A Complete Guide To The New 'Crypto Wars'

blottsie writes: The latest debate over encryption did not begin with a court order demanding Apple help the FBI unlock a dead terrorist's iPhone. The new "Crypto Wars," chronicled in a comprehensive timeline by Eric Geller of the Daily Dot, dates back to at least 2003, with the introduction of "Patriot Act II." The battle over privacy and personal security versus crime-fighting and national security has, however, become a mainstream debate in recent months. The timeline covers a wide-range of incidents where the U.S. and other allied governments have tried to restrict citizens' access to strong encryption. The timeline ends with the director of national intelligence blaming NSA whistleblower Edward Snowden for advancing the spread of user-friendly, widely available strong encryption.

Tech Companies Making It Public

[justcauseisjustthat]

It's fantastic that tech companies are fighting/discussing this in public, for too many years it been totally behind closed doors in secret meeting.

Re:Tech Companies Making It Public

[Xest]

I don't think it has, and the summary's 2003 date is rather fucking arbitrary. What about DVD Jon's case in 2002? What about the clipper chip fiasco in the mid 1990s?

This is a battle that's been going on very publicly since the dawn of digital cryptography.

Re:Tech Companies Making It Public

[The+New+Guy+2.0]

The Clipper Chip was never developed, it was just discussed by Sen. Al Gore in Washington... and it caused law enforcement types to go crazy. Everybody wants encryption for commerce and themselves, but government wants to intercept everything so they can review and then create charges. SSL went SOL years ago... time for something new on all sides.

Re:Tech Companies Making It Public

[ole_timer]

yes it was developed...https://en.wikipedia.org/wiki/Skipjack_(cipher)

Re:Tech Companies Making It Public

The Clipper Chip was developed, and it was used by a number of places back in the 1990s for a brief time, as the US government was going to require anyone who does business with them use it.

It even goes before that, to 1990-1991, with two politicians making a bill to ban _all_ cryptography. PGP 1.0 was released at a stopgap.

Now, before the pogrom on encryption, one's security choices were lousy. Want FDE on the PC? Best you could get would be Stacker, with password protection set on the drive, which provided "encryption" on the device level. Macs actually had better FDE choices. There were programs like FileGuard which worked on a file by file basis, FWB Hard Disk Toolkit, which did two rounds of DES, Stuffit 1.5.1, which used NewDE... basically DES with fewer rounds, and Casady & Greene's Access Managed Environment, which did encryption on the entire disk, and file level. On the UNIX side, you had crypt(), which used a one rotor ENIGMA-like algorithm.

Well, what happened with the push to outlaw cryptography, was that the Cypherpunks list was born. PGP 2.x was made with an actual tested bulk encryption algorithm (IDEA), and a PKI/WoT structure which arguably is the best commonly used out there, more than 26 years later. Hacks and secret algorithms gave way to using DES, 3DES, then AES.

The ironic thing is that because the crypto wars were "won" in the 1990s, it made crypto development stagnate, because without any real perceived need for it, people went to write other things.

In a way, I do hope people get scared. It would mean that people would actually start writing code, perhaps making a new OpenPGP standard with the innovations from SaltPack, better trust, forward secrecy, ability to cascade algorithms, block level functionality (like PGPDisk), a better ASCII encoding standard, and so on. The only real advances in applied cryptography recently have been crypto-currencies, and the idea of a blockchain. Day to day crypto is still stagnant, with SSL/TLS having the same fundamental weaknesses as it had on inception.

Re:Tech Companies Making It Public

[The+New+Guy+2.0]

Uhm, that's a 404.

Re:Tech Companies Making It Public

[ole_timer]

works for me

Re:Tech Companies Making It Public

[Aighearach]

They start with 2003, then they skip straight to 2007. And none of it is what they claim it is. If they'd started with the Clipper Chip they'd actually have right there the vast majority of events that include "[trying] to restrict citizens' access to strong encryption," because that was the only significant attempt.

The horse shit is so deep, they even claim that the FBI being called to testify in front of Congress is somehow relevant. People who pay any sort of loose attention to public events in Washington understand that there are hearings on everything, and government employees have to testify when asked. They'll be asked stupid questions, and their answers will be misrepresented by the press; as in this case.

And no, internet surveillance is not the same thing as trying to take away my encryption. Uhm, duh? Words, do they mean shit, or not?

Re: Tech Companies Making It Public

[ole_timer]

trust me, skipjack was coded and clipper was manufactured.

Blame it on Snowden !?!?!?!

[PolygamousRanchKid+]

Oh, that's just grand. I would blame the governments, who through their spying actions wake up folks and make them aware that they now need encryption. Otherwise, some government jerk will be reading their email . . . with the intention of stalking.

Oh, can the government maybe blame Global Warming and the Zika Virus on Snowden, as well . . . ?

Re:Blame it on Snowden !?!?!?!

[ausekilis]

I'll just leave this here.

Re: Blame it on Snowden !?!?!?!

[fustakrakich]

Could be true. Let's see what he brings back from Russia.

or Stupid decisions had previsible consequences

[Thanshin]

People are expected to learn at an age of around 4, that if you bite the kid next to you, he'll either bite you back or cry and make someone else punish you for the biting. Apparently, becoming a decision maker in the justice department, the FBI or the CIA, doesn't require having acquired such wisdom.

More seriously, though, the only realistic explanations to the imbecile behavior of American governance towards cryptography is probably a mix of a few lines of reasoning:
- "So what if my decisions of today have dire consequences in tomorrow's landscape? I won't be in power tomorrow, so I don't give a flying fuck."
- "I don't understand any technology beyond the automobile, and I really don't care. Just give me a way of invading privacy now and shut up."
- "So what if today's abuses of power make everyone use cryptography tomorrow? It will just be one more reason to abuse our power even more tomorrow. Everyone outside the 0.01% is a potential terrorist criminal revolutionary."

Re:or Stupid decisions had previsible consequences

[TangoMargarine]

How does it feel to lay down in the gutter and wait for them to walk on you?

Re:WAR

[Thanshin]

Kim Jung-Il, is that you?

Clearly not. If it was, his thoughts would have been communicated telepathically to your mind through his unicorn.

Re:If encryption is so important...

Cuz no body would b able 2 read it genius????

Longer than that, internationally

The Patriot act changed things for the worse, but I feel the timeline should look back further.

In France for example, the use of encryption was illegal until 1999 (and even worse before 1990). Sending an encrypted mail or encrypting a document could be punished with heavy fines and even jail sentences.
That law was changed after banks, among others, complained that it made it impossible to use the internet in a secure way.

So you could say that the discussion goes back to at least the end of the 90's. And probably to WWII, if you look close enough :)

Re:Longer than that, internationally

[jmd]

Phil Zimmerman and pgp in 1991

https://en.wikipedia.org/wiki/Phil_Zimmermann

Re:Longer than that, internationally

[jonwil]

I would say it goes back as far as the late 70s and things like the "New Directions in Cryptography" paper published by Whitfield Diffie and Martin Hellman (a paper the NSA didn't want published)

Re:Longer than that, internationally

[The+New+Guy+2.0]

PATRIOT Act (spell it in all caps, it was an acronym) was passed in the dark period when news was too busy reporting 9/11 damage, and therefore there was no notice to the public that it was going to pass. Congress was smart and sunset the law... so anybody who now says "I can under the PATRIOT Act" needs to be told they lost their citation.

skipjack

[ole_timer]

The war over civilian use of crypto goes back to at least 1994 with skipjack...how quickly they forget

Re:skipjack

[ole_timer]

https://en.wikipedia.org/wiki/...

Re:skipjack

[Toad-san]

It goes back earlier than that. I was invited to pay a visit to NSA at Fort Meade to explain my own home-rolled "CryptoMax" and "CryptoComm" encryption software products (I guess back around '87 or '88), a most interesting visit to say the least.

NSA was pretty insistent back then on hardware solutions, had no tolerance for software solutions at all. I imagine the cryppies were all clutching their chests when Dr. Dobbs Journal published an interesting article on RSA and public key algorithms way back in The Day. (I might still have that volume around :-)

The boys in the big shiny building's cellars found my algorithms (which I had to translate for them from Turbo Pascal and 8086 assembly language, apparently not their languages of choice) very interesting indeed, were most complimentary ("Are you SURE you haven't worked in this business before?", and there were mumbles about "Cray-busting" and the like. Flattering, but I couldn't get their endorsement for the security of the algorithm or code, and they laughed themselves to tears when I asked about foreign export of my programs :-)

Re:skipjack

[ole_timer]

R.V. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystem, Commun. ACM, Vol.21, No.2, pp.120-126, 1978 yes, 1978

What's old is new again

[AntronArgaiv]

Or something. Crypto, by Stephen Levy, chronicles the first crypto war. Worth reading, for background, because this time, it's not "national security", it's kiddie porn and terrorists that are going to win if we don't give the Security Services the keys to everything. And, we should TOTALLY trust them to keep us safe.
Yeah, right.
http://www.stevenlevy.com/inde...

Re:What's old is new again 2

[ole_timer]

worth reading to understand my last comment.

Repeat history

[ThatsNotPudding]

"In order to save the village, we had to destroy it."

"In order to defend the Constitution, we had to shred it."

NSA should blame themselves

[MikeRT]

Had they stuck with assisting ICE, CPB and the Coast Guard, it would have been a ho hum revelation that they were feeding law enforcement active intelligence because those agencies are interdiction agencies that operate at or beyond the borders. It was when it was discovered that the NSA was going well beyond its mission and helping law enforcement in many other ways that the public started caring. It was all totally preventable. All the director had to do is issue a directive that they will not turn over any data to law enforcement operating within territorial boundaries except on national security cases.

Crypto wars go way back

[bytesex]

The current round goes back to at least the exposure of PGP.

Re:Crypto wars go way back

[worf_mo]

I remember the time when US Export Regulations prevented PGP to be exported legally. In order to lawfully bring PGP to other countries, the source code was printed in books which were then exported, scanned and OCRed. Interested parties could follow the progress on a website (# of pages scanned/OCRed/proofread). This went on until 1999, at which point export controls on cryptographic software were lifted.

There's actually an informative page about this which sports the same yellowish background I seem to remember from the nineties.

Re:Crypto wars go way back

[ole_timer]

the best was the algorithm on a t-shirt..

Re:Crypto wars go way back

[ole_timer]

http://www.cypherspace.org/ada...

Re:Crypto wars go way back

[The+New+Guy+2.0]

Yep, remember the 40-bit vs. 128-bit encryption browsers.

Re:Crypto wars go way back

[J053]

I had one of those - it's sadly fallen apart long since. I used to like wearing it through airports - never could get anyone to arrest me, though.

Re:Crypto wars go way back

[J053]

I had this shirt with the algorithm in Perl. I used to like wearing it in airports - never got any negative attention, though. Sadly, the shirt has gone the way of all things long ago.

Re:Crypto wars go way back

[ender-]

Yep, remember the 40-bit vs. 128-bit encryption browsers.

Yes. It was terrible. And we are STILL encountering fallout from that idiocy.
See SSL FREAK vulnerability from last year.

Re:Crypto wars go way back

[anachronous+diehard]

Obviously, you missed the RSA Tattoos: Illegal Tattoos: RSA Tattoos

Several people obtained them when U.S. International Traffic in Arms Regulations (ITAR) banned export of cryptographic software with keys longer than 40 bits, making these tattoos "munitions". Apparently, no arrests were made.

In 1996, the ITAR restriction was ruled unconstitutional, instantly making all these tattoos "retro".

Re:Crypto War

[jenningsthecat]

So how many of you so-called geniuses ( Wiley Coyote ) have even begun to look at cryptology and math, and started to try to develop a few methods not of the usual sort? Maybe if a few hundred new encrypton algorithms were to suddenly pop-up, the governments would be a bit behind the curve of breaking them... and thus the race will go to the prolific instead off to the analytic... AND how many of you have begun to encrypt as much as possible? Just to ensure a good work load for the nosy buggers? ( I want my government workers to be busy...)

Somebody obviously thinks you're trolling. I suspect you are too; but I also think you're making a valid, (if somewhat exaggerated and inflammatory), argument for diversity and original research in encryption. Probably a worthwhile percentage of Slashdot members are actually capable of undertaking the work you suggest.

Also, their IS more safety in numbers - if everybody used encryption, there would be a more even balance of power between the people, and the government that is nominally of, by, and for them. Government agencies can have secure, private communications; citizens have the right to the same capability, and at the same degree of effectiveness. In fact, citizens should have the ability to pierce the government veil a lot more than is currently the case - but that's a whole 'nother argument.

Re:Crypto War

Actually, I am not trolling. I firmly believe that more ( /.ers, OS programmers, EFF ) should be doing this. I am.
And the upshot is that the government will have to do more work to watch us, the citizens. Maybe enough that they will actually limit their snooping to terrorists
( although I doubt it, they do want to use it for drug investigations, kiddie porn and IRS searches for hidden money....).
Sometimes one must exaggerate and be inflammatory to get results.
Other times it is a dare ( triple-dipple-dog dare) that gets results.
Then there is the simple appeal to actually do something instead of just blogging complaints and opinions.
Maybe if more girls would ask their boyfriend-programmers to do an encryption to send pics......

More hyperbole

[tom229]

By people that don't know what they're talking about. The San Bernardino case has nothing to do with "restrict[ing] citizens' access to strong encryption". It's about establishing a precedent that law enforcement can tap into a software companies inherent backdoors. In this case, the Apple backdoor is their master signing key for software updates. It seems obvious from their resistance, and other evidence, that even their "secure enclave" is vulnerable to custom firmware images. If Apple wants to truly absolve all responsibility they simply have to let users install ios firmware built with their own private signing key. Of course, this makes even the newest ios build jail-breakable, which prevents Apple from locking you into whatever "experience" they're currently trying to define. Something seemingly more important to them than the security of your data.

Re:Crypto War

[Lumpy]

they still have not broken XOR and a one time pad.

Pedantry

[StayFrosty]

I'm sick and tired of hearing about "The debate between privacy and security." It's total bullshit. It's pretty hard to have security online without privacy. It's not a balance of one versus the other, one depends on the other. The US Government argues my case all the time when bitching about how when Snowden breached the government's privacy, he adversely affected national security.

This brings me to my next piece of pedantry: I'm tired of hearing about "National Security Issues." Terrorism, ISIS/ISIL/Daesh/IS/Whatever, Al Qaeda, Home Grown Terrorists, Lone Wolves, the Boston Marathon Bombers, etc... do not threaten the territorial integrity of the United States. There is no invasion and there never will be. The government isn't in danger of collapse. Terrorism is a PUBLIC SAFETY concern. Stop pretending otherwise. If we do that though, who is going to keep the money flowing in to the military/industrial complex?

Re:Pedantry

Re: "...who is going to keep the money flowing in to the military/industrial complex?"

No one, and that's the pivotal issue. Terror, crime, and safety are the levers used by the security apparatus to gain ever more access to money, people, data, resources, professional status, and ego fulfillment. They take it for granted that they define what the interests of the state are.

Time was their predecessors understood the law, the constitution, civics and the balance of responsibilities. The current crop of leaders are corrupt and model themselves after J. Edgar Hoover.

Therefore by their logic, anyone who does not support their methods and attitudes, is a terrorist, a criminal and an enemy of the state. It's the easiest way to deal with opposition, by demonizing them. And in so doing, they begin harboring attitudes that share not a little bit with the terrorists they claim to oppose.

This is why Edward Snowden will not get a fair trial. Snowden is an oppositional voice and a leader by his actions. As such he must be taken down.

Re:Crypto War

[shawn2772]

So how many of you so-called geniuses ( Wiley Coyote ) have even begun to look at cryptology and math, and started to try to develop a few methods not of the usual sort?

Wrong approach. If you want to improve the state of crypto, you need to start by learning to break crypto. Anyone can invent an encryption method, but unless you have invested a serious amount of time and skull-sweat into breaking ciphers, whatever you create will suck, terribly.

Maybe if a few hundred new encrypton algorithms were to suddenly pop-up, the governments would be a bit behind the curve of breaking them.

Your plan would make the government's job much, much easier, because the methods that people tend to come up with are mostly very closely related, and tend to all be based on independent reinvention of old ideas for which well-known cracking methods exist. In addition, you're solving a non-problem. We already have very good encryption algorithms, with zero evidence that the government can break them. Snowden's data actually confirms that if you use modern encryption algorithms correctly and manage the keys well, the NSA can't read your data.

What we need is more research into ways to make encryption easier to use correctly, not another gazillion crappy ciphers.

Advancing the use of crypto

[fustakrakich]

That would definitely make the man somewhat of a hero. He would be even more of a hero by his actions if they advance the purging of all incumbents from the House in November and replaced by independents.

Re:WAR

[Aighearach]

Kim Jong-Il died December 17, 2011. You might want to update your spam macros.

Re:Crypto War

[Lumpy]

They will never get the contents of my secret file /dev/random from me..... POWER TO THE PEOPLE!

Re:Crypto War

[Bob+the+Super+Hamste]

As someone who has recently had my interest in this topic reignited you are correct that it is mostly about understating how to break crypto that leads to better crypto. Understanding the math isn't all that difficult if you have an applied math (CS) degree and a willingness to learn as when I was first interested in crypto about 20 years ago there wasn't as much info freely available to learn from and what was there was difficult to find. All of the major symmetric key crypto algorithms are just variations on the Feistel Network structure going back to the early 70s. Here is a paper I was reading just last night on the evaluation on all 16! 4x4bit s-boxes but most ciphers use 8x8-bit S-boxes. There is also a lot that can be learned by looking back at the NIST evaluations of the AES finalists and reading and understanding them.

Re:Crypto War

[shawn2772]

All of the major symmetric key crypto algorithms are just variations on the Feistel Network [wikipedia.org] structure going back to the early 70s.

AES (Rijndael) does not use a Feistel network, and neither does Serpent, another of the five AES finalists (Twofish, RC6 and MARS are based on Feistel networks).