Germany Frees Crypto
Brian Gladman
gladman at seven77.demon.co.uk
Sun, 6 Jun 1999 19:30:07 +0100
From: John Young <jya@pipeline.com>
To: <ukcrypto@maillist.ox.ac.uk>
Cc: <cryptograph@c2.net>; <David_Conrad@isc.org>
Sent: 03 June 1999 18:58
Subject: Re: Germany Frees Crypto
[snip]
> As someone working on an Echelon story asked elsewhere, just what
> strength of crypto can NSA crack these days.
>
In my view this question has to be posed and answered carefully. The
reality is that most crypto cracks are not done by breaking the algorithms
but by exploiting weaknesses in their implementation. It is fairly clear that
we are already using algorithms that would be way beyond NSA's ability to
break by brute force if they were implemented perfectly and operated in a
perfect environment. We already use 128+ bit keys in many of our
algorithms and yet it is very clear that few if any applications come even
close to the levels of security that such key lengths offer.
In the work on AES several papers show how easy it is to get at keys on
smartcards and Markus Kuhn at Cambridge has recently published an excellent
paper on this. And, of course, software is several orders of magnitude
easier to subvert so we can see that we really do not have to worry about
algorithm strength but rather the strength of implementations. These have a
***LONG*** way to go before they even come close to matching the security
offered by current algorithms and key lengths.
Having worked on military systems the one thing that I can say with confidence
is that the only area in crypto where the 'government machine' remains ahead
of the open world is in the issue of implementation assurance. Governments
have learnt from a lot of practical experience how easy it is to undermine
algorithm security during implementation. The open world still has to learn
much of this. I believe that this will happen at a rapidly increasing rate
so I don't think this advantage will last much more than a few more years
but it is there now and it means that key length just gives an unlikely
upper limit on the security that applications offer.
But a wider issue is that the question has to be asked in a context. If NSA
conducts a targeted attack on a specific message it can clearly break keys a
great deal longer than 56 bits (using DES as a benchmark). But if we
achieved a situation in which all email was truly protected to even 40 bits
then much of the internet would be instantly out of NSA's reach since to do
'keyword' searches and the like requires a huge volume of traffic to be
decrypted and here even 40 bit encryption would pose an insurmountable
barrier.
So if we could find ways of achieving, as a matter of routine, ***ACTUAL***
cryptographic security at even DES strength, much of the 'State Sponsored
Information Piracy' we currently hear about would not be possible.
IMHO this won't happen, not because it cannot be done, but rather because
most users prefer functionality over security and, given the chance to put
processor and software improvements into one or the other, the market will,
for the present at least, continue to be driven by functionality. Of course
there are applications that, used properly, give good security but they are
used by a very small fraction of the user community, most of whom will
continue to be content to exchange email in the clear. This is made worse
by the fact that most large companies don't seem to be aware of the need for
good implementation assurance in offering security solutions and hence
provide solutions that seem to offer security performance but which, in
reality, are worse than useless because they give users a comfortable
feeling while offering no real protection.
My own hope is that a convergence of the open source software and
cryptographic communities will now bring a rapid change in this situation.
The technical community can offer the world good protection and governments
are powerless to stop this happening if we choose to do it.
Frankly I have stopped short of pushing this line vigorously in public but I
am fed up with the UK government's protestations of being positive about
crypto whilst doing all it can 'behind the scenes' to prevent its spread.
Good evidence of this is the UK government's stance in Wassenaar, an
arrangement that states very clearly that it cannot be used to justify
actions which impede genuine commercial transactions. Yet despite this
clear statement, the UK government - the DTI no less - has continued to use
this agreement to seek restrictions on the export of civil cryptographic
products that cannot even remotely be considered to fall within its
provisions.
And if anyone doubts the UK government's desire to hide its actions in
Wassenaar from the public eye, just look at the recent paper on 'Encryption
and Law Enforcement' issued by the PIU. Here export controls on cryptography
are ***not even mentioned*** even though it is very clear that they fall at
the heart of the study remit as a major consideration in the relationship
between encryption and e-commerce. But worse than simply not covering
export controls, this paper actually ***LIES*** about government actions by
saying:
"However, apart from the OECD Guidelines on Cryptography Policy,
there has been remarkably little co-ordination of policy on encryption
matters."
when almost everyone on this list knows very well that the government has
had a long standing role in a host of international efforts designed to
restrict the spread of cryptography.
I am amazed (maybe I shouldn't be) that the government would tell such
deliberate and shameful lies in a document with a preface signed by the
Prime Minister. In fact I have been so taken aback by this that I have been
at a loss about how best to react to it - it is hard to know where UK
citizens can turn when there is such deliberate dishonesty and lack of
ethics right at the heart of government.
It will be interesting to find out whether the Prime Minister and the Head
of the PIU are aware of the fact that a document put out in their name
contains such deliberate distortions of the truth. I hope that journalists
on the ukcrypto list will do what they can to discover the level within
government at which this attempt to mislead the UK public has been
orchestrated.
Brian Gladman