Susan McDougal was in prison for a few years.

    Pan

    --
    I said no... but I missed and it came out yes.
  86. Re:Commercial encryption == commercial jetliners by (void*) · · Score: 2
    If a terrorist used commercial encryption without an escrowed key, or used non-standard encryption, that could be detected via automatic monitoring equipment - getting them quickly detected, arrested for illegal encryption use, and investigated. Note that under current law, this could only be done for international traffic - domestic traffic would still require a court order even to record it.

    What you are proposing is impossible. You are telling me that JKHDSDFD and EHOQWSW, two encrypted messages, one made using legal crypto with backdoors, the other made using illegal crypto without, that these two messages can be distinguished, by computer, without human intervention? What if JKHDSDFD decrypts to ALITALIA, and the computer, not knowing anything about Italian Airlines, flags that erroneously as an unencryptable? Or worse, it decrypts to "HAM AND EGGS", which looks innocuous, but has a steganographically encoded message within it?

  87. Re:difference between encrypted and random data by einhverfr · · Score: 2

    Perfect example of steganography in action!

    --

    LedgerSMB: Open source Accounting/ERP
  88. Difference very simple: by Schoinobates+Volans · · Score: 2, Interesting

    "Honest citizens don't send random data around". So if it looks random, has no compression headers, it is encrypted. Obviously, this reasoning is utterly flawed, but I'm sure at least some law enforcer will make it.
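
    An added example (not from the thread) of the test this post and tmoertel's "deeper look" above are talking about: a byte-entropy check run over constructed plaintext, raw deflate output with no header, a toy stream cipher's output and genuinely random bytes. The stream cipher (SHA-256 in counter mode) and the log-like sample text are hypothetical stand-ins; compressed, encrypted and random traffic all trip the same "looks random, no header, must be encrypted" rule.

```python
import hashlib
import math
import os
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte from the byte histogram (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """The rule from the post: high entropy and no recognisable header => 'encrypted'."""
    return shannon_entropy(data) >= threshold


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Hypothetical stream cipher: SHA-256 in counter mode as the keystream.
    Illustration only, not a vetted cipher; XOR again with the same key decrypts."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, keystream))


def raw_deflate(data: bytes) -> bytes:
    """Deflate with wbits=-15: no zlib/gzip header, so nothing announces the format."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def constructed_plaintext(lines: int = 4000) -> bytes:
    """Constructed log-like text (not from the thread); varied enough that
    deflate still emits tens of kilobytes rather than a handful of bytes."""
    rows = [
        f"2001-09-19 12:{i % 60:02d}:{(i * 7) % 60:02d} host{i % 17} "
        f"GET /item/{(i * 7919) % 100003} status={200 + (i % 5) * 100}\n"
        for i in range(lines)
    ]
    return "".join(rows).encode()


def classify_samples() -> dict:
    """Entropy and verdict for four kinds of traffic an observer might see."""
    text = constructed_plaintext()
    samples = {
        "plaintext": text,
        "compressed": raw_deflate(text),
        "encrypted": toy_stream_encrypt(os.urandom(32), text),
        "random": os.urandom(len(text)),
    }
    return {name: (round(shannon_entropy(d), 3), looks_encrypted(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bits, verdict) in classify_samples().items():
        print(f"{name:>10}: {bits:.3f} bits/byte  flagged={verdict}")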

  89. Two points I haven't seen mentioned... by Colitis · · Score: 2

    1) key escrow - what about tools that regularly change encryption keys (ie I think ssh session keys?). Would the US government have to be sent a new key for every SSH session every hour? How on earth would they store all this?

    2) how on earth do they expect everyone to stop using the old encryption methods without backdoors? Intransigence aside, the same people that support encryption backdoors without understanding the issues are the ones that will still be using their old copy of Win 95 years from now, maybe just wondering why they can't seem to connect to the new SSL sites (assuming the servers have all upgraded to the broken encryption protocols); either that, or they'll be blissfully unaware that they're breaking the laws of their country by connecting to a server overseas with strong encryption.

  90. Crypto backdoors *would* help by plover · · Score: 2
    Actually, crypto back doors would help immensely.

    Consider this scenario: Micro$oft agrees to hide crypto backdoors in their latest "Outlook XP" or "Outlook.NET". For the sake of argument, let's pretend they might agree to do this in exchange for something of value. How about something like the DOJ agreeing to drop the breakup of the company in their civil suit... Micro$oft even gets another selling point out of the deal: they get to promote "OUTLOOK -- now with ENCRYPTED E-MAIL! It's SAFE, and SIMPLE, and your grandma could use it without even knowing it!" Woo-hoo, that's where I want to go today!

    Soon the vast majority of the world "standardizes" on Micro$oft e-mail. (For proof that this could happen, I submit every single document sent by SirCam.) So J. Random Lusers everywhere start using "encrypted" Outlook. Including criminals and terrorists, who still aren't typically among the brightest bulbs on the planet.

    Sure, as time passes really smart people like Schneier, Biham, et al., take the algorithm apart, and eventually find where it leaks some key bits. There's a brief hoopla that you might even hear on NPR some evening during the drive home, but for the average luser, they'll have forgotten to download the Outlook patch before they even pull into their garage. Questioning Micro$oft really doesn't happen in public, (despite how important those of us who read Slashdot think we are.)

    As an extra added bonus, the DOJ/FBI/CIA/NSA can leverage the fact of encryption as a "red flag" indicating the message might be more interesting than an unencrypted one. They just set Echelon to search specifically for these Outlook encrypted messages. As long as they've been saving your leaked key bits, they've got your messages.

    Micro$oft got to be their current size by not underestimating the power of inertia: they bank on the fact that if they keep shoveling it out the door, people keep buying it. If they want to provide leaky encryption, it'll be in the hands of millions of people world wide, and probably by tomorrow. And those people are already lining up to pay for the privilege.

    Just remember to let Windows perform an "automatic upgrade" of your system tonight.

    Disclaimer: this posting is the fictitious product of an overactive imagination that's two hours past needing sleep...

    --
    John
    1. Re:Crypto backdoors *would* help by sql*kitten · · Score: 2

      Consider this scenario: Micro$oft agrees to hide crypto backdoors in their latest "Outlook XP" or "Outlook.NET".

      This is pathetic. Can't slashbots discuss any subject without descending to Microsoft-bashing?

      FYI, you want encryption in Outlook, just use the PGP plugin. Press the buttons to encrypt, sign and send your email if you want to. Even set it to encrypt all your email by default. When you receive a PGP encrypted email, it will prompt for your passphrase, then display the message in a window cunningly designed to defeat Van Eck snooping. It's a great product.

      Including criminals and terrorists, who still aren't typically among the brightest bulbs on the planet.

      I pray you never get a job in an airport.

  91. And how would this work internationally? by Kjella · · Score: 2

    ...because everybody here seems to worry about the US. But are we going to get back to the "good" old days of US software (with US key), and international software (PGP & PGPi), or US and non-US hardware, as I doubt a software solution would be sufficient? I don't think non-US businesses would ever give their keys away; there's been enough problems with Echelon already.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  92. Re:am I missing something? by PigleT · · Score: 2

    Additional point:
    3. Not only can anyone grab the sources for GnuPG and carry on from the last Free version, even if the government outlaws it, but the sources can be verified for backdoors and cleaned if need be; the only way around that would be to get all your keys generated by a government agency, but that could at best only be voluntary as there is a Free GnuPG out there that generates perfectly good keys as well.

    And as you say, we can't expect criminals to play fair anyway, so legislation along the lines of escrow is guaranteed to do no more than irritate the masses in the mistaken name of the few.

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  93. And then there's trouble by frog51 · · Score: 2

    It'll end up the same as we will have here in the UK soon - the RIP bill basically states that if you don't give up your encryption key when asked to by the police, you will be imprisoned. Even if you don't have the key! For example, a consultant at a company I used to work for had been given a copy of a client's key to hold for safekeeping. The client lost theirs and so had my colleague. The RIP bill could send them both to prison, as the onus would be on them to prove they had lost it (HOW???).

    Guilty until proven Innocent - sucks don't it!

    The US Govt is just using the WTC incident as a scare to push some pretty heavy anti-freedom legislation through while everyone is still shocked.

    Long live Steganography

  94. Re:Maybe not escrow... by Tackhead · · Score: 2
    > I think you missed the point. The work factor reduction is only available to someone with the secret system key. Not Osama.

    Yeah. Not Osama. Someone we can trust, like the head of FBI counterintelligence. What was his name again?

    Oh yeah, Robert Hanssen.