Encryption Security

How Would Crypto Back Doors Work? (477 comments)

Posted by Hemos
from the what-goes-into-it dept.
frantzdb writes "We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic? Also, how would/does the government know whether a bitstream is random bits, or encrypted data?"

  • Simple (Score:2, Insightful)

    by nate1138 (325593)
    Simple Answer:

    Crypto backdoors won't work ;) (At least not for their intended purpose)
    • Re:Simple (Score:3, Insightful)

      by imp (7585)
      The problem with weakening crypto is that anybody
      may be able to recover the keys, not just the
      folks that mandated the back door. Also, there
      are long term issues with this. What if a trusted
      party today becomes an untrusted party in the
      future? What do we do when the current threat is
      over? What if the bad guys figure out the backdoor? Would you have worse problems from them
      than you have now with the folks blowing things up? What if the US government gets weird and
      refused to give up the back door once the crisis
      is over?

      And finally: What about the huge deployed base of strong crypto?

      One more finally: Little evidence has been given
      that strong crypto is being used today as a shield
      for the communications with this group. Why should we give up our rights based only on the
      say so of the Government, one that has lied to
      us in the past?
      • Re:Simple (Score:3, Insightful)

        by Tim C (15259)
        What if the US government gets weird and refused to give up the back door once the crisis is over?

        "What if"? Why would they?

        Why would they give up such a valuable advantage in the fight against <insert current object of vilification>? Terrorists, drug smugglers/dealers, criminals, communists, dissidents - all have had war declared on them at some point, by some country or other, and all could benefit from the unrestricted use of strong crypto.

        Even if the war against terrorism is won, this legislation would stay in place, to aid the war against the next great evil.

        What if a trusted party today becomes an untrusted party in the future?

        That's exactly the problem I have with this, and all privacy-limiting developments. Here in the UK, as I'm sure you're aware, we have more than our fair share of CCTV cameras on the streets. Every argument in favour of them seems to revolve around the same core assumptions:

        1) They help cut crime, thus making everyone safer
        2) You can trust the Police and the Government

        I have to agree, up to a point. They do cut crime, at least in the covered areas, and I can trust the police and government, now. How do I know I'll still be able to trust them in 20 years time?

        I don't. I just have to hope that I will be able to, because the way things are going, if I can't, I'm going to be in serious trouble. The same is true in this case - if legislation like this is passed now, it makes a future rogue government's job all the easier.

        What about the huge deployed base of strong crypto?

        That's easy. It would become illegal to use it.

        If the agency monitoring communications (NSA, MI5, KGB, whoever wherever you are) acquired a message that they could not read, you'd be arrested, and ordered to decrypt it. (There is already provision for pretty much this to happen in UK law, thanks to the Regulation of Investigatory Powers Bill)

        At best, on proving that it's an innocent message, you'd get a slapped wrist and threats of bad things happening if you continued to use strong crypto. At worst, you'd do time just for using crypto they couldn't break.

        Cheers,

        Tim
  • Even if they *did* work, what's the purpose? To keep tabs on terrorists? Bwahaha. Bin Laden is already one step ahead in the high-tech race. He <gasp!> turned off [theregister.co.uk] his cellphone, ditched the e-mail account and he's now communicating through human messengers!

      Crypto backdoors... Carnivore... Echelon... what a load of absolute crap.

  • Escrow (Score:3, Interesting)

    by FatRatBastard (7583) on Thursday September 20, 2001 @01:11PM (#2326344) Homepage
    I'd assume that one of the ideas would be to revive the idea of key escrow. All generated keys would have to be "registered with the state."

    I can't wait until I can purchase a "You'll get my 1024 bit private key when you pry it out of my cold, dead Palm" bumper sticker.

  • I certainly hope not... My guess is that upon generating a key, a separate key is also generated. This key (the other half of which the NSA has) could be used to encrypt the original sender's private key. This would allow the NSA (I don't know which tla will hold the keys, just substitute your favorite one in here...) to be able to retrieve the private key and decrypt the transmission... This is pure speculation...
  • The government would either have to issue everyone a private key, or pass a law making it a crime not to hand over the keys. Although this only relates to detectable encryptions.

    If you were a terrorist you would probably hide messages via a digital watermark in an image file/video file to get around this. Therefore making the laws useless.
    • "pass a law making it a crime not to hand over the keys"

      Unfortunately we already have this law in the UK - it's called the RIP Act. The penalty for not handing over a key, even if you have forgotten it, is a two year jail sentence.

    • That law is called obstruction of justice. If you have a key, it can be subpoena'd at any time, if they can prove to a judge that your encrypted data may include things necessary to proceed with a trial. If you don't hand it over, or conveniently "lose" your copy, you get hit with obstruction of justice and you look like an incompetent fool who can't even keep track of his own crypto keys.
  • How backdoors work (Score:2, Interesting)

    by Chakat (320875)
    A lot of the technology behind the last time congress/the prez tried to cram crypto backdoors down our throat [eff.org] is unfortunately classified, but the basic way it would work is that each key would have its own identifier it shouts out in the process of sending packets back and forth. Upon court order (or not, if there are crooked lawmen), the mandatory escrow part, which is how most modern crypto backdoor setups work, is used to get the private key and decrypt the message.

    Steven Levy's excellent book "Crypto", which was reviewed here a few months back has the basic gist of the technology. As the technology is mired in classified work and patents, it's a minefield that will have to be carefully traversed

    • "As the technology is mired in classified work and patents....."

      Odd that a process designed to keep something secret (classifying it) should be combined with a process designed to make something public knowledge (patenting it).

  • Key Escrow (Score:3, Insightful)

    by SirStanley (95545) on Thursday September 20, 2001 @01:17PM (#2326390) Homepage
    The Government tried to implement Key Escrow A while ago.
    Basically. When you generate your keys you must submit the key to the government so they have a copy. It's kind of like your landlord.

    You have a key for your apartment. So does he. If you get locked out he can come on in and let you back in. If you're growing a Pot Farm he can give it to the feds when they have the search warrant and let them in with out bustin no doors down.

    Implementing a mechanical backdoor other than key escrow would suck. Short of the US Government getting hacked your keys should be safe with them (unless of course you believe the US Government's sole purpose in life is to get you) If you implement a mechanical back door just wait until it gets reverse engineered. All hell will break loose.

    If Backdoors are implemented. Im a fan of Key Escrow.

    However what's to stop a terrorist from writing their own version of a public cryptosystem such as RSA and not giving anyone keys? Guess there will also have to be a law that says if your key isn't registered and you're communicating with it then the government can arrest you.
    • You could use the government's public key to encrypt your private key, sort of like registering your car, you would have to register your key. The problem is that you could send them any old crap and say it was your key. The only way they would know is if they tested it by decrypting a message.

      This is all beside the point, because terrorists won't register their keys. If the US government can't stop spam, what makes them think they can stop encrypted messages?
  • They won't help (Score:3, Interesting)

    by levendis (67993) on Thursday September 20, 2001 @01:18PM (#2326395) Homepage
    Crypto backdoors sound good, but in reality they won't help at all. The biggest part of the problem, as you pointed out, is just figuring out what is encrypted and what isn't. According to this article [yahoo.com], the hijackers were sending each other unencrypted emails. If they couldn't even intercept unencrypted messages, how do they think backdoors will help?

    One basic assumption of crypto backdoors is that people will actually use crypto that has the backdoor capability. It's like trying to limit encryption to 128 bits or 4096 bits or whatever it is these days. You can just write your own encryption program (or download & hack the source to some existing program) and create 65536 bit encryption if you want. Sure, it's illegal, but if you don't want the feds to find out about your nefarious plans, so what?

    Believe me, we can expect a lot more stupid, reactionary legislation in the coming weeks & months (am I the only one who doesn't feel any safer knowing that the guy on the plane next to me doesn't have his Bic disposable razors????). Thank god we haven't locked up all the Arab-Americans because they could be terrorists...
    • Even more fundamental and larger is figuring out what is interesting and what isn't. The unencrypted emails you mention were probably exchanging flight info, planning when they wanted to fly, where they should go, where they would come from, and so forth. Reading the email in advance probably wouldn't give anything away to someone not part of the group-- it would be profoundly stupid for them to read email that could incriminate them in a public library, where, even if it weren't examined by the FBI, someone waiting for the computer could simply happen to look over their shoulder.

      It's an essentially unbreakable end-to-end chaffing system: only say things that are just like what anyone would say if they were doing ordinary things, but have some shared understanding that only the people involved know about (like, when we're all on planes at the same time, we'll hijack them).
  • For one, the government would most likely be going after the manufacturers of encryption software instead of the users of encryption software.

    Which means the law will be useless because encryption is already out.

    The backdoor will probably be in the form of a key or a series of keys that one or more entities has. To make it seem better, multiple authorities will have portions of the key, so that you can't just grab one repository.

    You can do statistical analyses and generally figure out if something has a likelihood of being encrypted. It's a cold-war technology that probably got much usage back then. But it's not the kind of thing you could deploy across the entire network.

    Now, I'm not a privacy whacko. I don't encrypt my hard drive. I'm not anti-government. I'm generally pretty pragmatic. But even I don't think that we should have backdoors on encryption software. Does the government have backdoors on our safes? Do the cops have a key to my apartment's door?
    • "Does the government have backdoors on our safes? Do the cops have a key to my apartment's door?"

      They have oxyacetylene torches for your safe, and a battering ram for your door. This is why they are considering the legislation: there is no way of reliably cracking properly-done strong crypto in a reasonable amount of time (less than billions of years.) You can't force your way to a key, or buy it, like you can force a door or buy a better torch to get into safes faster.

      The feds had Mitnick's laptop(?) for five years and made no progress in breaking the encryption he used...

  • This will only stop the unsophisticated users. While the government is backdooring into some 1337 h4x0r script kiddies' communications, terrorists cells will be communicating through steganographic messages with non-government-approved encryption on the local pr0n site.

  • There is no easy answer to this question. It certainly depends on the algorithms used. It depends on who implemented it, tamper-free devices, and much more. Here are a couple of links that might give the interested reader some points to start:

    Peter Gutmann's excellent crypto tutorial [auckland.ac.nz]
    Some information on Blind Signatures [upenn.edu]
    A very nice link page for privacy and encryption [afn.org]
    Ron Rivest's (the R in RSA) homepage with an excellent link section [mit.edu]
    And a link to buy Applied Cryptography [fatbrain.com], even if the stories lack accuracy it is a good read

    Happy reading!
  • by Gregoyle (122532) on Thursday September 20, 2001 @01:24PM (#2326461)
    They could never work.

    The simple reason is that as long as there is an algorithm that cannot be penetrated, either by force or by escrow, that algorithm can hide data. On this, at least, the cat is out of the bag.

    One of the more likely scenarios which could possibly keep criminals away from data while allowing governments to have access would be an agreement worldwide on a data-encryption standard that included key-escrow. Likely this would be implemented with a large database of registered keys rather than a "skeleton key" approach simply because the "skeleton key" would be a ridiculously easy target. Of course, this whole scenario cannot work for catching dissidents and criminals, and therefore cannot serve the purpose of fighting terrorists.

    The reason is that under any reasonable key-escrow scheme a government would be required to show evidence before using the person's key to find the data. This works fine for average citizens who only use the mandated encryption standard, but, Surprise! When the government uses the key of terrorist Tim to decode his messages, they find that not only did he use the mandated scheme, but he also encrypted his data with his own scheme, which, of course, is unbreakable with current technology. Terrorist Tim wins in two ways here, not only did his data remain secure, but he also managed to waste a large amount of the government's time and resources.

    The fact that this is even being proposed shows the ignorance of technology rampant in Congress. I live in NH, maybe I'll write a letter to Senator Gregg.
    • You say:

      The reason is that under any reasonable key-escrow scheme a government would be required to show evidence before using the person's key to find the data.

      But if you remember, the biggest issue in the Clipper Chip deal was that they changed the wording that created the "Fruit of the poison tree" doctrine that currently keeps illegally acquired evidence out of the courtroom. They might try to do away with the evidence requirement.
    • They could never work

      Of course, that depends on what the real purpose is. The purpose might be to create lawbreakers.

      "There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible to live without breaking laws." -- Ayn Rand, "Atlas Shrugged"
      • Great point,

        I've been formulating a "conspiracy" theory with speed limits that is similar to this argument. The idea is that you make the speed limit so ridiculously low that everyone goes much much faster than posted, and thereby generate revenue for the city or town in speeding tickets.

        Not quite as insidious, but more practical for that.
    • There are methods of hiding data in plain sight. Just read "Chaffing and Winnowing: Confidentiality without Encryption" at http://theory.lcs.mit.edu/~rivest/chaffing.txt [mit.edu]


      Also, said Terrorist could use multiple techniques together:

      - write message
      - apply method of Chaffing and Winnowing (above) or method of hiding messages in spam [spammimic.com].
      - hide that message in favorite media with outguess [outguess.org].
      - encrypt that with PGP [pgpi.com] or GnuPG [gnupg.org].
      - encrypt that with the mandated, key-escrowed, back-doored technique
      Now there are several barriers to break down, but only the easy one is known about until an investigation is already under way.

      Or:
      - said terrorist could avoid electronic communications, and meet face to face in a public park or on a public bus or in a crowd

      Ask a gardener how they deal with weeds. Do you just remove what you can see, or do you go after the roots? Ask a doctor how he/she deals with a disease. Does he/she treat the symptoms and hope for the best over time, or does he/she treat the source of the disease?

      Yes, cutting off one of their means of communication would be an inconvenience for people who have evil plans. But is there a better way that we can deal with their evil plans in the first place?

      I don't know the answers, I just ask the questions.
      • That chaffing and winnowing article is the coolest thing I have read in a long time. I'm not joking. Everyone here would probably enjoy it. It discusses not only technical issues, but their legal and social consequences.

        Thanks for the link.
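The chaffing and winnowing scheme linked above (the first step of the layered list two comments up), in working code. This is an added example, not code from the original thread or from Rivest's paper: the packet layout, the 4-byte serial number, the 8-byte HMAC-SHA256 tag and the one-bit-per-packet granularity are choices made here, and only the Python standard library is used. The sender never encrypts anything, so there is no encryption key for an escrow scheme to hold; what the receiver needs is the MAC key.

```python
"""Chaffing and winnowing (Rivest, 1998): confidentiality from authentication alone.

Nothing here is encrypted. Each bit of the message is sent as one "wheat"
packet (serial number, bit, MAC under a shared key); for every serial the
sender also emits a "chaff" packet carrying the opposite bit and a random tag.
Only a holder of the MAC key can winnow wheat from chaff; to everyone else
every serial number arrives with both a 0 and a 1.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

TAG_LEN = 8  # bytes of HMAC-SHA256 kept per packet (Rivest's example used 64-bit MACs)


def tag(key: bytes, serial: int, bit: int) -> bytes:
    """Tag over (serial, bit). The serial binds position, so a chaff packet
    cannot be shuffled into another slot and packets cannot be reordered."""
    msg = serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def message_bits(message: bytes):
    for byte in message:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def chaff(key: bytes, message: bytes) -> list[tuple[int, int, bytes]]:
    """Sender side: two packets per message bit, wheat and chaff in random order."""
    rng = secrets.SystemRandom()
    stream = []
    for serial, bit in enumerate(message_bits(message)):
        wheat = (serial, bit, tag(key, serial, bit))
        chaff_pkt = (serial, bit ^ 1, secrets.token_bytes(TAG_LEN))  # bogus tag
        pair = [wheat, chaff_pkt]
        rng.shuffle(pair)
        stream.extend(pair)
    return stream


def winnow(key: bytes, stream: list[tuple[int, int, bytes]]) -> bytes | None:
    """Receiver side: keep packets whose tag verifies, reassemble by serial.
    Returns None if a serial is missing or two packets verify for one serial
    (the key leaked, or a 2^-64 tag collision)."""
    bits: dict[int, int] = {}
    for serial, bit, t in stream:
        if hmac.compare_digest(tag(key, serial, bit), t):
            if bits.get(serial, bit) != bit:
                return None
            bits[serial] = bit
    if not bits or len(bits) % 8 or set(bits) != set(range(len(bits))):
        return None
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | bits[i + j]
        out.append(byte)
    return bytes(out)


def eavesdropper_view(stream: list[tuple[int, int, bytes]]) -> dict[int, set[int]]:
    """What a party without the key learns per serial: both bit values, every time."""
    seen: dict[int, set[int]] = {}
    for serial, bit, _ in stream:
        seen.setdefault(serial, set()).add(bit)
    return seen


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    stream = chaff(key, b"meet at dawn")   # constructed sample message
    print(winnow(key, stream))             # b'meet at dawn'
    print(winnow(bytes(32), stream))       # None: wrong key, nothing verifies
```

Two packets per bit is the textbook version and wasteful; Rivest's paper also describes chaffing larger blocks and an "all-or-nothing" pre-transform so that each packet of chaff protects the whole message. Wrapping this stream in the mandated, escrowed layer changes nothing for the escrow agent: decrypting the outer layer only yields a stream in which every serial carries both a 0 and a 1.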
    • [Last time [slashdot.org] I wrote this, it was Flamebait, so I'll try to be more careful.]

      Yes, it is generally agreed that modern encryption algorithms can hide data with virtually perfect security. But this alone is not relevant, as long as the government can detect the use of these algorithms.

      All the government has to do to nail your "Terrorist Tim" is observe that he is using encryption, and check for the existence of a matching escrowed key. Presumably, any key escrow system would allow for verification that a message was encrypted using an escrowed key, without actually retrieving the key or decrypting the message. Thus, it is entirely conceivable to me that the government could enforce the use of key escrow: Whenever they see encrypted traffic that does not use an escrowed key, they trace the user via the ISP and prosecute him. And maybe they drop the connection, so you can't even get one message through then hide.

      So, anyone who wants Internet privacy under this regime must hide the fact that they are hiding data. But, you say, there's a whole field dedicated to this end, called steganography, so the government loses again. While steganography is exciting and promising, it's not the knock-down argument that you seem to think.

      First, I agree that it is easy to covertly communicate a small amount of information to someone with whom you have prepared ahead of time. Any simple system of code words or similar is probably secure for a brief message or two. But, ...

      • People need to communicate more than a few messages on a predetermined subject. A naive system will not stand up to statistical analysis of many messages. For example, you might think that coding messages in the first characters of each word would be undetectable. Hardly--just look for anomalies in the letter frequencies of the first letters.

      • People need to communicate without having arranged a system beforehand. Even serious steganography (at least the systems I know about and can imagine) requires a shared secret, implying major challenges in key exchange. In the age of public keys (now the lynchpin of virtually all secure communication), we forget about what an enormous breakthrough asymmetric cryptography was.

      • Even serious steganography may be detectable [outguess.org]! Just as the government can monitor for non-escrowed keys, they can monitor for any steganography system that they have broken. It is currently not known whether undetectable steganography can be developed.

      • Steganography does not have the infrastructure, either in software or in familiarity and understanding, that encryption has. We all know that quality of implementation and good practices are as important as mathematical strength in the successful use of cryptography. Thus, people need to have software they can use and an understanding of do's and don't's. At least, it will take some time before steganography reaches the level of encryption in these regards.

      (In the above, you may substitute "terrorists" for "people".)

      The point: not that the government should or will do this; but that if they decide to do it, it is not futile! It really could (in addition to destroying the privacy of lawful citizens) slow down terrorist communications (assuming that terrorists use the Internet, which people seem to think they do). So we need a better argument against it than "this is stupid, it can't work".

    • What if key escrow/back-door crypto becomes a reality, and the master key or the escrowed key repository gets compromised by a terrorist?

      Wouldn't that represent a gravely serious threat?

      The terrorist would have the ability to monitor, and perhaps disrupt, any encrypted communications, including that for critical infrastructure.

      Let's increase the NSA's (*) staff and budget, not take knee jerk actions that help the terrorists.

      (*) NSA is mostly code-breakers and the like. Not goons out to get you. Anyone that comes in the middle of the night to crack your head will almost certainly NOT be NSA.
    • Actually, it could work, assuming that it's only used after a warrant has been acquired. The feds get the warrant, try to decrypt the info, and can't. Or they decrypt it, and find another layer of encryption underneath. Then they can charge the terrorists with use of illegal encryption and send them to jail for a few years.

  • "We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic? Also, how would/does the government know whether a bitstream is random bits, or encrypted data?"

    There is no such thing as "random bits of data" streaming through the network. All data has redundancies and self-imposed structure in order to convey information. Read Shannon for details on information theory.

    Most currently available cyphers create a data stream that appears extremely randomized. This, in itself, could be a way for the government snoops to detect encryption: A sample of data that is more random than other data.

    You can try the "compression test" for encryption. Try compressing some data. Check the file size. Now, encrypt the same data and run your compression program. You'll notice that the "compressed" file is the same size or larger than the original. This is because the encrypted data is "extremely randomized", and the compression program cannot find patterns in it to compress it. The snoops can use a similar test to detect encrypted data streams, i.e. over time, the probability of any character appearing is 1/n where n is the length of the alphabet (0-255 for bytes).

    Steganography and hiding cyphertext in cyphertext (see Applied Cryptography) would be a good way around encryption back doors.

    Cheers!

    E
    • > You can try the "compression test" for
      > encryption. Try compressing some data. Check the
      > file size. Now, encrypt the same data and run
      > your compression program. You'll notice that the
      > "compressed" file is the same size or larger
      > than the original. This is because the encrypted
      > data is "extremely randomized", and the
      > compression program cannot find patterns in it to
      > compress it.

      This is true of good random numbers, too. It's even more true of compressed data - this test will trigger on every gzipped or zipped file to pass through the network. It's also trivial to use some sort of base64 (or more complex encoding that uses letters with English frequency) over your encryption to break this.

      It also doesn't distinguish encryption permitted by the government, and cypto using illegal keys and methods.
    • You can try the "compression test" for encryption.

      This won't work, because you can have false positives and false negatives.

      The false positive case is obvious: if the data is already compressed, it will look like it's encrypted even if it's not. So some kid downloading Britney Spears' MP3s gets flagged as a terrorist.

      You can also create false negatives by padding or otherwise injecting artificial redundancy. If "xyz" is entropic (doesn't compress, appears to be encrypted) then just send "xaayaazaa" (where the filler could be anything) and you'll fool anyone who's looking for too much entropy. So Osama's packets go right through Big Brother's net and no one even notices that they're encrypted.
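The "compression test" from the comment above and both failure modes from the replies, run on constructed samples. This is an added example, not code from the original thread. Because the Python standard library ships no cipher, bytes from os.urandom stand in for the output of a good cipher; the two thresholds in looks_encrypted are assumptions for the sake of illustration, not a published detector, and the sample text is generated from a small word list.

```python
"""Compression / entropy test for ciphertext, with its false positive and false negative.

Shown: plain text (correctly cleared), ciphertext (correctly flagged), deflate
output (false positive: already-compressed data is just as incompressible) and
ciphertext with filler bytes interleaved (false negative: injected redundancy
drags the measured entropy down and gives the compressor something to find).
"""
from __future__ import annotations

import math
import os
import random
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte, of a maximum 8.0 (assumed cut-off)
RATIO_THRESHOLD = 0.9    # compressed/original size; about 1.0 means nothing compressible found


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte; 8.0 means all 256 values equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    return len(zlib.compress(data, 9)) / len(data)


def looks_encrypted(data: bytes) -> bool:
    """The snoop's rule: high entropy and incompressible."""
    return (shannon_entropy(data) >= ENTROPY_THRESHOLD
            and compression_ratio(data) >= RATIO_THRESHOLD)


def pad_with_filler(ciphertext: bytes, filler: bytes = b"aa") -> bytes:
    """The reply's evasion: "xyz" becomes "xaayaazaa"; the receiver strips the filler."""
    return b"".join(bytes([b]) + filler for b in ciphertext)


def strip_filler(padded: bytes, filler_len: int = 2) -> bytes:
    return bytes(padded[i] for i in range(0, len(padded), filler_len + 1))


def sample_text(n_words: int, seed: int = 0) -> bytes:
    """Constructed English-like text: random words drawn from a small vocabulary."""
    vocab = (b"meet at dawn the flight leaves from gate seven "
             b"bring tickets and call when you land").split()
    rng = random.Random(seed)
    return b" ".join(rng.choice(vocab) for _ in range(n_words))


def classify_samples() -> dict[str, bool]:
    """Run the detector over the four sample kinds; returns name -> flagged."""
    text = sample_text(10_000)
    ciphertext = os.urandom(len(text))      # stand-in for real ciphertext (no cipher in stdlib)
    compressed = zlib.compress(text, 9)     # the "every gzipped file" false positive
    padded = pad_with_filler(ciphertext)    # the padding false negative
    return {
        "plain_text": looks_encrypted(text),
        "ciphertext": looks_encrypted(ciphertext),
        "compressed_text": looks_encrypted(compressed),
        "padded_ciphertext": looks_encrypted(padded),
    }


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:18s} flagged={flagged}")
```

Expected on a run: plain_text and padded_ciphertext clear, ciphertext and compressed_text flagged. The padding costs three bytes on the wire per byte of ciphertext; the base64-with-English-letter-frequencies idea from the other reply is the same trick with a better bandwidth trade-off.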

  • by DanEsparza (208103) on Thursday September 20, 2001 @01:28PM (#2326484) Homepage
    I think it's a stupid idea to even toss around the idea of a 'crypto back door'. I can understand why politicians are desperately attempting to dig up the 'silver bullet' that would have stopped the WTC tragedy (and will stop the next horrific event from happening) -- but they're barking up the wrong tree for several reasons.

    Making crypto 'safe' with a back door effectively makes it useless. Why would anyone in their right mind use a cryptographic algorithm knowing that a perfect stranger has a 'backdoor pass' to their information? The whole point of crypto is to only allow the intended recipient to view the secret information.

    This idea would weaken any cipher that this idea is applied to. Why? Simple. Key recovery in a datastream you haven't ever seen before depends basically on one of 2 things: Brute force, and a little ingenuity. If you know that the cipher has a 'universal backdoor' then each stream encrypted with the cipher will be that much easier to crack -- because the streams will have to be somewhat similar.

    What happens when the wrong people get the 'back door' key? You don't think that someone dangerous is going to somehow either recover the key manually, or steal it? Think again. A 'back door' key (or set of keys) of this scope would be too good to pass up. Why bother attempting to recover a key that unlocks one stream, when you can unlock a whole set of streams?

    The cat's already out of the bag Why would somebody who really wants to keep information secret use a cipher that didn't keep it secret -- especially when there are so many good ciphers (RC4, Twofish, etc.) that don't have a backdoor? In short -- this is a braindead thought process that will lead the U.S. straight into another disaster.

    • RC4 is not considered a "good" cypher by anyone. Its weakness is a lot of the reason WEP was cracked so quickly and thoroughly.

      Also, crypto with a back-door would be useful against criminals, just not against governments. For example, you mostly use SSH so hackers can't sniff your packets to get logins and passwords. It's nice to know that governments would be equally hard-put, but that isn't the primary purpose.

      Plus, governments have many more resources than 1337 d00dz. They can log your keystrokes, or use other channels (Tempest shielding, keystroke timing, video cameras). Or they can just bribe your girlfriend. What, you don't have a girlfriend? Beware the next time some blonde bomb comes up to you and just can't get over your coding skills.

      I hope more money goes into HUMINT of the latter variety than fruitless reactionary measures like key-escrow. Because I really am patriotic, but I want to be able to have some control over who reads my data.
  • by MrKevvy (85565) on Thursday September 20, 2001 @01:29PM (#2326489)
    Simply, that the only way to prove that something was encrypted "legally" would be to automatically break it, all of it, as it passes through various communications channels.

    But this is too large of a job for just one person, or a (fiscally feasible) number of people, as much traffic may not pass through a central point. Machines will have to do it automatically, and there will have to be many of them. Who will make the machines? How will they guarantee that the backdoor isn't released? What if the machines themselves take a walk?

    Steganography would be the only way around this, by hiding an encrypted snippet well enough that it doesn't look encrypted. What if someone posts a badly-encoded GIF of their cat on their personal page, and the so-called "Stego detectors" pick it up. Of course, the "message" isn't there. Therefore it can't be decrypted, and they will be flagged as a criminal... scary prospect.

    As the technology progresses, only poorly done stego and innocent media would be caught. It's already possible to encode messages to be indecipherable from quantization noise by any theoretically possible system.

  • The biggest problem with this is what happens to those backdoor keys the government has. I mean first of all, how can we be assured that they can only use the keys with a court order? Furthermore, even if there's a way to assure that, is there any ruling that indicates that's even a requirement. I mean it seems that the fourth amendment might prevent unauthorized access but until a court rules it's hard to say. They could pass a law giving back doors and then later say that they can access them without court supervision (and the court may or may not support that)

    The other problem is that if the government does start accessing things without a court order, how would you know? You could probably develop a crypto system that would leave obvious evidence if it has been accessed through a backdoor, but the government wouldn't want that because it might interfere with an investigation.
    • Run a honeypot using Linux on Linux and give the government the keys to that. One could furthermore have the overall system (which is still secure) page the owner when the government key is used. Even better, there will be nice logs of anything nasty they tried to do while they were in there. I love the idea of posting one of their "high tech secret" keysniffers all over USENET. The idea of the goverment wanting secret access to my boxen is ludicrous. If all else fails, I can transparently pass all traffic through a box that logs the hell out of any traffic passing through it. If I want to know when they're messing around with my boxen then I will. I will regard the government the same as a script kiddy: something to be monitored and contained.

      I imagine the need for monitored and logged physical access is obvious too. The agents will look GREAT on camera when they suspect all of this and try to lay hands on the machines themselves.
  • by BeBoxer (14448) on Thursday September 20, 2001 @01:30PM (#2326501)
    The government has already done a lot of research into the area, and pretty much implemented a whole key-escrow system. Nobody used it and as a result it was a flop. To be honest, I don't know how much of the supporting infrastructure was actually deployed.

    The basics of Clipper worked like this. The system was based on hardware encryption chips which implemented the protocol. No software versions existed AFAIK for obvious reasons. Each and every chip had a unique ID and "unit key". Each encrypted transmission had a Law Enforcement Access Field (or LEAF) prepended to it. The LEAF consisted primarily of the current session key encrypted with the unit key of the sending chip and its ID number. I believe the whole LEAF was then encrypted with a single key shared by all chips.

    On the law enforcement end, the DoJ was supposed to maintain a database of all the chip ID / unit keys. There were lots of fancy promises made about the security of the database, and how it would be split in two so that two separate agencies would have to cooperate in order to gain access to the database, etc. All very feel good but in the end un-auditable and basically BS since the regulations guaranteed that there would be no penalty for improper access to the keys.

    Anyway, the LEAF field in combination with the database allows access to the session key and hence the plaintext of any message.

    The whole scheme has so many problems it's not even funny. Not the least of which is: the whole protocol has to be kept top secret. If you know how to generate a legitimate LEAF field, you know how to generate a bogus LEAF field too. An AT&T researcher published a paper about how to get two Clipper chips to talk to each other with bogus LEAF fields. It took a fair amount of trying to get random LEAFs which had valid checksums, but it was quite doable. Presumably, they won't repeat that mistake. Software implementations are pretty much verboten, since they are far too easy to reverse engineer or tamper with. If you are trying to mandate back-doored encryption, you would pretty much just mandate that all encryption be performed using NSA designed and approved chips manufactured by a secure contractor.

    As to what stops you from sending random data, one need only imagine the government's response when they detect that you are sending random data. Such random data would be presumed to be illegally encrypted data, and you would be arrested as such. It's quite possible that you would be freed once you had shown that the data was random. In the meantime, your face would be plastered on the front page of the paper as a "suspected terrorist". You might expect to be held without bail due to the extreme danger a suspected terrorist poses to society. The draconian penalties involved will serve to keep people in check, not any technical ability. Look at the penalties handed down for DMCA violations. Then compare the severity of pirating a movie versus flying an airliner into a building. Finally, scale the DMCA penalties accordingly. You can imagine the outcome.
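    The LEAF mechanism and the bogus-LEAF attack described in the comment above, as an added working model (this is illustration code, not anything from Clipper, the comment's author, or the AT&T paper). The parameters are assumptions: an 80-bit session key, a 32-bit unit ID, a 16-bit checksum, and a SHA-256-based XOR "cipher" standing in for the chip's real cipher. The receiver holds no escrow database, so the only part of an incoming LEAF it can check is the short checksum, and a rogue sender just keeps trying random LEAFs until one passes.

```python
import hashlib
import hmac
import random
import struct

# Simplified model of the Clipper LEAF described above. Assumed parameters
# (not stated in the comment): 80-bit session key, 32-bit unit ID, 16-bit
# checksum, and a toy SHA-256 XOR cipher standing in for the real chip cipher.
SK_LEN = 10                      # 80-bit session key
ID_LEN = 4                       # 32-bit chip unit ID
CK_LEN = 2                       # 16-bit LEAF checksum
LEAF_LEN = SK_LEN + ID_LEN + CK_LEN
FAMILY_KEY = b"family-key-burned-into-every-chip"   # constructed value


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 derived pad (<= 32 bytes); XOR is its own inverse."""
    assert len(data) <= 32
    pad = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def leaf_checksum(session_key: bytes, iv: bytes) -> bytes:
    """Checksum over values every chip knows: session key, IV, family key."""
    return hmac.new(FAMILY_KEY, session_key + iv, hashlib.sha256).digest()[:CK_LEN]


class ClipperChip:
    def __init__(self, unit_id: int, unit_key: bytes):
        self.unit_id = unit_id
        self.unit_key = unit_key        # escrowed copy lives in the DoJ database

    def make_leaf(self, session_key: bytes, iv: bytes) -> bytes:
        """Sender: E_family( E_unit(session_key) || unit_id || checksum )."""
        body = (toy_encrypt(self.unit_key, iv, session_key)
                + struct.pack(">I", self.unit_id)
                + leaf_checksum(session_key, iv))
        return toy_encrypt(FAMILY_KEY, iv, body)

    @staticmethod
    def accept_leaf(leaf: bytes, session_key: bytes, iv: bytes) -> bool:
        """Receiver: it has no escrow database, so it cannot check that the
        unit-key part really wraps the session key. All it can test is the
        16-bit checksum, and that is the whole weakness."""
        body = toy_encrypt(FAMILY_KEY, iv, leaf)
        return body[SK_LEN + ID_LEN:] == leaf_checksum(session_key, iv)


def escrow_recover(leaf: bytes, iv: bytes, escrow_db: dict):
    """Law enforcement: family key + escrowed unit key -> session key."""
    body = toy_encrypt(FAMILY_KEY, iv, leaf)
    enc_sk = body[:SK_LEN]
    unit_id = struct.unpack(">I", body[SK_LEN:SK_LEN + ID_LEN])[0]
    unit_key = escrow_db.get(unit_id)
    return None if unit_key is None else toy_encrypt(unit_key, iv, enc_sk)


def forge_leaf(session_key: bytes, iv: bytes, rng: random.Random,
               max_trials: int = 2_000_000):
    """Rogue sender: throw random LEAFs at the receiver's check until one
    passes. With a 16-bit checksum that is about 2**16 tries on average."""
    for trials in range(1, max_trials + 1):
        cand = rng.getrandbits(8 * LEAF_LEN).to_bytes(LEAF_LEN, "big")
        if ClipperChip.accept_leaf(cand, session_key, iv):
            return cand, trials
    return None, max_trials


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    chip = ClipperChip(unit_id=0x1234, unit_key=rand(16))
    escrow_db = {chip.unit_id: chip.unit_key}
    session_key, iv = rand(SK_LEN), rand(8)

    honest = chip.make_leaf(session_key, iv)
    forged, trials = forge_leaf(session_key, iv, rng)
    return {
        "honest_accepted": ClipperChip.accept_leaf(honest, session_key, iv),
        "honest_recovered": escrow_recover(honest, iv, escrow_db) == session_key,
        "forged_accepted": forged is not None,
        "forged_recovered": (forged is not None
                             and escrow_recover(forged, iv, escrow_db) == session_key),
        "trials": trials,
    }


if __name__ == "__main__":
    print(demo())
```

    The honest LEAF passes the receiver's check and escrow recovers the session key from it; the forged LEAF also passes, but escrow recovers nothing useful because the unit ID and wrapped key inside it are random bytes. The cost of the forgery is governed purely by the checksum width, which is why a longer checksum (or a checksum the receiver cannot verify without escrow cooperation) is the obvious fix, at the cost of making the LEAF bigger.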
  • by Bonker (243350) on Thursday September 20, 2001 @01:31PM (#2326507)
    If a normal guy like me can come up with these, you know that scary, insidious, Terrorist types are lightyears ahead:

    1. Use existing crypto programs or write your own. Anyone with access to a high-level math textbook or a book on encryption and a little bit of coding experience can currently write crypto that is brute-forceable only by supercomputers. The same is true of the existing versions of PGP and other crypto programs available world-wide.

    2. Steganography. Apps exist world-wide that will hide plain or crypted data in all sorts of things. Images, MP3's, Spam Mail, etc...

    3. Use non government-controlled channels to transmit data. Sneaker-net, by definition, is uncrackable without a spy in the house. No technology currently allows LEO's to read a CD without first placing it in a drive. This may not be far off, but it's still effective, so far as I know. Also, most phone companies can be persuaded to install 'burglar alarm' circuits that are just non-powered plain copper between any two given locations.

    4. XOR Crypted data in a manner so that if decrypted without first XORing it back, it will decrypt into useless, but not random information. I'm not a coder, but I can imagine that some talented hacker somewhere could come up with a scheme of encoding a crypted message so that it decrypted as Mom's cookie recipe if you didn't decode it properly.

    5. For communications in which anonymity is more important than secrecy, use existing file-sharing networks to propagate messages. Freenet is the best example of this.

    6. Transmit textual data in non-standard image formats. Ascii text is easy to detect. A compressed PNG of text data would be much more difficult to detect, especially by automated methods. A compressed or reencrypted raw bitmap would be even more difficult to detect. Existing image scanning programs work by scanning for a predetermined signature. Making images of text so that there is no signature possible is fairly easy in photoshop.
  • Simple (Score:5, Insightful)

    by TrumpetPower! (190615) <ben@trumpetpower.com> on Thursday September 20, 2001 @01:32PM (#2326511) Homepage
    We've been hearing about adding crypto back doors for the government to snoop on us, but how would they work? Would there be one key that could be cracked opening up all such traffic?

    If you're talking about public key cryptography or some form of key exchange protocol (such as what happens with PGP, SSL, and the like), then, yes, there'll be more than one key that can decrypt the message. PGP already allows you to encrypt a message to more than one recipient; a simple solution would be to require all software to always encrypt to Uncle Sam's key in addition to the intended recipients.

    The other solution is to weaken the encryption algorithm in some way. There are very subtle approaches, but the simplest is to limit the length of the key. A 40-bit key takes half as long to crack with brute force as a 41-bit key, and a 42-bit key takes twice as long again (all else being equal). If you have an application that uses 128-bit keys, it could be ``dumbed down'' to a 40-bit key by forcing all keys to start with 88 zeroes (or some other known pattern).

    How to get people to use such software when there's a wealth of reliable strong cryptographic software readily available is left as an exercise to the reader.

    Also, how would/does the government know whether a bitstream is random bits, or encrypted data?

    Most encrypted streams have header information to make identification easy for the recipient. If you've ever gotten PGP-signed or -encrypted email, you've seen ``BEGIN PGP MESSAGE'' or some such at the top.

    You could, of course, remove all such identification. If the encryption method is strong, what remains is provably indistinguishable from pure noise. If the recipient adds the identification back--if she puts ``BEGIN PGP MESSAGE'' before the bits--the result can be fed to the decryption process without trouble.

    But how many people send random bitstreams to each other? Somebody doing so would stand out like a sore thumb against the usual traffic of ASCII.

    The most commonly accepted solution is steganography, the art of hiding secrets in plain sight. ``All the twenty clever kings'' could mean ``attack'' if you were to just look at the first letter of every word. Common modern methods of steganography include encoding the message in the low-order bits of a JPEG, but the field is still young and many techniques are a bit crude. If ``they'' are already looking at you, ``they'' will have a good chance of finding the message.

    As always, Bruce Schneier's Applied Cryptography is a wonderful resource.

    b&


    • "...how would/does the government know whether a bitstream is random bits, or encrypted data?"


      Audio data looks random. MP3 data looks random. What's to stop someone from recording an analogue message in the high or low frequency range of a music recording, then bladeenc it to mp3 and transmit it in the clear? Still looks random.

      How much mp3 traffic flows across the 'Net? >:)

      That's a lot of random-looking bits.
  • first, i'm not a lawyer.

    too much time is being spent thinking about the technical aspects of enforcement and use of 'backdoors'. what everyone's failing to realize is that the technical aspects of crypto laws are irrelevant. it's how they will be used that's important. if any crypto laws are passed, they'll be used in prosecution and trial rather than proactively enforced.

    picture this scenario: you are a criminal who has been sending encrypted messages to someone else. you're busted, and on trial you are asked to decrypt the messages. you refuse. you are then thrown in jail for not complying with the crypto laws.

    again, i'm not a lawyer, but it seems that if crypto laws will work in this manner, we are throwing away our 5th amendment right to refuse to incriminate ourselves.

  • It's my primitive understanding of the court system that during a trial, the records of phone calls may be entered into evidence. This is not the actual content of the call, and who made the calls is not part of the evidence. Just the fact that one telephone called another telephone.

    Why then must the Feds know what is in a message? If the fact of transmission of a message is adequate, at least in the courts, then why does the content need to be known?

    Also, why does the Government believe that it should have the right to be a party to all conversations? If the Feds had a time machine, and could travel back in time and listen in on any conversation, I believe that would be ruled an invasion of privacy. How then is decrypting a message any different?
  • by Zwack (27039) on Thursday September 20, 2001 @01:34PM (#2326535) Homepage Journal
    This is a long post (for me)... It basically contains the majority of a letter that I sent to my representative and senators... It basically states a number of reasons that I think this proposal is inoperable. I encourage all of you to contact your elected representatives as well.

    Adam/Zwack

    As I feared when I first saw the attack on the World Trade Center, it has been reported (http://www.wired.com/news/politics/0,1283,46816,00.html) that "Sen. Judd Gregg (R-New Hampshire) called for a global prohibition on encryption products without back doors for government surveillance."

    Media reports have made it appear that Osama Bin Laden may have used encryption, but it is more likely that he relied on a lack of technology. According to the media, Bin Laden held face-to-face meetings in a private room rather than trusting that the communications channel was not intercepted. One journalist who has met him had some newspapers with him and Bin Laden is reported to have pounced on them and read them as he was so out of touch with the outside world.

    Even if there is a ban on encryption products, older encryption products already exist without those back doors. Writing encryption software is not too complicated (Applied Cryptography is about $40) and terrorists and criminals are not going to worry about breaking yet another law. So who would this affect? Criminals? No. Terrorists? No. Penry, The Mild Mannered Janitor? Could Be.

    Anyone can do a little research and find out that there are other techniques that cannot be legislated against that are just as effective for secret communications.

    Ronald Rivest, one of America's foremost cryptographers published a paper in 1998 called "Chaffing and Winnowing: Confidentiality without Encryption." (http://theory.lcs.mit.edu/~rivest/chaffing.txt) In it he describes a method for plain text communication which does not rely on encryption to hide the message. He then goes on to add more twists to the method, which mean that if someone demanded the actual message you could give them a completely false, and presumably inoffensive, message.

    If that wasn't enough to make legislation on encryption pointless, then steganography, the practice of hiding one message inside another, could be used either independently or with "Chaffing and Winnowing". It is possible for messages to be hidden within pictures, movies, sound files and even Stream of Consciousness-like poems easily. The sophistication of some of the programs is astounding. One program (http://www.outguess.org/) actually performs a statistical analysis on the image first to ensure that in hiding the message it does not modify the image too much.

    There are numerous other non-technological techniques that could make this law pointless. For example, the terrorists could choose a book, say Hamlet, and spell out their message with the words or letters in that book. A message like "42 23 17 65" is not going to mean much to anyone until they know that in a specific edition of a specific book they should read the twenty third word on page 42, the 65th word on page seventeen... and so on.

    They could use a simple code where phrases mean certain things. So "I went to see the new production of Oscar Wilde's Importance of Being Earnest" might mean "The birthday cake arrives tomorrow". As long as only the parties involved know the code phrases, and their meanings this kind of communication is impossible to break.

    If encryption software without back doors is outlawed, what will terrorists do? If they're paranoid they'll use illegal encryption to encrypt a code phrase, hide it in an image, and then mix it with several completely innocent, and some totally random streams using chaffing techniques.

    That way, by the time the NSA have worked out which streams contain real messages, figured out that one or more of the images contains a steganographically hidden message and broken the encryption on it, they will have wasted weeks in order to get a perfectly normal sentence that isn't going to mean anything to them anyway.

    In that same period of time, several companies who are obeying the law and not using encryption will have had their company secrets stolen by other companies, as they couldn't encrypt confidential messages between two of their offices. The French Secret Service was known to pass trade secrets to French companies when the French government was strictly controlling encryption. Add to that the many completely innocent uses of encryption for security and confidentiality: communicating with banks, logging on to remote servers, protecting medical records, implementing Virtual Private Networks and so on. Banning encryption that the government can't decode is more likely to cause harm to the law abiding citizen than it is to stop or reduce terrorist or criminal activities.

    In short, any attempt to regulate the free flow of ideas, whether encrypted or unencrypted is only going to hinder law abiding citizens, and effectively punish them, without providing any additional safety. Remember that these hijackings were very low tech, no computers were hacked, no high technology weapons were used, just people armed with knives and the willingness to die.
  • Several options (Score:4, Informative)

    by jd (1658) <<moc.oohay> <ta> <kapimi>> on Thursday September 20, 2001 @01:35PM (#2326542) Homepage Journal
    • Key Escrow, where some percentage of the private key is registered with the Govt.
    • Synonyms (which requires weak algorithms), where a third "key" is generated, which is different from, but functionally identical to, the private key. One way to do this is to fix certain bits. This was accidentally done in some early SSL implementations for Netscape.
    • DH duplicates, where key exchanges are automatically forwarded by the hardware and/or software.
    • "Skeleton Keys", where the hardware logs the keys used, and transmits them on request.
    • A requirement to use Microsoft encryption code. Ooops, sorry, already covered. :)
    • Plain-text logging by hardware, prior to all encryption, available on request.
    • Requirement for HW manufacturers to build TEMPEST into all machines, with images forwarded.
    • Keyboard loggers mandatory on all machines, with data stored and/or forwarded.
    • A return to mainframe-style machine operation, where everything is handed over to approved operators. (So THAT's why certification programs are so popular....! :)
    • A ban on all privately-owned computers, with all machines becoming dumb terminals to a central machine. One box to rule them all, and in the darkness BIND them...

  • So while many years it was illegal to export more than 56 bit encryption out of USA, now it will be illegal to IMPORT the same :)))

    Wake up, America, the world is laughing at you.

  • How Would Crypto Back Doors Work?
    1. The government requires the publishers of crypto software to install some sort of digital "skeleton key".

    2a. Corrupt politicians use the back door to dig up dirt on their political opponents, like Filegate and COINTELPRO.

    2b. Crooks compromise one of the agents who knows about the back door, and use it to forge big money transfers to themselves and a free ticket to the Cayman Islands.

    2c. Terrorists get hold of the back door, and use it to forge all sorts of false communications to create chaos.

    2d. An 3133t hacq3r d00d cracks the back door, and uses it to replace your bank records with a picture of Natalie Portman engaged in topless grits-wrestling.

    Oh... you meant to ask how crypto back doors are supposed to work? Ask the people who came up with this hare-brained scheme.
  • The way key escrow systems work is the decryption key is encrypted using a new randomly generated key. (This can be repeated for keys to be escrowed with more than two entities.) The new key(s) and the encrypted decryption key are then sent to different escrow agents. Since both the encrypted key and the key(s) used to encrypt it are required to recover the decryption key and decode messages, it requires the cooperation of all the escrow agents to gain such access.

    All that is left is a method of preventing people from using key sets that haven't been escrowed; this can be done by designing cryptographic hardware to only use keys that have been digitally signed by the authority that generated the escrow keys.

    Note that when using a general-purpose computer to perform encryption and decryption, there is no easy way to prevent people from using unescrowed keys. Software designed to check for such things can always be patched and disabled.
  • by r_j_prahad (309298) <r_j_prahad&hotmail,com> on Thursday September 20, 2001 @01:42PM (#2326593)
    In theory, a keylist will be held in escrow by a division of the Supreme Court, and only released to investigators who can satisfy the same criteria needed for an ordinary wiretap.

    In reality, the keylist will be posted on alt.hackers.malicious within 24 hours of being delivered under seal to the Supremes.
  • I'm sure echelon can handle ROT13, but can it handle ROT14? One problem is a minor change in the encryption formula can make the government's efforts futile. Rotate the bits right, rotate them left, invert them, invert the high 4, rotate the low 4, there's lots of combinations. Even if they programmed all the different variations in, it would take a bit of time to process a single e-mail.

    What about encryption formulas created in other countries? Didn't we just get past the point where we can export basic encryption. Are they going to ban importing (maybe they already did, I don't know).

    I don't know the answers, unfortunately, neither does the government, but they're gonna pass some laws anyways.
  • Bruce Schneier has all sorts of stuff to say about crypto in "Applied Cryptology [counterpane.com]."

    See also his webpage search thingy [counterpane.com], which links to a bunch of articles specific to escrow.

  • The government really has no choice. Breaking encryption is now illegal, so these backdoors are the only way for them to try and read encrypted messages.
  • It's easy enough to defeat the backdoor. Double encrypt your message. Once with software that the government does not have a key for and again with the approved method. This way any message that you send will look like gibberish when decrypted with the government key. This will have the added benefit of foiling sniffers that route messages encrypted by un-approved methods to an agency that sorts through them.


    The root of this problem is that it can never, EVER work. Mainly because we have freedom of speech, the government can pass as many laws as it likes on legal encryption but they can't enforce them. Think of the civil-disobedient potential. You could get thousands of people to send random encrypted gibberish to one another. Just because the government can't understand it doesn't make it illegal, what's the difference between that and encrypted meaningful information. The answer is none. This is all simply a case of communicating in a language that the government doesn't understand... all well within our rights.

  • Counterpane, a.k.a "Bruce Schneier's Headquarters" has an article about using a deck of cards for encryption here [counterpane.com].

    So I guess even playing a game of bridge will get you thrown in jail.
  • I have no idea if this is how the usual "key escrow" proposals work, but here is a way to do it:

    The software generates a random session key, and block-encrypts the plaintext with it. Then it stores two copies of this session key along with the ciphertext. One copy of the key is encrypted with the user's secret key. The other copy is encrypted with the Big Brother's public key.

    To decrypt the message, a "normal" user, who knows the user's secret key, uses that to get the session key, and uses the session key to get the plaintext. If Big Brother wants to read the message, he uses his private key to decrypt the other copy of the session key, and reads the plaintext that way.

  • There's several ways to do it, for example:

    #1 "Key Escrow" - All your keys are simply registered with big brother. To reduce the logistical nightmare, you would likely just register special backdoor keys used to encrypt the session key, which would then be included with the message.

    #2 Big brother publishes one or more public keys, to be used to encrypt each session key, which is then included with each message.

    The BXA/NSA guidelines for getting permission to export strong crypto include full disclosure on your data formatting, headers, compression, etc. The review process includes submission and approval of test vectors.

    It should be noted that once these are required by law, compliance testing could be automated by building systems holding the private keys and testing recovery on live data.

    It should also be noted that since (1) no terrorists would use such software; and (2) terrorists are already using steganography to obscure their encrypted data from trivial recognition as ciphertext: This entire effort will have ZERO impact on real terrorism. It's just an attempt by the NSA/FBI to retain their historical ability to eavesdrop trivially on all ordinary civilians everywhere without warrants or oversight. Last week's events were just the pretext they've been waiting for. Anyone telling you different is ignorant or has an agenda...
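  The session-key escrow design that this comment, the "two copies of the session key" comment above it, the "encrypt to Uncle Sam's key too" suggestion and the "two escrow agents must cooperate" description all sketch, as one added working model (illustration code, not from any of those posters or from any real escrow product). Assumptions: a SHA-256 counter keystream is the toy cipher, XOR wrapping under a shared escrow key stands in for the public-key step, and the escrow key is split into two XOR shares held by separate agents. The model also runs the "double encrypt under a key you never escrowed" countermeasure from the thread to show what the escrow side then sees.

```python
import hashlib
import os

# Added example of the session-key escrow design sketched in the comments.
# Assumptions: a SHA-256 counter keystream is the toy cipher, and XOR key
# wrapping under a shared "escrow key" stands in for the public-key step.


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]


def xor_with(key: bytes, label: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


def split_two(secret: bytes):
    """Two XOR shares: a one-time pad of the secret and the pad itself.
    Either agent alone holds uniformly random bytes and learns nothing."""
    pad = os.urandom(len(secret))
    return pad, bytes(x ^ y for x, y in zip(secret, pad))


def join_two(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def escrowed_encrypt(plaintext: bytes, recipient_key: bytes, escrow_key: bytes) -> dict:
    """Per-message session key, wrapped once for the recipient and once for
    the escrow authority; the escrow copy rides along with the ciphertext."""
    session_key = os.urandom(16)
    return {
        "ciphertext": xor_with(session_key, b"msg", plaintext),
        "sk_for_recipient": xor_with(recipient_key, b"wrap", session_key),
        "sk_for_escrow": xor_with(escrow_key, b"wrap", session_key),
    }


def recipient_decrypt(msg: dict, recipient_key: bytes) -> bytes:
    session_key = xor_with(recipient_key, b"wrap", msg["sk_for_recipient"])
    return xor_with(session_key, b"msg", msg["ciphertext"])


def escrow_decrypt(msg: dict, share_a: bytes, share_b: bytes) -> bytes:
    """Both escrow agents must cooperate to reassemble the escrow key."""
    escrow_key = join_two(share_a, share_b)
    session_key = xor_with(escrow_key, b"wrap", msg["sk_for_escrow"])
    return xor_with(session_key, b"msg", msg["ciphertext"])


def demo() -> dict:
    recipient_key = os.urandom(32)
    escrow_key = os.urandom(32)
    share_a, share_b = split_two(escrow_key)     # held by two separate agencies
    plaintext = b"meet at the usual place at noon"   # constructed message

    msg = escrowed_encrypt(plaintext, recipient_key, escrow_key)

    # Countermeasure from the thread: pre-encrypt under a key that was never
    # escrowed. The escrow path still "works" but only yields the inner layer.
    private_key = os.urandom(32)
    inner = xor_with(private_key, b"inner", plaintext)
    msg2 = escrowed_encrypt(inner, recipient_key, escrow_key)

    return {
        "recipient_ok": recipient_decrypt(msg, recipient_key) == plaintext,
        "escrow_ok": escrow_decrypt(msg, share_a, share_b) == plaintext,
        "one_agent_alone": escrow_decrypt(msg, share_a, os.urandom(32)) == plaintext,
        "escrow_sees_plaintext_when_double_encrypted":
            escrow_decrypt(msg2, share_a, share_b) == plaintext,
        "recipient_after_inner_layer":
            xor_with(private_key, b"inner",
                     recipient_decrypt(msg2, recipient_key)) == plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

  Two things fall out of running it. The split-key step really does force cooperation: one share plus anything else gives garbage, so the "two agencies" promise is enforceable in the maths even if nothing else about the database is. And the escrow path is only as good as the software's willingness to put the real session key in the escrow copy; the double-encrypted message decrypts cleanly through escrow into noise, which is exactly why such a scheme has to be paired with mandated, tamper-resistant implementations rather than ordinary software.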

  • Basically, the method the crypto backdoors work is by putting a known, designed-in weakness into the algorithm. For example, it could leak key bits into the encrypted stream. The government could then pick the key bits back out of the stream and use them to either directly decrypt the data, or use it to simplify a brute forcing ("OK, we know what 112 bits of the 128 bit key are- now all we need to do is brute force the last 16.")

    There is an obvious problem with this from the cryptological angle- the encryption algorithm has to remain secret. Once you figure out the encryption scheme, and notice where the key information is being leaked, you too can take advantage of the back door. It's the classic problem with master keys- once they get out and get duplicated, it quickly becomes worthless to have the locks. So not only do you not dare publish the algorithm, you do not dare let anyone reverse engineer it.
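  The "leak 112 bits, brute-force 16" weakness this comment describes, and the "fix 88 of 128 key bits" variant from the earlier Simple answer, come down to the same search, shown here as an added example (constructed toy code, not any real cipher or anything the posters wrote). Assumptions: a 128-bit key, a SHA-256-pad XOR "cipher", a header that carries 112 key bits XORed with a fixed mask, and a known-plaintext crib at the start of every message. Anyone who learns the mask (by reverse engineering, or by being the insider who designed it) recovers the key in at most 65,536 trials.

```python
import hashlib
import os

# Added example of a "designed-in weakness": the cipher leaks 112 of its 128
# key bits in a header, lightly masked, leaving 16 bits to brute-force. The
# cipher, the mask and the crib are constructed toys; the key-space arithmetic
# is the point.
KEY_LEN = 16                     # 128-bit key
LEAKED = 14                      # 112 bits leak, 16 bits stay secret
LEAK_MASK = hashlib.sha256(b"obscurity-is-not-security").digest()[:LEAKED]
CRIB = b"MESSAGE:"               # known plaintext header every message starts with


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with a SHA-256 pad derived from the key (<= 32 bytes, toy only)."""
    assert len(key) == KEY_LEN and len(plaintext) <= 32
    pad = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(plaintext, pad))


def backdoored_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Same cipher, but the header carries key[:14] XOR LEAK_MASK. To anyone
    who does not know the mask it looks like an IV; to anyone who does, it is
    112 bits of key."""
    header = bytes(k ^ m for k, m in zip(key[:LEAKED], LEAK_MASK))
    return header + toy_encrypt(key, plaintext)


def recover_key(stream: bytes):
    """Insider attack: unmask the leaked bits, then brute-force the last 16
    against the crib. Fixing 88 key bits to zero (the other trick in the
    thread) is the same loop over a different 40 unknown bits.
    Returns (key, trials)."""
    header, ct = stream[:LEAKED], stream[LEAKED:]
    known = bytes(h ^ m for h, m in zip(header, LEAK_MASK))
    unknown_bytes = KEY_LEN - LEAKED
    for guess in range(1 << (8 * unknown_bytes)):
        candidate = known + guess.to_bytes(unknown_bytes, "big")
        if toy_encrypt(candidate, ct)[:len(CRIB)] == CRIB:
            return candidate, guess + 1
    raise ValueError("no key matched the crib")


def effective_key_bits(leaked_bits: int, total_bits: int = 8 * KEY_LEN) -> int:
    """What the attacker actually has to search."""
    return total_bits - leaked_bits


def demo() -> dict:
    key = os.urandom(KEY_LEN)
    stream = backdoored_encrypt(key, CRIB + b" attack at dawn")   # constructed
    found, trials = recover_key(stream)
    return {"key_recovered": found == key,
            "trials": trials,
            "effective_bits": effective_key_bits(8 * LEAKED)}


if __name__ == "__main__":
    print(demo())
```

  The masking buys nothing once the mask is known, which is the comment's master-key point: the "secret" that protects every user is a single constant baked into every copy of the software, and it only has to leak once.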
  • I saw a presentation from a Dr. David Fu with the NSA and he talked (he had to get approval from his boss on the outline) about how one would look at a stream of data (radio pickup) and using statistic info, detect if this fits into the idea of "random" or if it falls into the other category. I would assume that real approaches use something beyond the simple math that was presented to our undergraduate minds, but I know it sure made me think. I didn't take notes at the time, but those of you in colleges and/or cool schools, contact the NSA and see if they might have a PR team, or a person working there who is a graduate of your institution who might want to come back and give a little talk.
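  The kind of "simple math" statistical test the comment above alludes to, and the point made earlier in the thread that armored PGP is easy to spot while stripped ciphertext is indistinguishable from noise, as one added example (constructed code, not from the talk or from any poster). It computes byte entropy and a chi-square test against a uniform byte distribution over four constructed samples: repeated ASCII text, PGP-style armored ciphertext, raw PRNG output, and raw output of a toy SHA-256 keystream cipher. The classifier flags the first two and cannot tell the last two apart.

```python
import base64
import hashlib
import math
import random
from collections import Counter

# Added example: byte-level statistics of the kind a traffic filter could run.
# All samples below are constructed; the "cipher" is a toy SHA-256 keystream.
SAMPLE_LEN = 8192


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; uniform bytes approach 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees
    of freedom). Uniform input scores near 255; text scores in the thousands."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data: bytes, entropy_floor: float = 7.9,
                 chi_ceiling: float = 400.0) -> bool:
    """Crude classifier: high entropy and a flat histogram."""
    return (byte_entropy(data) >= entropy_floor
            and chi_square_uniform(data) <= chi_ceiling)


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (toy cipher, not for real use)."""
    blocks = (len(data) + 31) // 32
    pad = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, pad))


def build_samples() -> dict:
    rng = random.Random(2001)                          # deterministic "random"
    text = (b"We've been hearing about adding crypto back doors for the "
            b"government to snoop on us, but how would they work? ")
    text = (text * (SAMPLE_LEN // len(text) + 1))[:SAMPLE_LEN]
    raw_random = bytes(rng.getrandbits(8) for _ in range(SAMPLE_LEN))
    ciphertext = toy_stream_encrypt(b"constructed-key", text)
    armored = (b"-----BEGIN PGP MESSAGE-----\n"
               + base64.encodebytes(ciphertext)
               + b"-----END PGP MESSAGE-----\n")
    return {"ascii_text": text, "armored_ciphertext": armored,
            "raw_random": raw_random, "raw_ciphertext": ciphertext}


def classify_samples() -> dict:
    return {name: looks_random(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name:20s} entropy={byte_entropy(data):.3f} "
              f"chi2={chi_square_uniform(data):9.1f} random?={looks_random(data)}")
```

  The armored sample fails for the same reason plain text does: base64 uses 64 of 256 byte values, so its histogram is nowhere near flat. Stripped of the armor, the ciphertext and the PRNG bytes produce the same entropy and the same chi-square band, which is the practical content of "provably indistinguishable from noise": a filter can flag high-entropy traffic, but it cannot say which of it is encrypted.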


  • to answer your question, the government backdoor would be the Secret Password : "joshua"

    if the government tries to enforce this, just bookmark http://www.pgpi.com [pgpi.com].

  • -----BEGIN PGP MESSAGE-----
    jA0EBwMCqfZBng3VrnJg0nABTxB8dVsveql8FeH3E/0O50aY3/X3Cw2z8/0wUj/3
    umds2c5uH9w7ST4id0MwiWrCQ1qf81A+44SXhufxhkTQd0IAImIA81RRhiqeL2uO
    W+XE7EcSIhOrgnf2pwUm1rHpz6ey6gO3g+Vq4BvAEcNb
    =6Njf
    -----END PGP MESSAGE-----
  • There is good reason to suspect that Osama bin Laden has used encryption while discussing plans for terrorism. This has prompted USA to consider laws to regulate encryption, so that the USA can always listen to such discussions.

    There is even more reason to suspect that Osama bin Laden has been eating olives while discussing plans for terrorism. Therefore it would be much more effective to mandate all olive stones to carry a hidden microphone that would record and broadcast all discussions taking place in its vicinity, easily catching the political opponents - I mean terrorists.

    Some would say that it would be extremely difficult to make sure that every olive would carry its microphone. All it would take is an international treaty mandating microphones to be installed in all prepackaged olives, and outlawing any home production. Then some powerful international organization - or the US government - could go out and bomb all olive producers who do not comply with the microphone directive. Soon nobody would dare to produce rogue olives!

    Although this may sound like a totally unrealistic plan, it is in many ways more likely to succeed than any plan limiting the use of encryption. For the first, olives, small as they are, are physical items that will have to be grown somewhere, pickled and processed, and marketed. All this leaves a physical trail of physical olives moving around. On the other hand, cryptographic tools are ethereal words, easily transmitted by whisper, by graffiti, and other totally untraceable means. Besides, most of them are already published in books all around the world! And once an olive is eaten, the stone is discarded, and a new olive must be acquired, hopefully from a compliant source. Not so with crypto tools, they can be used over and over again, so if the foreign competition - I mean the terrorists - have already managed to gain access to some crypto tools, they can keep using them for ever.

    Besides, by betting its reputation on microphoning all olives, the US Government would make itself much less of a laughing stock than if they tried to launch a campaign to limit the discussion and use of encryption!

  • If any backdoor or escrow scheme is to be acceptable for the rest of the world, it must make sure that foreign governments have access to any and all encrypted communications used by US agencies suspected of industrial espionage.
  • So far the discussion seems to center on PGP and email. That's a bunch of bunk, because in addition to everything that everyone else has mentioned, there are several other routes around a crypto-Carnivore.

    1: Move to a different port: Conventionally, email is on port 25. Set up some email servers on some other port, and the content will sail right past Carnivore.

    2: Use a different channel, and don't forget that other encrypted channels have their own algorithms.

    2a: Use a different channel: Move files around with scp or sftp. Once again, doesn't register as email.

    2b: Use a different channel. Use secure websites as intermediaries. When the lock closes in the lower-left corner, it's safe to type your credit card number. It's also safe to communicate other information. Either extra fields can be added, or existing fields can be used. It may even be possible to use innocent eCommerce sites, assuming you've already cracked them.

    3: USB keyring hardfiles: Since these alternate channels don't leave encrypted files on the box, put the file on a USB keyring hardfile. Unplug from the system, and keep it on your keyring. If the G-men are after you, you have several options:
    a: Take a hammer to it.
    b: Scuff your feet, comb your hair, and zap it. They no doubt have ESD protection, but it's probably only good against accidents, not deliberately destructive ESD.
    c: Throw it into the traffic.
    d: Encrypt it using yet another algorithm - tcfs?

    So aside from any other concerns, simply doing something to PGP clearly is not sufficient. You'd need to also weaken https: and SSH, and sniff a LOT more traffic.

    But if SSH is given a back door, and we MUST assume that some black-hats or terrorists have recovered it, then how the heck do we do secure administration? We've just opened every remote-admin system to info-terrorism, as well as our eCommerce.

    Between weakened/broken encryption and key escrow, I'd choose the latter every time. Both are silly, and would only convey a false sense of security. If it's that serious, I'd think simple traffic analysis would be more informative.

    Imagine that A-crowd guy in high school or college you never liked, and always gave you a rough time. Then go through anonymizers, and start sending him encrypted datastreams. Fun, fun, fun.

    My letters went to my congressional delegation today.
  • by (codic) (214496)

    Some conspiracy theorists already claim that DES has a backdoor, even though there is no public evidence to support the theory and lots to suggest otherwise.

    When DES was invented (by IBM, IIRC) and the government wanted to adopt it as a standard, the NSA took a look at it and changed around the S-boxes (where S, I believe, is for Substitution) for the version that is actually used. They offered no description of how they created their S-boxes or what features they offered that the other ones didn't, etc.

    One possible explanation is that the NSA added a backdoor into DES that secretly weakened it somehow (e.g., the ciphertext provides information about the key to make an exhaustive key search several orders of magnitude quicker) to the point where they could decrypt a document without necessarily knowing the key ahead of time with a reasonable amount of effort.

    There is no public information about successful cryptanalysis of a full (16 round?) version of DES. That is, if such a backdoor exists, and if someone has found it, it's all very hush hush.

    The concept of backdoors in cryptosystems is really very messy. It depends way too much on keeping crucial information about the cryptosystem secret. Chances are, if you disclose enough details to implement a cryptosystem and say it has a backdoor, people (good and bad) are going to find it*. If you don't provide information on how it works, it can really only be implemented in "tamper-proof hardware" (a concept almost as flaky as cryptosystems with backdoors), since any software implementation could be disassembled.

    To answer your second question, they really can't (as I assume you suspected). So, if the sniffers found some data they couldn't decrypt, they would have to assume it is either, as you said, random data, or data encrypted with an outlawed (read "apparently secure") cryptosystem. In both cases, the sender must be trying to hide something from the government, and is therefore a threat and should be dealt with accordingly. Simple as that.

    For anyone who missed it, the current call is for a global ban on strong crypto, not a national one. And in this case "global" means really global, not a "World Series" kind of global.

    The next few weeks/months/years will potentially be filled with events and ideas, like this, that change the world we live in. I'm not afraid for our generation. Most of us know what freedom is like, and I really don't think it's something that can be taken away no matter how hard they try. But our unborn children and grandchildren don't. I don't want them living in a world where freedom and privacy are anything other than fundamental rights. I'm currently optimistic; I just hope that's not misplaced.

    * And if DES does have a backdoor and no one has found it, then the NSA deserves a pat on the back because they've stumped us all! :)

  • I explained this to someone else today when asked why I am staunchly against a backdoor/etc in a crypto program.

    A good crypto program is based on a function f[x] such that f[x1] = k, and you cannot find x1 if you know the function f[x] and the encrypted k. This, folks, is hardcore advanced mathematics!

    To add in a regulation that there be some "backdoor" (e.g., some function that will always take g[k] = x1 for an encrypted value k). Once that function g[x] is known by anyone (f[x] would have to be made in a way such that g[x] must exist btw.. it doesn't just happen) then the communications of everyone that uses that encryption algorithm are compromised.

    Think of the problems -- no secure transactions (halting "e-business"), no secure transmissions of trade secrets (look at France -- the companies just moved to a different country), and generally no information is secure.

    Now.. to find a way to convince/explain this all in everyday words...

    ideas?
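A concrete model of the g[k] the comment above describes, added here as an illustration and not part of the thread: the usual way a mandated backdoor is proposed is key escrow, where each message's session key is also wrapped under a single escrow key. The cipher below is a constructed teaching cipher (HMAC-SHA256 in counter mode, unauthenticated, standing in for f[x]); the function and key names are assumptions, not from any real escrow scheme. The point it shows is the one the comment makes: independent senders with unrelated session keys are all opened by the one escrow key, so that key's leak is a global compromise rather than a single user's.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes: HMAC-SHA256(key, nonce || counter) blocks.
    Constructed teaching cipher with no authentication; it stands in for f[x] above."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce prefixed to the XOR of plaintext and keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def seal_with_escrow(session_key: bytes, plaintext: bytes, escrow_key: bytes) -> dict:
    """An escrowed message (hypothetical format): the body is under the sender's own
    session key, and a second copy of that session key is wrapped under the mandated
    escrow key. That wrapped copy is the comment's g[k]: it exists by design, for
    every message, whether or not the sender wants it."""
    return {
        "body": encrypt(session_key, plaintext),
        "wrapped_session_key": encrypt(escrow_key, session_key),
    }


def open_as_recipient(session_key: bytes, msg: dict) -> bytes:
    """The intended reader needs only the session key they share with the sender."""
    return decrypt(session_key, msg["body"])


def open_with_escrow_key(escrow_key: bytes, msg: dict) -> bytes:
    """Whoever holds the escrow key first unwraps the session key, then the body."""
    session_key = decrypt(escrow_key, msg["wrapped_session_key"])
    return decrypt(session_key, msg["body"])


def recover_all(escrow_key: bytes, messages: list) -> list:
    """Blast radius of one leaked escrow key: every escrowed message from every
    sender, regardless of how independently their session keys were chosen."""
    return [open_with_escrow_key(escrow_key, m) for m in messages]


if __name__ == "__main__":
    escrow = secrets.token_bytes(32)          # the single key the regulation mandates
    alice_key = secrets.token_bytes(32)       # unrelated session keys per sender
    bob_key = secrets.token_bytes(32)
    traffic = [
        seal_with_escrow(alice_key, b"quarterly numbers attached", escrow),
        seal_with_escrow(bob_key, b"design doc for the new chip", escrow),
    ]
    print(open_as_recipient(alice_key, traffic[0]))
    print(recover_all(escrow, traffic))       # both plaintexts from one key
```

Removing the `wrapped_session_key` field from the format is exactly what the comment says cannot happen under such a regulation: the scheme has to be built so that g[x] exists for every message, and a recipient who strips it is, by definition, using an unapproved cryptosystem.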

  • Not very well, because Osama has turned off his phone [theregister.co.uk].
  • "Ask Aldrich Ames!"

    (Sorry, but it had to be said.)
    JMR

    Speaking ONLY for myself, as always.

  • Impossible (Score:3, Insightful)

    by Eric Seppanen (79060) on Thursday September 20, 2001 @03:34PM (#2327320)
    This is my way of explaining to non-geeks why crypto regulations will have near-zero effect:

    Imagine that somebody comes up with a way to build a bomb using sugar cookies. A building is blown up. Congress decides to regulate the sale of sugar cookies.

    Now any sane person will realize that this is pointless, because any idiot can make their own sugar cookies, and bypass all the regulations. So the regulations can only work if the ingredients are also regulated or banned (flour, sugar, eggs), or perhaps all the sugar cookie recipes are destroyed.

    At this point it's pretty obvious that such a scheme would never work. But somehow nobody seems to follow this logic when it comes to encryption. The only ingredients for encryption are general-purpose computers. The recipes are encryption algorithms and computer source code. The recipes can be rediscovered or recreated by smart mathematicians and computer programmers.

    So what are we going to do? Regulate computers? Mathematics? Encryption algorithms, dozens of which are published in textbooks around the world?

    You could no more regulate computers, mathematics, and algorithms today than you could flour, sugar, eggs, and sugar-cookie recipes. Even if you tried, it would have near-zero effect on the bad guys, and would only increase the risk that grandma's bank account gets emptied, because her password wasn't properly encrypted.

  • Putting a crypto backdoor in a piece of software is fairly trivial. There is quite a lot of literature about it and inserting a backdoor in say SSL is a very good exercise for students.

    Companies which take security seriously don't use windows for this reason and I doubt that any intelligence service would ever use any piece of software that has been created in a country other than its own. So how can one possibly imagine that "bad guys" would use backdoored software. They'll rewrite one of their own, that's all. Implementing an RC4 is a matter of hours...

    People have to realize that the Internet sets information free. Any kind of information. From anyone. To anyone. And there is nothing you can do against this.
  • by tmoertel (38456) on Thursday September 20, 2001 @03:49PM (#2327402) Homepage Journal
    It is impossible to prevent terrorists from using strong cryptography. Terrorists already use it and would continue to do so if it were illegal. However, if it were illegal, the number of messages that would be unreadable by law-enforcement personnel would be vastly reduced. Any remaining unreadable messages would provide strong evidence that the senders, and perhaps the intended recipients, are involved in some form of illegal activity, at the very least the illegal activity of using unapproved strong cryptography.

    Thus the primary purpose of the proposed legislation is not to allow law-enforcement personnel to read terrorists' communications -- terrorists will continue to use unreadable, strong cryptography -- but rather to narrow the search space that law-enforcement personnel must examine when hunting for suspected criminals. One would presume that if a person were discovered to have used unapproved cryptography, such evidence alone would be sufficient to obtain warrants for full searches, wire-tapping, keyboard recording, and the like, and those additional measures would likely yield hard evidence of any additional illegal activities. Thus it is not necessary to decrypt the criminals' messages: The illegally encrypted messages alone are sufficient to reveal suspects, and then old-fashioned investigative methods are likely to be effective.

    Of course, the effectiveness of this law-enforcement technique depends on having a practical and enforceable definition of "unapproved cryptography". The problem for law-enforcement personnel -- and law-abiding citizens who wish to protect their legitimate secrets -- thus becomes determining what constitutes an illegally encrypted message. It is well known that a message that has been encrypted with a one-time-pad cannot be distinguished from a string of random bits. Should the government also make access to true randomness illegal so that any string of bits that seems sufficiently random can be assumed to be an illegally encrypted message? Further, is it realistic to believe that covert channels and steganography are detectable?

    If not, how will law-enforcement personnel detect illegally encrypted messages? And what if they can't? In that case, what real security have we citizens purchased by sacrificing our liberties?

    Those are the questions I want my government to answer. Until they are answered -- and hard evidence provided to support the answers -- I must remain sceptical.
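Two comments above make the same claim about the original poster's second question: the earlier one says the sniffers "really can't" tell random bits from ciphertext, and tmoertel's says one-time-pad output "cannot be distinguished from a string of random bits". The example below, added here and not from the thread, puts numbers on that. It runs the two statistics a sniffer could actually compute on a bitstream without a key (byte entropy and a chi-square test against a flat distribution) over three equally long samples: a constructed plaintext, that plaintext under a one-time pad, and pure random noise. The message, function names and the 7-bits-per-byte threshold are assumptions for the illustration.

```python
import math
import secrets
from collections import Counter

# Constructed sample message (not from the thread), repeated to about 4 KiB so that
# the three bitstreams compared below all have the same length.
MESSAGE = (b"Meet at the usual place at noon. Bring the second set of documents "
           b"and do not call before then. ") * 43
SAMPLE_LEN = len(MESSAGE)


def one_time_pad(plaintext: bytes, pad: bytes) -> bytes:
    """XOR with a truly random pad at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram in bits per byte; 8.0 is the maximum."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_vs_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a flat 256-symbol
    distribution. For uniform bytes it sits near its 255 degrees of freedom;
    for English text it is in the thousands."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def flagged_by_entropy_sniffer(data: bytes, threshold: float = 7.0) -> bool:
    """The only rule a keyless sniffer can apply: 'too random to be plaintext'.
    It fires on one-time-pad ciphertext and on genuine noise alike, which is the
    point: the statistic cannot say which of the two it is looking at."""
    return byte_entropy(data) >= threshold


def samples() -> dict:
    """Three equally long bitstreams: plaintext, OTP ciphertext, random noise."""
    pad = secrets.token_bytes(SAMPLE_LEN)
    return {
        "plaintext": MESSAGE,
        "otp_ciphertext": one_time_pad(MESSAGE, pad),
        "random_noise": secrets.token_bytes(SAMPLE_LEN),
    }


if __name__ == "__main__":
    for name, data in samples().items():
        print(f"{name:15s} entropy={byte_entropy(data):.3f} "
              f"chi2={chi_square_vs_uniform(data):8.1f} "
              f"flagged={flagged_by_entropy_sniffer(data)}")
```

Run it and the plaintext row stands apart (entropy around 4 bits per byte, chi-square in the thousands) while the ciphertext and noise rows agree to within sampling error on both statistics. Any threshold that catches the pad output also catches compressed files, random keys and nonces, and anything else that is legitimately high-entropy, which is what makes "unapproved cryptography" so hard to define on the wire.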
