Tuesday, 2 June 2015

"You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption"

Cory Doctorow again, this time from a 1st May article in The Guardian about David Cameron’s intention to break encryption, which I didn’t get around to commenting on at the time:
It’s impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security. If you want to secure your sensitive data either at rest – on your hard drive, in the cloud, on that phone you left on the train last week and never saw again – or on the wire, when you’re sending it to your doctor or your bank or to your work colleagues, you have to use good cryptography. Use deliberately compromised cryptography, that has a back door that only the “good guys” are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption.
He goes on to explain why, but you know the drill.  There are technical arguments and practical ones.  Doctorow compares encryption back doors to the TSA’s requirement that all luggage flying through or within the US to use Travelsentry locks, which have an easy-to-get-hold-of master key, which opens them all.
What happened after Travelsentry went into effect? Stuff started going missing from bags. Lots and lots of stuff. A CNN investigation into thefts from bags checked in US airports found thousandsof incidents of theft committed by TSA workers and baggage handlers.
They’re even managing to smuggle the swag off airports where all staff are searched on leaving.
Making it possible for the state to open your locks in secret means that anyone who works for the state, or anyone who can bribe or coerce anyone who works for the state, can have the run of your life. Cryptographic locks don’t just protect our mundane communications: cryptography is the reason why thieves can’t impersonate your fob to your car’s keyless ignition system; it’s the reason you can bank online; and it’s the basis for all trust and security in the 21st century.
We can’t pretend to be surprised if the same thing happens to our personal data, should Cameron get his way.

No comments:

Post a Comment