
SoylentNews is people

posted by Fnord666 on Sunday December 09 2018, @07:22AM
from the pull-the-other-one dept.

In response to the news of what's going on in Australia, Derek Zimmer over at Private Internet Access' blog covers split key cryptography and why government back doors don't/won't/can't work. Attempts to regulate cryptography have been going on for a long while and each try has failed. He starts with recent history, the Cold War, and follows through to the latest attempts to stifle encryption. These past failures give a foundation which can be applied to the current situation in hopes of understanding why cryptographers around the world are universally against these kinds of schemes.

The new proposal touted by the NSA, GCHQ, the Australian government and others is a simple evolution of Key Escrow. The proposal is key escrow with split-key cryptography, which is just key escrow with extra steps. There is still a "Golden Key" that can decrypt all messages from a particular service, but this time, two or more entities have pieces of that key. The concept, popularized by a Microsoft researcher, is said to solve the problem of abuse, because all parties have to agree to decrypt the messages.

Earlier on SN:
Australia Set to Pass Controversial Encryption Law
Apple Speaks Out Against Australian Anti-Encryption Law; Police Advised Not to Trigger Face ID
When's A Backdoor Not A Backdoor? When The Oz Government Says It Isn't
Australian Government Pursues "Golden Key" for Encryption
and more


  • (Score: 4, Insightful) by bradley13 on Sunday December 09 2018, @01:33PM (6 children)

    by bradley13 (3053) on Sunday December 09 2018, @01:33PM (#771908) Homepage Journal

    I assume it is obvious, but just in case: "two or more entities have pieces of that key"

    This does not improve security. The key will be used, which means that it will be assembled. At that point in time, a single entity has the entire key. Given basic human laziness, that key will be saved - and is just as insecure as ever.

    Moreover, having a single key to rule them all means that encryption keys are no longer in the hands of the people requiring security - they cannot be changed at will. This and many, many, many other reasons make key escrow a stupid idea.

    Rope, lamppost, politician: some assembly required.

    --
    Everyone is somebody else's weirdo.
  • (Score: 0) by Anonymous Coward on Sunday December 09 2018, @01:57PM (1 child)

    by Anonymous Coward on Sunday December 09 2018, @01:57PM (#771912)

    Make the politicians live under these rules for 5 years before the general public has to. Let's see how long their privacy lasts under split key cryptography.

  • (Score: 3, Interesting) by exaeta on Sunday December 09 2018, @03:48PM (3 children)

    by exaeta (6957) on Sunday December 09 2018, @03:48PM (#771957) Homepage Journal

    A better solution is to double encrypt the key. I.e. it's encrypted to the government and the version encrypted to the government is encrypted to the corporation.

    The government can't decrypt it because the version they need to decrypt it is encrypted to the corporation. The corporation could decrypt the token but not the final message without the government's key.

    In the U.S. this would raise Fifth Amendment and First Amendment issues (right against self-incrimination and right to anonymous speech) but I don't see why Orwellian countries like Australia couldn't move ahead with it. :)

    --
    The Government is a Bird
    • (Score: 1, Disagree) by Anonymous Coward on Sunday December 09 2018, @04:42PM (2 children)

      by Anonymous Coward on Sunday December 09 2018, @04:42PM (#771979)

      Uh...the net result is exactly the same as split-key. Using either scheme requires 2 parties to decrypt the message.

      One party issues business licenses, controls an army, and can lock up CEOs. The other party employs people, pays taxes, and raises a country's GDP. This unholy alliance will not hesitate to collude to control the population.

      • (Score: 2) by urza9814 on Monday December 10 2018, @04:59PM (1 child)

        by urza9814 (3954) on Monday December 10 2018, @04:59PM (#772419) Journal

        It's not exactly the same, precisely because you don't ever need to reassemble the keys. The first party can decrypt using the first key, then pass the partially decrypted data to the second party who completes decryption using the second key. Nobody ever needs both keys together. Not even in RAM somewhere.

        Yes, the government could confiscate the key, in which case it's no longer complying with the law, in which case it doesn't matter what encryption scheme they wrote into the law since they're just ignoring the damn thing anyway. That's not much different than the current situation. And that's the real issue. It doesn't matter what law they write, because we already have ample proof that they aren't going to obey it anyway...

        • (Score: 2) by exaeta on Wednesday December 12 2018, @05:20PM

          by exaeta (6957) on Wednesday December 12 2018, @05:20PM (#773535) Homepage Journal

          Yeah. Anyone who can't see the big difference really doesn't need to be involved in cryptography (except for learning purposes, of course).

          God help anyone who tries to explain the differences though. Most people don't seem to understand the fundamentals of information security and can't seem to grasp it either, for some reason. In their mind, the result is the same, so it's the same thing. But they don't understand the differences in information exposure, nor do they even care to think about it. This is one reason hacks and compromises are so common.

          --
          The Government is a Bird
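
An added example, not part of the discussion above or of the linked article: it contrasts the split-key reassembly that bradley13 describes with the layered unwrapping that exaeta and urza9814 describe. The SHA-256 counter-mode cipher, the labels and all function names are constructed for illustration and are not a production cipher.

```python
import hashlib
import secrets

def xor_stream(key, label, data):
    """Toy SHA-256 counter-mode cipher (constructed, unauthenticated, demo only)."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + label + counter.to_bytes(8, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

# Scheme 1: one escrow key split into two XOR shares.
def split_key(escrow_key):
    share_a = secrets.token_bytes(len(escrow_key))
    share_b = bytes(k ^ a for k, a in zip(escrow_key, share_a))
    return share_a, share_b

def reassemble(share_a, share_b):
    # Whoever runs this step holds the complete escrow key in memory.
    return bytes(a ^ b for a, b in zip(share_a, share_b))

# Scheme 2: session key wrapped to the government, then to the corporation.
def wrap_layered(session_key, gov_key, corp_key):
    inner = xor_stream(gov_key, b"gov-layer", session_key)
    return xor_stream(corp_key, b"corp-layer", inner)

def corp_strip(wrapped, corp_key):
    # Corporation removes only the outer layer; it never sees gov_key.
    return xor_stream(corp_key, b"corp-layer", wrapped)

def gov_strip(token, gov_key):
    # Government removes the inner layer; it never sees corp_key.
    return xor_stream(gov_key, b"gov-layer", token)

def demo():
    secret, gov_key, corp_key = (secrets.token_bytes(32) for _ in range(3))
    share_a, share_b = split_key(secret)
    wrapped = wrap_layered(secret, gov_key, corp_key)
    token = corp_strip(wrapped, corp_key)
    return {
        "split_recovers": reassemble(share_a, share_b) == secret,
        "one_share_is_key": share_a == secret or share_b == secret,
        "layered_recovers": gov_strip(token, gov_key) == secret,
        "corp_alone_recovers": token == secret,
        "gov_alone_recovers": gov_strip(wrapped, gov_key) == secret,
    }

if __name__ == "__main__":
    print(demo())
```

In both schemes the recovered secret ends up with whoever performs the final step; the layered form differs only in that the two long-term keys never have to be in one place.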