Archive | Cryptography

Prepare for the next crypto war

Last winter it looked as if there was going to be an international initiative against encryption. However, after some public attention, President Obama announced that there were no such plans – at present. Shortly after that, there was a brawl between Apple and the FBI, ending with the FBI withdrawing its subpoena for Apple to build software to give backdoor access to an iPhone. (The FBI cracked it by other methods.) Meanwhile, the UK is slowly moving towards some sort of ban on encryption.

Now, it seems this issue will get new attention. Last week the French called for a global initiative to “deal with” encryption. Apparently, they are trying to get Germany aboard on such an initiative. If so, we can expect the issue to become a hot topic in the EU shortly.

As most politicians are somewhat ignorant when it comes to IT and the Internet, we can expect some ill-conceived proposals.

It would be very difficult for politicians to ban user-managed end-to-end encryption like PGP. That should reasonably not be up for discussion. (But you never know when it comes to the EU.)

My guess is politicians (and law enforcement) will take aim at popular communication apps like WhatsApp and Telegram – and demand backdoors to smartphones and other encrypted hardware.

Cracking communication apps and installing backdoors is still a terrible idea. These techniques will – sooner or later – end up in the wrong hands. And government having access to citizens’ communications is still a very unpleasant concept.

However, this will not prevent terrorists and criminals from communicating securely and covertly – if they really want to.

/ HAX

France in global call to “deal with” messaging apps »
How the Government Is Waging Crypto War 2.0 »

“France in global call to “deal with” messaging apps”

France’s interior minister has claimed that encryption technology in messaging apps is widely used by terrorists and said the country would work with Germany to initially launch a European initiative to “deal with” the issue.

“This is a central issue in the fight against terrorism, many of the messages exchanged with a view to carrying out terrorist attacks are now encrypted,” said Bernard Cazeneuve, reported by Le Monde.

Glyn Moody in Ars Technica: Encryption battle – France in global call to “deal with” messaging apps »

Law enforcement should be difficult

“I think law enforcement should be difficult. And it should actually be possible to break the law.”

“Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed,” he wrote. “How could people have decided that marijuana should be legal, if nobody had ever used it? How could states decide that same-sex marriage should be permitted?”

Wired: Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us »

Meanwhile, in Russia…

Russia’s intelligence agency the FSB, successor to the KGB, has posted a notice on its website claiming that it now has the ability to collect crypto keys for Internet services that use encryption. This meets a two-week deadline given by Vladimir Putin to the FSB to develop such a capability. However, no details have been provided of how the FSB is able to do this.

Ars Technica: Russian spies claim they can now collect crypto keys—but don’t say how »

European Data Protection Supervisor: Ban encryption backdoors

According to TechDirt, a report from European Data Protection Supervisor (EDPS) Giovanni Buttarelli argues for a ban on encryption backdoors.

Excellent.

But that is not all…

The new rules should also clearly allow users to use end-to-end encryption (without ‘backdoors’) to protect their electronic communications.

Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

That is taking the issue far. Very far. Maybe so far as to kill the report altogether in the EU institutions.

I cannot imagine politicians prohibiting all forms of attempted decryption, under all circumstances. Europol would go bananas. The EPP and S&D groups in the European Parliament would never accept it. And I imagine the Commission would never put forward such a proposal.

Just focusing on banning backdoors, however, is a totally different issue – one that might stand a fair chance of becoming EU policy.

Then we have this…

In this context the EDPS also recommends that the Commission consider measures to encourage development of technical standards on encryption…

This could be understood as the EU encouraging encryption in general. That would be a good thing. Or it could be understood as the EU taking some sort of control over the development of encryption. That would be really bad.

Frankly, I’m not sure what to make of parts of this report.

But, at least, this is a clear stand against backdoors – from an EU data protection bigwig.

/ HAX

TechDirt: EU Data Protection Official Says Revised Privacy Laws Should Ban Backdooring Encryption »

Governments vs. WhatsApp

In other words, there is no central repository of plain-text messages that the company can access to comply with a court subpoena. Nor is there a “universal key” that can be used as a government backdoor to decrypt information. When a user sends a message on WhatsApp, he or she can feel fairly confident that no confidence man in the middle lurks between them and the intended recipient of a message. Such security is a very strong selling point in this age of constant data breaches and headache-inducing identity thefts.

Reason: Why We Should All Care About Brazil’s War on WhatsApp »

“Snowden sped up spread of encryption by seven years”

The projected growth maturation and installation of commercially available encryption — what they had forecasted for seven years ahead, three years ago, was accelerated to now, because of the revelation of the leaks.

James Clapper, US Director of National Intelligence.

The Intercept: Spy chief complains that Edward @Snowden sped up spread of encryption by 7 years »

UK: The Lauri Love case

It is a general principle in democracies under the rule of law that a person suspected of a crime should not be forced to incriminate himself. And the European Convention on Human Rights clearly stipulates the presumption of innocence.

Having that in mind, the Lauri Love case in the UK is troublesome.

Love is being accused of hacking U.S. government computer systems a few years back. He is now fighting extradition to the U.S. — and the British authorities when it comes to the contents of his computers.

The Intercept:

Following Love’s arrest in 2013, the National Crime Agency, or NCA, seized computers and hard drives in his possession. He was then served with an order under Section 49 of the U.K.’s controversial Regulation of Investigatory Powers Act, which demanded that he hand over his passwords to open encrypted files stored on the devices.

Years have passed since then — and when Love decided to sue to get his computers and hard drives back, authorities renewed their efforts to access them under Section 49. There will be a court hearing April 12.

“I don’t have any alternative but to refuse to comply,” he told The Intercept. “The NCA are trying to establish a precedent so that an executive body — i.e., the police — can take away your computers and if they are unable to comprehend certain portions of data held on them, then you lose the right to retain them. It’s a presumption of guilt for random data.” (…)

(So I guess you better not have any files with white noise on your hard drive.)

This is not just about Mr. Love. The case can set a dangerous precedent.

Naomi Colvin, a campaigner for transparency advocacy group the Courage Foundation, told The Intercept that she believed the case could have “huge implications for journalists, activists, and others who need to guard confidential information” — potentially setting a precedent that could make it easier in the future for British police and security agencies to gain access to, or to seize and retain, encrypted material.

In the end, it all boils down to one simple question: Should the government have the right to force you to decrypt encrypted information?

Apart from Ms. Colvin’s arguments (above), we must consider what would happen if governments are allowed to force you to incriminate yourself. It would shatter presumption of innocence. It could throw court cases into deadlock over evidence that does not exist or cannot be accessed. It would give the prosecution an unfair advantage — especially over innocent individuals, who could be detained until they give up and “confess”.

Equally important, in my mind, is that your personal information is closely connected to your person. It is of less importance if this information is stored in your mind or on an encrypted hard drive. The information you possess is a part of who you are and your life. As long as people are regarded as self-owning individuals (and not the property of the government) everyone should have the right to respect for their own person. (And for private and family life, home, and correspondence.)

But I’m not too hopeful. The Intercept:

Court documents show that the agency requested — and a judge approved — that witness statements and skeleton arguments should not be disclosed “to the press, the public, or any third party save with the leave of the court until after the final hearing, and then only in relation to such matters as are referred to in open court or as permitted or directed by the court.”

/ HAX

Read the full story in The Intercept: British authorities demand encryption keys in case with “huge implications” »

Amnesty: Encryption is about Human Rights

In the digital age, access to and use of encryption is an enabler of the right to privacy. Because encryption can protect communications from spying, it can help people share their opinion with others without reprisals, access information on the web and organize with others against injustice. Encryption is therefore also an enabler of the rights to freedom of expression, information and opinion, and also has an impact on the rights to freedom of peaceful assembly, association and other human rights. Encryption is a particularly critical tool for human rights defenders, activists and journalists, all of whom rely on it with increasing frequency to protect their security and that of others against unlawful surveillance.

• Amnesty: Encryption: A Matter of Human Rights »

• EFF: Amnesty International: Encryption is a Human Rights Issue »
