1310nm.net

Why encryption with a master-key is no security at all..

The FBI wants an ‘adult conversation’ about encryption, according to Director James Comey, reports AP.

Whilst the conversation is a good idea, and we should all be able to agree that encryption as a tool is employed for both good and evil, but can a system with “over-sight” ever be trusted, and will it achieve what the government expects, or are there going to be unintended consequences?

The FBI are concerned that access to information in on-going investigations is being hampered by this information being “dark” or encrypted. Access to this information will help them with their investigations and in the future may even

The counter-balance is that some people believe that private information should be private, and that the government has no need to see this information anyway, whatever it is legitimate, criminal or otherwise.

“We want to lock some people up, so that we send a message that it’s not a freebie to kick in the door, metaphorically, of an American company or private citizen and steal what matters to them. And if we can’t lock people up, we want to call (them) out. We want to name and shame through indictments, or sanctions, or public relation campaigns ? who is doing this and exactly what they’re doing.” – FBI Director James Comey

Whilst the quote is couched in the terms of protection of US companies and citizens, particularly from hacking teams used by foreign powers, it has some big implications for security as a whole.

A third-key or master-key security protocol would actually need to be developed and implemented, as much effort is made in current protocols to prevent possibility of a third key (ellipical curves based on prime numbers) even existing by accident.

These would then need to be enforced in the US (and presumably in other locations where US companies such as Apple and Google trade.) Given that most people are already happy to hand over much of their information and habits to these organisations as part of the symbiosis that drives ease of use, acceptance by most of the public would happen by default.

The challenge would be in keeping the master-key secret yet still have it available for use. As previous examples have shown (such as Microsoft’s Secure Boot BIOS key release) keeping keys secret is very difficult with a large number of people involved. And if you’re looking to break an encryption, you’ve just halved the time it takes, as it doesn’t matter if you find the exact key or the master-key (and a second stream of data will give you the master key itself if the full keyspace is exhausted in both attempts).

Most encryption protocols have actually been developed outside of America, and there are sufficient “open” implementations of security related technologies and protocols in the world that alternatives could be developed should a need arise.

This means that if some nefarious characters were to need encryption, it would be relatively easy to use a tool without a master-key, and to still communicate. But it’s more likely that we’ll see the resurgence of other forms of message passing such as stenganography, which hides it’s message within other forms, such as a picture or sound file, as these are more innocuous forms of data at rest or on the move than an encrypted file.

Exit mobile version