The Clipper Chip (wikipedia.org)
244 points by jacquesm on March 17, 2016 | 39 comments



Thanks for posting this. Throughout this discussion about Apple, the FBI, the All Writs Act, etc. I've been saying we have already had this discussion some 20 years ago and the key point made then is still relevant today. If you create a key for Government, the Government cannot prevent bad actors from using those keys.

The only thing of substance to this discussion that has changed since then is we have multiple robust open source cryptography implementations, which ensures that if the DOJ can lobby Congress to make some laws requiring back doors or key escrow, that only criminals will have access to robust cryptography. And it will likely kick off a cryptography arms race, which will only make their job more difficult than they are saying it is already.

I doubt however the Legislative Branch will give them the laws they want. The last thing our legislators want is to make it easier for the FBI to spy on them.


> The only thing of substance to this discussion that has changed since then is we have multiple robust open source cryptography implementation

We had some decent OSS crypto in the Clipper time frame.

What's changed is that strong crypto is now much more wide-spread in NON open-source consumer products.

Crypto is not just for governments plus a handful of geeks any more. That's the big change.


In reading the article over lunch, I realized something else changed as well: the government now has the capability to data mine without human intervention on a massive scale. (Which I strongly suspect they didn't in the early 90s)

That substantially changes the key escrow argument.

What the NSA et al want is not the ability to decrypt communications, but the ability to search all communications to generate intelligence. Naturally, this only works if the stored take is searchable, which encrypted content is not. (For practical and flexible purposes)

So the very existence of key escrow coupled with the desires of the NSA would almost mandate that any escrow keys available to the government be used continuously and automatically to decrypt content into a searchable data warehouse. Which is why if we allow this then in 5 years or less we're going to be having the Person of Interest "It's not a violation of your privacy if only an algorithm is looking at your data" discussion.

Or to quote Strangelove, "Mr. President, it is not only possible, it is essential. That is the whole idea of this machine, you know."


> we're going to be having the Person of Interest "It's not a violation of your privacy if only an algorithm is looking at your data" discussion

There are signs in the Snowden documents that this view is already pervasive in the government.


Not only is it already pervasive in government, this type of dissembling has also been policy at Google for a long time.

    LIZ FIGUEROA, (D) State Senator, CA, 1998-06: We walk into this room, and it’s myself
    and two of my staff— my chief of staff and one of my attorneys. And across from us
    was Larry, Sergey, and their attorney.

    All of a sudden, Sergey started talking to me. He said, “Senator, how would you feel
    if a robot went into your home and read your diary and read your financial records,
    read your love letters, read everything, but before leaving the house, it imploded?”
    And he said, “That’s not violating privacy.”

    I immediately said, “Of course it is. Yes, it is.” And he said, “No, it isn’t.
    Nothing’s kept. Nobody knows about it.” I said, “That robot has read everything.
    Does that robot know if I’m sad or if I’m feeling fear, or what’s happening?”
    And he looked at me and he said, “Oh, no. That robot knows a lot more than that.”
(from PBS Frontline's "United States Of Secrets", part 2)


What was the decent OSS crypto in 1993? Early PGP is the only thing I can think of. SSLeay was not until the end of the Clipper "conversation."


I used Matt Blaze's CFS around that time, for example.

Very cool: create a crypto volume anywhere in your filesystem, and mount it plaintext via the cfsd NFS service.

The NFS protocol served as a "poor man's portable FUSE".


>I doubt however the Legislative Branch will give them the laws they want. The last thing our legislators want is to make it easier for the FBI to spy on them.

I hope you are right, the thing that concerns me is how brainwashed people are in the post-911 era.


Brainwashed or just uninformed yeah.

We need to educate people about the technology in their pockets. As discussed in another thread [1], I'm forming a grassroots campaign to do that with a few other developers. If you're interested in being involved, send me an email at stillastudent on google's email service. You don't need to be a developer to contribute.

There are some existing groups working on this, such as Fight for the Future's Save Security campaign [2] and of course the EFF [3]. I support those efforts and have reached out to see how we can work together, though we still plan to make our own website and campaign name for this cause.

My hope is Obama changes his mind on this issue and stops pursuing anti-encryption legislation. Then the campaign would be over. But unless the President strongly endorses encryption, there will be public discussion. We technologists should be a part of that debate.

[1] https://news.ycombinator.com/item?id=11293949

[2] https://savesecurity.org/

[3] https://www.eff.org/


This was showcased during the last episode of the John Oliver show https://youtu.be/zsjZ2r9Ygzw?t=522. Here's what happened: http://www.nytimes.com/1994/06/12/magazine/battle-of-the-cli...


That was a great article, thanks for sharing. This snippet puts things in perspective:

"The agency is really worried about its screens going blank" due to unbreakable encryption, says Lance J. Hoffman, a professor of computer science at George Washington University. "When that happens, the N.S.A. -- said to be the largest employer in Maryland -- goes belly-up. A way to prevent this is to expand its mission and to become, effectively, the one-stop shop for encryption for Government and those that do business with the Government."


> "When that happens, the N.S.A. -- said to be the largest employer in Maryland -- goes belly-up. A way to prevent this is to expand its mission

The article is from 1994 and I believe my reaction is as true then as now.

Why can't NSA just switch to doing 90% information-assurance and work to secure US infrastructure?

Certainly there is more than enough work to go around, if they are looking for something to do I have some suggestions. The US military isn't really known for having secure communications or storage systems, maybe NSA should try to solve that problem (as a plus it is already part of their mission).

Is the claim here that NSA's budget would shrink if all they were doing was securing US systems and communications against foreign intelligence agencies? Does Congress consider that task unimportant?


I'm pretty sure they're focused on stopping terrorist attacks like 9/11 from happening.

Note that the NSA is not asking for Apple to give them a special key to the iPhone. The FBI is asking for it.

Note that a former NSA director (Hayden) and CIA director (Woolsey) have said they both support Apple in this case.


I'm reacting to a statement from 1994 in which it was claimed that the NSA wanted to expand its mission to ensure it could still employ the same number of people.

>I'm pretty sure they're focused on stopping terrorist attacks like 9/11 from happening.

That was not NSA's original mission and if congressional testimony is to be believed, not one NSA is particularly well suited to do. SIGINT/COMINT targeting the organs of the Soviet Union is a very different game than interrupting a terrorist plot by a small number of unknown actors.

>Note that a former NSA director (Hayden) and CIA director (Woolsey) have said they both support Apple in this case.

The FBI's position is so unreasonable that it appears nearly everyone that is well informed about the issue and isn't currently employed by the US government supports Apple, but we are talking about the Clipper Chip which was an NSA program.


Note that currently, the NSA is not asking for this privilege, and indeed two former intelligence directors (Hayden-NSA/CIA and Woolsey-CIA) and former CIA agent / current US representative Will Hurd all believe the DOJ is in the wrong to try to force Apple to build them an access tool.

I know you're quoting the 1994 situation but I just want to clarify for other readers here.


All of the current wishful thinking by Comey, Obama, Fred Wilson, and others boils down to "Let's do a variant of the Clipper Chip."

Until the position of the side of the FBI moves off this mark there is not much to discuss.


I strongly disagree! Until they move off, there is everything to discuss. After they understand the economic and security impacts of what they are asking, then we can relax.

We need to be active in the conversation about this. As technologists, we are the ones who understand the tech side of this issue best, and we should be reaching out to our representatives and talking to friends and family about this issue.

There are anti-encryption bills looming, and sitting around waiting for them to be proposed in Congress after some future terrorist attack is not going to do us any good.


> After they understand the economic and security impacts of what they are asking, then we can relax.

They do understand.

They have different axioms & goals, so their conclusion is different from yours.


Perhaps. Regardless of which of us is correct, we should still be reaching out to our representatives and talking to friends and family about this issue. Unless Obama changes his mind to support encryption, this is a public debate which will eventually start happening in Congress. It's up to us technologists to inform others.


What if instead of the Clipper Chip the NSA/FBI opted to install hardware 'backdoors' that could induce Fault attacks, Side Channel attacks, etc? I just don't see why the government gave up on the chip so easily.


They did find other ways to get what they wanted. It was on a more ad hoc basis. And there they were focused

There's a video of former NSA/CIA director Michael Hayden talking about the clipper chip, and how everyone was saying "we're going dark" around that time. They found other ways to get what they wanted, and that's why both he and former CIA director James Woolsey do not support the DOJ's position in the ongoing case against Apple. I can't find the video where he talks about the clipper chip right now.


There's not really benefit to the NSA/CIA from a Clipper Chip 2.0.

None of the non-US targets they're pursuing would or could be mandated to use it. And all illegal domestic surveillance aside, foreign intelligence is still their primary mandate and target.

So in return for no benefit they get a lot of headache. (As you know its use would find its way into the US government, and suddenly the NSA has to support it via its defensive mandate)


> They found other ways

Just a guess, but in the iPhone case, they probably have connections with the employees of the chip foundry where the security chips are made. They probably know the passwords to those things (the iPhone 6 security chips) before they're even produced.


The underlying cipher Skipjack was also found to be rather weak. Some attacks were found against reduced-round variants of Skipjack that would have disqualified an AES or SHA3 candidate.

https://en.wikipedia.org/wiki/Skipjack_%28cipher%29#Cryptana...


I think this shows how confident the NSA was/is in its cryptanalysis. You can assume that the NSA knew about the 31 round attack before they released it. The fact that they released it at 32 rounds (exactly the bare minimum number of rounds to resist attack) and that in the past 25 years, no one has been able to extend the attack to 32 rounds is in my opinion pretty impressive. Just like you can't help but admire the prowess of a tightrope walker walking over the Grand Canyon, in the same vein, the NSA achieving security with exactly 1 extra round for 25 years is a demonstration of its crypto prowess.


<sigh> Depressing how little has changed in the policy debate, but does give me the opportunity to pull this out of storage:

http://i.imgur.com/Plzevno.jpg

http://i.imgur.com/KlnsFJX.jpg


I feel like there's good theoretical comp sci work to be done here to show that this system won't work. I've outlined two open problems below:

APPROACH 1:

Suppose we have a state issued crypto-system F0(Tc) -> Tp. Alice decides to place another crypto-system F1 on top of that which the state doesn't know about.

Alice unlocks her phone which runs the state's system F0(Tp) -> T1. However, T1 is still encrypted by the unauthorized second-tier crypto-system, F1. This middleware piece of software then runs F1(T1) -> Tp and we have our plaintext. The state, of course, doesn't have the backdoor keys to F1.

The question is how can one prevent this secondary crypto-system from existing? And if one can't, doesn't it make F0 merely a useless ornament that unwraps one cyphertext matryoshka only to reveal another?

APPROACH 2:

idea: any system with a built in guarantee of access by a delegated third party is in contradiction with some theoretical constraints of a generalized security system and puts the whole construction in a lowered security 'level' which had a smaller set of assurances.

Given a user generated token Ku, ciphered text Tc, and plaintext Tp, you have decryption as a function:

F0(Tc, Kc) -> Tp

This requirement is for another key to exist for the State, Ka such that a decryption function F1 (which may or may not be the same as F0) yields:

F1(Tc, Ka) -> Tp

Ka is allowed to be a "salted" key on a per device basis so it can vary across devices as an input to F1.

It does this through another secret function, F2 whose input will be the per-device salt Ds, and a super-global law enforcement key Kl - our secretly held master key.

Law enforcement applies the secret key Kl on the Device and generates the device's master key, Ka by using the Device's Salt:

F2(Ds, Kl) -> Ka

This means that for the law enforcement it's

F1(Tc, F2(Ds, Kl)) -> Tp

Where F1, F2, and Kl are secrets. Tp, Tc, and Ds are known by us and we are free to change.

Here are the issues:

Kl is global across all devices.

F1() must always work regardless of user generated Ku although Ds is allowed to change as a function of Ku.

If I can generate as many Tc and Ds as I can, can we show that given a known F0, F1 and F2 can only be constructed from an exhaustibly reasonable finite set?

How about the idea that the cost of brute-forcing Kl, the master law enforcement key, continually decreases as the number of devices that Kl can open, thus the value of Kl, continually increases? What do the range of those slopes look like?
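
An added sketch of the two approaches in the comment above, not code from the thread or from any real escrow system. It assumes HMAC-SHA256 as a stand-in for the secret F2, a toy XOR stream cipher, and a content key wrapped once under Ku and once under Ka so that F0 and F1 both open the same Tc; `xor_stream`, `device_encrypt` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (illustration only): XOR with HMAC-SHA256(key, counter) blocks.
    Applying it twice with the same key returns the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def f2(ds: bytes, kl: bytes) -> bytes:
    """F2(Ds, Kl) -> Ka: per-device escrow key from the device salt and master key."""
    return hmac.new(kl, ds, hashlib.sha256).digest()


def device_encrypt(tp: bytes, ku: bytes, ka: bytes) -> dict:
    """Encrypt under a random content key, wrapped once for the user, once for escrow."""
    ck = secrets.token_bytes(32)
    return {"tc": xor_stream(ck, tp),
            "wrap_user": xor_stream(ku, ck),
            "wrap_escrow": xor_stream(ka, ck)}


def f0(blob: dict, ku: bytes) -> bytes:
    """F0(Tc, Ku) -> Tp: the owner's path."""
    return xor_stream(xor_stream(ku, blob["wrap_user"]), blob["tc"])


def f1(blob: dict, ds: bytes, kl: bytes) -> bytes:
    """F1(Tc, F2(Ds, Kl)) -> Tp: the escrow path; needs only Kl and the known salt."""
    return xor_stream(xor_stream(f2(ds, kl), blob["wrap_escrow"]), blob["tc"])


def demo() -> dict:
    kl = secrets.token_bytes(32)                  # the single global master key
    results = {}
    # Approach 2: the same Kl opens every device, whatever Ku the user chose.
    for ds in (b"device-A", b"device-B"):         # constructed device salts
        ku = secrets.token_bytes(32)
        blob = device_encrypt(b"notes on " + ds, ku, f2(ds, kl))
        results[ds] = (f0(blob, ku), f1(blob, ds, kl))
    # Approach 1: Alice encrypts with her own key first, so escrow recovers only T1.
    k_alice = secrets.token_bytes(32)             # never shared with the escrow holder
    t1 = xor_stream(k_alice, b"meet at noon")
    blob = device_encrypt(t1, secrets.token_bytes(32), f2(b"device-A", kl))
    escrow_view = f1(blob, b"device-A", kl)
    results["layered"] = (escrow_view, xor_stream(k_alice, escrow_view))
    return results


if __name__ == "__main__":
    for name, pair in demo().items():
        print(name, pair)
```
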


Any otherwise well-designed system with a built in guarantee of access by a third party is only secure if you can trust that third party. You don't need to prove any theorems to know that. I don't think anyone is arguing that such a system is impossible to build, they're arguing that no such trusted third party exists, and no one who actually cares about keeping a secret would ever willingly use such a system when alternatives exist.


I'm interested in the argument line that would be "Ok, let's assume you are impeccably honest, infallible, and have unwavering integrity and unstealable secrets ... even under those laughable, impossible conditions, it's still a terrible idea because of the following..." and go from there.


The perfect recipient would still have to be sent backdoors from many creators. Many more people would be handling the secret, each one a target to be social engineered into handing it over. I imagine when a more typical backdoor is made, very few people even know it exists let alone know the key to open it. Mandate backdoors and everyone knows they exist so more people will work to find and crack them. They would be very high value targets. Once opened, a backdoor would take a lot of work and expense to be closed, if you even know it had been opened.


Yes, the whole idea is about as plausible as this April Fools' joke: https://en.wikipedia.org/wiki/Evil_bit ... but it's been put forth and implemented too many times for comfort.

Each time these silly systems like DVD-CSS broke down and became worthless or like DIVX, were widely panned and rejected by the consumer.*

Showing how this will always and forever be the case at a more fundamental level to stop trying this deadbeat idea with different gift-wrapping would be great.

* Even in MP3, you have bits 29 and 30 which are for copyright. What were they thinking? people would re-implement /bin/cp to look for that and fail if the bit is set? Really? AAC has something similar. silly.


If all the vendors participate in the scheme, it works?

Ex: SCMS copy bit

https://en.wikipedia.org/wiki/Serial_Copy_Management_System


Even with absolutely perfect systems, which do not exist in practice even when they may exist in math, the humans with the keys are the weakest link. Stolen credentials are the biggest cause of data breaches in enterprise web applications (according to the Verizon DBIR). And even for absolutely perfect humans with impeccable morals, which do not exist as no one is perfect, there is coercion in the form of rubber hose cryptography.

There was even a movie about coercion called Firewall with Harrison Ford - http://www.imdb.com/title/tt0408345/.


Even if the system were perfect and the users with legit access had impeccable credential management and physical security, the escrow will be used a lot to unlock devices and communications. It becomes routine.

Processes which become routine are prone to being subverted, as Mrs. Landau stated in her recent congressional testimony that I linked to in yesterday's article on the FBI and key escrow - https://www.youtube.com/watch?v=g1GgnbN9oNw&t=3h35m50s.


Even if you do trust the third party, you've created another attack vector, and worse, you've created one that is far more valuable to attack than any other because you know they hold the keys to the kingdom.


Didn't know about this. Good timing.


Sneakers had the best Clipper Chip ever, and in the 90's!


Man the war against oppression / totalitarianism never ends.

Back in 1994 when David Letterman's top-ten lists were still a thing and funny, before instant make a t-shirt websites, I tried to bring attention and defeat the Clipper Chip by printing, selling and eventually giving away "Top 10 reasons to Say No to Clipper" shirts. My 15min of Internet fame (back when that was a saying).

excerpt from usenet post http://archives.scovetta.com/pub/textfiles/digest/cpd/v5_045...

The front has a "Big Brother Inside" Logo, and a chip with the word "clipper".

The back has the following top-ten list (possibly with changed order or slight wording/spelling/grammar corrections);

"Top 10 reasons to Say No to Clipper"

  #1  "Can't trust Clinton not to read McDonalds recipes for Big Mac secret sauce."
  #2  "We all know it's just so the FBI can get free phone sex."
  #3  "The spies at NSA will get eyestrain reading all of Santa's mail."
  #4  "Because a policeman's job is only easy in a Police State."
  #5  "The Clipper chip will cause it to be slightly less convenient to plan protests, revolutions, conspiracies, and bake sales."
  #6  "The 4th Amendment was a pretty good idea. Read it."
  #7  "If the Feds listened to my conversations they would be too bored and sleepy to defend our country."
  #8  "Responsibility and Government don't mix. See #10"
  #9  "It will get the stupid crooks out of the way for the government sponsored ones."
  #10  "If they learn how unhappy we are with the government they might start shutting down BBS's, killing off divergent religious groups, illegalizing art, conducting radioactive tests with us, censoring books, and keeping files on us."

btw #10 is all things US government had done. Big bro inside was a play on the Intel Inside logo of the era http://erik.co.uk/hackerpix/bigbro.gif


this is crazy :))



