USS Clueless Stardate 20011019.0953


Stardate 20011019.0953 (Crew, this is the Captain): After David straightened me out about how a cipher product could have a back door, I've been doing more thinking about it. The general idea is that the encryption package chooses a random session key and uses that to encrypt the data. The password you choose is then used to encrypt that session key, and in addition, a public key provided by the government is also used to encrypt the session key. Both encrypted keys are then attached to the encrypted file. Finally, a strong checksum would be calculated over the totality and appended, to prevent any part of it from being tampered with (for instance, by zapping the government's encrypted copy of the session key). When you want to decrypt, you provide your password and it is used to decrypt the session key, which is then used to decrypt the data. (If the checksum fails, the program would refuse to decrypt.) When the government wants to decrypt, they use their private key to decrypt the other copy of the session key.

The theory then is that they would be able to outlaw strong crypto by using something akin to Carnivore to monitor traffic on the internet. When anything which was encrypted went by and didn't have a valid construction (i.e. wasn't encapsulated in one of the approved ciphers having a backdoor) then that would be flagged as illegal use of crypto and investigated. If they found that it was encapsulated correctly but the checksum failed, that too would be investigated.

The problem is that it still doesn't prevent me from using strong crypto. I can obtain, or write for myself, a strong crypto package which has no backdoor. I can give that package to a friend. I can encrypt my data using it, armoring my data with steel plate. I then take the encrypted output and run it through one of the approved crypto packages that does have a backdoor prior to transmission. That encapsulates it in an approved digital envelope, placing tissue paper outside my steel plate. I don't tamper with the file (because I don't need to); I transmit it as is. Carnivore sees it, sees that it is encapsulated correctly, sees that the checksum matches, and decides that it is clean. My friend who receives it decrypts it using his copy of the approved crypto package (removing the tissue paper), then takes the result and decrypts again using our strong crypto (removing the steel plate). If the government ever decides to try to break into our communications, they would use their secret key, retrieve the session key and remove the outer layer of encryption (the tissue paper) -- and then run into our strong crypto for which they have no backdoor. Our steel plate would still keep them out.

The only way for them to detect this would be for them to routinely decrypt most of the messages they intercepted and to apply a heuristic to the result to decide if it contained an encrypted data package. There are severe technical problems with this but the worst problem is political. All of the proposals about this assume that the government would only be able to use its private key in this way with a warrant or some equivalent form of probable cause. There's no way that the public (or Congress) would grant them permission to routinely decrypt messages speculatively, and if they don't do that then there's no way for them to detect the fact that I'm using strong crypto while hiding it inside their approved weak crypto. (discussion in progress)

Suppose that I send my data using an approved crypto package but I doubly encrypt. If the intercepting system decrypted my message so as to determine that it didn't contain illegal crypto, then its first decrypt pass would reveal another approved crypto envelope. It would then have to decrypt that -- otherwise I could hide my steel plate inside two envelopes made of tissue paper. (Or three, or five, or twenty...) They would have to progressively decrypt as many times as needed to reach the inside of the approved crypto, however many levels deep that was, in order to determine if something illegal was held within it. (When bits are illegal, only criminals will have bits...) This provides the opportunity for culture jamming. Take something innocuous (such as the text of the Bill of Rights, surely protected speech) and recursively encrypt it ten thousand times with an approved crypto package. Each time it grows a few bytes as new encrypted passwords and checksums are added; the resulting file might be a few hundred K. This could be done under automated control using some sort of scripting language; let it run overnight. It doesn't matter what password you use, so you may as well use the same one each time (such as "free speech"). Then you and a coterie of friends spend a lot of time sending the resulting file back and forth to each other. Lots of people post it to their web sites and tell people to aid the cause by downloading and discarding it. Your compute load is small; you only have to create the file once. But each time Carnivore intercepted a copy of the file, it would have to decrypt it completely. Do enough of that and even NSA's computers would choke.
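As an added example (not code from the original post), here is a small Python model of the three things the entries above describe: the escrow envelope itself (session key encrypted once under the user's password and once for the key holder, a length field, the body, and a checksum over the whole), a non-approved "steel plate" layer wrapped inside an approved envelope, and a file nested in many approved envelopes. Everything cryptographic in it is a deliberately simplified stand-in chosen so the script runs offline: a SHA-256 counter-mode keystream plays the part of both ciphers, a hashed password plays the KDF, and a symmetric `ESCROW_KEY` plays the government's public/private pair. The envelope layout and the keyless "format plus checksum" check are the post's; the function names are mine.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"ESCR"                   # marks an "approved" envelope
HEADER = 4 + 16 + 32 + 32 + 4     # magic, nonce, user copy, escrow copy, body length
OVERHEAD = HEADER + 32            # plus trailing SHA-256 checksum: bytes added per layer

# Hypothetical stand-in for the key holder's key pair: a symmetric key that only the
# decrypting side is assumed to hold.  The post's scheme uses a public key here.
ESCROW_KEY = os.urandom(32)


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode XORed into data.  It models
    'encrypt under key K' for this demo and is not a real cipher."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", block_no)).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def _password_key(password: bytes) -> bytes:
    return hashlib.sha256(b"pw:" + password).digest()   # toy KDF


def seal(plaintext: bytes, password: bytes) -> bytes:
    """Build one approved envelope in the layout the post describes."""
    session_key = os.urandom(32)
    nonce = os.urandom(16)
    body = _stream_xor(session_key, nonce, plaintext)
    user_copy = _stream_xor(_password_key(password), nonce, session_key)
    escrow_copy = _stream_xor(ESCROW_KEY, nonce, session_key)
    env = MAGIC + nonce + user_copy + escrow_copy + struct.pack(">I", len(body)) + body
    return env + hashlib.sha256(env).digest()


def inspect(blob: bytes) -> str:
    """The keyless check a monitoring box could make: format and checksum only."""
    if len(blob) < OVERHEAD or blob[:4] != MAGIC:
        return "not an approved envelope"
    env, digest = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hashlib.sha256(env).digest(), digest):
        return "checksum failed"
    return "clean"


def _fields(blob: bytes):
    nonce = blob[4:20]
    user_copy, escrow_copy = blob[20:52], blob[52:84]
    (body_len,) = struct.unpack(">I", blob[84:88])
    return nonce, user_copy, escrow_copy, blob[88:88 + body_len]


def open_with_password(blob: bytes, password: bytes) -> bytes:
    """The owner's path: refuse on a bad checksum, else unwrap via the user copy."""
    verdict = inspect(blob)
    if verdict != "clean":
        raise ValueError("refusing to decrypt: " + verdict)
    nonce, user_copy, _, body = _fields(blob)
    session_key = _stream_xor(_password_key(password), nonce, user_copy)
    return _stream_xor(session_key, nonce, body)


def open_with_escrow(blob: bytes) -> bytes:
    """The key holder's path: recover the session key from the escrow copy."""
    verdict = inspect(blob)
    if verdict != "clean":
        raise ValueError("refusing to decrypt: " + verdict)
    nonce, _, escrow_copy, body = _fields(blob)
    session_key = _stream_xor(ESCROW_KEY, nonce, escrow_copy)
    return _stream_xor(session_key, nonce, body)


def steel_plate(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for a cipher with no escrow copy: nonce plus keystream, no magic."""
    nonce = os.urandom(16)
    return nonce + _stream_xor(key, nonce, plaintext)


def remove_steel_plate(blob: bytes, key: bytes) -> bytes:
    return _stream_xor(key, blob[:16], blob[16:])


def nest(plaintext: bytes, password: bytes, depth: int) -> bytes:
    """Wrap the same data in `depth` approved envelopes (the post's nested file)."""
    blob = plaintext
    for _ in range(depth):
        blob = seal(blob, password)
    return blob


def peel_with_escrow(blob: bytes):
    """Decrypt with the escrow key until the content is no longer an approved
    envelope.  Returns (innermost data, number of decryptions that took)."""
    layers = 0
    while inspect(blob) == "clean":
        blob = open_with_escrow(blob)
        layers += 1
    return blob, layers


if __name__ == "__main__":
    msg = b"Congress shall make no law..."            # constructed sample text
    outer = seal(steel_plate(msg, bytes(range(32))), b"free speech")
    print("wiretap verdict on outer envelope:", inspect(outer))
    inner, n = peel_with_escrow(outer)
    print("after", n, "escrow decryption(s):", inspect(inner))
    deep = nest(msg, b"free speech", 100)
    print("100 layers:", len(deep), "bytes,", peel_with_escrow(deep)[1], "decryptions to inspect")
```

Two things the script makes concrete. `inspect` is all a passive monitor gets without a key, and the steel-plate envelope passes it, so only `peel_with_escrow`, which spends one escrow decryption per layer, can tell that the innermost content is opaque; the nested file costs the inspector exactly `depth` decryptions and grows by `OVERHEAD` bytes per layer in this layout. Note also that the trailing checksum is an unkeyed hash, as the post describes it: it detects accidental corruption and a casual edit, but anyone who modifies the envelope can simply recompute it, so a design that actually wanted to bind the escrow copy would need a signature or a keyed MAC rather than a plain digest.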

Captured by MemoWeb from http://denbeste.nu/entries/00001147.shtml on 9/16/2004