Cryptography, keeping on the big lie

Keep living in a never-ending state of denial of facts.

 

So Cryptography would be a National Security Issue?

I’m tired of being polite and politically correct when talking about encryption. Let us be clear and honest: this whole crypto war is a pile of crap. Every time I hear someone claiming that we should not enforce strong cryptography I wonder: do they have the slightest idea what they are talking about? Probably not, considering most of the objections against cryptography I have heard.

Listening to those “enlightened” minds, it seems that without cryptography the world would be a sort of heaven where intelligence could solve any criminal case. And it seems that cryptography is used only by those who want to act against the law and public safety.

Well, maybe it would be worth it for them, and for us all, to do a reality check.

Encryption and weapons

Encryption is always associated with military technology. The Wassenaar agreement (https://www.wassenaar.org/) stated what should and should not be considered a “sensitive” or military technology. Encryption is in that agreement.

So for some people encryption is a weapon.

Encryption has always been used in a war context, as well as when there were politically sensitive issues. Besides the modern math behind encryption, the tools and techniques to hide a message or make it unintelligible are as old as war and therefore as old as humanity.

It seems that the more advanced the technology is, the stronger the need to consider it a weapon. It is a long story: from traces in the Old Egyptian Kingdom (1900 BC) to the Caesar cipher, history is plagued by examples of more or less successful attempts at ciphers and cryptography (it is successful if you do not decrypt the message, of course).

But let us be clear: modern encryption, from Turing to Diffie-Hellman-Merkle, is basically math, and math is math. I am sorry, but considering math a military weapon is like considering a hammer a weapon. Can a hammer be used to kill someone? Yes, and directly. Can math be used for the same purpose? Wait, no … unless the math book is really heavy.

Alas, nowadays the math can be implemented in technology, and therefore it is accessible even to those who do not have a cryptography degree. But technically speaking, since math is math, anyone could develop a mathematical model to implement cryptography. Would this make him or her a weapon maker? Actually, for some people, yes (see the whole PGP affair).

Apparently, the issue here is the democratization of encryption as something everyone can have access to (bad and good guys), more or less like knives and hammers and (in some countries) weapons.

Modern technology allows us to implement strong encryption environments, but at the same time it raises the level of “unwanted” decryption capabilities: the faster our computers are, the deeper encryption needs to go (longer keys, better algorithms…) to be effective. But this is the world we are living in.

There is no doubt that encryption can be used in a war-like scenario, and that it can protect communication and sensitive data, but at the same time it is clear that those are implementations of something that is in the public domain (alas, a big defect related to science). You can block the export of those technologies, but you can’t prevent a good mathematician from designing a decent algorithm that supersedes your limitation, and some decent coder from implementing it.

So a limitation, per se, is not so smart in the end, unless you think you are the only one able to do those things.

Encryption and criminality

If encryption can be used to protect valuable military information and communication, it can also be used by criminals. No question about it. But again, we are talking about something that is public domain (math, you know), and encryption, cryptography and communication masquerading have been out there since… forever.

Targeting one tool would just shift the criminals to another tool. Once you make it possible to decrypt the internal iPhone infrastructure, do you think criminals would rely on it (if they ever did)?

Most communication is passed in the clear: talking, writing, or sending videos. But at the same time, those communications can contain hidden messages even without encryption. As in a baseball game, where informal signals pass between pitcher and catcher about which pitch will be thrown next, hiding the content of a message by disguising it as another is something common. This does not require encryption and can be just as effective.

Actually, this is the most used vehicle of communication when you want to send a “secret” message or store info. Encryption is just one of the tools that can be used by criminals.

Encryption and intelligence

So it seems that, anyway, without encryption intelligence work is not possible? This is quite a curious statement, mostly because it comes from the same people who claim to collect only “metadata”.

So basically they do mass surveillance (regardless of whether it is legal or not in other countries) to collect only “metadata”, but that same metadata is useless against terrorism and criminality? That does not make any sense to me.

It is as if the good old intelligence work of old times is now useless and we rely only on the decryption of messages.

So let us be clear on this. Metadata can give us a lot of information on a communication transaction and, sometimes, it is all you need if you are doing your intelligence work with intelligence (nice joke, isn’t it? lol)

If you have two suspects and those are starting to exchange encrypted messages, well, you have good reason to make your surveillance stronger.

But what if you do not have suspects? Well, the answer is to decrypt all messages from everyone and look inside the content to find out if it is terrorist-related.

Is this effective? Maybe, I do not question it. Is this respectful of privacy? No, it is not. It would be like preventing criminality by bringing everyone in front of a court, I mean every citizen: maybe in the end you will even find some criminals, but most will be innocent people brought in front of a court.

So the whole point here is that, without intelligence, opening a Pandora’s box with bad encryption (like the export-grade restrictions that are still harming our digital world) is, at the least, questionable.

Can this make law enforcement and defense agencies work harder? Yes and no. If this crypto war is being waged to cover inefficiency in the intelligence capabilities of those agencies, that is for sure a problem.

Unless the point is to substantiate that only mass surveillance activity can save us all. But it is funny: mass murderers post their statements on Facebook (in the clear) and we do not notice it, and at the same time we keep talking about encryption?

Is it just me who sees an odd situation, or …?

Encryption and the internet

We all know what HTTPS is, or we should, at least. We all know what TLS/SSL is, or we should at least. We all know what PKI is, or we should at least.

Internet technology relies heavily on encryption, since encryption is one of the basic pillars of security, authentication, authorization and non-repudiation technologies. Without encryption, none of those things could be effective on the internet, where there is no direct and visible contact between the counterparts.

A system is as secure as its weakest component; therefore weakening encryption damages the whole internet.

Let’s be clear again: encryption is not the only answer. When I make a VPN (HTTPS, SSL, TLS, IPsec…) we are fairly sure that what we put in at the beginning of the transmission pipe is what will arrive at the end of the pipe. But encryption can do little about the content of the transmission itself: if we put manure in at one side of the pipe, we will receive manure at the other side. This is why encryption is just one of the technologies that need to be implemented.

But I do not think anyone doubts that without encryption most, if not all, of the achievements of the modern internet economy would not have been possible. Or would you like to pass your credit card data in plain text? (Well, actually that is what you do when someone swipes your card on a card reader, but this is another story.)

Encryption and privacy

One of the most important values of encryption, these days, is preserving privacy and intellectual property. With the expanding exposure of our lives to the digital world, and the promise of the IoT (Internet of Terror–sorry, my mistake, Internet of Things), encryption is becoming, day by day, the tool to preserve our privacy.

Basically, once we would have counted on the privacy of our walls, and we still do. But our world has expanded dramatically and will expand way more in the future.

Being entitled to some privacy is a right, and in some countries (as in the EU) it is considered one of the fundamental human rights. Alas, in the digital world only encryption can do the job of our walls. Weakening encryption means building your home with transparent walls. Maybe you like it, maybe not. But I wonder why this glasshouse concept has never been presented as a mandatory security tool by enforcement agencies.

This will make it easier to look for fugitives, stolen merchandise, drugs, and so on…

Encryption and “backdoors”

This is only for this phone.. yea right…

“I am sorry, I swear I’ll never do it again…” How many times have parents listened to those words from kids? We do not believe them, of course; we know they will do it again until the lesson is learned.

It seems that the same approach does not work with grownups. They do not learn even in the face of evidence.

The point that some people seem not to understand is that there is not only one owner of knowledge out there. I tried to explain before that modern encryption is based on math, and math is public domain kind of stuff. This basically means that anyone with enough knowledge can work to build or harm encryption systems.

When you plan to put in a “backdoor” (or, better, weaken the way a key is generated to make it guessable) to access some data, it is just a matter of time before someone else finds the weakness. Only an idiot can think he/she is the only owner of that kind of technology.

Cryptologists and security experts worldwide think the same; recent examples of vulnerabilities related to “export-grade encryption crap technology” prove this point, but this still seems not to be clear to some people.

As with climate change issues (and, why not, creationism), political beliefs are incredibly blind to simple facts: it will not work.

It is not that security experts and cryptologists do not care about security, or do not care about terrorism and criminality. On the contrary, they care a lot. But they are forced to have a vision that is not made shortsighted by contingency. If you do it today, someone else will do it tomorrow; it is as simple as that. There is no way to stop researchers from looking for vulnerabilities; they can be good or bad, they can be trustworthy or not, but they will do it, whether you like it or not.

Encryption and trust

But the question of encryption is way deeper and more complicated. There is a problem every time you make a system weaker: you lose trust and create a precedent.

As in the San Bernardino case, there is no way to guarantee someone else will not ask to access another phone, and another and so on.

Besides this, it is clear that once you do this for one phone, you will be forced to do this for other phones. And then there is the cloud and IoT there waiting for those requests.

We should face two issues:

  1. Encryption is something used to preserve data confidentiality, integrity and transmission. How can you trust a system that is openly weak?
  2. How can we trust the controller?

I tried to clearly express my view on point one before: if you weaken a part, you weaken it all. Basically, it makes the whole system unstable, and since we state that trust is paramount for security, weakening it will simply shift use to other tools. It will not be a problem for a terrorist to use self-made encryption tools, which may make the message look like plain text …

But I would like to focus on the second point.

Can I, as a European, trust a system that can be penetrated by USA intelligence without my knowledge? I am not talking just from a personal perspective, but also from a government one.

The answer is obviously no, even if we are allies. And the reason is in documents and facts that show how even allies have their skeletons. Snowden (and some other reports before him, actually) just made public something we were all aware of, but were just too focused on denial to take a position on.

We live in an interconnected world, and we cannot think that what we do is without consequences on a global scale. Sure, we can choose not to care, or not to talk about it, but the consequences will hit us whether we like it or not.

Once a nation asks for weakened encryption for “security” reasons, there is no guarantee it will not also use it for other purposes. This means that export-grade restrictions, now that the world cares and is aware of the problem, or “backdoors” and similar things will provoke a similar answer from other countries. It is quite amusing to notice that what is a “security matter” for one country can be perceived as a violation by another. Of course, we are the good ones, God is with us (jeez, this reminds me of something, maybe in another language), therefore they are the bad guys, aren’t they? So we can be trusted, they can’t… or maybe we cannot trust anyone and so should consider encryption a defense tool against everyone?

I know a balance between privacy and security is hard to find, but if trust is undermined you just will not have more security, because bad guys always know how to protect their stuff.

Encryption and business

So, would you buy, or trust for that matter, something with a Clipper chip on it? Seriously? If you do not care about security and privacy, probably yes; if you care, obviously not.

So vendors and technology and service providers would have to make a double offer: with weakened security or without. Maybe offering a hard discount for the weakened-security version of the product. I can imagine the motto:

“Be insecure for your security”


Indy Dhami

KPMG Partner | Industry Fellow | Cyber Security & Resilience

9 years ago

An excellent post Antonio, you touch upon several topics and themes that professionals in our industry have been battling for many years. I particularly liked the points on Encryption and Trust. Very topical considering the Apple Vs FBI events.
