Encryption

[Splintered]

Should people have access to powerful encryption?

Is there a reason why people should not have access to powerful encryption?
Is there a reason why people should have access to powerful encryption?
Should the government have access to back doors in encryption?
Should the government be able to force you to hand over your encryption key?
Do you use encryption?

I'm asking, because the United Kingdom is preparing to force people to hand over their encryption keys. I personally make extensive use of encryption through WPA2 in my Wi-Fi, to using whole disc encryption on my laptop. So I'm worried about having my encryption compromised because of the government.

How do you feel?

[Wednesday Friday Addams]

I use Truecrypt apparently its meant to be very good.
Screw the UK.

[ThreeEyesOni]

Well, I can guess that the reason that they want to change laws is due to the fact that your average Joe can nowadays easily encrypt data well enough that your average government would spend years trying to break it to find out what data is (and often times decades, if possible at all). I do not think that it is ethical to make these demands, and I do not think it is wise to allow them. 128-bit encryption is impossible to break in a practical sense, so it gets to the point where a government either has to do something unreasonable like this or admit that they're boned.

But from your wording, do you mean encryption in the technical sense, or more in a firewall sense, or what?

[Splintered]

Quote:

Originally Posted by ThreeEyesOni

But from your wording, do you mean encryption in the technical sense, or more in a firewall sense, or what?

Technical.

You can compromise encryption by having publicly known back-doors.

[ThreeEyesOni]

Well a back-door would imply a program, operating system or the like. There isn't a "back door" to something like a hex-code encryption.

I really should pay more attention to what they're doing in the Nanny State, seeing as how I'll be living there in the near future. I payed attention to the recent sword ban, but am mostly OK with it since I've never collected anything like that under 100 years old anyway.

And how much impact is something like this supposed to be? Is it something where if they ask, youhave to give, or do you have to "pre register" this information, or what?

[ThreeEyesOni]

OK, I finally bothered to read the article. >_> Probably should have before.

So what they are doing is much like a "search warrant" policy. If you don't turn over the key when they demand it during a search, then you are guilty of breaking such-and-such law. The most obvious (and one that they lightly touch upon there) is the fact that people are not likely to have such codes for everything on their computer, or even know if they have certain files.

I'm unimpressed by the fact that they only briefly mention at the bottom that this is pretty much a useless law against pedos, terrorists and the like; unlike a bank or corporation they don't share keys from group to group. It's all personal encryption and there will be no more way to force the information out of them than there is now. I'm sure that the penalty for this crime is a slap on the wrist compared to any legitimate crimes that could be involved. I mean, go to jail for 5 years for child pornography or go to jail for likely less time for a crime that is of a much milder interpertation? No criminal would willingly do that.

[Splintered]

Quote:

Originally Posted by ThreeEyesOni

Well a back-door would imply a program, operating system or the like. There isn't a "back door" to something like a hex-code encryption.

The may have tried it before in encryption standards. They can purpose a flawed encryption standard where they already know the collisions, and have an instant break on the standard.

To my understanding, the law is that if they ask for an encryption key, you have to turn it over or face jail time.

Edit: According to Wired , anti-terrorism efforts carry a five-year penality. The rest carries a maximum of two.

[ThreeEyesOni]

Well, personally I wouldn't use anything coming out of the NSA, that's for sure. For personal use I'd simply reccomend a Hex-based encryption; it's more than enough to keep out unauthorized users, and when it comes to an actual governmental security organization you're boned anyway if you try to hide something.

To put it in perspective: on a wild guess, I'd say this thread is probably going to be scanned by at least a handful of government programs (from various sectors/nationalities) based on keywords/links.

This law doesn't really have any effect on an average citizen. If you arn't doing anything then it's unlikely it will ever come up (barring perhaps airport sceenings). If you are doing something then you use a combo of various encryption techniques (as well as other methods) and pretty much hope for the best; chances are that if they're asking you for the key then they allready have plenty on you.

The ones that will be in a sticky spot are corporations; these are places that theoreically can't afford for anyone outside of thier employees to find out a universal key. A bank would be downright insane to do this, and I personally wouldn't use a bank that is publicly known to have handed out this information. Governments are some of the least secure info caches based on the fact that people know that they have info of value and it's hard to hide a (legal) governmental info system.

[ThreeEyesOni]

Finally: Two years? If you actually have something to hide, then you take the two years. It's likely to be better than any other punishments you'll end up getting.

So again, it's only the lawful groups that stand to lose here.

[CptSternn]

It's like this - there is not an encryption out there that the current powers that be can't crack.

Thats what the US government uses those Cray's for. They can cut right though the best encryption on the market in no time.

That being said it's pretty crazy they are going to attempt and force everyone to give up their keys. However the gesture is merely symbolic - they could bypass them in a few different ways if they really wanted to.

Most people don't realise that encryption companies, and anti-virus companies, based in America have deals with the government that give them back doors to get around their encryption and software. Wired did a piece on this a while back, as did CNet News.

If you think your encryption is secure, your wrong. Think of it like this - your encryption is like a car window. It deters those opportunistic thieves, but someone who really wants in your car is going to go right in.

[Wednesday Friday Addams]

It's true that ANY encryption can be cracked naturally, since they're all just algorithms no matter how complex
The algorithm and encoding is entirely based on a series of random seeds and the password you assign it
the algorithm and encoding is entirely based on a series of random seeds and the password you assign it.It's nigh impossible to break into that kind of encryption without the password itself, hence the subpoena

Working backwards manually through an algorithm without the key to it would take years on a capable machine for any file block over, say, 10mb
So far I haven't seen anything about Truecrypt being cracked.

[Drake Dun]

Wednesday is correct about being able to keep ahead. It's easier to make your encryption thicker than it is to crack thicker encryption. The trick is to stay ahead, and not attract attention. As long as your message is time-sensitive, you can feel fairly secure as long as you make the encryption thick enough.

Incidentally, there is such a thing as an unbreakable encryption. A genuine one time pad, properly used, is unbreakable. It's just a bit of a pain in the ass to use them, since you have to generate a new one for every message and find a way to communicate it securely beforehand (which usually means actual physical contact).

And fuck the government. We should use whatever encryption methods we want.

[Wednesday Friday Addams]

I mainly use it to make me feel like a evil mastermind.

[ThreeEyesOni]

Same here. :P I have no legitimate need for encryption at the moment; I've mainly used it in the past with shared computers and only currently use it as more of an amusement.

As for brute force (ie raw computing power + time) any encrpytion can be broken eventually, but with a strong enough encrpytion you can make it likely that a large file won't be broken into any time before you are dead.

[CptSternn]

All encryption is crackable and can be undone by various governments in short time no matter how 'secure' you think it is.

As I said, have you not heard of a Cray supercomputer? Check out the stats on those babies. They are used to bust even the best encryption in no time. There has been case after case of various groups arrested for various things and the various governments went right through their encryption in minutes.

If you think your using something at home that can't be easily decoded, your only fooling yourself.

[Drake Dun]

A proper one time pad is unbreakable. It doesn't matter how much computational power you have if there is nothing to apply that power to.

http://en.wikipedia.org/wiki/One_tim...erfect_secrecy

[Tumor]

If you can make it, you should have it. If someone's willing to buy it, they should have it. If someone can break it, they should do so.

*breaks out singing*

It's the CIRCLE of life!!!

[ThreeEyesOni]

Quote:

Originally Posted by CptSternn

All encryption is crackable and can be undone by various governments in short time no matter how 'secure' you think it is.

As I said, have you not heard of a Cray supercomputer? Check out the stats on those babies. They are used to bust even the best encryption in no time. There has been case after case of various groups arrested for various things and the various governments went right through their encryption in minutes.

If you think your using something at home that can't be easily decoded, your only fooling yourself.

Again, you are both incorrect and correct. You're greatly overestimating the ability of existing supercomputers as well as how much of that processing power is available to various groups for thier needs.

The largest brute-force encryption attack (which translated basically means "trying every combo possible") that was both successful and known by members of the public (which includes subsequent leaks of information) was on a 64-bit encryption system. Successful decryptionof a more complex system without some inside knowledge as to the encrpytion used would require a length of time measured in years as well as a parallel technological examination from a hardware end. Ths time goes down the smaller a file is, and drastically up the larger it is.

It is certainly not impossible, and not even too difficult whenm you already have a grasp on the concepts like these governemnts do, but it takes so much time that any time-sensitive information is almost guaranteed to have lost it's value either partially or totally.

[LaBelleDameSansMerci]

The UK seems to be moving more and more toward being a police state.

I think people should have access to encryption because they might have perfectly innocent data that they only want themselves and maybe a known second party to know. Most people are going to use encryption for something as innocent as a journal that one doesn't want one's parents/spouse/kids/friends/whoever to read.

The government should need a warrant to get one's encryption key. To me, it's on the same level as searching a house or office. Storing a document on a hard drive is not much different from storing it on paper.

[Methadrine]

With the two levels of plausible deniability in Truecrypt, I wouldn't worry too much about giving out a password to the government. After much struggling they would get the one to the "meh.." section of the encrypted drive and won't have access to the hidden volume where all my plans of world domination lies. As a matter of fact, they wouldn't even know that such a volume existed in the first place.

[Mir]

I have a question for you guys. How would you exchange keys/passwords for the encryption standard used? Wouldn't those have to be exchanged in person to ensure confidentiality/security of said keys/passwords?

[Bete Noire]

Quote:

Originally Posted by LaBelleDameSansMerci

The UK seems to be moving more and more toward being a police state.

Yes it is. It's not a good direction to take.

[Splintered]

Quote:

Originally Posted by Mir

I have a question for you guys. How would you exchange keys/passwords for the encryption standard used? Wouldn't those have to be exchanged in person to ensure confidentiality/security of said keys/passwords?

It depends on how secure you want.

The only secure way to do it is by having a completely trusted person verbally share the key with the other trusted person in a concrete, soundproof, impenetrable bunker that would make Superman jealous. However, that's impractical.

The easiest way is a publicly encrypted key. Basically, you have two sets of keys, a public key and a private key. The private key should pair if and only if (IFF) you have the correct public key. That way anyone can encrypt a message using a public key, but only you can decrypt it using your private key.

The other option is to have two keys, one for each recipient. Then the only way to decode the situation is to have the combination of both keys.

Another option is to have a one-time publicly known key, and use that to establish another separate private key between two parties. So I'd have a key out in the open, you'd contact me with that, and then I'd send you a new private key for all of our serious conversation.

So it really depends on how secure you want.

[Mir]

Quote:

Originally Posted by Splintered

Basically, you have two sets of keys, a public key and a private key.

And this private key is to be communicated between the two parties how?

[Splintered]

Quote:

Originally Posted by Mir

And this private key is to be communicated between the two parties how?

The private key isn't communicated.

Think of it as one way encryption.

You put the public key out so that anyone can contact you. The private key is the only way to decrypt a message encoded with the public key.

So I'd put my public key out there. Someone would encrypt a message with the public key. The only way to decrypt a message sent with the private, is to use the private key.

Here's a picture of what I'm talking about .