[Cryptography] Justice Dept. Revives Push to Mandate a Way to Unlock Phones

John Denker jsd at av8n.com
Sun Mar 25 22:35:16 EDT 2018


On 03/25/2018 10:38 AM, Erik wrote in part:

> What are some possible technological responses that can be utilized to
> protect against this sort of legislation? I'm curious what people here
> would do if some legislation of this sort were written into law.

0) Thanks for mentioning this.  It's something we need
 to stay on top of ... even though it has been discussed
 before.

1) The short answer is that there is no good technological
 fix.  This is a political problem, not a technical problem,
 and must be recognized as such.  We must defend against it
 using political means, not technical means.

 They assert, based on no evidence, that there will be
 a win/win outcome, whereby they can snoop on the bad
 guys and everybody else will be more secure.  In all
 likelihood, any strong action they take will lead to
 a lose/lose outcome.

2) One thing to consider is superencryption.  If the
 data has one layer of "regulated" encryption, no
 attacker has any idea whether it is superencrypted
 unless and until they strip the first layer.  They
 can pass a law against superencryption, but they
 can't enforce it without revealing that they've
 been stripping the first layer.

 If the second layer involves stego as well as
 encryption, it would be particularly hard to
 prevent.

 This leads to the maxim:  When strong crypto is
 outlawed, only outlaws will have strong crypto.

3) At the opposite extreme, we should consider the
 possibility that somebody will install (additional)
 bugs that bypass all security and exfiltrate your
 keys, upstream of any and all encryption.  This
 makes all ordinary citizens very much less secure.

4) Any strong immune response runs the risk of
 provoking autoimmune disease.  By that I mean it
 becomes possible to provoke all sorts of DoS
 attacks, using the government as a weapon against
 innocent persons.  In particular, you can send
 "illegally" encrypted messages to some innocent
 schmuck, and he will be unable to prove that he
 doesn't know how to decrypt them.  Put the words
 "ISIS kiddie porn" in the headers.

5) These are actually *not* the scariest scenarios
 I know of.  I mention these because they should be
 scary enough to persuade any halfway-reasonable
 person that security needs to be strengthened, not
 in any way weakened or bypassed.

 Nastier scenarios can be discussed on a need-to-know
 basis.
