Once Again with Feeling: Government Wants the Keys

Today's New York Times has an article entitled: “U.S. Tries to Make It Easier to Wiretap the Internet.” Boy we have been around this block before. Back in 1993 the U.S. Government proposed a new cryptographic standard that rather then being based around a published algorithm would instead be based on a proprietary hardware solution. An important “feature” of this solution was a built-in back door for the U.S. Government to be able to decrypt any message (with appropriate legal authorization, of course).

This program, the “Clipper Chip”, failed miserably. Now once again we see the government proposing that all encrypted communications be open to it. The article doesn't have a lot of technical details on exactly how this proposal would work and it is also clear that the details of the proposal itself are still being worked out. That said, let me speculate:

I believe there are several issues here. They are related, but different. The first issue is likely lack of clue by website operators and social networking sites when it comes to permitting the government to intercept information. Because many sites these days are using SSL (https) to encrypt data from a person's browser to the site, if a law enforcement agency needs access to content, they need to go to the site operator. I suspect that many of these operators are not setup to handle such requests.

The second issue mentioned in the article is that of “peer-to-peer” networking systems such as Skype which encrypt information on an end-to-end basis, so even the service provider may not be able to intercept these communications. Frankly the use of the term “peer-to-peer” elicits images of illegal behavior such as copyright violations. However the more correct term, used in the Internet standards arena from the very beginning is END TO END. Which is to say the original vision of the Internet was (and is) end systems communicating over a dumb but fast network.

The Bell System was designed with the notion that the network was trusted. There was only one provider, the phone company, so you only had to trust one entity. The Internet on the other hand was designed so that it did not have to be trusted. It cannot be trusted because there are many providers that make up the Internet. In fact the Internet connects together providers in countries that are at war! So Internet protocols that require security must assume that the network itself is untrusted, which means encrypting sensitive information. This is fundamentally at odds with the notion of putting in back doors for a government.

Why attempting to put in such back doors in systems is a bad idea is articulated in a paper written in 1997. The “Eleven Cryptographers Report” which I reference in my blog post from January 24th of this year when I was commenting on the Chinese compromise of Google. Everyone should read the report, again.

Today's New York Times has an article entitled: “U.S. Tries to Make It Easier to Wiretap the Internet.”  Boy we have been around this block before. Back in 1993 the U.S. Government proposed a new cryptographic standard that rather then being based around a published algorithm would instead be based on a proprietary hardware solution. An important “feature” of this solution was a built-in back door for the U.S. Government to be able to decrypt any message (with appropriate legal authorization, of course).
This program, the “Clipper Chip”, failed miserably. Now once again we see the government proposing that all encrypted communications be open to it. The article doesn't have a lot of technical details on exactly how this proposal would work and it is also clear that the details of the proposal itself are still being worked out. That said, let me speculate:
I believe there are several issues here. They are related, but different. The first issue is likely lack of clue by website operators and social networking sites when it comes to permitting the government to intercept information. Because many sites these days are using SSL (https) to encrypt data from a person's browser to the site, if a law enforcement agency needs access to content, they need to go to the site operator. I suspect that many of these operators are not setup to handle such requests.
The second issue mentioned in the article is that of “peer-to-peer” networking systems such as Skype which encrypt information on an end-to-end basis, so even the service provider may not be able to intercept these communications. Frankly the use of the term “peer-to-peer” elicits images of illegal behavior such as copyright violations. However the more correct term, used in the Internet standards arena from the very beginning is END TO END. Which is to say the original vision of the Internet was (and is) end systems communicating over a dumb but fast network.
The Bell System was designed with the notion that the network was trusted. There was only one provider, the phone company, so you only had to trust one entity. The Internet on the other hand was designed so that it did not have to be trusted. It cannot be trusted because there are many providers that make up the Internet. In fact the Internet connects together providers in countries that are at war! So Internet protocols that require security must assume that the network itself is untrusted, which means encrypting sensitive information. This is fundamentally at odds with the notion of putting in back doors for a government.
Why attempting to put in such back doors in systems is a bad idea is articulated in a paper written in 1997.  The “Eleven Cryptographers Report” which I reference in my blog post from January 24th of this year when I was commenting on the Chinese compromise of Google. Everyone should read the report, again.

Add a Comment

Copyright © 2009-2016 Jeffrey I. Schiller