The time is now for a public debate over cryptography policy – ZDNet


Last week, the "Five Eyes" nations of Australia, Canada, the UK, the US and New Zealand took part in their annual meeting on counterterrorism, intelligence-sharing and cybersecurity. While cryptography, particularly ways law enforcement could get around it in the interest of fighting crime, was expected to be a major part of the agenda, an official communication issued following the meeting hardly mentions cryptography, and does so in fairly bland, noncommittal terms:

Encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism. To address these issues, we committed to develop our engagement with communications and technology companies to explore shared solutions while upholding cybersecurity and individual rights and freedoms.

This vaguely worded commitment does little to advance an important issue, says Constellation Research VP and principal analyst Steve Wilson. "A genuine crypto policy debate needs to be had, and needs to be seen to be had," Wilson says.

The 1990s saw widespread debate over cryptography, one that didn't really have a winner, Wilson notes. "Most cryptographers said that encryption should be commercially available, that export controls were counterproductive, that government control was futile and that our enemies would roll their own," he says. While these points were not necessarily accepted by governments, there did come a detente whereby access to cryptographic technologies was freed up.

Today the argument has moved to new fronts. In the US, the FBI's demand that Apple create a backdoor allowing access to an alleged terrorist's iPhone prompted strong pushback from the company and public. (The Bureau ultimately hired outside help to crack the phone.)

"There are strong technical arguments that forcing exceptional access mechanisms into encryption algorithms will weaken the systems, making them more vulnerable to criminal attack," Wilson says. "But the arguments are difficult and technical. Most lay people, lawmakers include, continue to harbor naive visions of how encryption works, which leads to presumptions that cyber lock-picking is doable. Backdoors make encryption vulnerable by design and that's a bad thing."

However, civil libertarians and technologists shouldn't reject the governments' desires out of hand, Wilson says. Points to consider:

"I'm not a good enough cryptographer or social scientist to know the answers, but I do know the right people to ask," Wilson says. "I know that we need to ventilate these issues, engage the experts and trust their answers, if we are to move on without too many further distractions."


See more here:
The time is now for a public debate over cryptography policy - ZDNet

Top five questions about using quantum-safe security in financial transactions – Banking Technology

Isara's Scott Totzke answers the top five questions on quantum-safe security in financial transactions

A wide range of technology-driven sectors will be affected by the advent of universal quantum computing, which many experts say will happen by 2026, but the financial industry has particular reason to be concerned.

The security standards behind secure email and internet connections are ubiquitous throughout fintech, protecting financial collateral as well as the most sensitive personal identity data in financial transactions.

In fact, the fundamental activities that the financial industry relies on to function today can be stopped in their tracks once quantum computers capable of breaking the cryptography they use become commercially available, including:

These are all integral to how commerce functions in the 21st century, and to how consumers connect with their finances. Financial institutions and fintech developers will have to update all of the systems using the affected cryptography, whether they're built in-house, outsourced to partners, or provided by OEM partners. Try identifying the parties required to coordinate upgrades to quantum-safe security and the scope becomes very wide for any one of the above activities.

These are the top five questions for fintech decision makers to consider:

Yes. If you store customer data, protect corporate information, or secure employee data, you are at risk.

The first stage is understanding what systems and information you have at risk. Quantum readiness assessments help you identify your organisation's quantum risks, develop an upgrade path, and deliver a plan to move forward.

New technology decisions must consider long-term privacy and security capabilities. You need to begin by identifying privacy and secrecy obligations that extend beyond the time when quantum computers might become a real threat, evaluating solutions and planning your migration to quantum resistant infrastructure, and ensuring your security vendors have quantum resistant solutions on their roadmaps.

The roll-out of a complete transition to quantum-safe security should be finished before quantum computers capable of breaking your cryptography become commercially available. For some parts of your security systems, cryptographic agility, the ability to switch between classical and quantum-resistant algorithms without redesigning the system, can mitigate much of the risk in the meantime.
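A quantum readiness assessment of the kind described above starts from a cryptographic inventory. The following is an added example, not Isara's tooling or any code from the article: it classifies each inventory entry by how a quantum computer affects its algorithm family (Shor breaks public-key schemes outright; Grover only halves the effective strength of symmetric keys and hashes) and then applies Mosca's inequality, data shelf life plus migration time against the years until a cryptographically relevant quantum computer, to decide what must move first. The inventory, the ten-year horizon and the algorithm sets are constructed for illustration.

```python
from dataclasses import dataclass

# Shor's algorithm breaks factoring and discrete logarithms outright, so these
# families fall regardless of key size. Grover's algorithm only gives a quadratic
# speed-up on brute-force search, so symmetric keys and hash preimages lose
# roughly half their security bits rather than all of them.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
GROVER_WEAKENED = {"AES", "ChaCha20", "SHA-256", "SHA-384", "SHA3-256", "HMAC-SHA256"}
TARGET_POST_QUANTUM_BITS = 128   # effective security we want to keep after Grover


@dataclass
class Asset:
    name: str
    algorithm: str             # family name as in the sets above
    key_bits: int
    shelf_life_years: float    # how long the protected data must stay secret
    migration_years: float     # estimated time to move this asset to PQC


def quantum_impact(asset):
    """Classify one asset as 'broken', 'weakened', 'ok' or 'unknown'."""
    if asset.algorithm in SHOR_BROKEN:
        return "broken"
    if asset.algorithm in GROVER_WEAKENED:
        effective_bits = asset.key_bits // 2
        return "ok" if effective_bits >= TARGET_POST_QUANTUM_BITS else "weakened"
    return "unknown"


def mosca_at_risk(asset, years_until_crqc):
    """Mosca's inequality: if shelf life plus migration time exceeds the years
    until a cryptographically relevant quantum computer (CRQC) exists, traffic
    recorded today can be decrypted while the data still matters."""
    return asset.shelf_life_years + asset.migration_years > years_until_crqc


def triage(assets, years_until_crqc):
    """Return (name, impact, action) for each asset, worst first."""
    rows = []
    for a in assets:
        impact = quantum_impact(a)
        if impact == "broken":
            action = ("migrate now" if mosca_at_risk(a, years_until_crqc)
                      else "schedule migration")
        elif impact == "weakened":
            action = "double the key size"
        elif impact == "ok":
            action = "none"
        else:
            action = "classify manually"
        rows.append((a.name, impact, action))
    order = {"broken": 0, "weakened": 1, "unknown": 2, "ok": 3}
    rows.sort(key=lambda r: order[r[1]])
    return rows


def sample_inventory():
    """Constructed sample inventory, not data from any real institution."""
    return [
        Asset("archived customer records (encrypted at rest)", "RSA", 2048, 25, 5),
        Asset("TLS key exchange on customer portal", "ECDH", 256, 1, 3),
        Asset("core banking database encryption", "AES", 128, 25, 4),
        Asset("internal backup encryption", "AES", 256, 10, 2),
        Asset("legacy partner link", "3DES", 168, 3, 2),
    ]


if __name__ == "__main__":
    # Assumed horizon of ten years until a CRQC; adjust to your own estimate.
    for name, impact, action in triage(sample_inventory(), 10):
        print(f"{impact:9s} {action:22s} {name}")
```

Note that the ephemeral TLS key exchange is just as broken as the archived RSA-wrapped records, but its data has a short shelf life, so it lands in "schedule migration" rather than "migrate now"; the archive is the harvest-now-decrypt-later case that should move first.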

Look for solutions being considered for standardisation, and prioritise a cost-effective solution that provides the type of crypto agility you need to deploy quantum-resistant algorithms that will protect your systems from quantum attacks.

Like today's encryption technology, the leading candidates for standardisation already benefit from years of academic scrutiny and review of their security properties.

Any technology that relies on public key cryptography, including emerging tech like blockchain, has built its security guarantee on that cryptography being unbreakable. If that cryptography is vulnerable to attack, then all the promise of the technology is lost, and the time and effort spent integrating that technology into your business offering is wasted.

When quantum computers arrive, IT departments should already have migrated those solutions to quantum-safe encryption, a process that could take up to ten years in some cases.

The key to adopting new technologies is to build quantum-safe solutions into them from the start, making a hybrid transition process possible wherever you can.
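The crypto agility and hybrid transition discussed above usually mean running a classical key exchange and a post-quantum KEM side by side and combining both shared secrets, so that the session key stays secret as long as either component holds. As an added example that is not code from the article or from Isara, here is such a combiner built on HKDF (RFC 5869, implemented from the standard library), the same concatenate-then-derive shape used by hybrid TLS key exchange proposals. The two component secrets are constructed byte strings standing in for real X25519 and ML-KEM outputs; the point is how they are combined and bound to the negotiated suite, not how they are produced.

```python
import hashlib
import hmac


def hkdf_extract(salt, ikm, hash_name="sha256"):
    """RFC 5869 extract step: PRK = HMAC(salt, IKM); an absent salt is all zeros."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF cannot produce more than 255 blocks")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt, ikm, info, length):
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def _length_prefixed(*parts):
    """Concatenate byte strings unambiguously: a 2-byte length precedes each part,
    so (A|B, C) and (A, B|C) can never derive the same key."""
    out = b""
    for part in parts:
        if len(part) > 0xFFFF:
            raise ValueError("component too long")
        out += len(part).to_bytes(2, "big") + part
    return out


def hybrid_shared_secret(ss_classical, ss_pq, suite_label, transcript, length=32):
    """Combine a classical (e.g. X25519) and a post-quantum KEM shared secret.

    Both secrets enter the extract step as keying material, so the output is
    unpredictable if either one is. The suite label and the public transcript
    (public keys, KEM ciphertext) go into `info`, binding the key to what was
    actually negotiated so it cannot be replayed under a weaker suite.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("refusing to derive a key with a missing component")
    ikm = _length_prefixed(ss_classical, ss_pq)
    info = _length_prefixed(suite_label, transcript)
    return hkdf(None, ikm, info, length)
```

Refusing an empty component is the agility guard that matters in practice: a negotiation bug that silently drops the post-quantum half should fail closed, not fall back to a classical-only key under a label that claims otherwise.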

By Scott Totzke, CEO of Isara

Go here to read the rest:
Top five questions about using quantum-safe security in financial transactions - Banking Technology

Global Quantum Cryptography Market – Analysis, Technologies & Forecasts to 2021 – Aided by Adoption of Crypto … – Business Wire (press release)

DUBLIN--(BUSINESS WIRE)--Research and Markets has announced the addition of the "Global Quantum Cryptography Market 2017-2021" report to their offering.

The global quantum cryptography market is expected to grow at a CAGR of 33.22% during the period 2017-2021.

The report, Global Quantum Cryptography Market 2017-2021, has been prepared based on an in-depth market analysis with inputs from industry experts. The report covers the market landscape and its growth prospects over the coming years. The report also includes a discussion of the key vendors operating in this market.

According to the report, one driver in the market is adoption of crypto cloud computing systems. Crypto cloud computing is built on the quantum direct key system. Each entity encrypts data using its individual private key while using crypto cloud computing systems. These systems are being rapidly adopted for authentication processes, video management systems, and for storing information gathered from biometrics. Many enterprises, including banks and healthcare organizations, are storing their confidential data in the cloud, which makes it important to secure the cloud from unauthorized access. The adoption of crypto cloud computing systems is escalating faster in small and medium-sized businesses (SMBs) than in large enterprises, as cloud-based services work on a pay-per-use model. These systems also offer flexibility and scalability to accommodate the varying needs of enterprises.

Key vendors

Other prominent vendors

Key Topics Covered:

PART 01: Executive summary

PART 02: Scope of the report

PART 03: Research Methodology

PART 04: Introduction

PART 05: Market landscape

PART 06: Five forces analysis

PART 07: Market segmentation by end-user

PART 08: Geographical segmentation

PART 09: Decision framework

PART 10: Drivers and challenges

PART 11: Market trends

PART 12: Vendor landscape

PART 13: Key vendor analysis

PART 14: Appendix

For more information about this report visit https://www.researchandmarkets.com/research/sx97c4/global_quantum

Continue reading here:
Global Quantum Cryptography Market - Analysis, Technologies & Forecasts to 2021 - Aided by Adoption of Crypto ... - Business Wire (press release)

Post-quantum cryptography on smart cards demonstrated by Infineon – SecureIDNews

First successful implementation on a commercially available contactless microcontroller

What is all the fuss about post-quantum cryptography on smart cards? Well, with their very different computational model, quantum computers have the potential to break the public-key algorithms used to secure smart cards and most other IT systems. That is why the IT sector is, or at least should be, looking ahead and preparing for quantum computing.

Infineon demonstrated a test case in which it ran an instance of next-generation post-quantum cryptography (PQC) on a smart card. Accomplishing this on a commercially available contactless chip, the same one used for electronic identity documents and cards, is important because many expected that re-engineered microcontrollers would be needed to meet the memory capacity and data transfer requirements of such algorithms.

Quantum computers operate on qubits, which can be put into superpositions of 0 and 1 and entangled with one another. That does not make every computation faster; what it enables is specific quantum algorithms, above all Shor's algorithm for factoring and discrete logarithms, that run exponentially faster than the best known classical methods. Those algorithms bring new capabilities for legitimate computing but also for attacks on the public-key encryption schemes in use today.

Quantum computer attacks are not expected to become reality for a decade or two, but upon arrival they will threaten all of today's public-key algorithms, including RSA and ECC. (Symmetric ciphers and hash functions are only weakened, by Grover's algorithm, and keep their margin if key sizes are doubled.) If not protected, this would impact Internet standards such as Transport Layer Security (TLS), S/MIME or PGP/GPG as well as smart cards, servers, industrial control systems, online banking and more.

Security experts at Infineon made a breakthrough in this area by implementing a post-quantum key exchange scheme on the commercially available contactless smart card chip. Key exchange schemes are used to establish an encrypted channel between two parties.

"Our challenges comprised the small chip size and limited memory capacity to store and execute such a complex algorithm, as well as the transaction speed," says Thomas Pöppelmann from Infineon's Chip Card & Security Division.

In a world of quantum computers, post-quantum cryptography should provide a level of security comparable with what RSA and ECC provide today. However, the keys and ciphertexts of the candidate post-quantum schemes are considerably larger than the 2048-bit RSA keys or 256-bit ECC keys in common use, which is exactly what makes them hard to fit onto a memory-constrained chip.

As always, the key will be standardization. Standards bodies plan to release one or more PQC algorithms within the next few years to prepare for the inevitable arrival of quantum attacks. Infineon is actively participating in the development and standardization process in order to enable a smooth transition and to address security challenges that may arise.

Continue reading here:
Post-quantum cryptography on smart cards demonstrated by Infineon - SecureIDNews

In an unsafe cyber world, here’s why you should study cryptology – Hindustan Times

What is cryptology? Historically, when did this start?

Cryptology is the art and science of secret writing. The word is derived from the Greek kryptos and logia, meaning secret and study respectively. Today, when the cyber world faces an immense threat from hackers lying in wait to steal valuable information you send over the internet, Dr. Somitra Kumar Sanadhya, associate professor, department of computer science and engineering, IIT Ropar, tells us why the study of cryptology assumes a lot of significance.

What is the relationship between cryptography and security?

Security is the all-encompassing term used to denote various goals to be achieved against various types of adversaries. For example, one could be worried by internal sabotage during an operation, or breach of access by an intruder to a secure facility etc. Digital security is concerned with protecting information against hackers and unintended recipients. Cryptography is the mathematical foundation on the basis of which the information can be protected. In this sense, it is the tool through which computer and digital security can be achieved.

Humans have needed some form of secret communication since the start of civilization. In the earliest days, people used invisible inks, writing with wax on paper, etc., thus hiding even the fact that a message is being communicated. During World War 2, spies used miniaturised photographs of sensitive documents and pasted them below the stamp on an envelope. In the Vietnam war, a captured American soldier transmitted information about his torture by his captors in a publicly televised interview by blinking his eyes (using Morse code).

However, the above examples come under the study of steganography. In cryptology, the aim is to design and use a system of communication which prevents an adversary from understanding the intended message even when he has the ability to capture the transmitted message. Naturally, the transmission must be a modified form of the original message, using some secret. As an example, the earliest known example of a cipher is Julius Caesar's army's use of shifted alphabets. Translated to English characters, they used D whenever they wanted to send A, E for B, etc. This shifted sequence was rolled back by three characters by the recipient to recover the message.

Historically, army and diplomatic missions have always used cryptography. The history of the subject goes back a few thousand years. But in its modern form, the subject received significant attention from around the world wars.

What is the stand of the Indian government on cryptography?

As far as I know, bitcoins are not yet legal in India. Apart from this, I am not aware of any law which prohibits anyone in India from using cryptography for any specific purpose.

Please tell us about scope and future of research and development in cryptology?

As people become more security conscious and internet banking and online payments increase, there is bound to be demand for both security engineers and cryptologists. Blockchain technology (blocks are lists of records, and a blockchain is a distributed database used for maintaining the continuously growing list) is another area which has the potential to transform the financial world. It is already being used for smart contracts, anonymous payments etc.

Cryptography - Understanding the jargon

What are various disciplines in cryptography?

There has been tremendous research in the design of codes (encryption schemes). Design and implementation of efficient symmetric key encryption schemes as well as public key encryption schemes is an important area of research in the subject. Similarly, the design of schemes which could protect authenticity of the message or the sender is a related line of work.

The question of how to break the security guarantees offered by various cryptographic schemes is always relevant to the area. This is called cryptanalysis.

There are many interesting questions related to secure computations. For example, we might be interested in collating information across multiple computers and do some unified computation, even while knowing that some of the computers are compromised.

The implementation of various designs could leak information about the secrets. For example, a laptop with hidden secret key could be encrypting messages but the small sounds that the laptop is making during the encryption process could be enough for someone with a nearby listening device to recover the secret key. Study of such techniques leads to the study of side channel attacks and their mitigation strategies during implementation.

Finally, as another concluding example, I present one more nice application of modern cryptology. I may possess some secret which I do not wish to share with anyone, but nonetheless, I may be interested in convincing the recipient that I indeed have that secret. More interestingly, the recipient should not learn anything more than the fact that I have the secret. This interesting aim can be achieved by what is known as zero knowledge proof.

Modern cryptography has become so vast that it is not possible to discuss all the major themes of the area here.
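The zero-knowledge proof sketched in the last paragraph above has a classic concrete instance, the Schnorr identification protocol. The following is an added example, not code from the interview or from any of the institutes named: the prover convinces the verifier that it knows x with y = g^x mod p without revealing x. The simulator function shows why a transcript leaks nothing (anyone can forge one without x), and the extractor shows why the prover's randomness r must never be reused (two transcripts with the same commitment give x away). The group parameters are a constructed toy safe prime; in practice this runs over a 256-bit elliptic-curve group.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: p = 2q + 1 is a safe prime and
# g = 4 generates the order-q subgroup of quadratic residues mod p. Real
# deployments use ~256-bit elliptic-curve groups, not a 10-bit prime.
P = 1019
Q = 509
G = 4


def keygen(x=None):
    """Secret x in [1, q-1]; public y = g^x mod p. The proof shows knowledge of x."""
    if x is None:
        x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def prover_commit(r=None):
    """Round 1: prover picks fresh random r and sends t = g^r. r must never repeat."""
    if r is None:
        r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier sends a random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod q. Because r is uniform and secret, s is uniform
    too and reveals nothing about x on its own."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Accept iff g^s == t * y^c mod p."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_interactive(x, y):
    """One full three-message run between an honest prover and verifier."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verify(y, t, c, s)


def fiat_shamir_challenge(y, t):
    """Non-interactive variant: derive the challenge by hashing the public values,
    so the prover cannot choose t after seeing c."""
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def prove_noninteractive(x, y):
    r, t = prover_commit()
    return t, prover_respond(x, r, fiat_shamir_challenge(y, t))


def verify_noninteractive(y, proof):
    t, s = proof
    return verify(y, t, fiat_shamir_challenge(y, t), s)


def simulate_transcript(y):
    """Zero knowledge: choose c and s first, then solve for t. The result is an
    accepting (t, c, s) produced without x, so transcripts cannot leak x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P
    return t, c, s


def extract_secret(t, c1, s1, c2, s2):
    """Soundness: two accepting transcripts sharing t with different challenges
    yield x = (s1 - s2) / (c1 - c2) mod q. This is why r must never be reused."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q
```

The simulator and the extractor are the two halves of the security argument: the first says a verifier learns nothing it could not have produced alone, the second says only someone who actually knows x can answer two different challenges on the same commitment.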

Which institutes in India are offering cryptology as a subject?

The RC Bose Centre for Cryptology and Security at Indian Statistical Institute Kolkata has a large number of cryptographers, and they offer PhD, MTech and some short term courses on cryptology. Among the IITs, the ones at Kanpur, Bombay, Madras, Kharagpur, Roorkee, Gandhinagar, Tirupati and Ropar have some cryptology experts in the faculty and most of them offer courses to their bachelors, masters and PhD students. Further, there are many good researchers at IISc Bangalore, IIIT Bangalore, IIIT Hyderabad, Microsoft Research and IBM research etc.

The Cryptology Research Society of India (CRSI) organises annual workshops and conferences for complete beginners to advanced researchers in India. The events are held at different locations every year.

How does one get to learn more about cryptology?

If you are interested in the area of cryptology then mathematics and theoretical computer science are very useful. If you have an electrical engineering, communications or hardware background then you could still work in attacking and securing implementations of cryptographic schemes. I suggest that young students and researchers attend cryptology events in the country, and register for online courses on the subject.

Read more:
In an unsafe cyber world, here's why you should study cryptology - Hindustan Times

Happy 10th birthday iPhone, the nearest thing to a secure pocket computer – Yahoo News

It's common for security experts to regard themselves as necessary critics, guardians against malpractice, and raisers of worst-case scenarios. While there is a very present fear of insecurity these days, it's rare that we celebrate security. But on the tenth anniversary of a revolutionary technology, we'd like to do just that: happy birthday to the iPhone, first released in June 2007.

Ten years ago, a computer was something that hurt your foot if you accidentally dropped it. Mobile phones were devices that were chiefly used for making phone calls. Today, the idea that we can't use these palm-sized pocket computers to command all our digital communications, and also as a camera, games console, torch, and a hundred other things, is quite unthinkable.

There is no such thing as complete security, and the iPhone is not perfect. Like many other technologies, the iPhone's security relies on a user's ability to choose and protect a strong password, which is a pragmatic rather than ideal basis for security. Researchers have also uncovered weaknesses in the protection of messages stored on the iPhone. Nonetheless, in an era when the rush to market has resulted in far too many insecure technologies, the iPhone stands out as an exemplar of how it's possible to do things right.

The internet, in case you hadn't noticed yet, can be a dangerous place. Apple has often been criticised for its restrictions on what programs its users can and cannot load onto an iPhone. Users are required to download apps from the well-marshalled Apple App Store, which provides a secure gated compound within which software has been scrutinised by Apple before being made available for download.

While this may be seen as nannying, in a world of ruthless ransomware and untold other malicious programs that can ruin our computers, our bank accounts, and even our lives, what's wrong with a benign governess? Android, by comparison, lets users install software from outside its app store, not all of which has been closely inspected for vulnerabilities or malicious intent.

The iPhone makes extensive use of state-of-the-art cryptography to protect data on the device. Cryptography provides mathematical tools to keep secret data secret, to ensure data is not maliciously altered or deleted, and to identify the source of data. Cryptography is easy to get wrong when used in a computer, but the iPhone mostly gets it right. Everything from photos, messages and email to app data is protected using strong cryptography. The iPhone also supports innovative applications of cryptography, such as the contactless payment system Apple Pay.

Cryptography relies on cryptographic keys, the secret components on which every secure service depends. Many of the spectacular past failures of security technology, for example the infamous DigiNotar hack, have resulted from careless management of keys. There is no point, after all, in using the best lock on your front door, only to leave the key under the doormat. The iPhone has a secure hardware vault known as the Secure Enclave within which its critical keys are safely stored. In fact the keys are so safe that they are inaccessible even to Apple or any other companies involved in manufacturing iPhones.
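To make concrete why a hardware-bound key store changes what a passcode has to withstand, here is an added example. It is a simplified illustration of the principle, not Apple's actual key hierarchy and not code from the article: the key protecting stored data is derived from the passcode and a random per-device secret that never leaves the secure hardware, so an attacker who copies the encrypted storage but not that secret cannot brute-force even a four-digit PIN offline. The iteration count, the toy key-wrap construction and the PINs are chosen for the demo (a real system uses a standard key wrap and tunes the KDF so each guess costs tens of milliseconds).

```python
import hashlib
import hmac
import secrets

# Kept tiny so the brute-force demo runs in about a second; a real device tunes
# this so that one guess takes tens of milliseconds inside the secure hardware.
ITERATIONS = 100
KEY_LEN = 32


def make_device_secret():
    """Random secret fused into the device at manufacture; unknown to the vendor."""
    return secrets.token_bytes(32)


def derive_unlock_key(passcode, device_secret):
    """Entangle passcode and device secret: the secret is the PBKDF2 salt, so the
    same passcode yields a different key on every device and the derivation
    cannot be run without the device."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_secret,
                               ITERATIONS, KEY_LEN)


def wrap_data_key(data_key, unlock_key):
    """Protect the real data key under the unlock key (toy XOR wrap for the demo)
    and store a MAC tag so a wrong passcode is detected rather than yielding garbage."""
    keystream = hashlib.sha256(b"wrap" + unlock_key).digest()
    wrapped = bytes(a ^ b for a, b in zip(data_key, keystream))
    tag = hmac.new(unlock_key, wrapped, "sha256").digest()
    return wrapped, tag


def unwrap_data_key(wrapped, tag, unlock_key):
    """Return the data key, or None if the unlock key (and so the passcode) is wrong."""
    expected = hmac.new(unlock_key, wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = hashlib.sha256(b"wrap" + unlock_key).digest()
    return bytes(a ^ b for a, b in zip(wrapped, keystream))


def brute_force_pin(wrapped, tag, device_secret, digits=4):
    """Offline attack over every PIN of the given length. It succeeds only when
    the attacker also holds the device secret; with the wrong secret no PIN fits,
    because the search space is really PIN x device secret."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if unwrap_data_key(wrapped, tag, derive_unlock_key(pin, device_secret)) is not None:
            return pin
    return None


if __name__ == "__main__":
    device = make_device_secret()
    data_key = secrets.token_bytes(32)
    wrapped, tag = wrap_data_key(data_key, derive_unlock_key("4921", device))
    print("with device secret:   ", brute_force_pin(wrapped, tag, device))
    print("without device secret:", brute_force_pin(wrapped, tag, make_device_secret()))
```

With the device secret unavailable off-device, the only route is guessing on the device itself, where the secure hardware can throttle attempts and wipe keys after too many failures; that is what lets a short PIN be adequate, and also why a backdoor would have to live in exactly the component that is hardest to audit.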


Which brings us to the matter of Apple's skirmish with the FBI. Apple has been at the forefront of a much wider and more fundamental debate about security and privacy on the internet.

In one corner stand national security agencies and law enforcement. They have been demanding the means to access data secured on mobile phones, including encrypted messaging services like WhatsApp and emails, in order to defend the realm. In the other corner stand proponents of digital freedom. They argue that building backdoors into strong encryption even for legitimate use by investigators would become a potential weakness for cybercriminals to exploit.

Apple has not shied away from taking a strong stance in favour of privacy. Apple does not know the keys on your iPhone, or the PIN needed to unlock it, by design. That protects you from Apple, just as much as it prevents Apple handing them over to law enforcement. The iPhone was designed to be secure, so why make it insecure just because bad guys sometimes use them?

Apple's security design decisions haven't always made it popular, especially among its community of developers or with government agencies. But, unlike many of its competitors, the iPhone is a personal device which is just as secure for children and grandparents to use as it is for the few these days who really understand how the technology works. That's something to celebrate, not bemoan. So, many happy returns to the iPhone, perhaps the closest we've come to having a secure computer in our pocket.

This article was originally published on The Conversation. Read the original article.

Keith Martin receives funding from the EPSRC and the European Commission.

Kenny Paterson receives funding from EPSRC and the European Commission. He is co-chair of the Crypto Forum Research Group of the Internet Research Task Force. He serves as an advisor to Huawei Technologies, SkyHigh Networks and CYBERCRYPT ApS.

Excerpt from:
Happy 10th birthday iPhone, the nearest thing to a secure pocket computer - Yahoo News

Kenny Paterson The Conversation – The Conversation UK

I obtained a B.Sc. in 1990 from the University of Glasgow and a Ph.D. from the University of London in 1993, both in Mathematics. I was then a Royal Society Fellow at the Institute for Signal and Information Processing at the Swiss Federal Institute of Technology, Zurich, from 1993 to 1994. After that, I was a Lloyd's of London Tercentenary Foundation Research Fellow at Royal Holloway, University of London from 1994 to 1996.

In 1996, I joined Hewlett-Packard Laboratories Bristol, becoming a project manager in 1999.

I then joined the Information Security Group at Royal Holloway in 2001, becoming a Reader in 2002 and Professor in 2004. From March 2010 to May 2015, I was an EPSRC Leadership Fellow working on a project entitled Cryptography: Bridging Theory and Practice. In May 2015, I reverted to being a Professor of Information Security.

My research over the last decade has mostly been in the area of Cryptography, with a strong emphasis being on the analysis of deployed cryptographic systems and the development of provably secure solutions to real-world cryptographic problems. I co-founded the Real World Cryptography series of workshops to support the development of this broad area and to strengthen the links between academia and industry. I am co-chair of the IRTF's research group on Cryptography, CFRG. This group is working to provide expert advice to the IETF in an effort to strengthen the Internet's core security protocols.

My research on the security of TLS (the Lucky 13 attack on CBC-mode encryption in TLS and attacks on RC4) received significant media attention, helped to drive the widespread adoption of TLS 1.2 with its support for modern encryption schemes, and was an important factor in the TLS Working Group's decision to abandon legacy encryption mechanisms in TLS 1.3.

I am lucky to have been the recipient of several prizes and awards for my research. These include a Google Distinguished Paper Award for my joint work with Nadhem AlFardan presenting plaintext recovery attacks against DTLS published at NDSS 2012; an Applied Networking Research Prize from the IRTF for my work with Nadhem AlFardan on the Lucky 13 attack; and an Award for Outstanding Research in Privacy Enhancing Technologies for my work with Mihir Bellare and Phil Rogaway on the Security of symmetric encryption against mass surveillance published at CRYPTO 2014. Most recently, my work with Martin Albrecht, Jean Paul Degabriele and Torben Hansen on symmetric encryption in SSH won a best paper award at ACM CCS 2016.

Other career highlights include being selected as Programme Chair for EUROCRYPT 2011, being an invited speaker at ASIACRYPT 2014, and becoming editor-in-chief of the Journal of Cryptology in 2017. I was made a fellow of the IACR in 2017.

Research interests:

Theoretical and Applied Cryptography; Network Security; Coding Theory and Mathematics of Communications

Read more:
Kenny Paterson The Conversation - The Conversation UK

Australia announces plan to ban working cryptography at home and … – Boing Boing

The Australian Attorney General and a key Australian minister have published a memo detailing the demand they plan on presenting to the next Five Eyes surveillance alliance meeting, which will be held next week in Ottawa.

The Australian officials will demand that their surveillance partners join with them in a plan to force "service providers to ensure reasonable assistance is provided to law enforcement and security agencies" when spies and police want to read messages that have been encrypted.

The encryption technologies under discussion are widely implemented in products and services that are often run by volunteer communities, or by companies that operate entirely outside Five Eyes borders, but whose products can be used by anyone, anywhere in the world.

Working encryption is how we ensure that malicious parties don't hack our voting machines, pacemakers, home cameras, telephones, banking systems, power grids, and other key systems. There is no way to make working cryptography that can defend these applications against "bad guys" but fail catastrophically the moment a police officer or spy needs to defeat them.

The demand to ban working encryption dates back to the Clinton administration and the Electronic Frontier Foundation's groundbreaking victory in Bernstein, which ended the US ban on civilian access to working cryptography. The delusion that authorities can ban working crypto and still secure their national infrastructure persists, and is presently being mooted in Germany, and formed a key plank in Theresa May's party platform in the disastrous UK election.

As a reminder, here's what countries would lose, and what steps they would have to take, to ensure that police and spies could decrypt any communications they wanted to target:

It's impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security. If you want to secure your sensitive data, either at rest (on your hard drive, in the cloud, on that phone you left on the train last week and never saw again) or on the wire, when you're sending it to your doctor or your bank or to your work colleagues, you have to use good cryptography. Use deliberately compromised cryptography that has a back door only the good guys are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption.

There are two reasons why this is so. First, there is the question of whether encryption can be made secure while still maintaining a master key for the authorities' use. As lawyer/computer scientist Jonathan Mayer explained, adding the complexity of master keys to our technology will introduce unquantifiable security risks. It's hard enough getting the security systems that protect our homes, finances, health and privacy to be airtight; making them airtight except when the authorities don't want them to be is impossible.

What these leaders think they're saying is, "We will command all the software creators we can reach to introduce back-doors into their tools for us." There are enormous problems with this: there's no back door that only lets good guys through it. If your WhatsApp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals and crooked police (like those who fed sensitive information to the tabloids implicated in the phone-hacking scandal, and like the senior officers who secretly worked for organised crime for years) will eventually discover this vulnerability. They, and not just the security services, will be able to use it to intercept all of our communications. That includes everything from the pictures of your kids in the bath that you send to your parents to the trade secrets you send to your co-workers.

But this is just for starters. These officials don't understand technology very well, so they don't actually know what they're asking for.

For this proposal to work, they will need to stop Britons, Canadians, Americans, Kiwis and Australians from installing software that comes from software creators outside their jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like GitHub) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.

Australia is not alone here. The regime they proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.

Australian governments have already shown that she believes she can order the nation's ISPs to block access to certain websites (again, for the record, this hasn't worked very well). The next step is to order Chinese-style filtering using deep packet inspection, to try and distinguish traffic and block forbidden programs. This is a formidable technical challenge. Intrinsic to core Internet protocols like IPv4/6, TCP and UDP is the potential to "tunnel" one protocol inside another. This makes the project of figuring out whether a given packet is on the white-list or the black-list transcendentally hard, especially if you want to minimise the number of "good" sessions you accidentally blackhole.

More ambitious is a mandate over which code operating systems in the 5 Eyes nations are allowed to execute. This is very hard. We do have, in Apple's Ios platform and various games consoles, a regime where a single company uses countermeasures to ensure that only software it has blessed can run on the devices it sells to us. These companies could, indeed, be compelled (by an act of Parliament) to block secure software. Even there, you'd have to contend with the fact that other states are unlikely to follow suit, and that means that anyone who bought her Iphone in Paris or Mexico could come to the 5 Eyes countries with all their secure software intact and send messages "we cannot read."

But there is the problem of more open platforms, like GNU/Linux variants, BSD and other unixes, Mac OS X, and all the non-mobile versions of Windows. All of these operating systems are already designed to allow users to execute any code they want to run. The commercial operators -- Apple and Microsoft -- might conceivably be compelled by Parliament to change their operating systems to block secure software in the future, but that doesn't do anything to stop people from using all the PCs now in existence to run code that the PM wants to ban.

More difficult is the world of free/open operating systems like GNU/Linux and BSD. These operating systems are the gold standard for servers, and widely used on desktop computers (especially by the engineers and administrators who run the nation's IT). There is no legal or technical mechanism by which code that is designed to be modified by its users can co-exist with a rule that says that code must treat its users as adversaries and seek to prevent them from running prohibited code.

This, then, is what the Australian AG is proposing:

* All 5 Eyes citizens' communications must be easy for criminals, voyeurs and foreign spies to intercept

* Any firms within reach of a 5 Eyes government must be banned from producing secure software

* All major code repositories, such as Github and Sourceforge, must be blocked in the 5 Eyes

* Search engines must not answer queries about web-pages that carry secure software

* Virtually all academic security work in the 5 Eyes must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services

* All packets in and out of 5 Eyes countries, and within those countries, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped

* Existing walled gardens (like Ios and games consoles) must be ordered to ban their users from installing secure software

* Anyone visiting a 5 Eyes country from abroad must have their smartphones held at the border until they leave

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons

* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright

The Australian officials will say that she doesn't want to do any of this. They'll say that they can implement weaker versions of it -- say, only blocking some "notorious" sites that carry secure software. But anything less than the programme above will have no material effect on the ability of criminals to carry on perfectly secret conversations that "we cannot read". If any commodity PC or jailbroken phone can run any of the world's most popular communications applications, then "bad guys" will just use them. Jailbreaking an OS isn't hard. Downloading an app isn't hard. Stopping people from running code they want to run is -- and what's more, it puts the every 5 Eyes nation -- individuals and industry -- in terrible jeopardy.

Thats a technical argument, and its a good one, but you dont have to be a cryptographer to understand the second problem with back doors: the security services are really bad at overseeing their own behaviour.

Once these same people have a back door that gives them access to everything that encryption protects, from the digital locks on your home or office to the information needed to clean out your bank account or read all your email, there will be lots more people wholl want to subvert the vast cohort that is authorised to use the back door, and the incentives for betraying our trust will be much more lavish than anything a tabloid reporter could afford.

If you want a preview of what a back door looks like, just look at the US Transportation Security Administrations master keys for the locks on our luggage. Since 2003, the TSA has required all locked baggage travelling within, or transiting through, the USA to be equipped with Travelsentry locks, which have been designed to allow anyone with a widely held master key to open them.

What happened after Travelsentry went into effect? Stuff started going missing from bags. Lots and lots of stuff. A CNN investigation into thefts from bags checked in US airports found thousands of incidents of theft committed by TSA workers and baggage handlers. And though aggressive investigation work has cut back on theft at some airports, insider thieves are still operating with impunity throughout the country, even managing to smuggle stolen goods off the airfield in airports where all employees are searched on their way in and out of their work areas.

The US system is rigged to create a halo of buck-passing unaccountability. When my family picked up our bags from our Easter holiday in the US, we discovered that the TSA had smashed the locks off my nearly new, unlocked, Travelsentry-approved bag, taping it shut after confirming it had nothing dangerous in it, and leaving it completely destroyed in the words of the official BA damage report. British Airways has sensibly declared the damage to be not their problem, as they had nothing to do with destroying the bag. The TSA directed me to a form that generated an illiterate reply from a government subcontractor, sent from a do-not-reply email address, advising that TSA is not liable for any damage to locks or bags that are required to be opened by force for security purposes (the same note had an appendix warning me that I should treat this communication as confidential). Ive yet to have any other communications from the TSA.

Making it possible for the state to open your locks in secret means that anyone who works for the state, or anyone who can bribe or coerce anyone who works for the state, can have the run of your life. Cryptographic locks dont just protect our mundane communications: cryptography is the reason why thieves cant impersonate your fob to your cars keyless ignition system; its the reason you can bank online; and its the basis for all trust and security in the 21st century.

In her Dimbleby lecture, Martha Lane Fox recalled Aaron Swartzs words: Its not OK not to understand the internet anymore. That goes double for cryptography: any politician caught spouting off about back doors is unfit for office anywhere but Hogwarts, which is also the only educational institution whose computer science department believes in golden keys that only let the right sort of people break your encryption.

Tackling Encryption and Border Security key Priorities at Five-Eyes Meeting in Ottawah [Office of the Australian Attorney General]

Australia advocates weakening strong crypto at upcoming Five Eyes meeting [Cyrus Farivar/Ars Technica]

(via /.)

(Image: Facepalm, Brandon Grasley, CC-BY)

Link:
Australia announces plan to ban working cryptography at home and ... - Boing Boing

Australia announces plan to ban working cryptography at home and in the US, UK, New Zealand, and Canada – Boing Boing

The Australian Attorney General and a key Australian minister have published a memo detailing the demand they plan on presenting to the next Five Eyes surveillance alliance meeting, which will be held next week in Ottawa.

The Australian officials will demand that their surveillance partners join with them in a plan to force "service providers to ensure reasonable assistance is provided to law enforcement and security agencies" when spies and police want to read messages that have been encrypted.

The encryption technologies in question are widely implemented in products and services that are often run by volunteer communities, or by companies that operate entirely outside 5 Eyes borders but whose products can be used by anyone, anywhere in the world.

Working encryption is how we ensure that malicious parties don't hack our voting machines, pacemakers, home cameras, telephones, banking systems, power grids, and other key systems. There is no way to make working cryptography that can defend these applications against "bad guys" but fail catastrophically the moment a police officer or spy needs to defeat them.

The demand to ban working encryption dates back to the Clinton administration and the Electronic Frontier Foundation's groundbreaking victory in Bernstein, which ended the US ban on civilian access to working cryptography. The delusion that authorities can ban working crypto and still secure their national infrastructure persists: it is presently being mooted in Germany, and it formed a key plank in Theresa May's party platform in the disastrous UK election.

As a reminder, here's what countries would lose, and what steps they would have to take, to ensure that police and spies could decrypt any communications they wanted to target:

It's impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security. If you want to secure your sensitive data, either at rest (on your hard drive, in the cloud, on that phone you left on the train last week and never saw again) or on the wire (when you're sending it to your doctor or your bank or to your work colleagues), you have to use good cryptography. Use deliberately compromised cryptography that has a back door that only the good guys are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption.

There are two reasons why this is so. First, there is the question of whether encryption can be made secure while still maintaining a master key for the authorities' use. As lawyer/computer scientist Jonathan Mayer explained, adding the complexity of master keys to our technology will introduce unquantifiable security risks. It's hard enough getting the security systems that protect our homes, finances, health and privacy to be airtight; making them airtight except when the authorities don't want them to be is impossible.

What these leaders think they're saying is, "We will command all the software creators we can reach to introduce back-doors into their tools for us." There are enormous problems with this: there's no back door that only lets good guys go through it. If your WhatsApp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals and crooked police (like those who fed sensitive information to the tabloids implicated in the hacking scandal, and like the high-level police who secretly worked for organised crime for years) will eventually discover this vulnerability. They, and not just the security services, will be able to use it to intercept all of our communications. That includes everything from the pictures of your kids in the bath that you send to your parents to the trade secrets you send to your co-workers.

But this is just for starters. These officials don't understand technology very well, so they don't actually know what they're asking for.

For this proposal to work, they will need to stop Britons, Canadians, Americans, Kiwis and Australians from installing software that comes from software creators who are outside their jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like GitHub) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.
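The signing-and-verification step described above, as an added example that is not part of the original post and not the release tooling of any real project: the maintainer signs a release with a private key, and a user who fetched the archive and its detached signature from an arbitrary, untrusted mirror checks both against a public key obtained separately (pinned). The key pair, package name and payload bytes are all constructed for the demo; Go's standard-library Ed25519 is used because it needs no third-party dependency.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release models what a mirror serves: the package bytes and a detached
// signature over them. Both come from the mirror and are untrusted; only the
// maintainer's public key, pinned by the user beforehand, is trusted.
type Release struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// signRelease is the maintainer's release step (constructed for this demo):
// it signs the SHA-256 digest of the payload with the maintainer's private key.
func signRelease(priv ed25519.PrivateKey, name string, payload []byte) Release {
	digest := sha256.Sum256(payload)
	return Release{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// verifyRelease is the user's step: it recomputes the digest of whatever bytes
// the mirror actually delivered and checks the detached signature against the
// pinned public key. It returns false for a modified payload, a truncated or
// forged signature, or a signature produced by any key other than the pinned one.
func verifyRelease(pinned ed25519.PublicKey, r Release) bool {
	if len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(r.Payload)
	return ed25519.Verify(pinned, digest[:], r.Signature)
}

// Scenarios returns the verification outcome for (1) the genuine release,
// (2) a release whose payload was altered in transit, and (3) an altered
// release re-signed by a key that is not the pinned one. Keys and payload are
// generated and constructed here; nothing is fetched from the network.
func Scenarios() (genuine, tampered, wrongKey bool) {
	maintainerPub, maintainerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for a release archive; the name is hypothetical.
	payload := []byte("securechat-1.2.0.tar.gz (constructed sample bytes)")
	release := signRelease(maintainerPriv, "securechat-1.2.0", payload)

	// 1. Fetched from an arbitrary mirror and delivered untouched.
	genuine = verifyRelease(maintainerPub, release)

	// 2. A hostile mirror changes bytes in the archive; the signature no longer matches.
	modified := release
	modified.Payload = bytes.Replace(payload, []byte("1.2.0"), []byte("1.2.1"), 1)
	tampered = verifyRelease(maintainerPub, modified)

	// 3. The mirror re-signs its altered archive with its own key. Without the
	// maintainer's private key it cannot produce a signature the pinned key accepts.
	forged := signRelease(otherPriv, release.Name, modified.Payload)
	wrongKey = verifyRelease(maintainerPub, forged)
	return
}

func main() {
	g, t, w := Scenarios()
	fmt.Printf("genuine=%v tampered=%v re-signed-by-other-key=%v\n", g, t, w)
}
```

The design point is where trust lives: the mirror can be anyone, because the only thing the user has to obtain securely is the maintainer's public key, not the archive itself. Real package ecosystems add key rotation, expiry and revocation on top of this, but the core check is the same.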

Australia is not alone here. The regime they propose is already in place in countries like Syria, Russia and Iran (for the record, none of these countries has had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: network filtering and technology mandates.

Australian governments have already shown that they believe they can order the nation's ISPs to block access to certain websites (again, for the record, this hasn't worked very well). The next step is to order Chinese-style filtering using deep packet inspection, to try to distinguish traffic and block forbidden programs. This is a formidable technical challenge. Intrinsic to core Internet protocols like IPv4/6, TCP and UDP is the ability to "tunnel" one protocol inside another. This makes the project of figuring out whether a given packet is on the white-list or the black-list transcendentally hard, especially if you want to minimise the number of "good" sessions you accidentally blackhole.

More ambitious is a mandate over which code operating systems in the 5 Eyes nations are allowed to execute. This is very hard. We do have, in Apple's iOS platform and various games consoles, a regime where a single company uses countermeasures to ensure that only software it has blessed can run on the devices it sells to us. These companies could, indeed, be compelled (by an act of Parliament) to block secure software. Even there, you'd have to contend with the fact that other states are unlikely to follow suit, and that means that anyone who bought their iPhone in Paris or Mexico could come to the 5 Eyes countries with all their secure software intact and send messages "we cannot read."

But there is the problem of more open platforms, like GNU/Linux variants, BSD and other Unixes, Mac OS X, and all the non-mobile versions of Windows. All of these operating systems are already designed to allow users to execute any code they want to run. The commercial operators, Apple and Microsoft, might conceivably be compelled by Parliament to change their operating systems to block secure software in the future, but that doesn't do anything to stop people from using all the PCs now in existence to run code that the PM wants to ban.

More difficult is the world of free/open operating systems like GNU/Linux and BSD. These operating systems are the gold standard for servers, and widely used on desktop computers (especially by the engineers and administrators who run the nation's IT). There is no legal or technical mechanism by which code that is designed to be modified by its users can co-exist with a rule that says that code must treat its users as adversaries and seek to prevent them from running prohibited code.

This, then, is what the Australian AG is proposing:

* All 5 Eyes citizens' communications must be easy for criminals, voyeurs and foreign spies to intercept

* Any firms within reach of a 5 Eyes government must be banned from producing secure software

* All major code repositories, such as GitHub and SourceForge, must be blocked in the 5 Eyes

* Search engines must not answer queries about web-pages that carry secure software

* Virtually all academic security work in the 5 Eyes must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services

* All packets in and out of 5 Eyes countries, and within those countries, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped

* Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software

* Anyone visiting a 5 Eyes country from abroad must have their smartphones held at the border until they leave

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons

* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright

The Australian officials will say that they don't want to do any of this. They'll say that they can implement weaker versions of it -- say, only blocking some "notorious" sites that carry secure software. But anything less than the programme above will have no material effect on the ability of criminals to carry on perfectly secret conversations that "we cannot read". If any commodity PC or jailbroken phone can run any of the world's most popular communications applications, then "bad guys" will just use them. Jailbreaking an OS isn't hard. Downloading an app isn't hard. Stopping people from running code they want to run is -- and what's more, it puts every 5 Eyes nation -- individuals and industry -- in terrible jeopardy.

That's a technical argument, and it's a good one, but you don't have to be a cryptographer to understand the second problem with back doors: the security services are really bad at overseeing their own behaviour.

Once these same people have a back door that gives them access to everything that encryption protects, from the digital locks on your home or office to the information needed to clean out your bank account or read all your email, there will be lots more people who'll want to subvert the vast cohort that is authorised to use the back door, and the incentives for betraying our trust will be much more lavish than anything a tabloid reporter could afford.

If you want a preview of what a back door looks like, just look at the US Transportation Security Administration's master keys for the locks on our luggage. Since 2003, the TSA has required all locked baggage travelling within, or transiting through, the USA to be equipped with Travel Sentry locks, which have been designed to allow anyone with a widely held master key to open them.

What happened after Travel Sentry went into effect? Stuff started going missing from bags. Lots and lots of stuff. A CNN investigation into thefts from bags checked in at US airports found thousands of incidents of theft committed by TSA workers and baggage handlers. And though aggressive investigation work has cut back on theft at some airports, insider thieves are still operating with impunity throughout the country, even managing to smuggle stolen goods off the airfield at airports where all employees are searched on their way in and out of their work areas.

The US system is rigged to create a halo of buck-passing unaccountability. When my family picked up our bags from our Easter holiday in the US, we discovered that the TSA had smashed the locks off my nearly new, unlocked, Travel Sentry-approved bag, taping it shut after confirming it had nothing dangerous in it, and leaving it "completely destroyed" in the words of the official BA damage report. British Airways has sensibly declared the damage to be not their problem, as they had nothing to do with destroying the bag. The TSA directed me to a form that generated an illiterate reply from a government subcontractor, sent from a do-not-reply email address, advising that "TSA is not liable for any damage to locks or bags that are required to be opened by force for security purposes" (the same note had an appendix warning me that I should treat this communication as confidential). I've yet to have any other communications from the TSA.

Making it possible for the state to open your locks in secret means that anyone who works for the state, or anyone who can bribe or coerce anyone who works for the state, can have the run of your life. Cryptographic locks don't just protect our mundane communications: cryptography is the reason why thieves can't impersonate your fob to your car's keyless ignition system; it's the reason you can bank online; and it's the basis for all trust and security in the 21st century.

In her Dimbleby lecture, Martha Lane Fox recalled Aaron Swartz's words: "It's not OK not to understand the internet anymore." That goes double for cryptography: any politician caught spouting off about back doors is unfit for office anywhere but Hogwarts, which is also the only educational institution whose computer science department believes in golden keys that only let the right sort of people break your encryption.

Tackling Encryption and Border Security key Priorities at Five-Eyes Meeting in Ottawah [Office of the Australian Attorney General]

Australia advocates weakening strong crypto at upcoming Five Eyes meeting [Cyrus Farivar/Ars Technica]

(via /.)

(Image: Facepalm, Brandon Grasley, CC-BY)

Read the original post:
Australia announces plan to ban working cryptography at home and in the US, UK, New Zealand, and Canada - Boing Boing