Legislating Insecure Encryption
firewort writes: "Sen. Judd Gregg (R-New Hampshire), who called for global backdoors in encryption products in a floor speech last week, is readying legislation. This is another push for backdoors - but it seems that Gregg wants them to be used cautiously, only with permission from a US Supreme court appointed commission, subject to normal search and seizure rules." Representative Goodlatte, who has supported strong encryption before, is one of the few people speaking out against this.
And I will keep on saying it.
Now is the time to contact your representative, your senators and probably even your local media and tell them exactly how much damage this legislation could do.
Tell them about encryption used to protect your online banking transactions. Tell them about encryption used to protect company secrets. Tell them that this is bad for trade. Tell them that this is bad for innovation (unless you're Microsoft I guess)... Tell them how you feel about it.
Don't just sit back and let this go through. If nobody says "this is bad" then it will be passed...
While telling your congress critters, be polite, spell check before sending. Fax and/or write rather than e-mail. Call them and talk to them. But however you do it, make sure that your voice is heard.
Zwack.
p.s. Yes, I've already written to my congress critters.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
I have posted on this topic quite a few times before, but I must post again.
I enjoy working with encryption and number theory. I enjoy the theory behind encryption and why it works so successfully. I will try to explain how it works (to a point) and this is a BIG reason why backdoored encryption can't work.
For this example: Assume use of RSA encryption
The way that this encryption works is it finds a function f[x] that is (to a point) one way. (NOTE: impossible [as of yet] to prove that it is a true one-way function but the lower limit on finding the function has never been solved... so for all purposes as of yet it is one-way). That is... f[k] == k' (k' being encrypted version of k). The way this works is that the function f[x] which is known by everyone and the value k' could be known by someone and still not be able to convert k' back to k. This is serious advanced number theory and requires very specialized hard-to-find functions.
To allow backdoors (that can be used without having a person's program but only the encoded message) is saying that the function f[x] must be modified to the point that there exists a function g[x] (for each SPECIALIZED function f[x] [that is, each person's f[x] is different, but g[x] must decode all of them]) that can decode any function f[x]'s input. Translation: f[k]==k' but g*[k']==k (for any function f[x] specialized). This function g[x] must be found when working out the base of the encryption product and once the function f[x] is worked out so g[x] exists, it stops being a one-way function and therefore stops being useful.
So basically, if this happens, we might as well all just encode our messages with rot13 and it will be the same as using any new "government approved" encryption... because someone somewhere WILL leak the functions g[x], whatever[x] (for each encryption product).
(For those who are curious, the reason each f[x] is tailored to a specific person is the picking of the keys allows a "trapdoor" as RSA puts it: another part of the function f[x] that is not mandated at production time. Of course, if a g[x] can decrypt the f[x] (no matter specialized) then the trapdoor theory is useless and serves no purpose, therefore weakening it to a child's toy.)
And yes, I know I am speaking to the choir here... the thing is a long time ago I was reading slashdot when someone spoke about encryption and the basics of encryption theory... it got me interested enough to look at it myself and now I am intrigued by it and am always learning more. My example may have small errors in it... I hope someone can call me on them if they notice: it's always best to be factually correct...
Thanks.
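
An added example, not part of the comment above: textbook RSA in the comment's notation, showing the public function f, the per-key trapdoor d, and why the trapdoor only stays secret while the modulus is too large to factor. The function names and the toy primes (61, 53, 89, 97) are constructed for illustration; real RSA uses padding and moduli of 2048 bits or more.

```python
from math import gcd

def make_key(p, q, e=17):
    """Build a textbook RSA key from two primes (constructed toy values)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # the trapdoor: needs p and q to compute
    return (n, e), d

def f(k, public):
    """The public one-way function: anyone can compute k' = k^e mod n."""
    n, e = public
    return pow(k, e, n)

def invert_with_trapdoor(k_prime, public, d):
    """Recover k from k' using the key holder's private exponent d."""
    n, _ = public
    return pow(k_prime, d, n)

def recover_trapdoor_by_factoring(public):
    """Derive d from the public key alone by trial division.
    Works here only because n is tiny; this search is the hard problem
    that protects a real key."""
    n, e = public
    p = next(i for i in range(3, int(n ** 0.5) + 1, 2) if n % i == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    alice_pub, alice_d = make_key(61, 53)
    bob_pub, bob_d = make_key(89, 97)
    k = 65                                  # constructed sample message
    c_alice, c_bob = f(k, alice_pub), f(k, bob_pub)
    return {
        "alice_roundtrip": invert_with_trapdoor(c_alice, alice_pub, alice_d) == k,
        "bob_roundtrip": invert_with_trapdoor(c_bob, bob_pub, bob_d) == k,
        # Each trapdoor is tied to one key: Alice's d does not open Bob's f.
        "alice_d_opens_bob": invert_with_trapdoor(c_bob, bob_pub, alice_d) == k,
        # With a factorable n, the "one-way" function has no secret left.
        "d_from_public_only": recover_trapdoor_by_factoring(alice_pub) == alice_d,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```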
>However, what it will do is allow law enforcement to stop, interrogate, hold and arrest a suspected terrorist on the grounds that the person has a cryptography program on their computer
Yet another flawed idea. It may work on the brain dead. But is easily avoided by everyone else.
You take someone's computer, anyone's computer. They are likely to have hundreds of thousands or even several million files on it - with thousands or maybe tens of thousands of executables. Somewhere in that lot is an executable which contains the "illegal" encryption and decryption routines. An executable with a misleading name, which also does something entirely legitimate, which may itself be compressed or encrypted.
You're going to have to scan every file to see if it is executable, or a compressed or encrypted executable. When you find your executable you're going to have to do some very detailed analysis to see if it offers any "forbidden" functions.
Analysis of a system for unauthorised crypto programs is going to take serious time and serious resources.
If you have a strong suspect, by the time you've unscrambled what's on their computer the result is pretty academic - it's going to be far too late to assist any ongoing investigation - the trail to the next link will have gone cold.
If you don't have a strong suspect this is going to be useless as an investigation - you can't use it for screening - ANYONE you care to check is going to take so much time and money before you can eliminate the suspect as to make the technique worthless.
Even at its absolute best, the proposed restrictions will achieve little more than provide an extra, technical offence to charge the obviously guilty with.
The test isn't "does it serve ANY purpose" - it is "does it serve any USEFUL purpose" - and the answer is that it doesn't.
You may think that it is still worth the cost to the rest of us. I don't.
AJB