SoylentNews is people
SoylentNews
Riana Pfefferkorn, a Cryptography Fellow at the Center for Internet and Society at Stanford Law School, has published a whitepaper on the risks of so-called "responsible encryption". This refers to inclusion of a mechanism for exceptional access by law enforcement to the cleartext content of encrypted messages. It also goes by the names "back door", "key escrow", and "golden key".
Federal law enforcement officials in the United States have recently renewed their periodic demands for legislation to regulate encryption. While they offer few technical specifics, their general proposal—that vendors must retain the ability to decrypt for law enforcement the devices they manufacture or communications their services transmit—presents intractable problems that would-be regulators must not ignore.
However, with all that said, a lot more is said than done. Some others would make the case that active participation is needed in the democratic process by people knowledgeable in use of actual ICT. As RMS has many times pointed out much to the chagrin of more than a few geeks, "geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone." Again, participation is needed rather than ceding the whole process, and thus its outcome, to the loonies.
Source : New Paper on The Risks of "Responsible Encryption"
Related:
EFF : New National Academy of Sciences Report on Encryption Asks the Wrong Questions
Great, Now There's "Responsible Encryption"
(Score: 4, Insightful) by NotSanguine on Sunday February 18 2018, @05:52PM (4 children)
I disagree. How does the old saw go? "Three can keep a secret, if two of them are dead."
I'd add that often, not even that is enough.
Sure, you can roll your own encryption tools and share binaries (via encrypted, out-of-band channels) with trusted parties. Assuming you use sufficiently large key sizes [stackexchange.com], that will almost certainly keep prying eyes from decrypting any messages sent/received while in transit. However, the same can be said for current TLS implementations.
This, IMHO, argues for ubiquitous encryption of *all* network traffic, significantly increasing the complexity of compromising *specific* encrypted communications via wholesale network traffic captures.
That said, in order for such trusted parties to usefully interact with such messages, those parties must at least have the capability to decrypt them. That opens up a raft of potential vectors for compromising the confidentiality of those messages.
What's more, If one of those trusted parties is targeted [xkcd.com], confidentiality is almost certainly suspect.
Are things quite so dire for most of us? Probably not. But given the state of current technology, some form of coercion (warrants, violence/threat of violence, drugs, bribery/extortion, etc., etc.) is almost certainly the weakest link in the chain, not a lack of secure encryption tools.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by JoeMerchant on Monday February 19 2018, @03:45AM (1 child)
The $5 pipe wrench, artfully applied to the holder of a secret key, is indeed the most efficient method of decoding many secrets.
The real art in secret communication is not letting anyone know who you are communicating with in the first place. Or, not communicating anything secret at all - if no one can tell the difference, then you're doing it right.
🌻🌻 [google.com]
(Score: 2) by NotSanguine on Monday February 19 2018, @04:22AM
An excellent point.
Given that the complexity (I discuss that a little bit below) in obfuscating the participants in a particular communication in the current environment, especially for folks who are unlikely to be targeted, I submit that a strategy of strongly encrypting *all* communications, whether they communicate sensitive information or not, is more achievable on a large scale. Sadly, that's not very likely, given the state of the software ecosystem enabling such communications.
I imagine I could undertake a survey of Craigslist ads, posts on sites like 4chan, reddit and, a raft of other sites that allow anonymous comments in an attempt to identify covert (or potentially not so covert) communications channels with a reasonable chance of success.
Even without performing such a survey, I'm certain that such communications, while perhaps not common, are used in the same way that classified ads in newspapers were used for covert communications in previous decades.
In fact, I assume that intelligence gathering agencies already scan all those sites and more in an attempt to identify such communications.
In some cases, that would be *more* secure than using encrypted emails/chat/messaging apps, given the risks associated with local system/app/server related compromises.
However, those covert channels have their own set of issues WRT cipher distribution, mis-identification of messages and timing, among other things.
Unless and until we have protocols and tools that can, relatively seamlessly, ensure confidentiality and integrity, one can either keep sensitive information to oneself, or meet trusted parties in isolated, soundproofed faraday cages to discuss such things.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by JoeMerchant on Monday February 19 2018, @03:55AM (1 child)
Well, one solution for the "two can keep a secret" problem is for all parties to communicate 1:1 using each others' public keys. If one (or more) parties are sloppy with their keys, only messages addressed to the poor key keeper are compromised. This is just as unavoidable as the sloppy party re-posting the decrypted content in public - you can't stop a bad actor, but you can limit what you share with them.
🌻🌻 [google.com]
(Score: 2) by NotSanguine on Monday February 19 2018, @04:33AM
Absolutely. Unfortunately (as I pointed out in my reply [soylentnews.org] to your previous comment), the software ecosystem that would need to support widespread use of asymmetric key encryption is sorely lacking in the features that could engender widespread use.
Choosing the "wrong" (whether they be incompetent, unprincipled, stupid or otherwise "bad actors") folks with whom to communicate sensitive information goes far beyond digital communications, as is evidenced by (I'm sure there's at least one in your circle) that person(s) who can't help but tell everyone the stuff you reveal to them in confidence.
No, no, you're not thinking; you're just being logical. --Niels Bohr