Global crypto survey proves govt backdoors completely pointless

In 1999, when a fierce crypto war was raging between governments and developers, researchers undertook a global survey of available encryption products. Now security guru Bruce Schneier and other experts have repeated the exercise, and it spells bad news for those demanding backdoors in today's cryptography. The latest study …

  1. Synonymous Howard

    I will let you, Mr Gov, put a backdoor on my kit ...

    when you let me personally audit its use and see a lambda proof of how it can be used with 'perfect security'.

    Click Burr ... Hello? Mr Gov? Hello?

  2. Joe Harrison

    Sorted!

    I knew it must be possible to get unbackdoored crypto. No way they can defeat me now unless they put the backdoors in the chips before they even leave the factory! Which obviously couldn't hap...Oh wait...

    1. Anonymous Coward
      Big Brother

      Re: Sorted!

      That's not a backdoor. It's an "errata" in a "management engine" you paranoid fool. Why would we have any interest in insignificant little ants like you anyway you paranoid fool.

  3. Anonymous Coward

    "[...] it would be ridiculous to try and enforce a ban on non-government-approved encryption."

    Governments, even in democracies, have a penchant for out-of-proportion draconian penalties for things they wish to ban as a political gesture - "pour encourager les autres". The damage it may do is often regarded as secondary to the political grandstanding aim.

    The UK already has potentially rolling jail sentences if you say you can't give them the key to an apparently encrypted file.

    1. Gray
      Boffin

      Obligatory Congressional knee-jerk

      Lest anyone think the US Congress will pay the slightest heed to this crypto survey, it's worth considering that most members will wish to be seen "standing tall" on the issue of national security and strong opposition to terrorism, domestic and foreign (and pedophiles! And whistle-blowers! And political opponents!)

      Privacy and security are the privilege of the privileged; no others need apply.

      1. a_yank_lurker

        Re: Obligatory Congressional knee-jerk

        Vegas should have odds on which bloviating idiot/Congress critter demands pointless backdoors calling the study flawed.

    2. Arthur the cat

      The UK already has potentially rolling jail sentences if you say you can't give them the key to an apparently encrypted file.

      I thought it was 10 years max if the CPS(*) thought your /dev/random was kiddie porn or terror related stuff, 2 years max otherwise, and they can't get you more than once for it.

      (*) For those not familiar with the UK legal system, the CPS is officially the Crown Prosecution Service, but is usually regarded as standing for Couldn't Prosecute Satan after a number of spectacular failures to prosecute high profile cases.

      1. Anonymous Coward

        >I thought it was 10 years max if the CPS(*) thought your /dev/random was..

        ..if the CPS(*) chose to allege your /dev/random was..

        T, FTFY

        *Big* difference

    3. MrDamage
      Trollface

      rolling jail sentences

      If I ever decide to visit Ol' Blighty, then every device I have will have some variant of "fuck off copper" as the password.

      They can go along and detain me, and then attempt to prosecute. In court, I will simply ask if they tried the term "fuck off copper" as the password.

      I'm sure there are enough competent ambulance chasers in Blighty who would relish the chance of slapping the plod with an unlawful imprisonment suit, complete with a suitable large damages sum.

  4. noj

    Reg: please update link

    https://www.schneier.com/cryptography/archives/2016/02/a_worldwide_survey_o.html

    I may have missed it, but a quick glance through https://www.schneier.com/blog/archives/2016/02/ didn't yield a title that looked like it had the mentioned survey

    Thanks!

  5. Nick Kew

    1999 vs now

    Actually even in 1999 crypto solutions were widely available to anyone who cared enough to download them. The main difference was the historic exclusion of the US from much of the community because of the legacy of silly export laws.

    Then as now it was trivial to a geek. But now as then, there's a big non-techie public who will only get crypto by buying a product that supports it. That's the public some politicians expect to control.

  6. geascian

    Message for Ms May


    1. Arthur the cat

      Re: Message for Ms May

      I suspect she'd have problems with this one, never mind PGP.

      Trg n pyhr SSF!

  7. btrower

    if you haven't done anything wrong

    This is similar to the argument from "if you haven't done anything wrong, you have nothing to fear". Proper privacy and security requires more than just the possibility of some people having it. It requires that it is the default for everyone and it requires political regimes in place that make it exceedingly costly to subvert.

    Every step of the system from hardware manufacture on up to human interface design needs to be designed for security. Everything is subject to attack.

    We should culturally and legally make any illegitimately obtained information 'fruit of the poison tree' and make it illegal to make any use of it. For instance, its only use as evidence should be as evidence of the criminal breach of privacy used to obtain it.

    We are rapidly approaching a point where it is simply impossible even for experts to prevent surveillance. It is surprising to see any expert making a claim to the contrary.

    I am very suspicious of our current security culture whereby everyone is encouraged to use the same small battery of inter-operable standards with key sizes only ever just 'good enough'. Is there anybody who knows much about this stuff that would really set arbitrary limits on things like key sizes? How can any expert endorse, for instance, Certificate Authorities controlled by governments, financial institutions, predatory companies and other fundamentally compromised entities?

    I would say that any advice that is security related should be taken with a very big grain of salt. That includes this, if for no other reason than its list of hazards is woefully incomplete.

    1. Mike 16

      Re: if you haven't done anything wrong

      -- fruit of the poison tree --

      Neatly circumvented by "parallel construction", in which at least U.S. L.E.O.s are well versed, as I assume are other would-be Stasi in nominally democratic states.

      Or they could just skip that time-consuming trial thing and send you directly to Gitmo. Or just disappear you if you happen to be a bookseller in H.K. There are a _lot_ of "them" in that "they".

      1. a_yank_lurker

        Re: if you haven't done anything wrong

        Compared to many "police departments" over here, the Stasi may be a marked improvement.

  8. Anonymous Coward

    "distributed from all corners of the globe."

    Journalism school fail.

  9. Adam 52

    "ridiculous to try and enforce a ban"

    Not to the average politician. Much, much easier than enforcing a ban on, say, driving too fast or offending people; and we have laws banning both of those. They are arbitrarily enforced, the latter mostly used as "looking the wrong way at a policeman", but remain popular.

    1. Anonymous Coward

      Re: "ridiculous to try and enforce a ban"

      Aren't we all tired of this shit yet?

      Will peeps *please* stop believing that anyone's trying to "ban encryption". Whenever our political masters wish to pass some hideous Orwellian act to crush what little we have left in the way of rights, they shove it through as quickly and quietly as possible. Of course. This ludicrous spectacle is the opposite of that. As loud and static as possible. It's not going anywhere because nobody's really trying to "ban encryption." It is a targeted disinformation campaign to address a specific problem:

      The "problem:"

      Since the Snowden "revelations" the average mug has finally realised that the "tinfoil brigade" was right all along and governments really are spying en masse on practically everything they do. Really!!!! OMG!!! As a result there's been a significant upturn in awareness of and demand for cryptography apps - as can easily be seen on any technology related forum or software hub. This obviously poses a bit of a problem from a mass surveillance perspective.

      The "solution:"

      Operation Restore Confidence.

      *Pretend* to want to ban the pathetic joke crapto incorporated in consumer electronics and government issued protocols "cos it's so hard we can't break it. Honest. And terrorists and paedos!" Thus restoring the average mug's confidence in the "security" of the pathetic joke crapto incorporated in consumer electronics and government issued protocols. That same broken-by-design "encryption" everyone was using before the "revelations."

      No one is going to "ban encryption"

      No one is even trying to "ban encryption"

      REALLY!

      It's just theatre.

      It's just an exercise to restore confidence in the sham.

      Has this really not sunk in yet?

      1. Mark 85

        Re: "ridiculous to try and enforce a ban"

        I think that here in the States there's a bigger problem. Our CongressCritters follow whatever hysteria is generated by the media and, to some extent, the TLAs. Take a look at Feinstein, for example. There is also a perception from their bleatings that encryption is one product, or that all the products have a common basis to allow what they want.

        Yes, it's theatre, but it's coming to a TLA or LEA near you.

  10. Anonymous Coward

    Double encryption

    If some governments required encryption that includes a backdoor, one could just use their broken encryption to re-encrypt something already properly encrypted.

    The government would only discover that if they used their backdoor, so citizens of that country would quickly find out whether their government really was using the backdoor only with proper legal procedure (search warrant or whatever) followed.

    1. Anonymous Coward
      Black Helicopters

      Re: Double encryption

      The government would only discover that if they used their backdoor, so citizens of that country would quickly find out whether their government really was using the backdoor only with proper legal procedure (search warrant or whatever) followed by disappearing if it was not.

      There... completed that sentence for you.

  11. tom dial

    Law enforcement back doors are wanted for law enforcement, not surveillance. As others have pointed out, surveillance does not require back doors, and NSA, at least, has not expressed much interest (if any) in backdoored encryption systems since Clipper and Capstone. Intelligence agencies do not require content access for much of what interests them and have ways they often can use to circumvent encryption without requiring a corrupt algorithm, as they must since they have no control over their adversaries' encryption systems.

    Law enforcement back doors are being proposed, at least in the US, to address a perceived need to obtain evidence by warrant or subpoena that may be encrypted. That does not make them a good idea, but at least puts them in the right context. We have survived quite a while with court supervised wiretap procedures and other searches for law enforcement. All of these involve techniques that could be used, and are, by criminals and others for undesired purposes. Widespread use of encryption will hide some information that otherwise would be obtainable through legal processes, and law enforcement officials are concerned, with some justification, that criminals will go free because of it. Cryptographic systems with provision for law enforcement access, if they were feasible, might not be the total disaster usually described, although requiring them remains poor public policy for all the reasons normally given.

    1. Someone Else
      Coat

      Whazzat?

      The U.S. is encrypting warrants and subpoenas? Who knew?

      Oh...wait....

      1. tom dial

        Re: Whazzat?

        "... to obtain by warrant or subpoena evidence that may be encrypted."

  12. Anonymous Coward

    It's Government - vs - Corporations

    "Such regulations could cripple that country's global software industry's sales – something Apple, Google et al are nervously aware of."

    First the Government got F...'d by the banks which led to the GFC.

    Now people have more confidence in companies and brands (Google, Apple) than they have in their government.

    The corporations also don't like to pay tax - at home - so they find loopholes to pay less tax overseas.

    Government is afraid of losing control, so they want to show the big corporations who's boss - by undermining sales (e.g. by enforcing weak encryption).

    And when the terrorist threat gets old and boring - they just fabricate another threat to keep you in a state of fear. This fear is helpful because it keeps people distracted while their liberties are taken away.

    But hey, it's for your own good. Trust us.
