On Sun, Mar 25, 2012 at 10:55 PM, Marsh Ray <marsh@extendedsubset.com> wrote:

On 03/25/2012 11:45 AM, Benjamin Kreuter wrote:

...

The US government still wants a

No, probably parts of it: the ones that don't have to think of the big picture. The U.S. government is not monolythic. The NSA has shown a number of times that they are interested in strong civilian cryptography for reasons of... national security. In a battle between law enforcement and national security the latter has to win.

...

system where encrypted communications can be arbitrarily decrypted, they just dress up the argument and avoid using dirty words like "key escrow."

Aside from the deep moral and constitutional problems it poses, does anyone think the US Govt could have that even from a practical perspective?

* Some of the largest supercomputers in the world are botnets or are held by strategic competitor countries. This precludes the old key shortening trick.

* The Sony PS3 and HDMI cases show just how hard it can be to keep a master key secure sometimes. Master keys could be quite well protected, but from a policy perspective it's still a gamble that something won't go wrong which compromises everyone's real security (cause a public scandal, expose industrial secrets, etc.).

Key escrow == gigantic SPOF. Even if you split the escrow across several agencies and don't use a single master key, it's still concentrating systemic failure potential into too few points. To build a single point of catastrophic failure into one's economic infrastructure is one of the biggest strategic blunders I can imagine (obviously there's worse, such as simply surrendering when one clearly has the upper hand, say). Back in the early 90s this probably wasn't as clear as it is today.

* Am I correct in thinking that computing additional trapdoor functions to enable USG/TLA/LEA decryption is not free? Mobile devices are becoming the primary computing devices for many. People may be willing to pay XX% in taxes, but nobody wants to pay a decrease in performance and battery life to enable such a misfeature.

Most users already pay heavy battery/performance taxes in the form of uninstallable adware built into their devices. The vendors might be the ones to object then since they might have to stop shipping such software. But ultimately this argument depends on how heavy a burden the users end up feeling. For my money the winning argument is the strategic idiocy/insanity of unnecessary SPOFs. Who wants to ever even think of saying to the POTUS "Mr. President, we have a mole, they've stolen the codes for our civilian networks and they've shut them down from the people's shear fear of financial and other losses. It will take months to re-key everything and in the meantime we'll lose X% of GDP. The stock and bond markets have crashed." As time passes X will tend to increase in the event of such a catastrophe. The higher that percentage the more crippling the attack, with derivatives losses becoming overwhelming at small values of X. It could get worse: "Mr. President, we can't even re-key without changing all these hardware dongles that are manufactured by the enemy, who's now not selling them to us." If the point of key escrow is to make law enforcement easier then there are much simpler non-cryptographic solutions -- not ones to your taste or mine perhaps, but certainly ones that don't involve strategic SPOFs. I'm with you: key escrow is necessarily dead letter, at least for the time being and the foreseeable future. Nico -- _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE