[Clips] UK Government to force handover of encryption keys
--- begin forwarded text Delivered-To: rah@shipwright.com Delivered-To: clips@philodox.com Date: Thu, 18 May 2006 14:10:20 -0400 To: Philodox Clips List <clips@philodox.com> From: "R.A. Hettinga" <rah@shipwright.com> Subject: [Clips] UK Government to force handover of encryption keys Reply-To: rah@philodox.com Sender: clips-bounces@philodox.com <http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c> Government to force handover of encryption keys Tom Espiner ZDNet UK May 18, 2006, 12:10 BST The UK Government is preparing to give the police the authority to force organisations and individuals to disclose encryption keys, a move which has outraged some security and civil rights experts. The powers are contained within Part 3 of the Regulation of Investigatory Powers Act (RIPA). RIPA was introduced in 2000, but the government has held back from bringing Part 3 into effect. Now, more than five years after the original act was passed, the Home Office is seeking to exercise the powers within Part Three of RIPA. Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists. "The use of encryption is... proliferating," Liam Byrne, Home Office minister of state told Parliament last week. "Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force." Part 3 of RIPA gives the police powers to order the disclosure of encryption keys, or force suspects to decrypt encrypted data. Anyone who refuses to hand over a key to the police would face up to two years' imprisonment. Under current anti-terrorism legislation, terrorist suspects now face up to five years for withholding keys. If Part 3 is passed, financial institutions could be compelled to give up the encryption keys they use for banking transactions, experts have warned. "The controversy here [lies in] seizing keys, not in forcing people to decrypt. The power to seize encryption keys is spooking big business," Cambridge University security expert Richard Clayton told ZDNet UK on Wednesday. "The notion that international bankers would be wary of bringing master keys into UK if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction," Clayton added. "With the appropriate paperwork, keys can be seized. If you're an international banker you'll plonk your headquarters in Zurich." Opponents of the RIP Act have argued that the police could struggle to enforce Part 3, as people can argue that they don't possess the key to unlock encrypted data in their possession. "It is, as ever, almost impossible to prove 'beyond a reasonable doubt' that some random-looking data is in fact ciphertext, and then prove that the accused actually has the key for it, and that he has refused a proper order to divulge it," pointed out encryption expert Peter Fairbrother on ukcrypto, a public email discussion list. Clayton backed up this point. "The police can say 'We think he's a terrorist' or 'We think he's trading in kiddie porn', and the suspect can say, 'No, they're love letters, sorry, I've lost the key'. How much evidence do you need [to convict]? If you can't decrypt [the data], then by definition you don't know what it is," said Clayton. The Home Office on Wednesday told ZDNet UK that it would not reach a decision about whether Part 3 will be amended until the consultation process has been completed. "We are in consultation, and [are] looking into proposals on amendments to RIPA," said a Home Office spokeswoman. "The Home Office is waiting for the results of the consultation" before making any decisions, she said. The Home Office said last week that the focus on key disclosure and forced decryption was necessary due to "the threat to public safety posed by terrorist use of encryption technology". Clayton, on the other hand, argues that terrorist cells do not use master keys in the same way as governments and businesses. "Terrorist cells use master keys on a one-to-one basis, rather than using them to generate pass keys for a series of communications. With a one-to-one key, you may as well just force the terrorist suspect to decrypt that communication, or use other methods of decryption," said Clayton. "My suggestion is to turn on all of Part 3, except the part about trying to seize keys. That won't create such a furore in financial circles," he said. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' _______________________________________________ Clips mailing list Clips@philodox.com http://www.philodox.com/mailman/listinfo/clips --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
This clearly doesnt work. All they will manage to do is harass citizens. Sarad. --- "R.A. Hettinga" <rah@shipwright.com> wrote:
"It is, as ever, almost impossible to prove 'beyond a reasonable doubt' that some random-looking data is in fact ciphertext, and then prove that the accused actually has the key for it, and that he has refused a proper order to divulge it," pointed out encryption expert Peter Fairbrother on ukcrypto, a public email discussion list.
Clayton backed up this point. "The police can say 'We think he's a terrorist' or 'We think he's trading in kiddie porn', and the suspect can say, 'No, they're love letters, sorry, I've lost the key'. How much evidence do you need [to convict]? If you can't decrypt [the data], then by definition you don't know what it is," said Clayton.
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Let us not forget all of the methods of "deniable encryption" discussed a few years back. If the "wrong" key is entered, the returned "de-encrypted" file will look -kinda- bad but not actually be the original plaintext. This seems all the easier with TOR-stored data. Fortunately, it would appear that such a law should be bound to force development of deniable encryption tools. -TD
From: Sarad AV <jtrjtrjtr2001@yahoo.com> To: cypherpunks@jfet.org Subject: Re: [Clips] UK Government to force handover of encryption keys Date: Thu, 18 May 2006 22:03:17 -0700 (PDT)
This clearly doesnt work. All they will manage to do is harass citizens.
Sarad.
--- "R.A. Hettinga" <rah@shipwright.com> wrote:
"It is, as ever, almost impossible to prove 'beyond a reasonable doubt' that some random-looking data is in fact ciphertext, and then prove that the accused actually has the key for it, and that he has refused a proper order to divulge it," pointed out encryption expert Peter Fairbrother on ukcrypto, a public email discussion list.
Clayton backed up this point. "The police can say 'We think he's a terrorist' or 'We think he's trading in kiddie porn', and the suspect can say, 'No, they're love letters, sorry, I've lost the key'. How much evidence do you need [to convict]? If you can't decrypt [the data], then by definition you don't know what it is," said Clayton.
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
At 09:32 AM 5/19/2006, Tyler Durden wrote:
Let us not forget all of the methods of "deniable encryption" discussed a few years back. If the "wrong" key is entered, the returned "de-encrypted" file will look -kinda- bad but not actually be the original plaintext.
For stored material, that may be useful, but for communications, it's the wrong model. Too many online applications currently use RSA encryption to transfer an encrypted key, which is vulnerable to later disclosure, instead of using Diffie-Hellman key exchange and some signature algorithm (RSA, EG, whatever), for which compromising the key doesn't expose previous communications, only exposes the user to MITM attacks, is much easier to argue against disclosure of, and of course is much easier to replace (blocking MITM with the compromised keys.) Email messages are an appropriate use of RSA-encrypted keys, but any online two-way communications, including VOIP, IPSEC, web forms, and transmission of email, really ought to be using Diffie-Hellman instead. How many of the popular tools support it or could be configured to do so? In most cases, it's probably not hard - you mainly need to choose the right options from standard packages, and make the DH versions the preferred method instead of a fallback.
On 5/19/06, Bill Stewart <bill.stewart@pobox.com> wrote:
... Too many online applications currently use RSA encryption to transfer an encrypted key, which is vulnerable to later disclosure, instead of using Diffie-Hellman key exchange and some signature algorithm (RSA, EG, whatever),
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA++
Email messages are an appropriate use of RSA-encrypted keys, but any online two-way communications, including VOIP, IPSEC, web forms, and transmission of email, really ought to be using Diffie-Hellman instead.
i like the speed of pre-shared keys assuming key mgmt is secure and rekeying frequent (e.g. scheduled PSK's or one time pad based ephemeral key exchange). but anything using ephemeral keys needs to destroy them properly and this is more robust with DH (each end responsible for their respective key destruction) than shared secrets (both ends must destroy secrets) in addition to the fact that shared secrets are usually much longer lived as well.
How many of the popular tools support it or could be configured to do so?
i do it all the time with openvpn, https, etc. in theory anything that supports SSLv3/TLSv1 should support a strong ephemeral DH cipher suite. as for particular sites and servers, i'd be interested to know just what the usual distribution of utilized cipher suites is. RSA without DHE probably is the most common.
In most cases, it's probably not hard - you mainly need to choose the right options from standard packages, and make the DH versions the preferred method instead of a fallback.
yup. in most cases generating dh parameters and explicitly requiring a DHE suite is the hardest part of any custom configuration needed. the session setup costs are a little higher but anyone doing SSL/TLS in bulk probably has the necessary hardware acceleration in place already. as a side note, i'd really like SHA2-256/512 to be added to SSL/TLS and widely implemented. AES256 with SHA1 digest is just a little funny these days...
Yes, deniable encryption is one way to go about since it cannot be proved that the key surrendered is not the real key. This however is not useful when one is in a torture cell where they try to break into the mind :-). Sarad. --- Tyler Durden <camera_lumina@hotmail.com> wrote:
Let us not forget all of the methods of "deniable encryption" discussed a few years back. If the "wrong" key is entered, the returned "de-encrypted" file will look -kinda- bad but not actually be the original plaintext.
This seems all the easier with TOR-stored data.
Fortunately, it would appear that such a law should be bound to force development of deniable encryption tools.
-TD
From: Sarad AV <jtrjtrjtr2001@yahoo.com> To: cypherpunks@jfet.org Subject: Re: [Clips] UK Government to force handover of encryption keys Date: Thu, 18 May 2006 22:03:17 -0700 (PDT)
This clearly doesnt work. All they will manage to do is harass citizens.
Sarad.
--- "R.A. Hettinga" <rah@shipwright.com> wrote:
"It is, as ever, almost impossible to prove 'beyond a reasonable doubt' that some random-looking data is in fact ciphertext, and then prove that the accused actually has the key for it, and that he has refused a proper order to divulge it," pointed out encryption expert Peter Fairbrother on ukcrypto, a public email discussion list.
Clayton backed up this point. "The police can say 'We think he's a terrorist' or 'We think he's trading in kiddie porn', and the suspect can say, 'No, they're love letters, sorry, I've lost the key'. How much evidence do you need [to convict]? If you can't decrypt [the data], then by definition you don't know what it is," said Clayton.
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
participants (5)
-
Bill Stewart
-
coderman
-
R.A. Hettinga
-
Sarad AV
-
Tyler Durden