Long live p2p?
---------- Forwarded message ----------
From: Henry Baker
Date: Fri, 08 Jul 2016 07:15:46 -0700
Subject: [Cryptography] Putin goes full Stasi; wants encryption keys
for the Internet
To: cryptography@metzdowd.com
FYI --
https://meduza.io/en/news/2016/07/07/putin-gives-federal-security-agents-two...
Putin gives federal security agents two weeks to produce 'encryption
keys' for the Internet
13:28, 7 july 2016
After signing controversial anti-terrorist legislation earlier today,
President Putin ordered the Federal Security Service (the FSB, the
post-Soviet successor to the KGB) to produce encryption keys to
decrypt all data on the Internet. According to the executive order,
the FSB has two weeks to do it. Responsibility for carrying out
Putin's instructions falls on Alexander Bortnikov, the head of the
FSB.
The new "anti-terrorist" laws require all "organizers of information
distribution" that add "additional coding" to transmitted electronic
messages to provide the FSB with any information necessary to decrypt
those messages. It's still unclear what information exactly online
resources are expected to turn over, given that all data on the
Internet is encoded, one way or another, and in many instances
encryption keys for encrypted information simply don't exist.
https://meduza.io/en/feature/2016/06/27/the-duma-s-new-big-brother-legislati...
The Duma's new 'Big-Brother' legislation kills Russia's Internet
companies and hurts ordinary Web users. Here's how.
16:06, 27 june 2016
Last week, lawmakers in the State Duma approved what Edward Snowden
has called "Russia's new Big-Brother law." A major part of this
legislation creates new regulations on the Internet. According to the
amendments, telecom providers and the "organizers of information
distribution" will need to store copies of nearly all information they
transmit. They can't delete this information until it's six months
old. This applies to recordings of phone calls, as well as the
contents of text messages. And they have to keep copies of metadata
of these communications (the information about when and between whom
messages occurred, but not the actual content of the messages) for a
whopping three years. Companies will additionally be required to help
Russia's Federal Security Service (the modern-day successor to the
Soviet KGB) decrypt all the data. The largest Internet companies in
Russia--Mail.ru and Yandex--oppose the bill, as do the industry groups
the Russian Association for Electronic
Communications and the Regional Center for Internet Technologies, and
even the "Communications and IT" working group within the Russian
government. Meduza looks at why this legislation isn't just
impractical, but will also harm ordinary Internet users and Internet
companies alike.
It's expensive
The legislation requires telecom providers and "organizers of
information distribution" (which could be literally any website on the
Internet, as determined by Russia's state censor) to store all data
sent by its users or visitors. This is a gigantic amount of data:
Russia would need every data-storage manufacturer in the world working
for seven years straight, before the country had the infrastructure
necessary to accommodate so much storage and processing.
And there's another problem: the electrical grid in central Russia
simply isn't powerful enough to fuel the still-unbuilt data centers
that will be required by the new legislation. The equipment and
materials needed to build these data centers, moreover, isn't produced
in Russia, so companies will be forced to buy imported goods.
Experts say the costs of building this infrastructure will be more
than 5 trillion rubles (roughly $77 billion). For comparison, the
federal government's total revenues in 2015 totaled 13.7 trillion
rubles (about $210 billion). The legislation says implementing the
new statutes won't require any state subsidies, but that's untrue: at
the very least, government agencies will need to upgrade the country's
data cables (given that Russia's existing network of cables is too
weak to cope with the higher volume of transmitted information created
by the new regulations).
The government also risks losing income from Russia's Internet
companies, which currently pay taxes on their profits. The new
legislation could make many businesses unprofitable, after they're
forced to spend tens if not millions of rubles on new data-storage
equipment.
It's dumb
The new legislation requires all "organizers of information
distribution" that add "additional coding" to transmitted electronic
messages to provide the Federal Security Service (FSB) with any
information necessary to decrypt those messages. What lawmakers seem
not to understand is that virtually all information transmitted over
the Internet is "encoded." Any text or image sent over email using
Simple Mail Transfer Protocol (SMTP) is in something called
Multipurpose Internet Mail Extensions (MIME) format. Will
"organizers" need to send the FSB information about how MIME works?
If we're talking about encryption, we're talking about almost half the
traffic on the Internet--and the volume is only growing. In most
cases, incidentally, the "organizers of information distribution"
don't have the keys to decrypt their own data. (That is precisely how
Internet privacy works.) For example, it's not even technically
possible to store encryption keys when using the HTTPS protocol, which
is used by an enormous number of websites, including the one you're
reading now, and even Gosuslugi.ru, the Russian government's official
portal where citizens can contact the state about public services. In
other words, the legislation bans the state's own website for contact
with ordinary citizens.
How this legislation is supposed to regulate financial systems is also
unclear. The SWIFT network that links the world's financial
institutions doesn't use Russian cryptographic algorithms, but nearly
all the world's banks--including banks in Russia--use SWIFT. The
world's payment systems, moreover, are required to comply with the
Payment Card Industry Data Security Standard (PCI DSS), a proprietary
information security standard that doesn't disclose its encryption
keys.
In order to comply with the legislation, programmers will need to come
up with new encryption methods that must simultaneously work with
existing encryption methods, given that foreign companies won't
support these new technologies (which don't currently exist, anyway).
But even if Russia manages to create some kind of center to house all
encryption keys, the concentration of data would make the center
extremely attractive, and therefore very vulnerable, to hackers. By
breaking into this hypothetical data center, after all, it would be
possible to decrypt any message sent inside Russia.
The new legislation also violates Russian citizens' right to the
privacy of correspondence, which is enshrined in Article 23 of the
Constitution. In order to deprive Russians of this right, police need
a court order. The "Yarovaya legislation," however, grants
law-enforcement agencies access to everyone's messages without any
judicial oversight.
Today, most messaging apps use encryption. In fact, encryption is one
of their most important competitive advantages, as users often seek
out the safest and most secure communications available. The new law
will make any Russian online service less competitive. It's unclear
what foreign companies will do. Some might simply walk away from the
Russian market.
This text is based on statements by the Russian Internet companies
Yandex and Mail.ru (which are considered "organizers of information
distribution"), the industry groups the Russian Association for
Electronic Communications and the Regional Center for Internet
Technologies (which position themselves as links between the state and
the Internet), and the "Communications and IT" working group within
the Russian government.
---------------
Theresa May, James Comey, Cyrus Vance, et al, can't wait to go full
Stasi, as well.
'Putin-in-the-middle' attacks, anyone?
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
