A proper law
Owen Lewis
oml at sysrx.uk.com
Fri, 7 Mar 2003 17:16:59 -0000
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk]On Behalf Of Brian Gladman
> Sent: 06 March 2003 14:13
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: A proper law
> > As I understand it brute force attacks against Enigma would still
> > have taken a vast amount of time on the computers of the time until
> > relatively recently. Stories of covering the moon in computers in
> > fact. The key was in being clever, not being intimidated by the big
> > numbers and looking at the problem the other way round. This allowed
> > the impressive sounding big numbers to be cut down to a size where
> > even an electro-mechanical machine could scan the much smaller range
> > of possibilities in a relatively short time.
>
> I could write a book on why some rotor machines failed while others remain
> strong even today.
>
> But the main lesson I draw from this period is that it is very easy to take
> a strong cryptographic algorithm and then undermine its strength by using it
> in the wrong way.

Agreed, but the situation is actually worse. Cryptography is never an end in
itself but a subordinate function within an information security system. If
some part of that system other than the cryptography fails, then the object
for putting the system in place is lost and it makes little difference
whether the crypto is strong or weak or whether it is well or badly
implemented.

This, it seems to me, is the flaw in the 'strong cryptography for the masses'
argument. Good information security systems are relatively expensive to
procure and maintain. The 'masses' simply cannot afford/implement proper
information security - even for some who truly understand what the
requirements are.

What crypto may, uniquely, be able to do is to secure information in
transit, be it electronic or physical transit, between two points and across
an unprotected system or area. I think this is why it is of some effect on
LEA. Electronic eavesdropping is - has been - used in many serious
investigations. Were LEA to lose the ability to intercept communications
covertly, this would have serious consequences on the cost of a thorough
investigation of many criminal endeavours. Moreover, the substitution of
easy communications interception by an attack on one or more other parts of
the information security chain would constitute at least as great an affront
to concepts of civil liberty.

RIPA is an attempt to strike a proper balance between civil liberties and
the needs of good governance. Whether the balance is right continues to be
the subject of debate here. However, there seems to be less talk than once
there was of any real chance of getting RIPA overturned by the ECHR.

Owen