Chinese government rules due to come into force on Saturday would oblige security vendors to disclose encryption information. The regulations mean that suppers of six categories of products - including smart cards, firewall and routers - will need to submit trade secrets to a government panel in order to receive a license to …
To quote a somewhat well known 80's tennis player
"you cannot be serious"
I was gonna refer to the slightly more heartfelt Wesley Snipes' Blade in the circumstances:
"M*th*rf*ck*r, are you out of yo' damn mind?"
We need a pissed-off vampire icon.
If they require to know which encryption technique was used, then I really don't see the problem.
Relying on "security through obscurity" as some companies have done for quite a while should be outlawed anyways.
If they require the "keys to the castle", then I *do* see the problem.
'Handing over encryption information is "something companies cannot and will not do,"'
What's that you say chief? Cutting off a major market for your products? Failing to do your job to increase shareholder value?
It will happen, either through greed and a blase attitude to any consequences, or because the people actually running the companies involved are obliged to do so. With any luck they'll just shift deliberately crippled products to China rather than harming the security of the rest of us.
Look at it this way...
"Source code review of security products is carried out under security certification schemes run by CESG in the UK, for example, and by itself is certainly no bad thing. In the past Chinese authorities have asked for malware samples before allowing anti-virus vendors to sell technology into the country, a move into much murkier areas of security ethics. "
The point is that China wants to make sure they know what equipment is being used/sold in their country so that they (the government) can defeat the security or break the keys.)
Not only is this bad for China, but with the recent attacks against Western businesses tied back to the Chinese... you do the math.
You ship 'crippled' products, you have to create and maintain a new separate product line.
The best solution is to ignore the Chinese market completely. Including not purchasing from them. Unfortunately that will take balls that the Western companies do not have.
Wrong way round..
"The point is that China wants to make sure they know what equipment is being used/sold in their country so that they (the government) can defeat the security or break the keys.)"
There is this interesting assumption that somehow only US products can be safe. I rather see it is a way to assure that whatever they buy isn't backdoored by the US. It's not like the NSA doesn't have a track record here.. Also, if there isn't anything available they'll develop their own kit. There is enough competence to do that, but it's of course harder to start from scratch than just buying the kit.
Please keep to the right
There is no assumption that only US products can be safe that I can see. RSA's name is bandied about, but probably only because they developed the most famous implementation of elliptical (public) key encryption.
As stated in the article, if they want to know the implementation (to see if there are any backdoors), no worries at all - the techniques are publically documented. That would merely be a code review that standards are met and no hanky-panky is taking place.
If, instead, the Chinese govt wants the private (trade secret) *keys* for every product, THEN its just to make sure they can review the contents of everything encrypted in China. THEN it is a matter for concern. The fact that they leave it that ambigous is not promising for good intentions...
This is no different
from what other governments do... I know of western governments performing code reviews of commercial security products with the full knowledge of the vendor.
In fact I know of one instance (a few years ago now) where a very popular security product was rejected because the code review turned up some oddities (which the vendor couldn't explain satisfactorily). The conclusion was made that there was a high likelihood the product was back doored.
"suppers of six categories of products"
Mmmmmm... delicious routers.
Cryptographic algorithms used shouldn't be a secret anyway - security through obscurity was never a good choice, which makes me hopeful that this will force companies to fix their security. If they ask for keys, then they're insane. (which is not to say that the US gov didn't ask for both at some point).
Place your bets on the first company...
Who's your pick for the first company to hand over these details in order to win a contract, only to find in a years time there contract is cancelled, a local company (probably with contacts to someone on the review board) comes in, takes over the contract and is found to use a software identical to the first company's...?
Place your bets!
RE: Place your bets
I would love to say I'd bet ten years pay against your tonail clippings no-one is that utterly retarded but unfortuately my faith in the general intelligence of my fellow man died around the time Apple computers became trendy.
Who can blame them?
There is at least one story - with lots of references on the Internet - of a crypto-manufacturer (Crypto AG) putting backdoors into their products so that NSA could read encrypted messages. Whether it's true or not, the Chinese would be prudent to assume that their government comms could be targeted.
Would the UK or US buy crypto equipment from the Chinese?
Crypto AG isn't a US company so any country that doesn't like the US would have been happier getting crypto from them, after all do you think that all US crypto companies have helped or hindered the NSA to evesdrop?
UK buying Chinese crypto
You mean like the secure VPN routers and other crypto comms hardware the UK picked up from Chinese companies last fall?
...like in 21CN
I wondered if anyone would pick me up on that!
What's your Issue here ??
"will need to submit trade secrets to a government panel in order to receive a license to sell to government departments."
Western governments normaly procure COMSEC equipment solely from their local manufactures/government security institutions. Read CESG.gov.uk and you will see that they design algorithms and crypto devices to be used by UKGOV.
Same with Germany (google "SINA box" - using a www.bsi.de developed algorithm) and also the US. The NSA even have their own semiconductor fab. And of course Bell Labs.
So the Chinese even consider buying Western technology FOR THEIR GOVERNMENT and demand the ability to review code . That's totally fair.
As has been mentioned, no company is going to want to hand over encryption keys. And if they did, would you want to buy another product from the same company, knowing that they keys to your shiny new box of tricks have been passed on to the Chinese? It would be commercial suicide.
I take the points raised re "security through obscurity is no security at all". However, I remember many years ago trying to build a system that used a swipe card system that the customer already had in use. We could read the cards no problem. But we couldn't interpret most of the data. The card supplier absolutely flatly refused to tell us. Very very frustrating, but I can't really blame them. I'm sure the cards were encrypted so we would have needed a key anyway, but why not use obscurity as yet another line of defence? Decrypting something without the key is difficult enough. But if you don't even know the encryption algorithm, your job is many times harder, so why not?
If someone selling you boxes and they say 'sorry, but we use a proprietary encryption and no, we won't tell you anything about it', would you buy it?
Or would you rather go to the vendor pushing AES and a ridiculously long key?
After all, the 'proprietary encryption' could be a ROT13 or just XOR of the data...
(Such as found in wireless keyboards from a well-known company)
With a well-known and tested encryption we KNOW how difficult/impossible it is to break.
And knowing that a givent encryption would take a supercomputer years to break is worth more than 'no one is going to figure out how we do it'.
Especially if the crackers get hold of a copy(nicking a box and opening it, maybe?)
Re: AC @11.50
Your problem is you don't see that obscurity is totally different to real security. When you're using obscurity, you're depending on people (namely, your employees) not to divulge the secret. And such employees may loose their thumb drives, be blackmailed or bribed. But when you have real security, you depend on something much stronger than this, namely particular maths proofs etc.
This is why obscurity is NOT another line of defence - it's simply a way to help the manufacturer keep the market to themselves.
The good old US of A already have this requirement for any encryption product sold by a US company to anyone outside the US..
Re: US Requirement
"The good old US of A already have this requirement for any encryption product sold by a US company to anyone outside the US.."
Which - a code review or implementation of a backdoor?
A few years back Washington kicked up a massive fuss when they found out that their purchasing department had signed a contract to buy hndreds of Lenovo PCS and laptops.
A Lenovo computer basially a rebranded IBM computer. It's made in the same factories, it's service engineers are the same service engineers, and a lot of the work done on them is done in a plant in Monterey. But Lenovo is bankrolled from China.
Washingotn blew a gasket and there were all these fears about secret bugging devices and attack code. It was all total bull, but it really upset the Chinese government which reveled that it had just placed a massive order for Dell PCs for its own government departments without nearly so many hoops to jump through and without all of the claimand conspiracy and counter claim.
Now, China is just doing what Washington has been doing for several decades. It's brining in rules to ensure that wireless devices and encrypted software aren't sending out data that they aren't supposed to be.
This is nothing new. In fact many countries go even further.
For example, the British government routinely demands the code for software produced for its military systems (It's often a contractual requirement before you can even get started writting it). This isn't encryption, it's the whole show. Drivers, APIs, every single line of code.
It's one of the things that was holding up the F22 program. The British government refused to comit to purchasing it until it could see the code for the weapons and radar systems to ensure that the CIA or somebody else hadn't put a disabling code in to it that could shut it down remotely. That's actual US military secrets that they were demanding.
are somewhat a diffrent case. They had a good reason to ask for them, and I would expect any government buying kit like that to want to see every single bit of it. It's something the makers should realy expect. Otherwise it is much like being sold a plane and being told "no you can't look at the engine", although if Apple made a plane im sure they would try.
Different case how exactly?
Read again, this new guidelines will apply only for government purchases. As said by others, most countries won't even consider buying foreign kit for these uses.
My company was sold to China
And the corrupt practices they wanted us to engage in were clear even before the deal was signed. Fortunately, they packed up the company's technology and shipped it all to China, shutting down the domestic operations. The only employees kept were the few Chinese employees willing to move back to China. The dominant attitude there is still one of disregard for intellectual property. Any company that discloses trade secrets to a Chinese government panel should at least patent (which of course, discloses) those trade secrets. At least that way they can go after the Chinese firms that will inevitably copy their technology when those firms try to sell outside of China.
"At least that way they can go after the Chinese firms that will inevitably copy their technology when those firms try to sell outside of China."
Not if the Chinese firm refuses to divulge it's secrets.
"Not if the Chinese firm refuses to divulge it's secrets."
Good robust patents cover function, applications & outcomes. As everyone in the IC industry knows, patents that cover processes are not worth the paper they are printed on. Thus, if a company has good international patent protection, they don't need an infringer to disclose any "secrets". They simply need to see what function the infringer's product performs.
So, no difference there then other than time..
Umm, pot, kettle, I quote Doctorow here:
he USA was a pirate nation for the first 100 years of its existence, ripping off the patents and trademarks of the imperial European powers it had liberated itself from with blood. By keeping their GDP at home, the US revolutionaries were able to bootstrap their nation into an industrial powerhouse. Now, it seems, their descendants are bent on ensuring that no other country can pull the same trick off.
– Cory Doctorow
A secure system should not be breakable by disclosure of how it works. That is, of course, never 100% possible, but I think it's perfectly understandable that China wants to do their own check for backdoors, I wouldn't put it past the NSA to try and sneak some creative stuff in.
This means that there is no other route than to slam the door on those not willing to disclose..
I LOVE this idea...
That makes maintaining my do-not-ever-buy-equip-from-these-companies list much easier. Just cross-check them with companies selling to China...
You either sell your routers to the chinese gov, or to me. Never both.
A company wouldn't sell your secrets? When will that happen?
"Handing over encryption information is "something companies cannot and will not do," said president of the European Union Chamber of Commerce Jorg Wuttke,"
Wuttke is an idiot by saying something like that. "Secret encryption (method)" means XOR (or similar pseudo-encryption) and it should be prohibited by law everywhere.
Also Wuttke is an idiot if he thinks that companies are not selling (their own, clients) secrets for money. Quite many companies are living by selling other's secrets. Like Google.
Keyboards, Video Cameras
..are typically made in China these days. A cheap component which nevertheless contains a small microprocessor.
What if the Chinese just put in a receiver (using the keyboard cable as an antenna) and made that thing listen for commands to turn on a transmitter. Chinese intel could then eavesdrop on a really big number of PCs around the globe, provided they get into a distance of 300 meters.
Alternatively, the keyboard could contain some software which could fiddle with the operating system, as the keyboard "sees" all passwords...
I have heard stories of Chinese networked video cameras sold in Germany, which transmitted the video stream to a Chinese server.
The version of Skype that the Chinese government mandates is transmitting all chat data to a central server. Someone hacked into that and found huge amounts of collected conversations. Probably they also logged the Skype keys there, so that they could eavesdrop, should the need arise.
China is getting smarter
China wants to use their own stuff more and more. What better way than to ask vendors to drop their pants and hand over their source code? Additional benefit is that they get said source.
They want to be number one, and for that they have to start eating their own dog food, and that's the best way to promote it in this case.
I know, my wife is Chinese and her brothers are fairly high up either in the government or in the academia.
I thought China was on the list of places to whom the export of certain products and/or technologies is forbidden - and "strong encryption" is included in the list of forbidden stuff. In which case, the Chinese rules would be irrelevant for most people, unless they want to get a personal listing on a US shitlist of undesirables.
Sounds like a great opportunity
Did they recompile it ?
It is one thing to have something that is labeled ''source code to the product'' and to be sure that this is exactly what was used, eg no little extra ''tweak'' hidden in a system macro that leaves a security back door. If they are serious about this they will insist on compiling the source on one of their machines and check that it matches the binary that is shipped with the product.
All of this is a lot of work and will take a lot of time, who is going to pay for it ?
If they don't recompile it then the suspicion must be that they are more interested in getting/ripping-off the technology that doing a security audit.