A proper law

David Hansen davidh at spidacom.co.uk
Thu, 06 Mar 2003 11:45:45 -0000


On 6 Mar 2003 at 11:08, Brian Gladman wrote:

> In practice, faced with an abstract data stream encrypted using a
> modern encryption and authentication mode (e.g. AES-CTR +
> HMAC-SHA1), there is currently no known practical way of obtaining its
> unencrypted content without access to the key.

That is of course what people said about some well known earlier 
encryption systems. For years the best people the British had 
despaired of ever breaking Enigma, while at the same time the Poles 
were doing just that. Eventually the Poles told the British (and the 
French) how to do it and people like Alan Turing and Gordon Welchman 
developed the Poles' ideas.

As I understand it brute force attacks against Enigma would still 
have taken a vast amount of time on the computers of the time until 
relatively recently. Stories of covering the moon in computers in 
fact. The key was in being clever, not being intimidated by the big 
numbers and looking at the problem the other way round. This allowed 
the impressive sounding big numbers to be cut down to a size where 
even an electro-mechanical machine could scan the much smaller range 
of possibilities in a relatively short time.

While this may hold no lessons at all for today I would not be so 
sure. I note that in another area, that of genetic "fingerprinting", 
the impressive sounding large numbers are being shown not to be as 
large as proponents claim.

> But I very much agree with your view that there is no evidence to
> suggest that the availability of strong encryption is 'causing the sky
> to fall in'. After seeking such evidence on a worldwide basis it seems
> that we have only a very small number of cases where encryption has
> even been an issue and fewer still where encryption has resulted in
> law enforcement failures.

After typing my message I went to Dorothy Denning's web site. She 
agrees with you on the small numbers, though points out that they 
might rise in the future. This may or may not be the case, my crystal 
ball isn't good enough, though I'm inclined to agree with her (though 
what I think is hardly earth shattering). However, she points out why 
access to keys is not important.
 
> GAK in RIPA is an unnecessary and wasteful diversion of effort and one
> that will consume resources that could be far more effectively used
> elsewhere.

I suspect that it was partly a dummy, sold to people in order to 
divert them from looking at the other nonsense in RIP. 


--
  David Hansen, Edinburgh | PGP email preferred-key number F566DA0E
 I will *always* explain why I revoke a key, unless the UK 
 government prevents me using the RIP Act 2000.