
David Cameron wants to ban all forms of encrypted communication


HeliX


I think this was the reason the developers of TrueCrypt, the disk encryption program, suddenly pulled the software and claimed it was not secure. Was the real reason for removing it because they were asked to put in a "Back Door"? TrueCrypt is still undergoing an independent audit to tell how secure it really is.


I think this was the reason the developers of TrueCrypt, the disk encryption program, suddenly pulled the software and claimed it was not secure. Was the real reason for removing it because they were asked to put in a "Back Door"? TrueCrypt is still undergoing an independent audit to tell how secure it really is.

The answer to that is probably. They set off a load of canaries in their code, and some obvious red flags on their website (suggesting people use BitLocker - hah). Almost certainly the same way LavaBit went. Just less noisy.


Ignoring the complete lack of understanding in how end2end encryption works, all this will do is push people onto custom solutions out of sight from anyone. These terrorists/criminals don't all live in caves anymore, they have very capable and sophisticated people working for them.

 

I get *why* they think this would be a good thing, but it's an incredibly flawed idea on all levels.


I'm not sure I agree with the way this topic is being framed.

My understanding is that the Intelligence services are concerned because terrorists have access to encrypted communication via lots and lots of public apps.

Here's a link analysing a speech by the head of GCHQ for example.

He sees "social networks and other online services ... becoming “the command-and-control networks of choice for terrorists and criminals”."

The bad guys can easily gain access to these communications channels and it is a huge task to find them, decrypt what they are saying and try to gain intelligence about how terrorists are using them - the way the likes of GCHQ operate they hoover up haystacks of everyone's information to try to find the needle of useful intel.

If these apps weren't as strongly encrypted - ie key lengths beyond the ability of anyone other than a major government to crack - it is far less likely they'd be used by the bad guys.

Yes, no doubt they'd then go and use other methods to communicate - ones with higher levels of security.

But these forms of communication would be rarer, difficult to set up, and if you came across them unusual.

It is the ubiquity of high level encryption for communications that don't really need to be encrypted (does it matter if your facebook page, or twitter feed etc is so secure?) which is the problem.

 

I don't know - I agree I find pervasive surveillance disturbing.

 

There needs to be checks and balances and there are huge risks of abuse. But I want it to be really difficult for the likes of ISIS and AQ to operate. They need to be using people hand delivering individual memorized messages, not using an app from the app store. Is that achievable without a massive loss of individual freedoms?

 

I'm not sure. Encryption comes in levels of crackability. There is an effort needed to break it. I'd like my work emails to come with "pretty good privacy" - but that would mean my competitor doesn't have the ability to steal/read them. That doesn't mean they should be able to hide people threatening national security.

 

How to put those different levels in isn't clear to me, but I don't think it is an all or nothing issue as Helix is saying. The trouble is technology advances so quickly that something secure a decade ago is open now.

 

It's an arms race and the spooks keep losing it. Currently they are being locked out of so many communications networks they are seriously concerned and are making a fuss.

 

I'm not surprised by that, and understand the need for the security services to be able to break into someone's comms if necessary.


Ignoring the complete lack of understanding in how end2end encryption works, all this will do is push people onto custom solutions out of sight from anyone. These terrorists/criminals don't all live in caves anymore, they have very capable and sophisticated people working for them.

 

I get *why* they think this would be a good thing, but it's an incredibly flawed idea on all levels.

 

Quite. Events like Charlie Hebdo are a boon to Western Governments who have been trying to get a tighter grip on the virtual realm for years, and these kinds of crises give them sufficient weight of public opinion to do so. Stopping terrorists is only one reason that the present UK government is so keen on increasing its powers in this area, but terrorists will always find another means of communication. A desire for greater control over an important area of public life which is of great value to governments is undoubtedly another reason.

 

Terrorist attacks are very rare and statistically a very minor threat to public safety. But of course they are much more significant than pure statistics would suggest. If such strong legislation as this is being proposed after a few journalists are shot in another country, what can we expect if the conflict escalates?

 

We will sorely regret relinquishing these freedoms in years to come. Once they are gone there is really no going back, and the laws that are currently being proposed (snoopers charter) are open to serious abuse in the future.


@ChinaHand

 

Once a particular form of encryption is cracked, it stays cracked for all implementations. So yes, making them use a "more crackable" encryption scheme would mean the Government could crack it... but so could everyone else, albeit a little bit later (other than the people who have access to GPU farms). You'd also probably have to invent a new scheme to start with, I don't know off the top of my head of any cryptographic schemes which are crackable but not yet cracked.

 

Also, if the Government were to enforce broken encryption methods on popular apps, a lot of non-terrorists would change to better protected apps too.


I thought key length and other things were the issue - wasn't that why there were/are export restrictions on encryption technologies from the US?

 

They would only allow software with a certain key length to be exported - stuff they could crack given a "US government" worth of computer power, but which would be beyond the ability of basically everyone else other than Nation States.

 

It isn't down to anything theoretical about the algorithms - it's blunt processing power to break the public keys.


I never realised WhatsApp was encrypted end-to-end, I knew iMessage was though. Though, I am highly dependent on WhatsApp for communication so wouldn't like it to disappear.

Remember the kerfuffle over the encryption of BBM?

 

I think every service should aim to encrypt themselves end-to-end, making it harder, if not impossible to outlaw them all.

 

Terrorists aren't as dumb as people think, as mentioned earlier in this thread. There are ways around everything and they're one of the groups striving to find them.

Cameron seems to be under the impression that banning something will work, history begs to differ.


I thought key length and other things were the issue - wasn't that why there were/are export restrictions on encryption technologies from the US?

 

They would only allow software with a certain key length to be exported - stuff they could crack given a "US government" worth of computer power, but which would be beyond the ability of basically everyone else other than Nation States.

 

It isn't down to anything theoretical about the algorithms - it's blunt processing power to break the public keys.

That mostly refers to symmetrical encryption, which is not the sort used by WhatsApp.

 

Asymmetrical encryption is a lot more difficult. Take a 256bit private key, for example:

There are ~1e10^77 different 256bit private keys. The entire bitcoin network as a whole was checking 15trillion sha256 hashes/second in August 2011. Bearing in mind that a lot of that work is being done by people with hordes of computers, with multiple GPUs in each.

 

If we assume that it takes the same time to run an ECDSA operation as it does to check a SHA-256 hash (it doesn't, it takes a LOT longer), then it would take 0.65 billion billion years to get that private key.

 

Basically, it's out of the realms of any organisation's current capabilities to crack any reasonable asymmetric encryption scheme.

Link to comment
Share on other sites
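
The key-length argument in the post above, as an added example that is not part of the original thread: it recovers a constructed 16-bit key by exhaustive search, then estimates the average search time for larger work factors at the 15 trillion guesses per second quoted in the post. The function names and the sample key are assumptions for illustration, and counting one SHA-256 as one key trial follows the post's own simplification.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Rate quoted in the post: the Bitcoin network's SHA-256 rate, August 2011.
NETWORK_RATE = 15e12  # guesses per second


def fingerprint(key: int, bits: int) -> bytes:
    """SHA-256 of the key bytes, standing in for one trial of a candidate key."""
    return hashlib.sha256(key.to_bytes((bits + 7) // 8, "big")).digest()


def brute_force(target: bytes, bits: int):
    """Try every key in a `bits`-bit space; return (key, guesses_made)."""
    for guess in range(1 << bits):
        if fingerprint(guess, bits) == target:
            return guess, guess + 1
    return None, 1 << bits


def years_to_search(bits: int, rate: float = NETWORK_RATE) -> float:
    """Average years to hit the key: half the space is searched on average."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def report(sizes=(40, 56, 64, 128)):
    """Work factor in bits -> average search time in years at NETWORK_RATE.

    40 and 56 bits are sizes associated with 1990s US export-grade ciphers;
    64 is the figure floated in the thread; 128 is a common modern target.
    """
    return {bits: years_to_search(bits) for bits in sizes}


if __name__ == "__main__":
    secret = 0xBEEF  # constructed 16-bit sample key
    key, guesses = brute_force(fingerprint(secret, 16), 16)
    print(f"16-bit key {key:#x} recovered after {guesses} guesses")
    for bits, years in report().items():
        print(f"{bits:>3}-bit work factor: {years:.3g} years on average")
```

Each extra bit doubles the search, so the gap between a key that falls in days and one that never falls is only a few dozen bits, and any party with comparable hardware gets the same result.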

I never realised WhatsApp was encrypted end-to-end, I knew iMessage was though. Though, I am highly dependent on WhatsApp for communication so wouldn't like it to disappear.

Remember the kerfuffle over the encryption of BBM?

 

I think every service should aim to encrypt themselves end-to-end, making it harder, if not impossible to outlaw them all.

 

Terrorists aren't as dumb as people think, as mentioned earlier in this thread. There are ways around everything and they're one of the groups striving to find them.

Cameron seems to be under the impression that banning something will work, history begs to differ.

It didn't use to be, but the TextSecure guys were brought in to improve the security of the service.


So Helix - isn't the point to restrict 256 bit asymmetric technologies (make them 64 bit or whatever [please note I'm just randomly picking a number not making a realistic suggestion], which are secure for most applications but if you pissed off IBM or Google they could hack you in a month if they dedicated a big team and a couple of million to do it?) I.e. it's a big deal, but something the NSA or GCHQ does every day!!

 

Or are you saying anyone can rig up this technology really simply if they can code and so the bad guys will always EASILY be able to avoid it?

 

But that again goes to the issue - if using such technology is rare it will be noticeable and so draw attention to the users. It is the ubiquity of it that is the trouble ... too many haystacks if you get my meaning!


So Helix - isn't the point to restrict 256 bit asymmetric technologies (make them 64 bit or whatever [please note I'm just randomly picking a number not making a realistic suggestion], which are secure for most applications but if you pissed off IBM or Google they could hack you in a month if they dedicated a big team and a couple of million to do it?) I.e. it's a big deal, but something the NSA or GCHQ does every day!!

 

Or are you saying anyone can rig up this technology really simply if they can code and so the bad guys will always EASILY be able to avoid it?

 

But that again goes to the issue - if using such technology is rare it will be noticeable and so draw attention to the users. It is the ubiquity of it that is the trouble ... too many haystacks if you get my meaning!

Basically, if the Government can crack it so can anyone else. There are malicious users who have botnets in excess of 50,000 personal computers. The Government does not have a big enough tech advantage to make deliberately using a weak cipher viable (even if they did it should flag serious alarm bells).

 

The only reasonable way to give the Government the ability to read messages at will would be to build a backdoor. Which again is exploitable by other people, it's a serious security risk.

You could potentially give the Government everyone's private key... but you'd also have to give them every single session key to match up with the times/dates of the messages too.

 

Not to mention that there is STILL no appreciable benefit to this daft idea! I can't think of many attacks where the culprits weren't known to police, and weren't already on a "watchlist". How is being able to monitor everyone going to help when they can't even get the job done monitoring specifically the right people?


Are you saying a botnet has capacities close to a supercomputer? I'm surprised, if so why isn't Google or whoever crowd sourcing to win the Megaflops challenge or whatever it is called nowadays?

 

I thought a dedicated supercomputer was still a lot more powerful than what could be crowd sourced, especially when that crowd source is covert and so has to deal with variable access to CPU time.


Archived

This topic is now archived and is closed to further replies.
