[Cryptography] Justice Dept. Revives Push to Mandate a Way to Unlock Phones

Tom Mitchell mitch at niftyegg.com
Mon Mar 26 19:19:00 EDT 2018


On Sun, Mar 25, 2018 at 7:35 PM, John Denker via cryptography
<cryptography at metzdowd.com> wrote:
> On 03/25/2018 10:38 AM, Erik wrote in part:
>
>> What are some possible technological responses that can be utilized to
>> protect against this sort of legislation? I'm curious what people here
>> would do if some legislation of this sort were written into law.
>
> 0) Thanks for mentioning this.  It's something we need
>  to stay on top of ... even though it has been discussed
>  before.

<security+encryption>
On the security side that keeps this on the list ...
It seems to me that Apple cannot have a single key set for all their devices.
They will be necessarily different for each model so already not a single key.

What cryptographic strategy might allow Apple or a Google to have
+1024 secret keys, and when a device is updated each device would be
vectored to exactly one server in +1024 for authentication and a
specific signed update?
Such a strategy could mitigate the loss of any one key...
A random assignment of the key to each device would make it impossible
to request a single key.  Discovery of the key assignment could only
happen in the update cycle.  Should a single key be cracked, an updated
system image for that 1/+1024 of the install base might establish a new
secret set.
Classic salt in passwords could be used to vector requests and traffic
in interesting ways.
</security+encryption>

<discussion>
One technical response is that any side door for US law enforcement
will encounter like demands by any and all other law enforcement
globally.  <-- globally ####
If it was technically possible (and it is not) then the multitude of
secret keepers would muddy the waters and allow foreign agents to insert
or delete data to their own ends.  So if it was possible for one it is
clearly not possible for many.

As we are learning, the Russian view of law and our view are at odds.
The same can be shown for China, N&S Korea, countries that are well funded
by drug trade and more.

Commerce today depends on a trusted platform and management of that trusted
platform depends on a secure device.   Phones play an important part in this.

One reality is that a device sold in France with French secrets would not be
an open book at the US border and vice versa. With 193 United Nations nations
the permutations of transit are very large with only one stop.  And those
that travel commonly make multiple border crossings.

The implication is that any US mandate would impact US citizens only and
US prohibitions on warrantless searches of US citizens would apply fully.

One additional impact of a loss of security would risk US commerce and
that is one of the constitutional mandates in the Commerce Clause of the
US Constitution.

Missing in all this is the growing part that data security on phones
plays in all commerce.
</discussion>


-- 
  T o m    M i t c h e l l
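
Added example, not part of the original post: a Python model of the key-sharding idea in the <security+encryption> section above, showing that one leaked key covers about 1/1024 of a fleet and can be rotated alone. The per-device salt, the HMAC-based assignment and every name here (`assign_key_index`, `UpdateService`, `blast_radius`, the sample fleet) are assumptions; HMAC stands in for a public-key signature so the code runs on the standard library.

```python
import hashlib
import hmac
import secrets

NUM_KEYS = 1024  # size of the key set proposed in the message


def assign_key_index(device_id, salt):
    """Vector a device to one of NUM_KEYS update keys via its salt (assumed scheme)."""
    digest = hmac.new(salt, device_id.encode(), hashlib.sha256).digest()
    # 2**256 is a multiple of 1024, so the modulo reduction is unbiased.
    return int.from_bytes(digest, "big") % NUM_KEYS


class UpdateService:
    """Constructed model: one secret per index; HMAC stands in for a signature."""

    def __init__(self):
        self.keys = [secrets.token_bytes(32) for _ in range(NUM_KEYS)]

    def sign_update(self, index, image):
        return hmac.new(self.keys[index], image, hashlib.sha256).digest()

    def rotate(self, index):
        """Replace one cracked key; the other 1023 keys are untouched."""
        self.keys[index] = secrets.token_bytes(32)


def device_accepts(trusted_key, image, tag):
    """Device-side check; with a real signature this would use a public key."""
    expected = hmac.new(trusted_key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def build_fleet(n):
    """Constructed sample fleet: device IDs with random per-device salts."""
    return {f"device-{i:06d}": secrets.token_bytes(16) for i in range(n)}


def blast_radius(fleet, leaked_index):
    """Fraction of the fleet whose updates are signed by the leaked key."""
    hits = sum(1 for dev, salt in fleet.items()
               if assign_key_index(dev, salt) == leaked_index)
    return hits / len(fleet)


if __name__ == "__main__":
    fleet = build_fleet(50_000)
    print(f"one leaked key covers {blast_radius(fleet, 7):.4%} of the fleet")
```
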

