
Do not mess with my encryption

I should probably start tagging a lot of my posts “boy-i-wish-i-were-a-lawyer.” I haven’t introduced that one yet, but I just might sometime soon.

Just last week, a U.S. federal judge ruled that a man accused of transporting child pornography across state lines could not be compelled to divulge the passphrase for his encrypted hard drive, because forcing him to do so would violate his Fifth Amendment privilege against self-incrimination.

Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled “Compelled Production of Plaintext and Keys.”)

This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to the key to a safe filled with incriminating documents: a physical object that a person can, in general, be legally compelled to hand over, just as the U.S. Supreme Court has said defendants can be forced to provide fingerprints, blood samples, or voice recordings. The defense’s competing metaphor is the combination to a safe, which exists only in the defendant’s mind, so that reciting it is testimony rather than the surrender of a thing; the Boucher ruling came down on that side.

This is a fascinating legal issue to me, and is a crucial watershed at a time when privacy is being ripped limb from limb in America. If this case stands on appeal, it will be a phenomenal step forward for encryption in the public sphere. I like to think that the ruling being upheld on appeal would generate a lot of press coverage, which might lead to increased public interest in personal encryption schemes, whether for hard drives or internet communication.

In discussing this miraculous (though not yet definite) precedent with some friends here, one girl I spoke with acted very confused, and said, “But what if he was doing something bad? Then the police couldn’t read his files and send him to jail.” She was American.

In earnest, there will be a lot of people using this technology to hide their involvement in illegal activities. But there will also be people using encryption to hide innocent yet sensitive data from theft and exploitation. If the encryption is sophisticated enough, it should stand up to data-mining attempts at Langley. It should mask the content of communication well enough to shelter the kind of political discussion that is typically considered unsavory.

It’s difficult for me to explain how very, very important I find it that communication remain discreet and private while the number of communication channels multiplies. Technologically it’s quite feasible, but unfortunately the cultural ingredients are not yet present in much of the world, most likely because most people simply don’t understand the systems they interact with every day.

But there are parties hard at work to prevent the widespread adoption of content-masking encryption schemes. Who they are isn’t immediately obvious, but it’s not hard to infer if you pay attention to major players in the tech industry. For instance, Wired recently covered a very compelling oddity in Dual_EC_DRBG, one of the four random-number generators in the new NIST Special Publication 800-90 (a 130-page PDF). A random-number generator is not an encryption algorithm in itself, but every key, nonce and session secret in an encrypted connection comes out of one, so a generator whose output can be predicted undoes the encryption built on top of it.

In an informal presentation at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor, whether or not anyone actually holds the key to it.

This is how it works: there are a bunch of constants, fixed numbers, in the standard: for each supported curve, two points P and Q that the generator repeatedly multiplies its internal state by. P is the curve’s ordinary base point, but Q is simply listed in Appendix A of the NIST publication, and nowhere is it explained where it came from.

What Shumow and Ferguson showed is that Q could have a relationship with a second, secret number that acts as a kind of skeleton key: some e such that P = e·Q. At each step the generator emits the x-coordinate of s·Q (minus its top 16 bits) and moves to the new state x(s·P). Anyone who knows e lifts the output back to the point s·Q, multiplies it by e to get s·P, and so holds the next state. Working through the 2^16 possibilities for the dropped bits, you can predict all of the generator’s future output after collecting just 32 bytes of it. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret number, you can completely break any instantiation of Dual_EC_DRBG; nobody has shown that anyone does, but nobody has shown how Q was chosen either.
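To make the mechanism concrete, here is a toy implementation added for this post; it is not code from the original entry, from NIST, or from Shumow and Ferguson. It uses the real P-256 curve and base point from SP 800-90 Appendix A.1, but its Q is not the standard’s Q: we manufacture Q from a secret e of our own so that P = e·Q, which is exactly the relationship that would turn NIST’s Q into a skeleton key if anyone knows the matching secret. The generator is simplified (no additional input, one block per call), and the number of output bits discarded is a parameter: the standard drops 16, which means roughly 2^15 candidate points to try, seconds in optimized code but tens of minutes in this pure-Python arithmetic, so the demo drops 6.

```python
"""Toy Dual_EC_DRBG over NIST P-256 with a planted skeleton key.

Added example; not code from the original post, NIST, or Shumow/Ferguson.
The curve, base point P = G and truncation follow SP 800-90, but Q is NOT
the standard's Q: it is derived here from a secret e so that P = e*Q.
"""
import secrets

# NIST P-256 (SP 800-90 Appendix A.1): y^2 = x^3 - 3x + B over GF(P), order N
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def add(p1, p2):
    """Affine point addition (slow but readable; no side-channel care)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                   # p1 == -p2
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P  # tangent, a = -3
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def dual_ec(state, Q, nblocks, dropped_bits=16):
    """Simplified Dual_EC_DRBG (SP 800-90 10.3.1, no additional input).

    Per block: emit x(state*Q) with its top `dropped_bits` bits removed
    (16 for P-256 in the standard), then state <- x(state*P).  The standard
    updates before the first output; seeding with x(seed*P) reproduces that.
    Returns (output blocks, state for the next call).
    """
    mask = (1 << (256 - dropped_bits)) - 1
    out = []
    for _ in range(nblocks):
        out.append(mul(state, Q)[0] & mask)
        state = mul(state, G)[0]
    return out, state


def recover_state(block, e, Q, next_block, dropped_bits=16):
    """Skeleton-key attack: given e with P = e*Q, one output block yields
    the generator's next state (confirmed against the following block).

    Try every value of the dropped bits, lift x to a curve point R = s*Q,
    and compute e*R = s*P, whose x-coordinate is the next state.
    """
    shift = 256 - dropped_bits
    for hi in range(1 << dropped_bits):
        x = (hi << shift) | block
        if x >= P:
            continue
        rhs = (x * x * x - 3 * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)          # sqrt; valid since P % 4 == 3
        if y * y % P != rhs:
            continue                           # no point has this x
        state = mul(e, (x, y))[0]              # either sign of y gives the same x
        if dual_ec(state, Q, 1, dropped_bits)[0][0] == next_block:
            return state
    return None


def demo(dropped_bits=6):
    """Plant the trapdoor, run the generator, forecast its future output."""
    e = secrets.randbelow(N - 1) + 1           # secret known only to Q's author
    Q = mul(pow(e, -1, N), G)                  # the published "unexplained" Q; e*Q = P
    seed = secrets.randbelow(N - 1) + 1        # the victim's secret state
    observed, _ = dual_ec(seed, Q, 4, dropped_bits)  # e.g. nonces from one TLS handshake
    state = recover_state(observed[0], e, Q, observed[1], dropped_bits)
    predicted, _ = dual_ec(state, Q, 3, dropped_bits)
    return predicted == observed[1:]           # attacker's forecast matches reality


if __name__ == "__main__":
    print("future output predicted from one block:", demo())
```

Run it and it prints True: after one block (and a second one to confirm the guess for the dropped bits), every later block the generator emits is known in advance. The attacker never learns the seed and never solves a discrete logarithm; knowing e reduces the problem to one scalar multiplication per candidate. Without e the same search is hopeless, which is why the unexplained origin of Q, not any flaw in elliptic-curve mathematics, is what matters.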

Not to be pedantic, but this should scare you. The U.S. government is very probably engineering and propagating faulty encryption standards. One might say that this in itself isn’t particularly heinous, given that the flaw has been exposed and the algorithm should therefore never enjoy substantial implementation. Cue the toolbags over at Microsoft, who list among the security updates for Vista Service Pack 1 the same nasty Dual EC generator.

Strengthens the cryptography platform with a redesigned random number generator, which leverages the Trusted Platform Module (TPM), when present, for entropy and complies with the latest standards. The redesigned RNG uses the AES-based pseudo-random number generator (PRNG) from NIST Special Publication 800-90 by default. The Dual Elliptical Curve (Dual EC) PRNG from SP 800-90 is also available for customers who prefer to use it.

Oh dear. This news comes a year and a half after a Microsoft cryptographer swore that no back door would ever go into BitLocker.

“The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data,” Niels Ferguson, a developer and cryptographer at Microsoft, wrote Thursday on a corporate blog. “Over my dead body,” he wrote in his post titled “Back-door nonsense.”

Notice anything funny? That March 2006 quote is by Niels Ferguson, the same cryptographer who presented on the flaws of Dual_EC_DRBG at the CRYPTO 2007 conference. And yet Microsoft is still shipping this broken algorithm, if only as a non-default option, despite the objections of cryptographers around the world and its own employees.

When I noticed Ferguson cropping up on both sides of the playing field, I tried to do a little more research on him. For some reason his homepage is redirecting to a spam pharmaceuticals page. Searching on the Microsoft Developer Network blog doesn’t seem to yield any posts by Ferguson more recent than September 2006, but the search functionality is horrendous and frustrating, so I may have missed something.

I don’t know what to make of this yet, but I’m interested in learning more about Ferguson. I know he’s collaborated heavily with eminent cryptographer Bruce Schneier, so I’ll have to look up some of their papers together. In the meantime, I’m incredibly suspicious, and I’m going to start locking up my data with more trusted, peer-reviewed encryption techniques. I highly recommend you do the same.
