Why "carnivore" type systems can't be (entirely) open source
Owen Lewis
oml at eloka.demon.co.uk
Mon, 5 Feb 2001 00:54:56 -0000
----- Original Message -----
From: "Brian Gladman" <brg@gladman.plus.com>
To: "UK Crypto Posting" <stevee+brg@slimy.greenend.org.uk>
Sent: 04 February 2001 01:05
Subject: Re: Why "carnivore" type systems can't be (entirely) open source
> > (GSM)... both the strength of the
> > algorithm and the use of STO as a delaying factor were both carefully and
> > accurately considered and not in the least ill-considered. Sure, if any
> > major govt had decided to break it they could have. The point is that they
> > never had the need to do so as the system gives access to clear voice, when
> > push comes to shove.
>
> Your latter point is wrong in my view since it is not difficult to construct
> scenarios where there will be a government advantage in getting at the data
> by decrypting the encrypted data stream.
I am aware of the pressure there has been, internationally, for some form of
GSM decoder. That pressure would never have existed had the various parties
been satisfied with what access they had. I am surprised that you do not
know this.
>
> > Those whom GSM security has kept out, gnashing their teeth, are those not
> > allowed much or any access to the clear voice part of the communications.
> > Dependent on circumstances and on country, these groups might include
> > all or some of the following: police, DSS, IR, C&E, private dicks, kibitzers
> > et al.
> >
> > Thus, for the purposes for which they were intended, GSM and its methods of
> > maintaining privacy in personal telecommunication have been a roaring
> > success.
>
> Not for providing security. They have only been a success because there has
> not been any real user interest in security.
Whether or not there 'was user interest' can have no bearing on either the
level of security provided or the success with which the level has been
maintained. GSM has never been described as a 'secure system'. How could it?
It has been described as providing user privacy and this it has done within
the provisions of applicable law.
> In the main users have
> demanded functionality rather than security and since these are in large
> measure mutually exclusive, this has meant that pretty well all products in
> the civil market are insecure.
>
> > So you say why not use a stronger system? GSM sells to all
> > comers, around the world and is DUEC free. If its
> > cryptosystem was truly harder than
> > diamond, then licencing under DUEC would surely have been
> > required and GSM
> > would consequently have been a commercial non-starter as a
> > mass-market system.
> > STO applied to the
> > reason for the NSA stipulated changes to the S box design that
> > was so widely misunderstood for many years (largely because
> > STO is anathema to academic
> > purists and, ergo, can only be applied to evil ends).
>
> Note carefully that this was never a use of STO to protect the design of DES
> since this was published. The secrecy was used to protect design
> techniques, not the design itself.
That's Jesuitical :-) STO concealed the reason, for requiring the design to
be changed, from academic/professional open reviewers that were not
knowledgeable enough (at the time) to see why the change was necessary. This
can be likened to giving five oranges to a child who can't yet count well
and letting him believe that there are only four. The kid is actually better
off than he understands himself to be. The kid counts as well as he can. No
one promises to teach him to count better but only to see that he is
properly fed.
> If this issue is to be understood properly it is vital to distinguish
> between a design and the techniques used to achieve it. The fact that a
> design is open and published does NOT mean that all the techniques used to
> achieve the design have to be known. There are advantages in having this
> further level of open knowledge but these have to be argued separately to
> STO applied to a design (that is keeping the design itself secret in whole
> or in part).
Well, that's a start. STO can be applied to knowledge of method but not to
the coding of the method's implementation.
Do you suppose that might be the way of the future, to show what cannot be
*fully* apprehended?
> No-one who is serious about information security has ever expected to
> achieve this by relying on the communications layer to provide it.
One might argue that point but let it pass. In context, it is only important
to note that GSM traffic is en claire throughout most of its routing. We are
agreed also that, as a result, the strength of the cipher in the GSM system
could never be a critical factor for users.
>
> > Expect - hope for even - more successes of its like. You can always try
> > and prove me wrong by coming out with a version of your own mobile phone
> > that uses the most secure cryptosystem you know and then try and sell it to
> > the public.
> This is pure politics.
:-) Earlier today, reflecting on *your* commentary so far in this thread, I
concluded that it was driven by politics :-)
> AES (Rijndael) exists and is unbreakable by anyone (as far as anybody
> knows). It is easily possible to deploy it in mobile phones and whether or
> not it appears is a political issue.
'Political' is surely the wrong word. We have laws, national and
international with which, by general consent, we should abide. These laws
may not always be wise, perhaps, but they are the only laws we have until we
change them. Until the laws are changed it behoves us usually to find ways to
conduct our business satisfactorily within them.
Now, within those laws, GSM has proved a most successful and popular design.
A major part of both its success and its popularity has been its privacy
feature.
It may be, one day, that there will be an international public
telecommunication system with AES providing end to end high level security
but I do not expect to live to see it. You will know that ASCOM and MATRA
developed secure voice chips based on IDEA almost ten years ago?
Now, whether or not it is 'a good thing' that every person have access to
high level end-to-end voice encryption *is* a political question. Me? I'm
not a political animal, just a pragmatist.
> It is no surprise to me that those organisations doing work on algorithms
> for telecoms and mobile phones are rolling their own algorithms in close
> co-operation with governments. My assumption is that at least some of these
> algorithms are broken (those that remain unpublished).
"At least some of these"? I think we can rely on it. Some other time, I'll
tell you about a certain 'voice cipher unit' that broadcasts clear speech AM
VHF to a range of some hundreds of metres. Yes, there are crooks in this
world and there are some who will be duped by them, including some who
should know better. But we are not discussing crooks. We are discussing a
fine telecommunications product that does just what it promises on the box.
Owen