Professor Outlines Issues in Banning Encryption in the UK on BBC Newsnight

17/01/2015

News image
Professor Bill Buchanan outlined some issues in banning encryption in the UK on Newsnight on Friday 16 Jan 2015:

http://youtu.be/h8UoRip0NjU


Related article:

The Conversation


Article

So, David Cameron has stated that the UK will look to switch off some forms of encryption, and that this will contribute against the threats to our society [Link]. To make such a statement might be grand in its scope, and makes a great sound bite, but it is impossible to implement, and extremely naïve from a technical point-of-view. It is also negligent in protecting users from a range of threats.

It's just now possible!

There are so many holes in the argument to restrict encrypted content, including:

  • It is a core part of the Internet, and its usage increases by the day. Every single time we connect to Google, we are using an encrypted stream where is almost impossible for anyone to decipher the contents of the searches. So every time we see the padlock on a browser connection know that we have a secure connection, with the traffic encrypted, typically, with an encryption key created purely for that session.
  • Much of the content we use is actually stored and processed outwith the UK. Someone who suspects that they are going to be monitored will simply setup a secure connection of a remote Cloud site, and store and process information there. It is almost impossible to crack the streams of data that are involved in the connection. With an almost infinite resource for processing and storage on the Cloud, increasingly users are storing their content on remote systems.
  • We have a right to have some privacy. It becomes almost impossible to pick-off good traffic from bad, and many people would balk at the thought of their letters being examined, or with phone taps, so the rights we enjoy with traditional communications technologies seems to be the ones that should be applied to Internet-based communications.
  • We have a right to protect ourselves. As data breaches are occurring on a regular basis, users need to protect themselves, including using encryption on the storage of their data, and on their communications, so it is difficult to say on the one hand that we should protect ourselves from external hackers, and then on the other that we allow our data to be picked apart by security agencies. It should be remember that the tools that security agencies have are often the same ones that the hackers have, so reducing encryption levels will expose our own data to malicious parties.
  • There's no secrets anymore. In cryptography the methods are well-known and there's a wide range of software code libraries and they are fairly easily to integration into applications.
  • It's unfair to pick off certain applications. PGP and Tor are two of the applications areas pin-pointed, but there are so many other applications which could be used, so restricting to a limited selection of applications seems to be wrong.
  • It's just impossible to ban. There is no way that you can define a law which constrains the usage of encryption. Would it be just certain applications (such as email) or could it be certain methods (such as using (PGP)? Overall it is not possible to draw a line in defining what would be allowed and not. Would using a Caesar code by seen as illegal?
  • It would make the UK an unsafe country to do business. Few free countries would consider switching off encryption, as it create an environment for insecurity for both consumers and businesses.
  • Would it be limited to encryption? Where would the ban end? Do we include the encoding of charaters to other formats which are difficult to scan, such as for Base-64 or non-Engish character sets?
  • Deep packet inspection at the core of the Internet is not really possible. At the core of this argument is the examination of data packets within the Internet. The deep inspection of data packets might be possible on home networks, but at the core of a network is it almost impossible to examine each of the packets for their contents. With streams now running at over 100Gbps, where are few systems which could have the processing capacity to actually read the network packets for threats.
  • It's not possible to detect it. The thing about encrypted content is that it looks a lot like random ones and zeros, thus it would be almost impossible to detect it. Even if a random amounts of ones are zeros where detected, it is possible for this random data to be converted into another format, that can actually look like a valid file format.
  • How would it be policed?
  • Who would be allowed to use cryptography?
  • and so many more questions.

The legal system often takes a while to catch-up with technology, and generally new laws are created from a foundation built from the past. With the Internet and on computer systems, law enforcement has led a privileged life, where the easily investigation the disks of suspects, as there was little in the way of security. The increasing focus on privacy, especially on encrypting by default, is placing a major challenge on law investigators. The increasing use of multi-factor authentication also provides major challenges, and thus there is a major on-going battle between the rights of privacy against the rights to investigate.

This article outlines some of the tensions that are being felt on both sides of the argument. For many reasons, many of the rights we have built up in traditional investigations, such as the right to remain silent, are now being challenged in this Cyber Age.

Keeping a secret

The ability for defence agencies to read secret communications and messages gives them a massive advantage over their adversaries, and is the core of many defence strategies. Most of the protocols used on the Internet are clear-text ones, such as HTTP, Telnet, FTP, and so on, but increasing we are encrypting our communications (such as with HTTPS, SSH and FTPS), where an extra layer of security (SSL) is added to make it difficult for intruders to read and change our communications. When not perfect, and open to a man-in-the-middle attack, it is a vast improvement to communicating where anyway how can sniff the network packets can read (and change) the communications. The natural step forward, though, is to encrypt the actual data before it is transmitted, and when it is stored. In this way not even a man-in-the-middle can read the communications, and the encryption key only resides with those who have rights to access it.

While many defence mechanisms in security have been fairly easy to overcome, cryptography – the process of encrypting and decrypting using electronic keys – has been seen as one of the most difficult defence mechanisms to overcome. It has thus been a key target for many defence organisations with a whole range of conspiracy theories around the presence of backdoors in the cryptography software, and where defence agencies have spied on their adversaries. Along with the worry of backdoors within the software, there has been several recent cases of severe bugs in the secure software, and which can comprise anything that has been previous kept secure.

The Trouble Caused by Cryptography

Most encryption uses a secret encryption key, which is used to encrypt and also to decrypt. This is known as private-key encryption, and the most robust of these is AES (Advanced Encryption Standard). The key must be stored someone, and is typically placed in a digital certificate which is stored on the computer, and can be backed-up onto a USB device. The encryption key is normally generated by the user generating a password, which then generates the encryption key.

Along with this we need to provide the identity of user, and also that the data has not been changed. For this we use a hash signature, which allows for an almost unique code to be created for blocks of data. The most popular for this is MD5 and SHA.

Encryption is the ultimate nightmare for defence agencies, as it makes it almost impossible to read messages from enemies. The possibilities is to either find a weakness in the methods used (such as in OpenSSL) or with the encryption keys (such as with weak passwords) or, probably the easiest is to insert a backdoor in the software that allows defence agencies a method to read the encrypted files.

There has been a long history of defence agencies blocking the development of high-grade cryptography. In the days before powerful computer hardware, the Clipper chip was used, where a company would register to use it, and given a chip to use, and where government agencies kept a copy of it.

in 1977, Ron Rivest, Adi Shamir, and Leonard Adleman at MIT developed the RSA public key method, where one key could be used to encrypt (the public key) and only a special key (the private key) could decrypt the cipher text. Martin Gardner in his Mathematical Games column in Scientific American was so impressed with the method that he published an RSA challenge for which readers could send a stamped address envelope for the full details of the method. The open distribution of the methods which could be used outside the US worried defence agencies, and representations were made to stop the paper going outside the US, but, unfortunately for them, many papers had gone out before anything could be done about it.

Phil Zimmerman was one of the first to face up to defence agencies with his PGP software, which, when published in 1991, allowed users to send encrypted and authenticated emails. For this the United States Customs Service filed a criminal investigation for a violation in the Arms Export Control Act, and where cryptographic software was seen as a munition. Eventually the charges were dropped.


And the rest of the article:

LinkedIn





 
[Read More]

Associated people

William Buchanan
Director of CDCS
w.buchanan@napier.ac.uk
+44 131 455 2759
Dynamic Forensics Evaluation and Training (DFET)
Dynamic Forensics Evaluation and Training (DFET) will create new training methods/techniques to support judicial authorities, law enforcement agencies and associated stakeholders in the fight against cybercrime through the development of a virtual (cloud-based) cybercrime training environment to...
Cyber-Security
Electronic information now plays a vital role in almost every aspect of our daily lives. So the need for a secure and trustworthy online infrastructure is more important than ever. without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.

Resources