cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Crypto Wars, Again (and again, and again, and again ...)

I lived through the crypto wars, 1990s edition.  I remember the Clipper Chip, Skipjack, and the LEAF (Law Enforcement Access Field).  I remember that, after the NSA spent millions of dollars, and years and years, developing it, it took the crypto community three weeks to figure out that there was a flaw in it.  (And, ironically, the flaw was not in Skipjack, per se.  As far as anyone knows, Skipjack is still a reasonably decent medium strength crypto algorithm.  The flaw was in the LEAF, the whole reason for the project in the first place.  It's trivially easy to spoof the LEAF.)

 

But it seems we are going to have this all over again.   LE and the spooks still think they need access to everything everyone says, all the time.

 

I remember "The Electronic Privacy Papers."  (Still got a copy of that, too.)  I remember the page that has the results of a request for info about wiretaps that were impeded by crypto.  Except for the table frame itself, and the column headings, every piece of info on it is blacked out.

 

I remember Dorothy Denning, who was on the LE side at the beginning of the crypto wars.  But, good scientist that she is, she asked for cases from LE where they couldn't get a conviction because of crypto.  Nobody could give her any.

 

I remember PGP, and the threats to throw Phil Zimmermann in jail because of ITAR.  And I've got a copy of "PGP: Source Code and Internals" by Phil, published by MIT Press, and available anywhere in the world because it was a book and therefore protected by the holy First Amendment.  (For those who don't get the joke it was simply a printed copy of the PGP source code.)

 

I also remember that the 1990s version of the crypto wars ended not because of all of our reasoned arguments about how stupid crypto regulations were, but because American businesses told the government that non-American businesses were going to build crypto anyway, and if the regs were in place Americans couldn't compete in business.  That got their attention ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
12 Replies
Caute_cautim
Community Champion

Lets get back to basics, why do Government authorities want access to your encrypted data?

 

A). They don't trust people

B). They are looking for signs of terrorism, subversives or other indicators

C). You are using a new cryptographic algorithm not within their current databases or one you created yourselves.

D).  You live in a country, which is under oppressive central control, who want to make sure you are following the party line i.e. thinking the way they do?    E.g. East Germany when it existed etc.

E).  Researchers want to track and trace malware across borders for easy identification.

 

If you are using a proprietary cryptography method, which you have not asked the authorities approval or verification you can use it, is likely to stand out like a sore thumb - remembering that cryptographic methods and encryption methods are regarded as an "Act of War or an electronic weapon".

 

There is no such thing as a free lunch anywhere in the world - we are all suspicious, and everyone wants to protect their own borders regardless of who, what, where they exist.

 

Regards

 

Caute_cautim

 

 

 

rslade
Influencer II

> Caute_cautim (Community Champion) posted a new reply in Industry News on

> Lets get back to basics, why do Government authorities want access to your
> encrypted data?   A). They don't trust people

Sounds likely.

> B). They are looking for signs of
> terrorism, subversives or other indicators

That's what they all say. Actually, one security researcher thought this was a
possibly legit concern. But, being a scientist, she asked for data to back it up:
could someone show her a case where they knew somebody was guilty, but couldn't
prove it because they used encryption.

Nobody could give her an example ...

> C). You are using a new cryptographic
> algorithm not within their current databases or one you created yourselves.

Not really a reason to want the traffic ...

> D). 
> You live in a country, which is under oppressive central control, who want to
> make sure you are following the party line i.e. thinking the way they do?   
> E.g. East Germany when it existed etc.

Or the Trump administration ...

> E).  Researchers want to track and trace
> malware across borders for easy identification.

Access to plaintext would not help. Malware either a) isn't encrypted, or b) is self-
decrypting. Anything else defeats the purpose.

>   If you are using a proprietary
> cryptography method, which you have not asked the authorities approval or
> verification you can use it, is likely to stand out like a sore thumb -

Encrypted traffic doesn't really stand out. It all looks like noise, if it's done right.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Madness takes its toll. Please have exact change ready.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

HI @rslade 

 

Quote:

 

> C). You are using a new cryptographic
> algorithm not within their current databases or one you created yourselves.

Not really a reason to want the traffic ...

 

Unquote

 

You have obviously not been in a position of inventing a new cryptographic algorithm, where the Government cryptographic experts actually state you need to reduce the key length in order for them to allow you to use it.

By the way, they also stated had we not informed them, we would have been in big trouble.   This is the UK experience. 

 

As stated previously under agreed international export controls and Vienna Convention - encryption is regarded as a weapon of war.

 

Regards

 

Caute_Cautim