SoylentNews is people
SoylentNews
Riana Pfefferkorn, a Cryptography Fellow at the Center for Internet and Society at Stanford Law School, has published a whitepaper on the risks of so-called "responsible encryption". This refers to inclusion of a mechanism for exceptional access by law enforcement to the cleartext content of encrypted messages. It also goes by the names "back door", "key escrow", and "golden key".
Federal law enforcement officials in the United States have recently renewed their periodic demands for legislation to regulate encryption. While they offer few technical specifics, their general proposal—that vendors must retain the ability to decrypt for law enforcement the devices they manufacture or communications their services transmit—presents intractable problems that would-be regulators must not ignore.
However, with all that said, a lot more is said than done. Some others would make the case that active participation is needed in the democratic process by people knowledgeable in use of actual ICT. As RMS has many times pointed out much to the chagrin of more than a few geeks, "geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone." Again, participation is needed rather than ceding the whole process, and thus its outcome, to the loonies.
Source : New Paper on The Risks of "Responsible Encryption"
Related:
EFF : New National Academy of Sciences Report on Encryption Asks the Wrong Questions
Great, Now There's "Responsible Encryption"
(Score: 3, Interesting) by Anonymous Coward on Sunday February 18 2018, @01:48PM (20 children)
Retain existing encryption code (it won't magically vanish), send your own manually encrypted gunk thru unsafe network.
(Score: 4, Insightful) by Grishnakh on Sunday February 18 2018, @02:19PM (19 children)
Retain existing encryption code (it won't magically vanish), send your own manually encrypted gunk thru unsafe network.
Two problems with that idea:
1. Compatibility: everyone else will be using the "responsible" crypto protocols, so using today's existing code will be about as useful as, oh, sending a PGP-encrypted email to your grandmother. Vendors like Apple will build the FBI-approved stuff into their devices, and block unapproved stuff from their walled garden app stores. So anyone using non-conforming crypto will stick out and be easily detected, and will be very suspicious.
2. Legality: Non-conforming crypto can be simply banned, and with all the snooping on the internet, pretty easily detected. You'll have to resort to steganography, and the only reason you'd want to go down this route is because you really *are* up to something.
Realistically, #1 is the most likely scenario. They don't need to ban current crypto, they just need to render it irrelevant by getting current vendors to adopt their preferred backdoored solutions. Criminals/terrorists usually just use stuff that's commonly available. Remember, the San Bernardino shooters had iPhones which the FBI was mad about not being able to easily get into. If Apple had had a backdoor, then they wouldn't have had this problem, and if that were the case, the likelihood that those shooters would have been savvy enough to jailbreak their phone and install some other kind of crypto app and then use that for communications is pretty low.
The problem is that competent criminal organizations *will* have enough savvy to do that, and then get their members to use it (criminal organizations do have "IT departments" these days), so this stuff would only help the FBI get into the devices of lone wolves and other not-so-competent people. The other problem, of course, is that these backdoors will inevitably get out at some point, and suddenly everyone's encrypted data is now unprotected. There's just no way multiple large organizations can keep this stuff a secret indefinitely.
(Score: 4, Informative) by JNCF on Sunday February 18 2018, @02:50PM (9 children)
Or because you want privacy in an age where its illegal.
(Score: 3, Insightful) by Grishnakh on Sunday February 18 2018, @04:39PM (8 children)
No, because most of the people you want to communicate with aren't willing to jump through the hoops necessary to make that work. How many people do you know now who use GPG encryption for their emails? None? Steganography is a few orders of magnitude more of a PITA to bother with than that, and the bandwidth it provides is pathetic.
(Score: 2) by JNCF on Sunday February 18 2018, @09:35PM (2 children)
1) Those are technical and socials hurdles of the moment, and they are subject to change.
2) I sometimes encrypt things that I have no desire to communicate with anybody other than future iterations of myself, as an added security precaution. Private keys and personal notes both sometimes fall into the category. If I am paranoid enough to doubt the security of air-gapped machines (I am) then I can desire privacy through encryption sans communication.
(Score: 3, Touché) by Grishnakh on Monday February 19 2018, @02:00AM (1 child)
1) Those are technical and socials hurdles of the moment, and they are subject to change.
Yeah, I'm sure the general public will drop Facebook and Twitter and Windows 10 and free webmail and all start using Linux and GPG real soon now....
(Score: 2) by JNCF on Monday February 19 2018, @02:09PM
I'm surprised how many people I know are using Android and Signal.
(Score: 0) by Anonymous Coward on Monday February 19 2018, @01:40AM
We can't even get email users to use pgp so how will anything else take off?
(Score: 2) by JoeMerchant on Monday February 19 2018, @02:01AM (2 children)
The fun thing about pathetic bandwidth: people share cat videos all the time, and your average 15 second cat video can conceal hundreds of pages of text very effectively.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Monday February 19 2018, @01:28PM (1 child)
What if you want to share your 4K 60fps cat videos with privacy?
(Score: 0) by Anonymous Coward on Monday February 19 2018, @01:58PM
Obvious! Embed it in other cat videos!
(Score: 0) by Anonymous Coward on Monday February 19 2018, @07:23AM
I know three. Two of them stopped, though. And the other one is me.
(Score: 3, Interesting) by JoeMerchant on Sunday February 18 2018, @02:58PM (7 children)
Very true, which is why artful steganography is a valuable skill.
🌻🌻 [google.com]
(Score: 2) by Wootery on Monday February 19 2018, @10:57AM (6 children)
I'm skeptical whether it's true in the first place. There's plenty of random-looking binary data sailing through the intertubes. I would've thought it would be pretty straightforward to disguise an encrypted channel.
(Score: 2) by JoeMerchant on Monday February 19 2018, @01:09PM (5 children)
Data in-flight should be relatively easy to disguise. That non-standard encrypting communication app on your cellphone (after your phone has been confiscated and searched) not so much.
🌻🌻 [google.com]
(Score: 2) by Wootery on Monday February 19 2018, @02:39PM (4 children)
Right, but it's data-in-flight that we're talking about. I don't buy anyone using non-conforming crypto will stick out and be easily detected, and will be very suspicious.
(Score: 2) by JoeMerchant on Monday February 19 2018, @03:41PM (3 children)
Well, this is where the "responsible crypto" debate comes into play:
if 99%+ of encrypted data-in-flight is "responsible crypto" then a trawler with the backdoor key can open all of that data-in-flight easily and then the remaining stuff becomes suspicious.
It's a much better situation (for anonymity and privacy) where data-in-flight is heterogeneous and hard to break...
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Monday February 19 2018, @08:23PM (2 children)
Yup, I haven't kept up enough with the crypto scene, but from what I recall even some of the most heavy duty crypto can be brute forced with enough supercomputing resources. Might take a few days or even longer, but at least that makes it impractical to decrypt everything. Thus you get the push for backdoors, that way sifting through all encrypted data becomes easy and you can prioritize resources for decrypting the messages using "illegal" crypto.
It is an arms race that law enforcement simply can not win, and the fight to control humanity results in less freedom for the general public. Even with full access to digital communication the "bad guys" will quickly learn to use methods that make backdoored crypto pointless. Code words, book ciphers, isolated terrorist cells, etc. The only people this is likely to protect us against are the dumb fucks radicalized by the FBI who wouldn't have been a real threat without all the prodding.
(Score: 2) by JoeMerchant on Tuesday February 20 2018, @03:27AM
Nothing breaks a good one-time-pad - not quantum, not the NSA farm outside Langley, or Bumblefarm, or any of them.
Key management is the key. When used properly, Mersenne Twister is a good one-time-pad that is 2^19937 bits long. If you can secretly pass a 2.5KByte key that puts you somewhere specific in that 2^19937 sequence, and scramble up your message so it looks random before applying the pad, then we're done. (If you foolishly try to encrypt a bunch of zeroes with MT as your pad, then it can be broken.)
Moreover, if the crackers just don't know _how_ you're using MT as a OTP, that increases the complexity of an already intractable problem by many additional orders of magnitude.
🌻🌻 [google.com]
(Score: 2) by Wootery on Tuesday February 20 2018, @03:27PM
No. From Wikipedia [wikipedia.org]:
It is a practical impossibility to brute-force good crypto. Supercomputers don't help. Custom silicon doesn't help. Patience doesn't help. If you find a critical bug in OpenSSH, or outdo the world's algorithmists and find an efficient algorithm to crack AES256 (the complexity theoretic consequences would be profound), or take a wrench to the guy who knows the password, or maybe if you invent a quantum computer (but even then, maybe not) then you've got a chance, but brute-force isn't on the table.
(Score: 2) by JoeMerchant on Sunday February 18 2018, @03:01PM
So many "mob enforcement" movies fall back on the theme that most gangsters are basically idiots and confess openly to law enforcement. Law enforcement is busy enough collecting these wise-guys that they don't have much bandwidth leftover to try to crack the hard nuts.
🌻🌻 [google.com]