Windows guru requested - Securing Windows

Brian Gladman ukcrypto at chiark.greenend.org.uk
Fri, 09 Jun 2006 16:07:53 +0100 

Watkin Simon wrote:
>> From: Brian Gladman [mailto:brg@gladman.plus.com]
>> Sent: 08 June 2006 10:47 AM
>>
>> Simon, I don't believe in blind trust when it comes to the security of
>> encryption keys on which my safety and security (or both) might depend.
> 
> Brian, we go round and round the houses on this one.  You assume that once
> Part III is in place there is a higher probability that your keys will be
> seized than compared with now.  I always wonder who wants your keys and why.

The probability of having my keys seized legally now is zero.  Once Part
III comes into force this probability is greater than zero - I cannot
see how it can still be zero.

It's the UK government who wants to make my keys subject to possible
seizure.  I really don't know which part of government would be most
likely to take an interest in my own keys.

> You've explained to me that the scenario you fear is that someone will
> encrypt a message to you using my public/private key pair and thereby result
> in its seizure.  You need to unpack the "thereby" bit.  A lot.

That's not quite my concern.  When I use an RSA key pair, I publish one
key of the pair and keep the other private. Anyone can then use my
public key to encrypt data of_any_kind and I am then in the position of
being the only person who can use the resulting encrypted data to
recover the original.

Once Part III is in operation, anyone could use my public key in a way
that results in my private key being subject to seizure with the result
that it and all the messages with which it has been used could be
compromised.  The issue here is that someone else's actions can put the
keys of entirely honest and law abiding citizens at risk.

I stress that I am worried about the principle here so arguments about
session keys are not valid as I can't stop someone from using my public
key in a way that makes my private key the only means of decryption.

Nor am I convinced by the argument that says that you would simply ask
for a decryption and not the key since it seems to me that taking things
through the courts will ensure that my word won't be good enough in the
face of defence claims that the message is not the one their client sent.

> It's like the recent comment on Spy Blog:
> 
> "We all know that HMG does not want to use this power to examine the drives
> of a small group of sex criminals. Like the anti terror laws, this law will
> be abused on a massive scale and the ordinary computer user will be the one
> that suffers. They will sniff your traffic and see that you have pgp on your
> machine, and will flag you as a potential criminal. They will then demand
> your keys even though you have done nothing at all, simply because you are
> putting your email in an envelope.
> 
> This is the TRUE scenario that we need to explain and repeat, not the
> nonsense of HMG. Wake up."
> 
> A customer of the aluminium milliner me thinks.

It is easy to claim that my concerns are unreasonable but I don't accept
this. Many keys cannot seriously be trusted since their owners are not
themselves trustworthy. But over the years many of us have built up
collections of keys by personal 'face to face' key exchange in such a
way that we can equate trust in the key with trust in its owner.  But
once you make these keys subject to seizure you are undermining the
whole basis on which such trust networks are built.

In my view this is a very dangerous step to take since it is attacks the
very trust on which the use and value of encryption depends.

This might also be a very risky step since the removal of trust in what
we use now is almost certain to result in alternatives that will be far
worse from a legal access point of view. I am hence worried that this is
a 'crypto war' that will escalate in a way that could leave us worse off
than if we simply leave things alone.

>> If I am going to be asked to hand over such keys to _any_ other party, I
>> would expect, before handing them over, to be able to determine to _my_
>> satisfaction that the protection that will be offered to my keys by this
>> party will meet my needs as _I_ see them to be.
> 
> If you're in key disclosure territory, that's a valid matter for discussion
> with the investigator taking into account what the key protects.

The investigator has no right to know what the key protects.  And since
the revelation of the extent of sensitivity of all the data protected by
a key might itself create serious additional risks, this could easily
put honest key holders who find their keys subject to seizure in an
impossible position.

>> Have you released details of the procedural, technical and operational
>> processes that will be used for the handling and protection of seized
>> encryption keys?
>>
>> If so can you please let us know where these details are available?
> 
> Section 8 of the draft code addresses procedures for dealing with disclosed
> key material.  The idea that the code can address every circumstance - from
> a phrase on a post-it note protecting some indecent images through to a 3072
> bit key protecting something or other - and set out a range of processes is
> unrealistic.  Those processes need to reflect circumstances and changes in
> technology and security.  Setting them in stone in a statutory code isn't
> the place to do that. 

If you care to ask GCHQ about security risk assessment you will find
that even on a system of limited scale this can take months or even
years to undertake.

Are you seriously saying that someone faced with the seizure of their
keys will be given access to the details I have asked for AND given the
time necessary to determine that their keys will be in safe hands PRIOR
to being required to hand them over?

I just don't think this makes sense. Surely it is better to show people
in advance that the measures you will use will be fully secure?

What protection will you give to keys in those cases where key owners
are not prepared to specify the consequences of key compromise?

>> Unless I missed it, I did not see the unconditional and unconstrained
>> right of key owners to revoke their keys at any time, irrespective of
>> whether they are seized or are subject to seizure, had been recognised
>> in your proposals.
> 
> It goes without saying that unless the notice includes a secrecy requirement
> the recipient can say and do what they like - so long as their conduct does
> not amount to perverting the course of justice.
> 
>> Nor did I see a clear statement indicating that the unqualified
>> revocation of a key subject to seizure did not constitute tipping off.
> 
> Paragraph 10.12

Thanks, I did miss this.

We will need a wording here that makes it clear beyond doubt that
revocations that allow an inference of key seizure to be drawn will not
constitute tipping off.

That is a statement along the lines of "if I revoke this key I will
always be prepared to give a reason if I am legally allowed to do so"
combined with the answer "I cannot tell you why I have revoked this key"
are not going to prove problematic.

   Brian Gladman