Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Congressional Committee Concludes Encryption Backdoors Won't Work (betanews.com)

Posted by EditorDavid on from the talking-vs-unlocking dept.

"Any measure that weakens encryption works against the national interest," reports a bipartisan committee in the U.S. Congress. Mark Wilson quotes Beta News: The Congressional Encryption Working Group (EWG) was set up in the wake of the Apple vs FBI case in which the FBI wanted to gain access to the encrypted contents of a shooter's iPhone. The group has just published its end-of-year report summarizing months of meetings, analysis and debate. The report makes four key observations, starting off with: "Any measure that weakens encryption works against the national interest".

This is certainly not a new argument against encryption backdoors for the likes of the FBI, but it is an important one... The group says: "Congress should not weaken this vital technology... Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system that gives law enforcement exceptional access to encrypted data without also compromising security against hackers, industrial spies, and other malicious actors...
The report recommends that instead, Congress "should foster cooperation between the law enforcement community and technology companies," adding "there is already substantial cooperation between the private sector and law enforcement." [PDF] It also suggests that analyzing the metadata from "our digital 'footprints'...could play a role in filling in the gap. The technology community leverages this information every day to improve services and target advertisements. There appears to be an opportunity for law enforcement to better leverage this information in criminal investigations."

8 of 98 comments (clear)

  1. Disturbing. by Gravis+Zero · · Score: 4, Insightful

    While most people start thinking, "oh what a breath of fresh air, the government getting it right for once," I worry, "have aliens infiltrated our government? Because it seems like they are listening experts and making logical conclusions." ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Disturbing. by Areyoukiddingme · · Score: 4, Insightful

      ... "have aliens infiltrated our government? Because it seems like they are listening experts and making logical conclusions."

      I expect the experts testifying used illustrations in crayon and very small words. And they still got a weasel-worded statement from the committee. "Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system..." No, that's not what they said. Every single one of them said it is impossible. Because it is.

      Congresses come and go, but there is one invariant: they all have trouble with mathematics.

    2. Re:Disturbing. by hawguy · · Score: 4, Insightful

      "Congresses come and go, but there is one invariant: they all have trouble with mathematics."

      That's not saying much, most people have trouble with mathematics.

      Most people aren't making Federal policy decisions related to science, math, and technology while being unversed in science, math, and technology.

  2. A backdoor would be in the wild in a week by HangingChad · · Score: 4, Insightful

    I think we've all seen how good the FBI is at keeping secrets. Any encryption backdoor would be in the wild in a week. In the week before it got loose it would be mostly a political weapon.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  3. Re: by Anonymous Coward · · Score: 3, Insightful

    The backdoors are starting to impact international trade, making US products less appealing. China has also had problems with backdoors, but this allows different countries to become more competitive while the US remains politically divided (preventing them from competing globally in the future, over the long-term).

  4. It is infeasible to be a break 2048 bit Diffie-Hel by raymorris · · Score: 3, Insightful

    I'm sure cryptography experts did in fact say it's infeasible or impractable. That's what those of us who work in the field say about things we think nobody can do (probably). For instance, it's currently infeasible to crack 2048 bit Diffie-Hellman. We tend to avoid saying something is impossible, because as soon as you say that someone's likely to do it :) Theoretically, it's trivial to crack Diffie-Hellman, it's not cracked because of the PRACTICAL difficulty of doing so.

    There's nothing theoretically preventing a master key from working just fine, only PRACTICAL problems of a) keeping the government key secret (while it's used) and b) selecting ciphers and implementations that won't be hacked ten years from now. The practical issues mean it's impractical to have a government master key.

  5. Re:by putting back doors in by ShanghaiBill · · Score: 5, Insightful

    There are two fatal flaws in your reasoning:
    1. You assume that "the police" and "the criminals" are disjoint sets.
    2. You assume that innocent people have nothing to hide, and nothing to fear from the police.

  6. Re:A collosal circle jerk by Anonymous Coward · · Score: 3, Insightful

    Yes, Congress can do a lot to fight cryptography:

    1: Use a modified version of NAC, requring all Internet connected devices to have a hardware DRM stack, and routers having to have a locked down chipset to enforce this. This is already here in some respects -- the FCC demanded all radio firmware be locked down and resistant from user modifications. From there, approved applications can be required, and people's PCs can be scanned, with the results of having something like PGP resulting in arrest.

    2: Take China's approach. China requires 51% ownership of all interests, and they tossed Google out, and made other firms cave in to their eavesdropping demands.

    3: Create a special agency similar to the DEA or BATFE to go and toss people who use unauthorized crypto in prison for long sentences. The system is already in place and well privatized.

    4: Watch social networks. A PGP header is reasonable suspicion enough. A file that contains no decodable data is also suspician. This doesn't mean -guilt-. It means the owner now has to deal with a judge and jury, or make a plea bargain.

    5: Demand all businesses use BlueCoat on all outgoing traffic, with it in TLS/SSL decoding mode (where it MITMs its own key.) If the traffic can't be decrypted and scanned (to catch people using multiple layers), it doesn't leave. Businesses can include ISPs.

    6: Force a "UL" type listing guarenteeing a device cannot have crypto attached. Easily done, easily enforced.

    Yes, people can say that crypto is hard to kill, but governments can easily detect it, and after a few people go to prison for just suspician as examples, it won't happen.