[Cryptography] Justice Dept. Revives Push to Mandate a Way to Unlock Phones
John Denker
jsd at av8n.com
Sun Mar 25 22:35:16 EDT 2018

On 03/25/2018 10:38 AM, Erik wrote in part:

> What are some possible technological responses that can be utilized to
> protect against this sort of legislation? I'm curious what people here
> would do if some legislation of this sort were written into law.

0) Thanks for mentioning this. It's something we need
to stay on top of ... even though it has been discussed
before.

1) The short answer is that there is no good technological
fix. This is a political problem, not a technical problem,
and must be recognized as such. We must defend against it
using political means, not technical means.

They assert, based on no evidence, that there will be
a win/win outcome, whereby they can snoop on the bad
guys and everybody else will be more secure. In all
likelihood, any strong action they take will lead to
a lose/lose outcome.

2) One thing to consider is superencryption. If the
data has one layer of "regulated" encryption, no
attacker has any idea whether it is superencrypted
unless and until they strip the first layer. They
can pass a law against superencryption, but they
can't enforce it without revealing that they've
been stripping the first layer.

If the second layer involves stego as well as
encryption, it would be particularly hard to
prevent.

This leads to the maxim: When strong crypto is
outlawed, only outlaws will have strong crypto.

3) At the opposite extreme, we should consider the
possibility that somebody will install (additional)
bugs that bypass all security and exfiltrate your
keys, upstream of any and all encryption. This
makes all ordinary citizens very much less secure.

4) Any strong immune response runs the risk of
provoking autoimmune disease. By that I mean it
becomes possible to provoke all sorts of DoS
attacks, using the government as a weapon against
innocent persons. In particular, you can send
"illegally" encrypted messages to some innocent
schmuck, and he will be unable to prove that he
doesn't know how to decrypt them. Put the words
"ISIS kiddie porn" in the headers.

5) These are actually *not* the scariest scenarios
I know of. I mention these because they should be
scary enough to persuade any halfway-reasonable
person that security needs to be strengthened, not
in any way weakened or bypassed.

Nastier scenarios can be discussed on a need-to-know
basis.