Internet and e-mail policy and practice
including Notes on Internet E-mail


2019
Months
Oct
Dec

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Security


24 Oct 2019

Crypto back doors are still a bad idea Security

In the always interesting Lawfare blog, former FBI counsel Jim Baker in a piece called Rethinking Encryption reiterates his take on the encrpytion debates. There's a certain amount that makes me want to bang my head against the wall, e.g.

After working on the going dark problem for years, I'm confident that this problem can be addressed from a technical perspective. In most cases, it's just software, and software can be rewritten.

But it's worth reading to remind us of what the other side is thinking, even with a lot of motivated reasoning that makes him conclude that Congress can pass some laws and the going dark problem will be solved.

A reader who is relatively new to this fight asked me is there's a short and accessible explanation of why crypto back doors can't work.

The usual source is the Keys Under Doormats paper written in 2015. Nothing of importance has changed since then, or for that matter since the Clipper chip arguments in 1994.

The essential point is that either a crypto system is secure or it isn't. No software can tell whether a back door key is being used by the FBI, or by the Russian FSB, or a venal version of Ed Snowden who's selling it to the highest bidder. Beyond that, more complexity means more bugs, and back doors are complex. One of the reasons the Clipper chip failed was that people quickly found ways to circumvent the key escrow feature depite it having been carefully designed by the NSA.

The response by law enforcement has always been that we should nerd harder. Their faith in our skill is touching, but their arrogance that they understand what we can do better than we do is not. Crypto is math, not engineering, and they're telling us that if we just try hard enough we can make 2+2 = 3 ¾.


posted at: 12:05 :: permanent link to this entry :: 0 comments
posted at: 12:05 :: permanent link to this entry :: 0 comments

comments...        (Jump to the end to add your own comment)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

 
Name:
Email: you@wherever (required, for confirmation)
Title: (optional)
Comments:
Show my Email address
Save my Name and Email for next time

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access
43 days ago

A keen grasp of the obvious
My high security debit card
350 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse



© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.