UK Government Wants Private Encryption Keys 822
An anonymous reader writes "Businesses and individuals in Britain may soon have to give their encryption keys to the police or face imprisonment. The UK government has said it will bring in the new powers to address a rise in the use of encryption by criminals and terrorists." From the article: "Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists. 'The use of encryption is... proliferating,' Liam Byrne, Home Office minister of state told Parliament last week. 'Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force.'"
no diffreance than real life (Score:4, Interesting)
What about global corporations? (Score:5, Interesting)
What about communication between offices on the internet? A japanese analyst creates some research, but due to technical problems the only Compliance office up is in Europe. So every program or service that can comminicate with Britain has to check if a request is going to/through the UK before applying the "approved" encryption.
To quote, "this is madness"
England Prevails (Score:5, Interesting)
Parliment better watch out... hear there's a train heading there loaded with fireworks and other things that go boom.
Re:Simple solution. (Score:5, Interesting)
Methinks the UK government doesn't know that what it wants is technologically infeasible....
New encryption scheme (Score:5, Interesting)
One Key (Score:2, Interesting)
One key to rule them all; one key to find them. One key to bring them in and in the darkness grind them. In the land of Norsefire, where England Prevails.
Re:Brilliant idea... (Score:5, Interesting)
I'm sure the criminals, paedophiles, and terrorists will just be lining up to hand over their keys, too.
That's the odd thing about this. You can get up to 2 or 5 years in the can (depending on if they think you're a terrorist). So if you have gigs of terrorist info that could get you sent away for life, just say you lost your keys and go away for 5 years max.
A solution (Score:3, Interesting)
Specifically, the public key is published, but private keys are pretty much unknown. The only thing you really know about your private key is the passphrase needed to use it (note that the computer using an entropy source generated the key in the first place).
The key itself? Should be stored on a flash memory card. Or another easily destroyed medium. If broken, you have NO way of supplying the key to the government.
The issue is key management. If the key doesn't exist, no amount of threatening or torture can cough it up. Sure, the passphrase (at the drop of a hat), but the key?
Ratboy
Re:Who needs encryption? (Score:5, Interesting)
what will this do? (Score:3, Interesting)
Re:perfectly reasonable (Score:1, Interesting)
Bad Legislation (Score:4, Interesting)
These days encryption software like truecrypt have multiple levels of "plausible deniability" so even if a key was coerced out of someone you don't know if the data that is decrypted is the real deal or just another decoy.
These so called government security advisers really don't know anything about security. The UK Government can't even remember to deport foreign criminals after they server their sentence. The country will be a lot safer if the Government fixed their own incompetence rather than pass TROLL laws which deprive the real law abiding citizens of their liberties whilst allowing the terrorists to carry on business as usual.
Re:Simple solution. (Score:3, Interesting)
Plausible Deniability (Score:5, Interesting)
TrueCrypt lets you mount the container as a filesystem, which is a convenient way to go. This sort of thing allows you to:
a) Deny that there is anything encrypted for which you have not proffered a key. "Oh yeah, show me what I have encrypted and I'll show you the key."
b) If that's not enough, proffer the false key that gives them the alternative access. "Ok, here you go. Let me know if you find anything incriminating. (tee hee)"
Lastly, if you use things like encrypted swap on a unix device, you can plausably say that what is there is just an encrypted swap file, and you don't have a key because the key is never saved to the disk. Why isn't it mounted now? You only set it up temporarily and forgot to delete the file when it was done. (for 1Gb files or larger...) If you have a 20Gb file, you're probably going to have to explain it... and go for option (b) above.
Of course, if your 20Gb file is not a file, but is just an "empty" partition... well there you go.
Please note - I'm not advocating breaking any law here - just outlining what this will drive people who care enough to do.
Unenforcable Law (Score:3, Interesting)
This is why... (Score:2, Interesting)
It will also force more people to use much more sophisticated technoligies. Things such as TrueCrypt's Hidden Volume [truecrypt.org] feature for Plausible Deniability. Again TrueCrypt requires no install, is open source so people can be happy knowing that others can review the code to ensure there are no back doors and it uses well known (and therefore well tested) algorithms.
Also the government are kidding themselves if they think they will catch terrorists with this. If you are willing to kill hundreds or thousands of people and more than likely kill yourself in the process, are you going to be worried about going to prison for with holding your private key? Of course not. The same holds true for the really evil pedos. Going to prison for with holding your private key isn't as bad as going to prison for having 20,000 pictures of naked 3 year olds.
The only thing this will do is hurt our country. More rights lost with no real gain. If they could be 100% sure it would remove terrorism and pedos I would think about it but it won't, it won't make any difference what so ever. Next they will be requesting a copy of a key to your house so they can secretly search it without you knowing to ensure you are not breaking the law.
Re:More like "Horribly Bad Joke." (Score:3, Interesting)
1) Information is only encrypted between the phone and the base station, so they can just tap the base station
2) Some of the encryption algorithms are known to be broken, others are secret and probably backdoored
In related news... (Score:3, Interesting)
Re:In Soviet Russia... (Score:2, Interesting)
Re:On the other hand (Score:3, Interesting)
But the thing about ephemeral keys is that they are ephemeral, i.e. they can't be "produced" on cue. All it takes is a permanent VPN connection to make this useless.
Even better, I could see a fairly trivial encryption mechanism that would make this absolutely insanely fun for the UK government. Modify the crypto so that:
In this case, once the attacker (the UK government, in this case) got the current key, they would have to find a way to take that, coupled with the packet containing the encrypted copy of that routine, and obtain the key used to encrypt it. As long as the cipher makes known-plaintext attacks relatively hard, this is relatively hard. Because of the random periods between key generation, coupled with the creation of multiple streams and the random-time writing of preexisting keys, this will mean that the attacker will have to guess a potentially large number of keys before arriving at the one that successfully decodes a second stream started while the first is going. It will also require accurate time stamps of the data.
Basically, the only practical way to break such a scheme is to have been monitoring since the very first connection was established between the two hosts.
Re:Nothing compared to Tuesday's Dictatorship Bill (Score:2, Interesting)
Re:Actually... (Score:5, Interesting)
It means that you have been fully indoctrinated to accept the political and social assumptions of your society, and you now indoctrinate others into those assumptions... in such a way that it perpetuates the current political system. You are to the modern state what a priest is in Catholisism.
An example of a political assumption in a society would be something like the debate over government's role in health care in Europe. There are those who argue that equality of care (everyone is entitled to equal care) is why health care should be provided and controled by the government... and those that disagree. There are those who argue that no-one should be without health care, and therefore the state should provide it to everyone... and there are those that disagree. BUT, no one questions the idea that the government can or will provide truly equal care, or that the government can or will provide the care to everyone. The political assumption is that government never fails to provide people with services, and that government always provides those services in a manner that is equal to everyone. Even the people who are against the state's intervention into health care don't question that government will provide health care, and they don't question that the government will do it with absolute equality.
In a reasonable debate, you would hear people argue that states have engaged in terrible acts of inequality... in fact the worst acts of inequality, such as mass genocide, have been commited by the state. In a reasonable debate one would argue that states have often commited horrible failures in providing services to it's citizens, in some cases resulting in millions of deaths. Yet, in modern mainstream political debate, it is unheard of and inconceivable that someone could support universal and equal health care for everyone, and also not support state control of health care. In mainstream politics, if you support equal and universal health care, YOU MUST SUPPORT STATE RUN HEALTHCARE. Through political "scientists" such as yourself, and many years of indoctrination and government controlled education, you have been able to control people's thoughs as such that THE STATE = EQUALITY, and THE STATE = PROVIDING FOR THE NEEDS OF SOCIETY... and to be against the state is to be against equality and providing for the needs of everyone. As a "scientist", you should be able to step out of your views for a second and see that is a very powerful form of brainwashing!
Your job, as a political scientist, is to maintain a faith in the state and political process. You may question a specific government policy (but that is like questioning what type of sandwich I should eat for dinner... there is a big assumption that I should be eating dinner, and that my dinner should be a sandwich), but your job is to make sure all debate about the political sytem preserves the political system.
Now, I will admit I am stereotyping political science people. I suppose there are few token anarchists or libertarians or classical liberals in the political science field. But I think that you would probably agree, that anarchists or libertarians or classical liberals are probably few and far between in the field of political science. You wouldn't expect a political scientists to be against the political system, any more than you would expect a carpenter to be against wood.
...what if... (Score:3, Interesting)
Which "indocrination" trumps?
Easy Solution (Score:3, Interesting)
Government is not all that sucks... (Score:3, Interesting)
The problem is, the non-governmental "solutions" are just as broken as the govermental ones, but also there are fewer checks and balances against them. The closer you get to anarchy, the easier it is for independent "gangs" to form and move to exert control over something. In government, you have gangs too, but those gangs that have a little more transparency and they can at least theoretically be removed or altered via democratic processes.
The idea that market forces can keep independent gangs in line is a myth that is dispelled as soon as you look very close at corporate-gang behaviors, especially once they start getting large enough to either exert significant control over a market, or collude with their peers to shut down the smaller competition. Often products do not succeed due to their inherent quality, but rather the quality of the marketing applied to them or the quality of the control a company has over the marketplace. Perhaps you'd be comfortable selecting a medical procedure based on the most persistent marketing rather than its success rate? You won't even *know* the success rate unless they're regulated into telling you, just like food companies had to be regulated into telling you the ingredients of their products.
Sure the government system sucks, but the reason we *know* it sucks is largely due to the transparency it has. Other systems suck too, but you may not know how much they suck if there's no means to impose some transparency of the processes. "Voting with your dollars," just won't do it.
Re:Actually... (Score:3, Interesting)
You can also use state authority to provide for an independently funded institution that competes on the free market (with a little leverage to make the market more free than it currently is in certain areas) as outlined in this guy's plan. [healthsecu...merica.com]
Re:More like "Horribly Bad Joke." (Score:3, Interesting)
There was a period of time when the Clinton Administration allowed export of software (only to the USA's allies) that encrypted data over the network provided it had support for key escrow. Someone in my employer's company had the idea that, "gee, Kerberos Key Distribution Centers keep each user's key in a data base, in the clear. Why not propose that, unchanged, as a Key Escrow System to the NSA? Law enforcement can obtain a warrant to get a user's private key per the policy of the Clinton Administration.".
So I did just that. The NSA's response: not good enough because they need to be able to descrypt arbitrary sessions, which means they needed a centralized place in a modified Kerberos system to record each session key, and BTW, have vendor supplied tools for making this really easy. As vendors we were unwilling to do all that because it would severely weaken the strength of the system. So we told the NSA, thanks, but no thanks.
The UK government is either very naive, or very stupid.