Obama: cryptographers who don't believe in magic ponies are "fetishists," "absolutists"

You “absolutely” believe that a particular something (the state of your hand) is the case?

You are mixing up two senses of the word “absolute” there.

An absolutism would be all hands must have five fingers. It is impossible to have a hand without five fingers. Which, clearly, is wrong.

And that is the problem with nearly all absolutist arguments I run into: they don’t come close to covering all cases and require a sort of religious leap of faith, surreptitious redefinition of terms, or blithe ignoring of evidence in order for anyone to put them forward seriously.

It could very well be that there is only “safest” in the digital realm. And if not safest, not safe. (b/c automated methods of attack, immediate propagation of ways in, etc.) But that, I think, is more of a conditional argument–encryption is not and can’t foreseeably be far enough ahead of breaking techniques to allow it to be handicapped in this way and still work. I think what Obama is getting at is that that is not the kind of thing he is being told. The kind of thing he is being told is that, on principle, we oughtn’t try to create or think about or talk about an encryption system that would allow for managed third-party access.

I think crypto provided by consumer-level services is their main concern. They’re after the schmucks with all of this, not the criminal masterminds. And a lot of damage has been caused by schmucks–people who’d f-up the whole thing left to themselves, but with Apple’s help they can get it done. (just like the FBI :wink:)

1 Like

Then why is it you keep demanding mathematical proofs?

Yeah, that’s the problem. Your article link has absolutely no bearing on the situation whatsoever unless that’s the particular encryption scheme you’re actually talking about using.

So, again, if you’re going to demand that people talk about the math, how about you start? Don’t just pick a statement about an encryption algorithm that makes you feel warm and fuzzy, talk about the encryption algorithm you’d actually use. And then think about why it is that none of the actual experts have put it forward as a possibility.
And here’s something you clearly haven’t thought about… the article you linked to discusses the challenge of brute-forcing the key when all you have is the encrypted text. But that’s completely different from what the situation would be in your hypothetical.

Instead, the attackers would have the ability to create their own encrypted text at will, based on whatever pre-chosen plaintext they wanted, and work the problem backwards from there… and your hypothetical posits that no matter what their own private key is, it will still be decryptable with the government’s single private key. The attackers would even be able to fully analyze the equipment creating the encrypted text, in real-time, while it worked. Although it could still be difficult, that would really simplify things for the attacker.

1 Like

So bad crypto for the dumb and the honest. That sounds totally reasonable. /s

1 Like

Who said it was bad? That’s precisely the question at hand. Bad relative to what? Bad relative to the job it needs to do? I haven’t seen a definitive answer on that.

Because I don’t have nuclear weapons, my home defense is “bad?” Because England doesn’t have as many nuclear weapons as Russia, its national defense is “bad?” A tool is there to do a job, the question isn’t whether it is absolutely the best tool out there. The question is does it do the job?

And that’s the question that folks like Cory don’t seem to want discussed.

Okay, so dropping the disingenuous argument that downloading an app made in another country is somehow behavior only “criminal masterminds” are capable of, we’re going back to how is backdoor access somehow bad, and relative to what.

It’s bad because it opens up more avenues of attack, and key management becomes a massive issue. (See pdf I referenced earlier.) It’s bad compared to what already exists, and will not go away even if you mandate US companies do something else. I’m not sure what is so hard to grasp about that, but the existing literature on cryptography is going to get you far further along understanding the issues than I can possibly do in the comment section of the BBS.

3 Likes

Downloading an app is one thing. Actually keeping your communications secure over time and in the event of a physical raid on your premises . . . that’s harder to accomplish. Not mastermind level, but probably well beyond schmuck level . . . unless it’s provided as something easy & built-in.

Thanks for the paper reference, I’ve actually printed it out and another more recent one along the same lines (“Keys under doormats”–easy to find). But the last line of that 1997 report is “We urge public debate to carefully weigh the costs and benefits of government-access key recovery before these systems are deployed.”

Me too.

1 Like

I only do so when people make positive claims that the difficulty with multiple independent keys is a mathematical one, as nimelennar did in the comment I was originally responding to that got us started on this tangent, which was followed by nimelennar retracting the claim. Are you making a positive claim of this nature, or just saying you have no idea one way or another? I specifically asked you to address the following question about what you are claiming but you declined to do so, please address it if you want to continue this discussion:

The last link I added in an edit to my previous comment seemed to suggest that any system with a single decrypting key could be easily adapted to multiple independent decrypting keys, so without knowing much about the variety of encryption systems out there, for the sake of argument let’s say the scheme in this case is just RSA encryption (which as I said is the only one I’ve actually studied the details of) with 4096-bit keys (also assume a random number generator based on quantum physics is used to generate private keys, since there can be security vulnerabilities associated with pseudorandom number generators as discussed in this article).

My thought about “why it is that none of the actual experts have put it forward as a possibility” is that from what I have read, all their objections are “human error” type arguments about the possibility of someone gaining access to the government key, not mathematical arguments it being possible to figure out the key by brute-force computation. If you are making a positive claim that I am wrong in my impression of the content of expert objections, a single example of an expert saying we couldn’t design a multiple-key encryption scheme that wouldn’t be vulnerable to brute-force cracking would suffice to show I’m wrong.

I “clearly haven’t thought about” this? You seem to have an undue confidence in your intuitions about a subject you apparently don’t know much about on a technical level–the idea that anyone can “create their own encrypted text at will” is a general feature of all public key cryptography, where there is a publicly-known key that can be used to encrypt messages but only the private key can decrypt them. This is true of the standard RSA system with only a single private decryption key, which is the system used in a wide variety of devices today (and the article on the problems with pseudorandom private keys I linked to above mentions that ‘Public key cryptography is the fundamental encryption system used to protect Internet transactions. It involves the use of a public key to encrypt data and an associated private key to decrypt it. For instance, when a user logs into a banking website or a secure e-commerce site, the transactions are encrypted using the site’s public key. The data can only be decrypted by the site owner using the corresponding private key.’)
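The hypothetical argued over above (one ciphertext that the user’s own private key and a separate government key can each open) can be built from ordinary single-key public-key encryption by wrapping a per-message content key once per key holder, which is also what the linked “multiple independent keys” approach amounts to. This is an added example, not code from the thread or from any project: it uses textbook RSA at demo key sizes with no padding, a SHA-256 counter keystream standing in for AES, and constructed names (Alice, Bob, escrow), and it shows both that the mathematics is not the obstacle and that every message ever sent then opens under the one escrow key.

```python
import hashlib
import random
import secrets

E = 65537  # standard RSA public exponent

def is_probable_prime(n, rounds=20):
    """Miller-Rabin test, enough for demo-sized primes (n is odd and > 3 here)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rand_prime(bits):
    """Random odd prime with the top bit set."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def gen_rsa(bits=512):
    """Textbook RSA pair ((n, e), (n, d)); demo size, no padding scheme."""
    p, q = rand_prime(bits // 2), rand_prime(bits // 2)
    phi = (p - 1) * (q - 1)
    if p == q or phi % E == 0:  # vanishingly rare; just draw again
        return gen_rsa(bits)
    return (p * q, E), (p * q, pow(E, -1, phi))

def stream_xor(k, data):
    """Toy symmetric layer (SHA-256 counter keystream from k); stands in for AES."""
    seed = hashlib.sha256(k.to_bytes(max(1, (k.bit_length() + 7) // 8), "big")).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ s for b, s in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(msg, holders):
    """One ciphertext every holder can open: a fresh 128-bit content key is
    RSA-wrapped once per holder's public key (n, e). Holders' key pairs are
    generated independently, so no private key is related to any other."""
    k = secrets.randbits(128)
    return [pow(k, e, n) for n, e in holders], stream_xor(k, msg)

def decrypt(ct, priv, slot):
    """Unwrap the content key in position `slot` with private key (n, d)."""
    wraps, body = ct
    n, d = priv
    return stream_xor(pow(wraps[slot], d, n), body)

def demo():
    """Two users with their own keys plus one escrow key -> (user_ok, escrow_ok, cross_ok)."""
    alice_pub, alice_priv = gen_rsa()
    bob_pub, bob_priv = gen_rsa()
    escrow_pub, escrow_priv = gen_rsa()
    m_a, m_b = b"constructed message for Alice", b"constructed message for Bob"
    to_alice = encrypt(m_a, [alice_pub, escrow_pub])
    to_bob = encrypt(m_b, [bob_pub, escrow_pub])
    user_ok = decrypt(to_alice, alice_priv, 0) == m_a and decrypt(to_bob, bob_priv, 0) == m_b
    # Every ciphertext produced this way opens with the single escrow key, so the
    # system's risk concentrates on that one key and on how it is stored and used.
    escrow_ok = decrypt(to_alice, escrow_priv, 1) == m_a and decrypt(to_bob, escrow_priv, 1) == m_b
    cross_ok = decrypt(to_bob, alice_priv, 0) != m_b  # wrong key yields garbage, not Bob's text
    return user_ok, escrow_ok, cross_ok
```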

eh, implementation is always the problem, whether it’s in code, the way you construct your s-boxes, your seed data, differential cryptanalysis ( https://en.wikipedia.org/wiki/Differential_cryptanalysis ), and a million other subtle flaws. “The math is perfect” holds about as much water as a sieve.

The argument isn’t that the math doesn’t work, but that as you add escrows it doesn’t work in practice.

yeah, i’ve implemented dsa symmetric ciphers that could use N ciphers to encrypt and/or decrypt. doesn’t mean i trust even my own code.

5 Likes

Yes, you clearly haven’t thought about it, because of the huge difference between “it would take longer than the age of the universe (to brute-force crack AES encrypted text)” and the problem of finding a key when you have access to the encrypted text, the cyphertext, another working private key, and direct access to the equipment.

Yes, but what you’re clearly not getting is that this is still entirely different from the hypothetical system you’re trying to describe. In the normal case, the attacker didn’t encrypt the text, or at the very least the attacker doesn’t have the information needed to decrypt it.

But in the system you are talking about, the attacker can create the plaintext, encrypt it into the cypher text, and decrypt it at will. They’re not trying to find a key to decrypt text that they don’t understand, they’re just trying to find a different key that will decrypt that text the same way as one they already have. Which is an entirely different class of problems altogether, and an article about the difficulty of brute-forcing an encryption key has absolutely no relationship to that class of problems.

3 Likes

Are… Are you implying there may be biases in keys that can lead one to derive a second (or really N) key in much less time than brute forcing???

Heavens to Murgatroyd! :smiley:

4 Likes

As I said in my last comment, for the sake of argument I’d prefer to talk about RSA with a large key (I suggested 4096 bits before, but this post suggests if we take into account the historical progression of better-than-brute-force algorithms for cracking RSA, along with advances in computer hardware, a 10k bit key will likely be secure until at least the end of this century or so). And if you’re going to claim that there is a purely mathematical problem with giving the government an extra private key, there’s no reason to bring up non-mathematical issues like “direct access to the equipment” (anyway, in the scheme I proposed earlier it would be enormously difficult for the attackers to get access to the equipment that was making use of the government’s private key, it would be closely monitored in some government facility and never connected to the internet).

If there is a public key as in ordinary RSA encryption with a single private key, then the attacker can also use that to turn an arbitrary plaintext into cypher text, so they aren’t “trying to find a key to decrypt text that they don’t understand” in this scenario either. Are you suggesting that when cryptographers talk about the difficulty of cracking RSA encryption with a large key, they are completely ignoring the fact that the public key is public? If you are arguing that having one of two private decryption keys would make it easier mathematically to gain knowledge of the other private key in a way that having a public encryption key does not, your argument above doesn’t give any reason why–and if you are indeed arguing this, then do you have any specific published reference from an expert that indicates this, or a detailed mathematical argument of your own, or are you just saying it’s your intuition that it might make it easier?

Speaking of personal intuitions vs. published references, I’ve asked you several times to address the bolded question below:

So again I’m asking you politely to please address it, just as I have tried to address any question you put to me. If you continue to pointedly ignore it, I’m going to conclude you aren’t really interested in any sort of thoughtful two-way discussion, but just in making a rhetorical case that simply avoids addressing any weak spots in your own position (like your lacking knowledge of any actual experts who make the same purely mathematical case for impossibility that you seem to be trying to make), in which case I will bow out of this discussion with you.

I’m not disputing any of this, but just look at how this particular line of discussion got started. Originally nimelennar made this comment arguing that encryption with multiple private keys was “mathematically impossible to do”, and I disputed the notion that it was “mathematically impossible” in this comment, and nimelennar retracted the claim that there were purely mathematical reasons it wouldn’t work in this comment. And then Nonentity jumped in and objected with a series of comments that seemed to imply that even though I was originally just objecting to a positive statement of impossibility by nimelennar, the burden of proof should be on me to provide a detailed double-private-key encryption scheme that would work on purely mathematical grounds, and also made a bunch of skeptical arguments about whether the mathematics would work.

So, this whole line of debate is just about the mathematical question, independent of other practical details of whether it would work. As I’ve said before in some other comments, I am not actually advocating that giving the present-day government a secret key would be a good idea, just saying it’s interesting (and rhetorically useful in these debates) to think about how a possible best-case version of this idea might work. In a best-case scenario I assume you’d have a large number of professional cryptographers reviewing the software and hardware before the whole thing was put into practice, so there’d be a sort of peer-review system in place, and I imagine they’d also try to design the software code to be as succinct as possible to minimize the risk of unrecognized errors, the seed data would be generated by a quantum random number generator, and any other sort of precautions the experts might imagine to minimize the risk of any sort of problem other than people interested in leaking gaining direct access to the facilities where the government key was stored and used.

Oh, for crying out loud… I thought you were the one who wanted to talk about “implementing the non-mathematical aspects”. Yes, I just checked, you said that just up there. So, no, you don’t get to restrict me to talk only about mathematical issues. Sorry.

Besides, if you can’t think of reasons that having access to the equipment performing the math could be a mathematical benefit, you’re sorely under-informed.

The government’s key isn’t some magical fairy thing that only works on the encryption in that one location. The general public would have full access to hardware that performed all of the same calculations to do their own encryption and decryption.

No. I’m saying they are ignoring the possibility that someone who already has the cyphertext, plain text, public key, and a working private key might be trying to find another working private key. Which would be the situation in your scheme. Stop trying to correlate the difficulty a brute-force attacker would have with the difficulty a far more informed attacker would have. Mathematically, those are two different situations.

I never claimed anything one way or the other. And, since the situation we’re discussing does not involve the difficulty of decryption (since the attacker can already decrypt some text just fine, they’re just looking for another equivalent solution that also works on other text), I don’t really feel any need to address it.

No, the best-case scenario would be that a large number of professional cryptographers would be designing it. The problem is, those professionals and experts are the ones who are saying things like “We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago.” and “Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached.”

huh? am i just an old fart or am i the only one that remembers the AES challenge? and did you read the page on differential cryptanalysis? no amount of RNGs would mitigate that vector.

the moment you start creating more keys, you shorten your keyspace. and the more keys you have, the greater chance there is for flaws in either the math or implementation to be exposed. see heartbleed/beast/poodle/freak and so on. also, when it comes to key escrows, like say CAs, see diginotar, verisign, that damn fake google cert issued by iran (Operation Black Tulip), and more.

in all cases the basic (and it really is basic) math wasn’t attacked. the attack subverted the assumptions based on perhaps the most installed piece of software in the world, or the key escrow company itself.

4 Likes

Yes, originally, but then nimelennar specifically said it was “mathematically impossible”, I objected to that, and you objected to my objection, and continued to do so even after nimelennar retracted the claim, and even after I had explicitly clarified that I was just objecting to nimelennar’s positive claim about the mathematics being impossible, not saying I was sure it was mathematically possible. And you also demanded specifics from me on the purely mathematical question of what encryption scheme would work, and made further objections that really only make sense as mathematical ones, like the claim that having one private key would make a big difference in terms of how easy it would be to find the other one.

Even if you didn’t understand our last few comments to be focused on the mathematical question as I did, I hope you would at least agree that the mathematical question A) “are there encryption schemes of this sort involving two private keys that would be prohibitive to crack by algorithmic methods” is logically separate from the practical question B) “would it be possible to practically implement any such scheme in a way that wouldn’t be highly vulnerable to practical vulnerabilities like leaking, tampering with hardware, etc.” And if the two questions are logically separate, it only confuses the issue to have kitchen-sink arguments which challenge both ideas within the span of a single sentence or paragraph. So I would ask that in future you please be clear about this distinction, ideally by just having criticisms on the grounds of A) be in separate comments from criticisms on the grounds of B), or at least making clear in each criticism you offer whether it’s intended as a mathematical problem or a real-world implementation problem.

I don’t know what you mean by “mathematical benefit”–certainly one needs to use some math to exploit weaknesses in the hardware, but there’s still a clear conceptual distinction between “purely mathematical” issues and more practical ones involving hardware; a purely mathematical strategy for breaking an encryption algorithm could be defined as one that would work if implemented on an idealized abstract Turing machine, for example.

What calculations specifically? Ordinary people’s hardware would perform calculations involving the public key to encrypt plain text into cypher text, then the user’s hardware would perform calculations involving their own private key #1 to decrypt cypher text, but they’d never be doing any calculations involving private key #2, the government’s universal key.

And in ordinary RSA encryption, the attacker can already have the public key and thus multiple examples of what cypher text is generated from various known pieces of plain text. When experts talk about the difficulty of cracking RSA encryption with large keys–even when they don’t just talk about the brute-force approach but take into account probable advances in more sophisticated algorithmic approaches, as in this page I linked to earlier–I think it’s safe to assume they are already taking into account the attacker would be “informed” in these ways.

So, the one difference with a double-key scheme is that in addition to being informed in those ways, they are also informed in one additional way, namely having one of the two private keys that can decrypt their own messages, while not knowing the other private key for their own messages that would be the universal decryption key, and of course they don’t know other people’s own different private keys either. As I said earlier, it’s certainly possible this additional information might make a crucial difference, but since you haven’t provided a source saying that specifically I take it this is speculation on your part.

But finding that other “equivalent solution that also works on other text” is the whole problem to be solved, if they can’t do this then they have no way to break into other people’s devices–that’s what cracking the encryption scheme means in this case. Although looking at the link I offered before on encryption with multiple independent keys, I admit I’m not sure it would actually be adapted in such a way that different message-exchangers would have different public keys and private keys of their own, but there could be another private key that would work on all messages. It looks like attribute-based encryption could work this way mathematically, though I don’t know how the encryption/decryption time would scale with the number of attributes, and you’d need 29 binary attributes to assign each member of a population up to 500 billion a unique combination of attributes, along with one additional “master key” attribute only the government would have.

I don’t know enough about cryptography to understand the details of the attacks you mention, and again I’m not claiming there’d be any encryption method that wouldn’t be vulnerable to some implementation-based attack even if there was no purely mathematical method to crack it in a reasonable amount of time; I’m just curious if it might be possible to design an implementation with a high level of safety assuming the basic math works. Along these lines, can you tell me which of the types of attacks you mention you think could still be exploited even if we had a multiple-key system (as in the attribute-based encryption scheme I linked to in my last comment to Nonentity) where the “universal” key was only stored as a hard copy and only entered into machines which were offline, and those machines were destroyed immediately afterwards?

There would be no difference between these calculations other than the value of the key. Also, the ordinary user’s hardware would need to have the knowledge to generate private keys that were compatible with the government’s key.

How about you provide a specific example where this would be a problem that would be investigated, before demanding that I provide a source that has investigated it? Or are you just demanding that someone else generally prove that this would make a difference in every cryptography system known or yet to be invented?

In your scheme as described, the attacker only needs to identify a single private key, and they have the additional information of knowing the inputs and outputs of the encryption algorithm, the public key, and at least one private key (although, in practice, it sounds like the same attacker could generate as many private keys as they wanted, and all of those keys would need to be mathematically related to the private key the government held).

If you think that’s not a problem, why don’t you provide a source saying that it isn’t? Or is this just speculation on your part?

1 Like

the math’s the easy part :wink:

BEAST and variants, which attempt to extract keys via ciphertext, would be easier with multiple keys.

heh, i’m not picking on you, but define offline. :smiley: i don’t know what to say, other than the apparent complexity of cracking a cipher never lines up perfectly with the real world implications.

2 Likes