RIPA Part III

Brian Gladman ukcrypto at chiark.greenend.org.uk
Fri, 16 Jun 2006 17:35:37 +0100 

Peter Fairbrother wrote:

> Richard Clayton wrote:

>> 3. Finally, there's the "shall we have GAK" where the argument for is
>> that it's much simpler for the police that way and the argument against
>> is that it will seriously damage the economy...
>>
>> There's other for/against arguments for all of these three aspects of
>> course, but as you can see, the weight of these arguments in each
>> direction -- and whether the arguments are practical, principled, or
>> economic -- varies considerably.
>>
>> So I do think it's worth responding that, in particular, (2) and (3) are
>> NOT inextricably linked, but should be split apart.
> 
> How so? And why?
> 
> I believe they are linked, if only because in order to show that a
> decryption is valid, the key must be given.

There is no reason why proving the authenticity of a decrypted message
_necessarily_ requires knowledge of the decryption key.

In one of the situations that worries me (the attempted compromise of a
public/private key pair), I can supply a decryption without revealing my
private key and the fact that this encrypts under my public key to give
the original ciphertext validates its correctness.

In this case it is advantageous to be able to use an encryption key pair
for signature but sadly this also applies in reverse and this means that
some signature keys are vulnerable to GAK simply because they can in
principle be used for encryption as well as signature.

In fact it's pretty hard to see how signing keys are going to be made
GAK exempt since this would simply sponsor a raft of encryption
applications disguised as signature schemes. And this yet one more
reason why GAK provisions could prove disastrous since it probably won't
be possible to limit the damage to encryption keys alone.

> Nor do I think it makes much if any real difference - whether by decryptions
> or keys, ciphertext is vulnerable. Does it matter whether it's by some form
> of verifiable decryption or by key?
> 
> I can't see why. Some small technical differences perhaps, but nothing
> really significant.
> 
> The idea that it's somehow significantly less intrusive to demand
> decryptions than keys has little or no merit, IMO. It makes no real
> difference.

In my opinion it makes a profound difference since, in my view, the
scope for damage arising from the GAK provisions is essentially unlimited.

In contrast, if framed correctly with strong safeguards, there is no
reason to expect (2) to create such extensive damage.

In consequence I support Richard's view that (2) and (3) should be
separated.

  Brian Gladman