Encryption Security

Congress Considers Mandatory Crypto Backdoors

disappear writes: "Wired news reports that Congress is considering restrictions on crypto software in the wake of the terrorist attack. 'Nuff said." This will be the next battle -- especially in the wake of this week's tragedies, and the allegations that the prime suspect Osama Bin Laden is a heavy crypto user. The battle of privacy and safety is going to begin in earnest now.
  • by Nonesuch ( 90847 ) on Thursday September 13, 2001 @10:40PM (#2296168) Homepage Journal
    The concept is that if you are caught using non-backdoor-enabled crypto software, then they don't need to prove that you are a terrorist, they can just throw you in jail for a few dozen years based solely on the easily proven charge of "possession of illegal munitions (crypto)".


    IMHO, this is just one more step towards a police state.

  • by FangVT ( 144970 ) on Thursday September 13, 2001 @10:50PM (#2296232) Homepage
    In a floor speech on Thursday, Sen. Judd Gregg (R-New Hampshire) called for a global prohibition on encryption products without backdoors for government surveillance. "This is something that we need international cooperation on and we need to have movement on in order to get the information that allows us to anticipate and prevent what occurred in New York and in Washington," Gregg said, according to a copy of his remarks that an aide provided.

    This is base grandstanding by a politician in the wake of tragedy. Saying that it needs international cooperation is tantamount to admitting that it can't be done and setting up to blame the rest of the world when it fails.

    The constitution was written by a group of people that had visceral knowledge of what it means to need a revolution, in the bloodiest sense of that word. Our modern laws would be a lot better if they were informed by that same knowledge.
  • by reverius ( 471142 ) on Thursday September 13, 2001 @10:54PM (#2296257) Homepage Journal
    "Stenography which is the clear alternative to encryption"...

    umm, "stenography" is "The art or process of writing in shorthand." according to dictionary.com [dictionary.com].

    I think what you meant was "steganography", which is "The art of writing in cipher, or in characters which are not intelligible except to persons who have the key; cryptography.".
  • by Flowbie ( 85034 ) on Thursday September 13, 2001 @11:11PM (#2296379)
    The obvious sentiments
    • How do you put the genie back into the bag now that it is out?
    • It only punishes the innocent user as criminals are likely to continue using it
    • How do you enforce it? Do you enact a law similar to the U.K. where you are obligated to give up your keys upon request? Again, only punishes the innocent as a criminal is less likely to oblige as it would further incriminate themselves. What about a Constitutional issue of self-incrimination?
    • Wouldn't it create a "standards" barrier with the rest of the world who won't necessarily have to follow the U.S. cipher?
    • What would be done to insure the new "cipher" was improved as technology advanced? We all saw the problems the 40 and 56 bit cipher restrictions caused in just a few years time. Even 128 bit encryption is coming close to being easily broken. Let's not talk about DeCSS.
    • How will the government insure that their backdoor will not be used by third parties to compromise the "secure" transaction? Would you feel comfortable knowing that Banks were using a cipher with a known backdoor? How long would it take before this knowledge became common knowledge?
  • by Glytch ( 4881 ) on Thursday September 13, 2001 @11:26PM (#2296465)
    I wasn't saying anything about computers in the third world. I was referring (which I should have pointed out, now that I think about it) to an interview on CBC today of a journalist who is one of the few westerners to ever personally interview bin Laden. This man (forgot the name) recounted the three times he had seen bin Laden. When he described their last meeting in Afghanistan, he was carrying several newspapers. Bin Laden saw them, grabbed them, and sat in a corner to read through them all because he was so out of contact with the rest of the world.

    BTW, did anyone else see the interview? I'd like to get this guy's name. It was on Newsworld about 3pm AST, I think.
  • Re:Mixed feelings (Score:3, Informative)

    by jdriller ( 416280 ) on Thursday September 13, 2001 @11:27PM (#2296469)
    Pledge so just used in emergencies? Ha ha ha...
    My ex-brother-in-law wrote an article in left wing Z magazine about the special federal circuit court that is specifically set up to approve wire taps. I forget the year and the exact numbers but they rejected something like 4 out of 23.7 THOUSAND. We ALREADY have a guarantee against unreasonable search and seizure and right to liberty. It is the basis of all our law. It is the Constitution. Pledge of restraint and honesty? You have me rolling on the floor!!!
    Oh, and by the way he had a white van outside his house for a week - night and day. My nieces even brought the spooks cookies....yeah, and he was a real threat. He is a newspaper sports writer mostly.
  • by Anonymous Coward on Friday September 14, 2001 @12:04AM (#2296659)
    You can turn it off on your preferences page.

    --MarkusQ (karma shields up!)

  • by foxxtrot ( 217297 ) on Friday September 14, 2001 @12:22AM (#2296747) Homepage
    As others have already noticed, Bin Laden did two things, avoid electronic communication, and when he did use crypto, he certainly wouldn't be using back-doored software. So essentially, himself and the other terrorists wouldn't be slowed down, our American civil rights would be violated however.

    Alright, now to the non-redundant part of my post. On Tuesday, Tom Clancy was on CNN in the afternoon. CNN had Tom, because Tom wrote a book about terrorists crashing a plane into the Capitol building, and killing both houses of Congress, and the President. Well, Tom said that the real problem we had in not seeing this coming is that the CIA employs some 20,000 people, and only about 800 of them are spooks. The only way to fight terrorism effectively is with a large, well-trained intelligence corps. We need at least twice, if not three or four as many spooks out in the field, infiltrating these terrorist groups, so that we are aware of these plans before something like Tuesday's events happen.

    Cryptography isn't our problem, an incredibly small spy system is.

    foxxtrot
  • by Logger ( 9214 ) on Friday September 14, 2001 @12:26AM (#2296764) Homepage
    While everyone here almost unanimously cries that mandatory backdoors wouldn't work, or that it would amount to tyranny. Think about this:

    1) Your openness to this type of legislation depends on how willing you are to give up some of your freedom for security. Ultimately, governments always exist to restrict some freedom (some loony isn't free to kill people after all), in exchange for security. Any freshman anthropology class covers that. Maybe you haven't been affected directly enough yet to think it is necessary.

    2) If you think this is some new type of breach of privacy. Come on. Postal mail is already this way.

    3) If you think it won't work. As someone pointed out earlier, with Carnivore everywhere, people using encryption without backdoors can be detected (and located). Data hiding won't work for long either. I recently read that a prof. at a major university has developed a program that can make very accurate odds of whether a picture contains hidden information. It can't decode the information, but that just goes back to my last statement.

    4) If you think the risk of abuse is too great. Maybe, maybe you're right. But if you're worried about financial information, think about how much goes through the postal system already. And as far as the bad employee abusing information, remember far fewer human hands will touch your electronic data than your postal mail. Also this gets back to your sense of security. At some point you'll take the risk of your information being exposed to the government in exchange for the safety of not getting hit by a terrorist attack.

    Ultimately, to be secure you must give up some privacy. The hard question is how much privacy must we give up in order to achieve that security. It's not an easy question, and I'm not sure where that line should be drawn.

    But people, please don't be so naive to think that it simply goes without saying that encryption backdoors are unacceptable tyranny. It's just not so. I agree this may not be the first action that should be taken, and for technical reasons that many have pointed out, it wouldn't even work today. However, it can be made to work tomorrow. And someday, if the other measures we take to secure our world are still incomplete, far fewer of you will be so quick to denounce encryption backdoors.
  • by ClarkEvans ( 102211 ) on Friday September 14, 2001 @01:07AM (#2296950) Homepage
    From the recent poll [washingtonpost.com] on the Washington Post:

    11. Would you support or oppose new laws that would make it easier for the FBI and other authorities to investigate people they suspect of involvement in terrorism?

    Support: 92%
    Oppose: 6%
    No Opin: 2%

    12. What if that meant giving up some of Americans' personal liberties and privacy---in that case would you support it or not?

    Support: 71% (less liberty for more security)
    Oppose: 24%
    No Opin: 5%

    Ben Franklin said something like... those who trade liberty for security will lose both.
  • Re:Mixed feelings (Score:2, Informative)

    by Anonymous Coward on Friday September 14, 2001 @01:11AM (#2296964)
    This thread reminds me that I need to credit the folks over on alt.folklore.urban with helping me shoot down that bogus Hitler quote praising gun registration. For those a.f.u.'ers who don't remember (it _was_ a couple of years ago), the story goes like this:

    "This year* will go down in history! For the first time, a civilized nation has full gun registration! Our streets will be safer, our police more efficient, and the world will follow our lead into the future!"
    --falsely attributed to Adolf Hitler (1889-1945), "Abschied vom Hessenland!" ["Farewell to Hessia!"], ['Berlin Daily' (Loose English Translation)], April 15th, 1935, Page 3 Article 2, Einleitung Von Eberhard Beckmann [Introduction by Eberhard Beckmann]

    This quotation, often seen without any date or citation at all, suffers from several credibility problems, the most significant of which is that the date given (*in alternate versions, the words "This year..." are replaced by "1935...") has no correlation with any legislative effort by the Nazis for gun registration, nor would there have been a need for the Nazis to pass such a law, since gun registration laws passed by the Weimar government (in part to address street violence between Nazis and Communists!) were already in effect. The Nazi Weapons Law (or _Waffengesetz_) which further restricted the possession of militarily useful weapons and forbade trade in weapons without a government-issued license was passed on March 18, 1938. The citation usually given for this quote is a jumbled mess, and has only three major clues from which to work. The first is the date, which does not correspond (even approximately) to a date on which Hitler made a public speech, and a check of the texts of Hitler's speeches does not reveal a quotation resembling this (which is easily understandable when you realize that "Hitler" is commenting on a non-existent law). The second clue is the newspaper reference, which if translated into German resembles the title of a newspaper called _Berliner Tageblatt,_ and a check of the issue for that date reveals that the page and column references given are to the arts and culture page! No Hitler speech appears in the pages of _Berliner Tageblatt_ on that date, or dates close to it, because there was no such speech to report. Finally, the citation includes a proper name "Eberhard Beckmann," which is sometimes cited as "by Einleitung Von Eberhard Beckmann," which is an important clue itself, because it reveals that the citation was fabricated by someone who had so little knowledge of the German language that they were unaware that "Einleitung" isn't the fellow's first name!
    The only "Eberhard Beckmann" which has been uncovered thus far did indeed write introductions, but he was a journalist for a German broadcasting company after WWII, and he wrote several introductions to _photography books,_ one of which was photos of the German state of Hesse (or Hessia), which may be the source of the curious phrase "Abschied vom Hessenland!" which appears in the citation. This quotation, however effective it may be as propaganda, is a fraud.
  • by horza ( 87255 ) on Friday September 14, 2001 @02:23AM (#2297172) Homepage
    The French don't trust their citizens and for years banned all encryption (except some businesses, with them having to hand over keys). They may have, as you allege, used the intelligence in an underhand way. However, I think your reason for 'relaxing' their stance on encryption is mistaken, or only part of the reason. Upon discovering all about Echelon [echelonwatch.org], and the extent to which the USA have been gathering intelligence on French business (and allegedly lost billions due to NSA handing key data for US businesses), it brought about the greatest 180 degree turn in crypto politics seen to date. From a complete ban to full support [jya.com] of strong encryption, with the encouragement [osslaw.org] of open-source software. To think things had steadily been improving since this article 2 years ago [nwfusion.com]. It would be a blow to the memories of those lost if their sacrifice failed to make the world a better place.

    Phillip.
  • Re:I don't think so. (Score:2, Informative)

    by Prior Restraint ( 179698 ) on Friday September 14, 2001 @02:37AM (#2297205)

    ... O(log2(N)) ...

    FYI:
    O(log2(N)) == O(log(N)) == O(ln(N))

    Identifying the base is unnecessary.

  • Re:I don't think so. (Score:2, Informative)

    by pallex ( 126468 ) on Friday September 14, 2001 @05:01AM (#2297468)
    "it really possible to create a system that is undetectable even if the algorithm is public?"

    What if you used a `rubberhose` type system, where there are (possibly) multiple encrypted streams within a single block of data? Yes, there's a message in there. But is there 2, or 3 or 20?
  • by budgenator ( 254554 ) on Friday September 14, 2001 @07:32AM (#2297719) Journal
    As much as I can determine, present terrorists, drug cartels etc. all seem to operate on the French Resistance model of WWII:
    1. Use of cells (small groups of about 5-7 people) so that each part of the operation doesn't know who is in the other cells. This limits compromise even when tortured.
    2. Each cell only knows a small subpart of the mission and is trained for it, again limiting compromise.
    3. Each cell is controlled by a handler who in turn only knows how to contact a few cells and is himself handled. This way if a handler is compromised only a few drop sites become known. The handler may never come into direct contact with or actually know the pick-up mule for any given cell.
    4. Communications are often in the clear, but with hidden meanings such as
      Aunt Sally is getting married, the wedding will be on the 11th of Aug the wedding will be at St. Johns at 4:30 and the reception is at the community center at 7:00 pm the same day. The Bridal registry is at National Dept. store

    Now if anyone can explain how being able to decrypt a message like this will let the authorities know that planes will be hijacked and flown into buildings by people who don't know each other at a particular date and time, I'd appreciate it.
  • Re:I don't think so. (Score:2, Informative)

    by JanneM ( 7445 ) on Friday September 14, 2001 @10:01AM (#2298177) Homepage
    IANAC either (though I have a few years of university math):

    The point is, the pad needs to be patternless, or it becomes very easy to break (no years or even days to break it). What you would do is add two patterns over each other, while with a random pad you would add a pattern with a non-pattern that destroys the original pattern totally.

    Take the (admittedly ridiculous) case of encrypting Beatles "Abbey Road". As it happens, the key is Beatles "Abbey Road". The result is a file of all zeroes. Now, if an opponent got to know that a part of the message was a few bars from one of those songs - and the encrypted file was all zero, it doesn't take a genius to guess what the pad key for the rest of it is.

    In a similar (but more complicated) manner, if the opponent can guess a part of the message (for economic espionage, some of the words "Pricing", "offer" or "profit" can be assumed, for example). Try these words out on the encrypted text. If the key is non-random, you will find a part of the key that can be searched for to recover the rest of the key. As an aside, this can be done even when the random distribution isn't perfect; once you can guess that some random values are more likely than others, you can take a large step forward in breaking the crypto. This is BTW also why you shouldn't use the same random key more than once.

    With a truly random key system, on the other hand, breaking a part of the message (or using hints) will not help you recover any other part.

    Many of the methods you can use to do this kind of analysis can be automated, so for a weak pad, you might talk about a breaking time of minutes or hours, rather than weeks.

    /Janne
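
The two pad failures described in the comment above (a pad with a pattern, and a random pad used more than once), worked through as an added example that is not part of the original thread. The sample messages, the `abbey` key and the function names are constructed for illustration; the pad is assumed to be combined with the message by XOR.

```python
import secrets
import string

# Letters and spaces only: a strict filter keeps chance hits rare.
PLAUSIBLE = set((string.ascii_letters + " ").encode())

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def crib_drag(c1: bytes, c2: bytes, crib: bytes):
    """Pad reuse: c1 XOR c2 equals p1 XOR p2, so the pad cancels out.
    Slide a guessed word along it; where the guess is right, the
    matching bytes of the other message appear as readable text."""
    mixed = xor(c1, c2)
    hits = []
    for off in range(len(mixed) - len(crib) + 1):
        other = xor(mixed[off:off + len(crib)], crib)
        if all(b in PLAUSIBLE for b in other):
            hits.append((off, other))
    return hits

def break_patterned_pad(ct: bytes, crib: bytes, off: int):
    """Patterned pad (a short key repeated): known text at `off` yields
    pad bytes, and the smallest period that fits them rebuilds the
    whole pad. Returns the plaintext, or None if no period fits."""
    frag = xor(ct[off:off + len(crib)], crib)
    for period in range(1, len(crib)):
        key = {}
        # Pad bytes that share a residue mod `period` must be identical.
        if all(key.setdefault((off + j) % period, b) == b
               for j, b in enumerate(frag)):
            return bytes(c ^ key[i % period] for i, c in enumerate(ct))
    return None

if __name__ == "__main__":
    # Constructed sample messages of equal length.
    p1 = b"Our final offer is nine million"
    p2 = b"Pricing memo for the third unit"
    pad = secrets.token_bytes(len(p1))       # truly random, but used twice
    print(crib_drag(xor(p1, pad), xor(p2, pad), b" offer "))
    weak = (b"abbey" * 7)[:len(p1)]          # patterned pad
    print(break_patterned_pad(xor(p1, weak), b" offer ", 9))
```

With a random pad used once, the same known word yields only the pad bytes under it, which say nothing about any other position.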
