[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security flaws introduced by "other readers" in CMR
On Sun, Oct 19, 1997 at 10:03:24AM +0100, Adam Back wrote:
> I talked to some people at CESG (Communications Electronics Security
> Group) (they are part of GCHQ, UK NSA equivalent) in a business
> setting. It was they who said that France was changing position to
> going over to "key escrow" or TTPs (Trusted Third Parties). From
I think what caused me to answer was in part your words "changing
position": let's say that up to recently, the french govt position was
no crypto at all (except for authorized entities, and only weak, ie
breakable, crypto). Given the trend on that issue, related to on-line
commerce and so on (the reader has to keep in mind that in France I
seriously doubt the average politician has an idea of what this
means. At best they know the french minitel, which is completely
different), they felt some pressure to change the law in order to permit
the use of crypto. So the move was, well, let's authorize strong crypto
but let's keep the keys. Understandable point of vue, I would say. They
want that because they feel it means statu quo for them, and that's
all. All political issues aside, the technical issues are ignored,
because the guys who decide have no clue, and they probably don't listen
to their own experts who would say that TTP, GAK, key recovery,
whatever, are not that easy to design, implement, and maintain on a
everyday basis. And for that matter, I don't think the situation is that
much different in other western countries, US included.
> Perhaps the CESG are exaggerating because they would like this to be
> the case because it suits their argument.
Yeah, probably. But there is another problem, anyway: some countries
within the EC won't pass any legislation restricting cryto, I think. So
any country within the EC having such a legislation is likely to have
trouble with its partners at some point. Somehow it's like Chirac who
decided to maintain customs with Belgium because people go to Amsterdam
to buy drugs. But in the meanwhile, the border with Germany no longer
has customs, so you drive through Germany to Holland and that's it. So,
it's utterly inefficient, but on the domestic political scene, he can
appear as been strong on drugs.
> > > With the pgp standard as is french government could insist that people
> > > use pgp5.x. pgp5.x provides a reasonablly useful framework for the
> > > french government to adapt to be used as a master access system.
> >
> > http://www.lemonde.fr/multimedia/sem4297/textes/act42972.html
> >
> Do they actually mention PGP software, or OpenPGP standard? Or just
> the general principle?
They do: the title is "Le programme PGP se range", which I unfortunatly
have know idea of how to translate. And then, they say (I loosely
translate, my english is better than our MISTY friend's, but not perfect
;-)
The last version, aimed at compagnies, of this crypto software (still
banned from use in France) includes the highly controversial feature
known as key escrow.
[...]
Of course this system has advantages: when an employee is sick or away,
you can access his files. But, it's reasonnable to think that such a
system could be used for spying purposes.
Within the governement, the key escrow proposal is seriously
challenged. Some, in charge of national security, favor it as necessary
to decrypt terrorists or drug dealer messages, and others, more
concerned by privacy, are against it. In France, the governement chose
this option of TTP.
[Note: somehow this last sentence is in contradiction with the previous
one. It's *not* a side effect of my translation...]
Then, the article recalls that the situation was different in the US,
and that the FBI would like to have something like key escrow, but that
a recent proposal was defeated in congress. They finally recall how PGP
is widely available all over the world, and how the last version was
exported as a book to defeat the export controls.
So, I certainly agree with you that the proGAK have won, or will. As
long as they don't enforce the current laws, as an individual I don't
care. But I fear, as you do, that as soon as you have things like pgp
5.5 which are available, they will start saying "use this or go to jail".
> But, the simple fact is that I think PGP Inc have not evaluated these
> indirect implications for GAK politics. This means I think that they
> have pure intentions. Unfortunately these pure intentions do not help
> us if the effect is as I fear: that the result helps the GAKkers to
> some significant amount.
I think, but I might be wrong, that they have at least to reasons, which
have already be given:
-first, what they did was somehow "easy" (don't jump on me, I don't
write code !!) to implement within the existing code. This is reflected
by what W.Geiger said, that anything pgp5.5 does he could do with
scripts in the old version. Or at least a good part of it.
-second, they don't know what will happen in 12 months, so they cover
their asses. I hope this isn't true, but it's a matter of personnal
opinion more than anything else.
> You confirm my suspicions. I have several people I know in France who
> use encryption illegally. Not least of these is Jerome Thorel himself
> :-) (He who interviewed the SCSSI and had it spelt out to him that it
> was illegal, but they wouldn't bother you if you didn't ask
> permission). However those that I know are effectively anti-GAK
> activists, or cypherpunk type individuals.
A quick search on the MIT key server tells you that there are 538 valid
keys registered with an *.fr address.
If you remove all keys registered in 97, you are left with 232. Remove
96, it goes down to 132, 95 -> 39 and then I know a fair number of them
;-)
So, it seems to me that the number of illegal users is growing up,
anyway.
Interesly enough, most of the registered users are registered with
personnal e-mail addresses, not compagnies e-mail addresses, if you
except academic sites.
> It is not really that technical an idea. The idea is simply that
> communications keys are more valuable to government than storage keys.
>[...]
> The reason is that they consider it purely a recovery mechanism for
> stored emails. That it has this side effect of making a product which
As I said before, I guess they did it this way by lazyness more than
anything else. I think your solution requires more thinking, new code,
and all that sort of things. More brain demanding, in some sense (and
time consuming, whereas their solution is ready, works, can be sold,
makes the compagny make profits, and so on). So, arguing with political
arguments doesn't stand a chance against a market driven compagny, be it
PGP with all its reputation capital. Everybody should concentrate on
technical issues, and several of these have been pointed out, by you and
others.
> There you have the Tim May proposal. Do not recover, just store in
> clear. Most data on disks already is, so why bother. If you want to
> encrypt work out those problems when you come to them, as a separable
> issue. This is a very compelling argument to me.
Well, facts are that it is the current situation, and IIRC what TM what
saying. Once again, in term of costs, it's the easiest solution. And
within a compagny, in a trusted environment, it doesn't matter wether
your hard drive is encrypted. Things which need protection from inside
snooping are usually protected via other more traditionnal
mechanisms. Safe, locks, and so on. If you think to locks, which are
often compared to crypto, most people fail to see that locks are not
made to prevent somebody to break in: they are designed to make the
break-in difficult. Your house door lock is probably pickable in a
matter of minutes (standard locks seem to be really easy to pick in the
US, but I digress...). Locks in a bank are not. So, as for crypto,
difficult is replaced by virtually impossible, you have to think twice
before encrypting something: it's the reverse argument, it is so
valuable that I might stand a chance to be unable to recover it ?
This is, of course, purely a storage issue. And I like the idea (Bill
Stewart's ?) of implementing a mechanism which would simply "weaken" the
storage key, so that if it's lost, you can recover the missing part by
brute force.
I think it's Jon Callas who made a related analogy with a car and what
happens if you have the lost your key: bad example. Suppose you want to
buy a car, and the dealer tells you, I have this new security feature,
unbreakable. Only drawback, if the (unique) key is lost, you can tow
away the car. Well, I won't buy it. Nobody will. (while we are on car
locks, car makers use the same lock on several cars, so if you have an
honda accord, you have a non zero probability of opening a random other
honda accord, albeit very low). Anyway, the car problem is like a
storage problem, and has to be adressed as such. Nothing to do with
securing a (temporary) channel. Somehow, if I was to rent such a car, I
would take it, provided I am no liable if the key is lost ;-). This
because on a short period of time, I won't likely make anything stupid
with that key, and I like the idea that nobody will steal the car while
I am havin dinner. So different situations, different answers.
> Also this is the status quo. Already the police, or terrorist
> prevention investigators can inflitrate, perform dawn raids, etc. and
> this is as it should be.
Statu quo is fine with me in that respect. Insert the usual quote on
technology and the police state. I tend to think that technologies lead
to brave new world anyway, but at least in brave new world people are
"happier" than in 1984.
F.
--
Fabrice Planchon (ph) 609/258-6495
Applied Math Program, 210 Fine Hall (fax) 609/258-1735