Internet firms to be banned from offering unbreakable encryption under new laws – Telegraph

1 Comment

1. November 5, 2015 at 10:46 am

   Tomi Engdahl says:

   UK cyber-spy law takes Snowden’s revelations of mass surveillance – and sets them in stone
   ‘You can’t just uninvent encryption’
   http://www.theregister.co.uk/2015/11/05/ipb_reaction/

   The encryption bothering parts of the UK’s Investigatory Powers Bill have left IT security experts flabbergasted.

   Introducing the draft internet surveillance law in the House of Commons on Wednesday, Home Secretary Theresa May presented it as consolidating and updating existing investigatory powers. She spun it as a break from measures in the ultimately unsuccessful Communications Data Bill of 2012, adding “it will not ban encryption or do anything to undermine the security of people’s data.” The reality is far more complex and less reassuring than this bland assurance might suggest.

   “RIPA requires CSPs [communications service providers] to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”

   Look, ma – no backdoors! (Because they won’t be called that)

   Truly secure end-to-end crypto systems allow only the two people chatting to decrypt each other’s messages, calls or other information exchanged. The app makers, network providers and any eavesdroppers along the line have no hope of cracking the ciphered bytes if intercepted.

   One way to do this is use the Diffie-Hellman protocol, which allows two people to create a shared secret known only to them using prime-number maths

   There are also sorts of end-to-end encrypted communications available now, especially in the wake of the Edward Snowden revelations of NSA-GCHQ mass surveillance, but it’s the main providers the UK authorities are interested in, we hear.

   That focus on the mainstream – Facebook-owned WhatsApp and Apple – may spark an exodus to software perceived as being beyond the radar of the UK authorities. Make sure whatever code you decide to use is verified and trusted to work as advertised.

   Implementation flaws (such as weak keys or bugs in the programming) and slip ups by users (such as accidentally leaking private keys) are enough to break cryptographic systems. “The true security in ‘end-to-end’ encryption depends on how it’s implemented and how it is used. Key generation, management, forward secrecy all matter,” Professor Alan Woodward of the University of Surrey noted on Twitter.

   What the security agencies really want is a backdoor in the cryptography: a way to forcibly decrypt messages and calls. Mathematically, it’s not possible to build such a system in a secure way. If the snoops can flick a switch and defeat the encryption, so can anyone else, in theory. Criminals, bored teenagers, you name it; everyone loses.

   Critics charge that the UK government is trying to effectively ban secure cryptography, a suggestion ministers deny. Despite this, sections of the bill suggest that communications providers operating in the UK may be ordered to “provide technical assistance” and remove electronic protections, possibly under a gagging order along the lines of a US National Security Letter.

   The UK government wants to promote the use of good crypto to further its established goal of making the UK the best place in the world to do e-commerce. Alongside this, GCHQ and MI5 still want to be able to decrypt communications and identify suspects in terrorist plots, child abuse, and other serious crimes.

   Reply