Wednesday, June 07, 2017

The insanity of trying to control encryption...

Politicians and social commentators keep throwing up this idea that encryption is;
  • Bad (the bolt-hole for terrorists/paedophiles)
  • Somehow controllable (back doors, side doors) by the state.
It's clear that people like Amber Rudd either have no idea (or more likely choose to have no idea) about the nature of data encryption. If you want a little primer I did an intro around a year ago and so thus armed you can explain the difference between symmetric and public-key crypto like a pro!
A few points are worth noting;

  1. Cryptography is maths - all of the algorithms currently in use are published and a decent proportion of computer-science or maths graduates could implement them in code. 
  2. WhatsApp and everyone else that offers end-to-end crypto probably rely on the underlying crypto-primitives provided by the OS - only a fool tries to re-invent the wheel (particularly WRT cryptographic functions)
  3. If you could (and most crypto experts doubt it is achievable) devise a secure public-key algorithm with a back/side-door access how can we trust any public body to not let the private back-door key get out? Five years down the line we discover that some other nation-state has had access to all the private conversations? There is much precedent for this; remember last month's NHS attack was done with code written by and subsequently lost from the NSA. Examples of large governmental bodies loosing data they really didn't want to mislay are legion.
  4. Compromised encryption & identity algorithms will spell the end of eCommerce. No bank will want to expose themselves to that kind of risk.
  5. How do you oblige software writers (who may be anywhere in the world) to use the crypto-crippled algorithm?
  6. How do you oblige "bad guys" to use the crypto-crippled software?
The outcome will be that only people who aren't concerned about security will use the crypto-crippled version of the popular chat/speech apps. Encryption exists outside of laws & countries and people who want privacy (for whatever reason) now have the means to achieve it. No nation state can now stop that.

WRT point 3 (above) I have heard non-technical people say something like "Silicon Valley is full of very clever people - they can figure it out. We were able to put a man on the moon fifty years ago..."
Well, putting a man on the Moon is one thing, putting a man on the Sun is entirely different - and that's what you're asking for, whether you choose to believe the people who actually understand cryptography or not.

No comments: