GCHQ director blasts free market, says UK must be 'sovereign cryptographic nation'

Speaking this morning to CESG's Information Assurance conference, Robert Hannigan, director of GCHQ, declared that Britain was a "sovereign cryptographic nation" and reproached the free market's ability to provide adequate cybersecurity. The claim was delivered to a cybersecurity shindig attended by government employees and …

  1. Anonymous Coward
    WTF?

    What?

    We want you to have encryption, we don't want back doors, but we do want access?

    So how does that work then?

    1. Blofeld's Cat
      Black Helicopters

      Re: What?

      "So how does that work then?"

      It's complicated, and often sub-contracted out, but it essentially involves an orange jump-suit, a plank, some buckets of water and, occasionally, a short rubber hose.

      1. Blank-Reg
        Alert

        Re: What?

        "Rasputin, bring hither the skindiving suit with the bottom cut out and unleash the rampant Wildebeest"!

        1. Will Godfrey Silver badge
          Unhappy

          Re: What?

          What they do is sprinkle fairy dust and powdered unicorn horn round the back door portal so the bad guys can't see the way in.

        2. Kane
          Happy

          Re: What?@Blank-Reg

          Silence, Scum!!

          1. Blank-Reg
            Joke

            Re: What?@KANE

            SHUT UP!

        3. Michael H.F. Wilkinson Silver badge
          Joke

          Rasputin?

          "Rasputin, bring hither the skindiving suit with the bottom cut out and unleash the rampant Wildebeest"!

          Shouldn't that be Igor?

          Yeth, Marthter!!

    2. Tom Chiverton 1
      WTF?

      Re: What?

      How does it work?

      Lawyers. In secret.

      Now might be a good time to join the Open Rights Group and get this sorted out, before it sneaks past and into law, no? https://www.openrightsgroup.org/join/ if you please :-)

    3. Old Handle

      Re: What?

      Actually I think the recent advice to encrypt voice calls with ID-based encryption is a perfect example of what they're talking about. It doesn't have a back door, true, but by design it requires a third party to have a copy of all the private keys.

      1. dd88ddd

        Re: What?

        If a third party has all of my keys, that is essentially a 'back-door'. It's a way for someone to have exceptional access, circumventing the protection provided by the encryption. I call that a back-door. Besides, you can't stop people from using systems/cipher-suites that have perfect forward secrecy.

    4. John Smith 19 Gold badge
      Unhappy

      We want you to have encryption, we don't want back doors, but we do want access?

      So how does that work then?

      Surprisingly simply.

      A UK user is asked to produce their encryption keys and they can be sent to prison for up to 2 years if they don't.

      Oh, you mean without any evidence of wrongdoing or a Judge issuing a warrant.

      1. dd88ddd

        Re: We want you to have encryption, we don't want back doors, but we do want access?

        And if the key was ephemeral, generated on the fly, by the computer, and discarded when the session ended, and I don't know it, and even if I did it would be useless?

        Stupid law.

    5. dd88ddd

      Re: What?

      It doesn't, it's now clear that the intention is for keys to be retained, and he thinks that makes sense.

      Someone should tell him about perfect forward secrecy, he'll blow his lid!

  2. Anonymous Coward

    Thanks

    My household is already a sovereign cryptographic nation.

  3. Anonymous Coward

    what, backdoors, moi?!

    Front doors, patio doors, windows, vents, skylights, cat doors - it's only fair! Sewers, well, you would, wouldn't you! Likewise air waves, cables, drone comms and pigeon routes. But BACK DOORS?! Never!

  4. DavCrav

    "People and business in the UK should use encryption to protect themselves."

    "information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state"

    These two statements are mutually contradictory. We could call it the doublespeak paradox.

    1. Roger Varley

      >> "People and business in the UK should use encryption to protect themselves."

      >> "information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state"

      > These two statements are mutually contradictory. We could call it the doublespeak paradox.

      I don't think that they are. I would have no issue with lawful, warranted access. All we need to agree on now is who is going to issue the warrant, (Hint: It's not politicians)

      1. DavCrav

        "I don't think that they are. I would have no issue with lawful, warranted access. All we need to agree on now is who is going to issue the warrant, (Hint: It's not politicians)"

        Right, but then how do you get the information? If you have end-to-end encryption there's only two places to get the data: the person you are investigating and the person they are communicating with. The second person might well be out of UK jurisdiction, so you get the heavy mob to go round to the target's place to seize computers. Now it's tell us your passwords or else time, and we run into another law that people round these parts don't like, the requirement to give up passwords.

        There are serious contradictory statements around here: you cannot have all of the following:

        1) strong encryption that governments cannot break;

        2) warrants, signed off by anyone you want, politicians, judges, the Queen, whoever, that are enforceable;

        3) the ability to refuse to hand over passwords.

        1. Doctor Syntax Silver badge

          One thing that needs to be clarified. If a password is demanded and given then any attempt to use the data obtained via that password should be counted as self-incrimination and not usable as evidence against whoever gave it.

          1. Anonymous Coward

            The government would argue (and would have a point) that giving up the password knowing it would provide access to self-incriminating evidence would be construed as a waiver of said right. Indeed, such an argument has a chance of passing Constitutional muster in America.

          2. Adam 52 Silver badge

            Extremely unlikely. For two reasons - English courts, unlike US ones, typically allow unlawfully obtained evidence and because the point is to find evidence. It's no different to giving up your house key and expecting the cannabis factory inside to be inadmissible.

            1. Michael H.F. Wilkinson Silver badge
              Black Helicopters

              So what if you encrypt in such a way that password A gives access to some innocuous data (maybe embarrassing enough, or personal enough to want to encrypt, but nothing illegal), and password B (possibly in combination with A) gives access to the real deal. If you hand over password A, could law enforcement know about the extra payload, especially if the payload has a limited number of bits compared to the other content?

              The above scheme is hardly rocket science (or even computer science for that matter, more like a simple form of steganography). If I can think of a way of circumventing a law requiring me to hand over passwords in 60 seconds, so can many others. This does make me feel that laws like that are either simply ill thought through, or just a matter of lots of sound and fury to show people the government is taking ACTION!!!!! whilst signifying nothing in real terms. Could be both, of course.

          3. Anonymous Coward

            And if deniable encryption is in use, nothing of any utility has been revealed anyway.

      2. Ben Norris

        "I don't think that they are [contradictory]. I would have no issue with lawful, warranted access."

        How do you provide warranted access to truly secure encryption if the parties involved don't want to give up the key? Your opinion on whether it is reasonable is irrelevant; without a backdoor, it is impossible. That is the contradiction. Either it is secure from everybody including gov or it's not. Backdoors are there for everyone. If gov insists on some type of master key, hackers and foreign powers will have that in no time, because how will it be possible for gov bureaucracy to use that key(s) without passing them around (and losing them)?

      3. dd88ddd

        What you think is irrelevant. Encryption is either compromised, or not compromised. If law enforcement can access my data with a warrant, then someone can also access it without a warrant. Hackers, disgruntled employees, unscrupulous individuals.

        If they have the keys, they have the keys. It doesn't matter if they're supposed to have a warrant, hackers/criminals don't care, by the very definition, these are people who are breaking the rules.

        Besides, it's not technologically feasible. It's extremely commonplace to use ephemeral session keys, and systems with perfect forward secrecy.

    2. Anonymous Coward

      lawful, warranted reach of the state

      lawful, warranted reach of the state

      Sure. No objections. Make it a search warrant. Signed by a judge. NOT ONE SIGNED BY A MINION OF THE SPECTER SITTING IN THE HOME OFFICE!!!

    3. Paul 195

      The two statements are not contradictory. What we need to do (somehow) is return to the status quo as it was in the good old days of landlines. The police/secret services could get a warrant to run a line tap and listen in to what the bad guys were saying. Most people would accept this was reasonable. The problem now is we have on the one hand agencies like NSA/GCHQ wanting to hoover up all information (unreasonable and undemocratic), and on the other hand strong encryption can make it hard to listen to the guys they do want to listen to.

      Ideally, we want eavesdropping possible with a warrant, while being too difficult and expensive to do otherwise. I don't think this is impossible; you need to be able to subvert the bad guys' hardware when you have a warrant. Or possibly you can break strong crypto given large enough computing resources (like the NSA/GCHQ have), but it isn't feasible computationally to do it on the wide scale needed to monitor all of us.

  5. John Mangan

    Paging David Cameron

    "First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."

    Perhaps he should tell our beloved PM.

    1. Anonymous Coward

      Re: Paging David Cameron

      I read most of this as:

      "For God's sake shut that twat Cameron up, of course we're not complete morons but he is, and yes encryption is fine and not having back doors is fine, but the stuff that is protected, we'll find a way to get into that like always if need be, we are supposed to be spies you know"

      1. John Brown (no body) Silver badge

        Re: Paging David Cameron

        "For God's sake shut that twat Cameron up, of course we're not complete morons but he is, and yes encryption is fine and not having back doors is fine, but the stuff that is protected, we'll find a way to get into that like always if need be, we are supposed to be spies you know"

        Yes, this.

        We need GCHQ, MI5/6 etc. I've known many military types over the years and many, especially career officers, really do believe in serving Queen and country and doing the best they can to protect the country from threat. The powers they have and the powers they need in this Brave New World are great powers and they do need them. But there MUST be checks and balances in place because great power comes with great responsibility and not everyone can handle that, let alone the "rogues" who might get through. Then there's the politicians trying to use those powers to gain more power.

        I know at least one military type who told an MP to fuck off when he tried to wield power he didn't actually have but believed that he had the right to.

        The problem as I see it is letting the Police have almost unfettered access to the proposed data collection required by the Draft Bill and the potential for fishing expeditions. The security services really are not interested in that stuff. But plod and local council officials are drooling over the chance to see what they can find.

        1. ashdav

          Re: Paging David Cameron

          Upvoted you for the last sentence.

        2. Anonymous Coward

          Re: Paging David Cameron

          "and doing the best they can to protect the country from threat"

          It would have been better if that read "protect the country from people they perceive as a threat"

          Over time that has included Jews in post-war Palestine, all Irishmen, then a lot of Afro-Caribbean people, and now Muslims. Yesterday's arrest stemming from Bloody Sunday shows that this stuff doesn't go away.

          I am wary of assuming that the Military and Police establishments act in my interest.

          1. John Brown (no body) Silver badge

            Re: Paging David Cameron

            "I am wary of assuming that the Military and Police establishments act in my interest."

            Me too, but I was referring only to certain individuals who I have known over the years. The problem isn't the individuals on the whole, but the people at the top, the old school tie brigade and their political masters/friends etc.

    2. smudge
      FAIL

      Re: Paging David Cameron

      "First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."

      If that is really, truly, accurately what he said, then he needs to be reminded sharpish that he is a civil servant, and is NOT the government.

      To save time, he could be done alongside that eejit general who was shooting his mouth off at the weekend.

      1. Graham Dawson Silver badge

        @smudge Re: Paging David Cameron

        Parse the sentence carefully. There's a change of subject from "the government" to "we". He never addresses the idea that "the government" wants to ban encryption, he only says that GCHQ doesn't want to ban it, presumably because suitably holed encryption is far better for GCHQ than no encryption. No encryption means subjects of interest make use of other, more secure means of communication. Encryption riddled with secret access tunnels means you get enough misplaced trust in the existing communication methods to give GCHQ a chance of nabbing someone.

      2. Neil Barnes Silver badge
        Black Helicopters

        Re: Paging David Cameron

        "First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption."

        Of *course* they encourage encryption: what better way to encourage a sense of security while they find their way in through social programming or physical access.

  6. Vimes

    'All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises.'

    Except that councils will also have access. And other bodies too. Not just the police, SOCA or any other related part of the government. Just look at how RIPA was abused if you need any evidence how this will end up. It's a nice statement of intent but doesn't reflect what will end up happening.

    Besides which, isn't that the purpose of encryption? To put information beyond reach?

    As for 'lawful' that has very little meaning when what is lawful can be so easily subverted. The people in a position in authority are the very same as those responsible for those that were caught out using UNLAWFUL practices (KARMA POLICE as one example?). Those same people can push through changes to the law to make what was previously unlawful suddenly and magically lawful.

    'Lawful' is a meaningless term in the context of any ethical consideration.

    1. John H Woods Silver badge

      "Except that councils will also have access. And other bodies too" -- Vimes

      Yep: the Department for Work and Pensions; the Department for Transport; the Health and Safety Executive; NHS Trusts; the Department of Health; the Gambling Commission ... etc.

      Now, if it's to stop terrorism, only a small list is required: secret services; home office; etc. If it's to stop crime, only the police forces need to be added. Why the hell are all these other bodies on the list? If they have a need for the information to resolve crimes, why can't they go through the police?

      1. Julz

        The full list from the Draft IPB

        Relevant public authority
        --------------------------
        Police force maintained under section 2 of the Police Act 1996
        Metropolitan police force
        City of London police force
        Police Service of Scotland
        Police Service of Northern Ireland
        British Transport Police Force
        Ministry of Defence Police
        Royal Navy Police
        Royal Military Police
        Royal Air Force Police
        Security Service
        Secret Intelligence Service
        GCHQ
        Ministry of Defence
        Department of Health
        Home Office
        Ministry of Justice
        National Crime Agency
        Northern Ireland Office
        Her Majesty’s Revenue and Customs
        Department for Transport
        Department for Work and Pensions
        Common Services Agency for the Scottish Health Service
        Competition and Markets Authority
        Criminal Cases Review Commission
        Department of Enterprise, Trade and Investment in Northern Ireland
        Financial Conduct Authority
        A fire and rescue authority under the Fire and Rescue Services Act 2004
        Food Standards Agency
        Gambling Commission
        Gangmasters Licensing Authority
        Health and Safety Executive
        Independent Police Complaints Commission
        Information Commissioner
        National Health Service Business Services Authority
        A National Health Service Trust established under section 5 of the National Health Service and Community Care Act 1990 whose functions, as specified in its establishment order, include the provision of emergency ambulance services
        Northern Ireland Ambulance Service Health and Social Care Trust
        Northern Ireland Fire and Rescue Service Board
        Northern Ireland Health and Social Care Regional Business Services Organisation
        Office of Communications
        Office of the Police Ombudsman for Northern Ireland
        Police Investigations and Review Commissioner
        Scottish Ambulance Service Board
        Scottish Criminal Cases Review Commission
        Serious Fraud Office
        Welsh Ambulance Services National Health Service Trust

        1. Bogle
          Joke

          Re: The full list from the Draft IPB

          > Welsh Ambulance Services National Health Service Trust

          Oh good grief. As far as I'm concerned *Welsh* is encrypted.

        2. Vimes

          Re: The full list from the Draft IPB

          Except that if you look at section 57 of the draft bill it looks like local authorities are also counted as 'relevant public authorities'. I haven't gone into detail, but if you look at the bill...

          From the bill: (emphasis added by me)

          57 Local authorities as relevant public authorities

          (1) A local authority is a relevant public authority for the purposes of this Part.

          (2) In this Part “designated senior officer”, in relation to a local authority, means an individual who holds with the authority—

          (a) the position of director, head of service or service manager (or equivalent), or

          (b) a higher position.

          (3) A designated senior officer of a local authority may grant an authorisation for obtaining communications data only if section 46(1)(a) is satisfied in relation to a purpose within section 46(7)(b).

          (4) The Secretary of State may by regulations amend subsection (2).

          (5) Sections 58 and 59 impose further restrictions in relation to the grant of authorisations by local authorities.

          Then when you follow this through to section 46 you end up with these reasons, some of which could end up with some quite trivial justifications (prosecuting litterers or checking school applicants anyone?):

          (7) It is necessary and proportionate to obtain communications data for a purpose falling within this subsection if it is necessary and proportionate to obtain the data—

          (a) in the interests of national security,

          (b) for the purpose of preventing or detecting crime or of preventing disorder,

          (c) in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security,

          (d) in the interests of public safety,

          (e) for the purpose of protecting public health,

          (f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department,

          (g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,

          (h) to assist investigations into alleged miscarriages of justice,

          (i) where a person (“P”) has died or is unable to identify themselves because of a physical or mental condition—

          (i) to assist in identifying P, or

          (ii) to obtain information about P’s next of kin or other persons connected with P or about the reason for P’s death or condition, or

          (j) for the purpose of exercising functions relating to—

          (i) the regulation of financial services and markets, or

          (ii) financial stability.

          1. Anonymous Coward

            Re: The full list from the Draft IPB

            (g) for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health,

            PIU - pleb in uniform, GM - govmt. minion

            PIU: I need to obtain authorisation as the subject is in serious possibility of damage to his physical health

            GM: what is the nature of this damage

            PIU: have you seen my boots, they is well hard

            GM: granted

          2. Asterix the Gaul

            Re: The full list from the Draft IPB

            From the above, it sounds like it's true that they are not after a 'back door' to intrude, just a 'BARN DOOR'!

            'Use & ABUSE' that's the motto inherent in this piece of STASI legislation.

        3. Omgwtfbbqtime
          Facepalm

          Re: The full list from the Draft IPB

          Surprised the Borders Agency didn't make the cut.

          The MOD Plod relevant?????? They've never been relevant.

        4. Anonymous Coward
          Holmes

          Re: The full list from the Draft IPB

          you missed Uncle Tom Cobbly, an all!

    2. Anonymous Coward

      Also, cleverly

      'Warranted' doesn't mean with a warrant. Yes, very clever wording.

  7. Dabooka
    Black Helicopters

    I may be wrong

    but surely the statement about not wishing for back doors etc. is a) because they have them and they're lying or (more realistically for me) b) they have other ways, possibly exclusive methods too. Encouraging greater encryption would likely as not put them in the driving seat too, as other less developed agencies would not be able to pry like they can.

    Of course I might be talking complete bollocks, what do I know?!

    1. Paul Crawford Silver badge

      Re: I may be wrong

      You forget that GCHQ, like most agencies, is not a simple creature with a single goal.

      What they should be doing is protecting the UK: that means defence, business and private lives, as they are all inter-related.

      On one hand that means stopping The Bad Guys(tm) from having access, and that means encouraging properly used encryption to make sure that information goes where it should and not into the wrong hands. On the other hand it means having to break encryption to spy or assist the police for what should be the same goal, and there is an obvious conflict of interests there.

      Most will realise that both goals are justified, but given the evidence of past lying and political machinations bending of the rules, there is a serious mistrust of either goal. This is made so much worse by the clueless fuckwits calibre of politician we seem to get in charge of the situation.

      1. Asterix the Gaul

        Re: I may be wrong

        "On one hand that means stopping The Bad Guys(tm) from having access".

        Just who are the 'BAD GUYS'?

        From NOT just any potential wrongdoer, but millions of 'freedom' lovers too, it's a probable that GCHQ are, along with the 'authorities' within that draft bill, the 'real' villains of the peace.

        As ALWAYS, it's the Westminster trash that are constantly subverting the freedoms that were preserved with such loss of life in WW2.

        It is they who distort the facts & stand the truth on its head by justifying the bill through making everyone a potential villain.

    2. werdsmith Silver badge

      Re: I may be wrong

      If there has been a quantum computing breakthrough and the people in the giant dough-nut are using it to routinely break encryption, then we are not going to know about it for at least 30 years, if ever.

      The old urban myths about oil companies buying and scrapping any alternative energy inventions that threaten demand for fuel apply for real to any research into Quantum or other advanced method that can be used against encryption. It simply will remain a secret.

  8. Anonymous Coward

    and page 2 talks about their work with the FBI

    "pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners."

    Does this mean that they charge for access to UK traffic when the FBI wants to see it?

  9. Anonymous Coward

    Forgive my Britishness

    But most of this seems to come under "You would say that, wouldn't you?"

  10. Anonymous Coward

    Surprised about not giving away all the 0 day vulnerabilities

    GCHQ is not funded by my taxes to be the backstop security auditor of all the products and services I use. I refuse to subsidise that, they are there for my protection as well as their more targeted activities but that should not underpin corporate security laziness.

    Yes, disclose the broken, useless 0 days, use some offensively or at least proactively for a time, that's why they are there.

    Encryption does not stop conversations from being tracked even if the content is obscured. I am sure there are enough poor implementations of encryption to side channel or avoid the encryption most of the time anyway.

    Yes I am not happy GCHQ should have free rein to spy on everyone, but I am happy that they can target their "customers" without having to fully disclose all their methods in advance.

    1. the spectacularly refined chap

      Re: Surprised about not giving away all the 0 day vulnerabilities

      GCHQ is not funded by my taxes to be the backstop security auditor of all the products and services I use. I refuse to subsidise that, they are there for my protection as well as their more targeted activities but that should not underpin corporate security laziness.

      But that is the very essence of government in a capitalist society: to monitor and to regulate to ensure no one takes the piss. Should the government not ensure that the bank you use does not disappear overnight? That the food you buy is safe to eat? That the field next door is not used as a fly tip for nuclear waste?

      These all control commercial activity. What makes encryption and security different other than an instinctive paranoia that fails to appreciate the very role of any government, namely the protection of the people?

    2. werdsmith Silver badge

      Re: Surprised about not giving away all the 0 day vulnerabilities

      "I refuse to subsidise that,"

      So, you are a tax exile then?

      Because otherwise you have no say in the matter. Not even a general election vote can help you with your refusal.

  11. Adair Silver badge

    Re: ...you cannot have all of the following:

    @DavCrav - Very true, but we can have all of these working together:

    1. Transparency (within practical and lawful reason)

    2. Proportionality

    3. Honesty

    4. Trustworthiness

    5. Access to justice (which must be SEEN to be done)

    Unfortunately, when trust is lost and proportionality is a matter of bureaucratic opinion then the whole idea of 'responsible government' starts to look very suspect and shabby. What a mess, and mostly the fault of our collective complacency and the usual problem of an overweening state.

  12. Anonymous Coward

    Pitiful

    "pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners."

    How does that work in some third world country where all the bad guys are screaming, don't use that it's Kaffir technology, throwing away their mobile phone and are going back to whispering conversations over a candle. This is all dreadfully sad, a load of guys who don't appreciate technology but want to destroy large slices of it at the same time, so it suits their own ends and they can continue to spy on OPEC!

    1. Anonymous Coward

      Re: Pitiful

      Let Boko Haram haram away.

      The locals will duly take care of those motherf*ckers. We have had some episodes along those lines in Europe.

      1. Anonymous Coward

        Re: Pitiful

        "The locals will duly take care of those motherf*ckers. We have had some episodes along those lines in Europe."

        The trouble with that idea, as demonstrated in Afghanistan, is that sometimes the mofo's are too strong for the locals to deal with. To the point the mofo's become the government. What do you do then, especially if they start getting ambitious about matters outside their borders?

  13. theOtherJT Silver badge

    Left Hand, meet Right Hand

    Good, now we've got the introductions out of the way, do you think you two could go have a bit of a talk somewhere private and then come back and speak to the adults once you're both on the same page please?

  14. Crisp

    I'm not sure that I entirely believe Hannigan.

    "People and business in the UK should use encryption to protect themselves."

    Good. I agree with that. I don't want someone pinching my credit card number or masquerading as me online.

    "All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises."

    I understand that. But what that means is that the government wants us to have weak encryption that can be broken, or some kind of other method of decrypting the content of a transmission. And they want this method in place without anything that can be described as a "backdoor".

    The fact remains that if the encryption is weak, then it can be broken by anybody. If there's a second method of decrypting the content, then that method can be discovered by anybody. The end result is the same.

  15. Destroy All Monsters Silver badge
    Paris Hilton

    Rebellious colonies forever burdened with shit-tier math!

    "[the] Director was referring to the UK being a world leader in [cryptography] in its own right, in that we do not need to depend on other countries, whether state or industry, to have this capability."

    Mathematics works the same (and possibly even better) in the cindery remains of the British Empire?

    Fancy that!

    Greg Egan may have been up to something with "Luminous" (1998).

  16. captain veg Silver badge

    Do they have internet in prison cells?

    "We are committed to ensuring no part of the internet, including the dark web, can be used with impunity by criminals to conduct their illegal acts."

    I would have thought that the best method of doing that is by locking them up. Which we do. Upon conviction.

    Or did he mean suspects?

    -A.

    1. DavCrav

      Re: Do they have internet in prison cells?

      "I would have thought that the best method of doing that is by locking them up. Which we do. Upon conviction.

      Or did he mean suspects?"

      No, he means criminals. If you are suspected of being a criminal; you might or might not be. But criminals commit crimes, not suspects.

      It's like this: a body is found with an axe poking out the chest. There is a criminal around somewhere, the murderer, and there are suspects. The criminal is a criminal whether or not they are a suspect.

      1. Charles 9

        Re: Do they have internet in prison cells?

        "It's like this: a body is found with an axe poking out the chest. There is a criminal around somewhere, the murderer, and there are suspects. The criminal is a criminal whether or not they are a suspect."

        Not necessarily. The criminal may be the same as the victim: in this case, a Darwin Award Winner trying to play with axe juggling.

    2. Anonymous Coward
      Anonymous Coward

      Re: Do they have internet in prison cells?

      "I would have thought that the best method of doing that is by locking them up. Which we do. Upon conviction."

      To convict, you have to bring the criminal to trial. To do that, not only do you have to arrest him/her but you also have to bring the arrestee to your jurisdiction. Kinda tough to do when the criminal is committing crimes behind the protection of an enemy state that denies they even know the criminal.

  17. Peter Stone

    I see,

    This is the lot, or its equivalent, that at the time of the Crimean War, used the solution Babbage had worked out to crack Vigenere's Cipher, but never told anyone, or allowed Babbage to publish his method & claim credit for it. Then at the end of the Second World War, gave the captured Enigma machines away, not revealing we had cracked them, and they expect us to trust them??

    1. cantankerous swineherd

      Re: I see,

      plus destroying colossus on Churchill's order iirc.

  18. Peter Stone

    Another point

    Does anyone remember the Clipper Chip/Capstone controversy back in the 90s? They were on about a similar setup using key escrow, & got laughed out of court.

    1. Destroy All Monsters Silver badge

      Re: Another point

      I remember this but I don't remember the laughing.

      Was pretty serious.

  19. cantankerous swineherd

    so if gchq are in the business of protecting the nation, how come they aren't stopping the smart meter bandwagon? or do they think that spying on internet users is going to stop the mass bricking?

    1. Anonymous Coward
      Childcatcher

      "so if gchq are in the business of protecting the nation"

      You might want to read up on this part of GCHQ - https://www.cesg.gov.uk/Pages/homepage.aspx (Just ignore the .aspx bit, I'm sure they are jolly secure)

      They have created a security qualification called "Cyber Essentials" (and Plus) and provided a framework for accreditation etc etc. It's not bad. Download their self assessment sheets and follow them through at home and work (if you can). It's a very good first start.

      If everyone passed that in the UK then all we'd have to worry about is our own govt and assorted agencies. Divide and conquer: simples!

      (No I haven't read the whole article - just got here from /. )

  20. allthecoolshortnamesweretaken

    GCHQ and business

    Why doesn't the GCHQ start 'the next Facebook'? They'd get all the data and could even make money doing so!

    1. Anonymous Coward
      Anonymous Coward

      Re: GCHQ and business

      Why doesn't the GCHQ start 'the next Facebook'?

      = because for job applications for certain roles they have advertised they require a 2:2 from uni!

      1. Anonymous Coward
        Anonymous Coward

        Re: GCHQ and business

        "they require a 2:2 from uni"

        That's a "Desmond" or possibly 1.

  21. fluffybunnyuk

    ummm anyone remember Crypto AG...? no? here's a refresher...

    go to wikipedia and read the Crypto_AG page.

    Do they mean by "helping" it's a spin word for fundamentally undermining cryptography standards.

    I don't care, I spent 5 years on code to devolve an encrypted data stream to 2 different cryptographic outputs... one being my data and the other being my mum's peanut pie recipe. I think we know which crypto key I'll be handing over if they come knocking... and if they do I'll up it to somewhere popular for everyone to share. Oops so much for that much vaunted RIPA act people keep quoting...

    1. Anonymous Coward
      Anonymous Coward

      "I don't care, I spent 5 years on code to devolve an encrypted data stream to 2 different cryptographic outputs... one being my data and the other being my mum's peanut pie recipe."

      The trouble with plausible deniability is that your adversary can become wise to it. Much like TrueCrypt/VeraCrypt hidden containers. If the adversary knows you can hide more than one key, they simply won't stop until you disclose the other key, the one everyone knows is the one to the REAL real juicy stuff. Must stink to be using a system capable of deniable encryption and yet not actually using it because you're now in a position where you can never conclusively prove you have something to hide WITHIN the something to hide.

    2. Seajay#

      Re peanut pie

      Just one recommendation, the courts might legitimately wonder why you've spent 5 years protecting your mum's recipe and therefore conclude that you haven't given up the real key and send you to jail anyway. Better to put some really deviant (but not illegal obviously) porn in that sacrificial container.

      Also, if you've been writing encryption software solo, it is probably easily broken.

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: Re peanut pie

          "For an example of such a GREAT protocol, see the Perpetual Encryption solution."

          The problem with the theory is that you break the OT part of OTP. One-time pads are secure because you only use them ONCE. By doing that, you create the STRONG cryptographic strength of proving that ANY given ciphertext can be translated into ANY plaintext at any given time. POTP actually reuses pads, and that breaks the strong part of that encryption because a cryptanalyst, armed with all the pads, can run ciphertexts and detect patterns that come about through re-use.

          1. Anonymous Coward
            Anonymous Coward

            Re: Re peanut pie

            Now, having read what I wrote and thinking about it some more, I may be mistaken, but there are other ways to employ a shared pad that may not necessarily be one time but can still be difficult to cryptanalyze because you use the pad inventively. For example, a true one-time pad assumes the simplest of use cases: XOR and iterative one-by-one traversal, but if the pad were used in a non-trivial way (say, start in the middle and step some amount or pattern of amounts, wrapping around) and care was taken to not repeat these methods, I think you could use a pad multiple times, even using individual elements more than once (giving the pad a degree of depth) while still being difficult to cryptanalyze due to the high degree of randomness involved. I will be the first to admit that such a technique would need a considerable degree of refinement and would definitely have drawbacks, but I think it could have its uses in specific circumstances.

            That said, I still call out this supposed Perpetual Encryption as mostly hot air.

          2. This post has been deleted by its author

  22. Anonymous Coward
    Anonymous Coward

    Lots of people use Whatsapp

    They're not looking to get backdoors because that would be impractical and stupid - all the big US services would say no. They're also not looking to ban encryption because that would also be impractical and stupid - the rest of the world would laugh at how the UK had just done the equivalent of bombing its digital economy back to the stone age. What they are doing is pushing for *end to end* encryption to become illegal.

    The first part of achieving this is that you have to surrender your encryption keys if the authorities demand them. Like it or not, this part has already become law. Unfortunately for HM Gov, this probably won't do them any good if the user of the encryption isn't easily able to provide the keys because an app does it all for them - e.g. whatsapp. So the current push is about bullying these communications platforms to change their services so that they are no longer end to end encrypted, permitting the authorities to tap the comms channel whilst it's unencrypted within the comms provider's systems. So really they're just enforcing the weakening of encryption implementations on these services so that they can intercept with a warrant. This is all very sneaky, but it allows HM Gov spokesfolk to say they're not trying to ban encryption without being caught in a lie.

    Of course, this particular manoeuvre still needs the comms providers to play ball with HM Gov. Presumably they'll be told they will no longer be able to provide comms to UK citizens if they don't toe the line. It will be interesting to see what these providers do next; do they withdraw from the UK (loss of revenue), disable end to end crypto for all their users (and risk really bad PR for downgrading the security of their non-UK users) or redevelop their service to degrade the security implementation for any comms involving their UK customers at either end (comms decrypted whilst at their server) whilst retaining end-to-end crypto for all other traffic (and incur extra development costs).

    On most matters of cyber security the public will never know (much less care) what the real upshot of the actions of our lords and masters is, but this is a rare example of where the impact of legislation really could bite HM Gov on the arse. If the IPB results in use of whatsapp being banned for use in the UK it's going to make waves, as that service isn't just used by the IT savvy folk. Alternatively if whatsapp publicise the change of all UK users' subscriptions to their "UK_IPB_downgraded_security_option" and hike the renewal price up by 100% (to help pay for the additional development costs incurred, of course) it could still make things uncomfortable for Dave and his chums without whatsapp having to withdraw from the UK market.

    If you want to help non-IT folk understand what all the fuss is about don't go for the easy (but technically incorrect) line that the Gov wants to ban encryption - just tell them that the Gov wants to ban services like Whatsapp. That tends to get their attention long enough for them to realise that this really does mean that big brother will be watching them.

  23. earl grey
    Mushroom

    This qualifies as "pants on fire"

    The only back door they care about is yours: grease free if you please.

  24. Trollslayer

    Been there

    At GCHQ for an interview.

    It's worse than you think - Yes Minister meets The IT Crowd.

    HR are like frightened rabbits which set off alarms for me, always a bad sign.

    1. Anonymous Coward
      Anonymous Coward

      Re: Been there

      Clearly just from reading the CESG homepage, these guys just don't get it apparently;

      ECTOCRYP® Blue is the next stage in sovereign UK cryptographic development which is what their director is waffling on about..

      This enterprise version with its 19” rack mounting is fully interoperable with ECTOCRYP® Yellow, providing High Grade encryption for strategic and tactical networks.

      ◾Sovereign High Grade SECRET and TOP SECRET

      ◾PRIME Suite A certified to interoperate with other certificated PRIME conformant devices, modules include:

      ◾Base (IKEv2)

      ◾Suite A

      ◾Pre-Shared Key

      ◾Pre Placed Key SA

      ◾Community Separation (CCOI)

      ◾NAT Traversal

      ◾Peer Topology Sharing (Node)

      ◾Advanced Networking (DSCP Bypass, IKEv2 Liveness)

      ◾Encryption of multi-cast communications using Pre-Placed Key (PPK)

      ◾Supports crypto discovery using Peer Topology Sharing (PTS)

      ◾Up to 256 cryptographic keys (PPK, PSK, CCOI)

      ◾> 512 simultaneous Security Associations (SA)

      ◾>1.6 Gb/sec bidirectional IMIX throughput

      ◾Support for remote management

      ◾Crypto Ignition Key (CIK) support; Device Not Protectively Marked (NPM) ACCSEC when CIK removed, easing handling constraints.

      There is a huge difference between Pre-Shared Key and Public-Shared Key and I sure as hell don't like the sound of Pre Placed Key (SA) that implies they want to insert their signed-ness everywhere - With support for remote management, that must mean a hackable Linux web-portal on its ass end somewhere with their own private (SA) which some clever bod will replace with their own (SA) after they've broken in... Stupid is as stupid does! What is a DSCP Bypass? An IKEv2 dear god pay peanuts get monkeys they're still playing with IPsec calling it secret, ah bless their little cotton socks!

  25. amanfromMars 1 Silver badge

    Do Spooks Lead with Novel Invented Events or Do Vain Battle against the Spectre of Them?*

    The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear. …. Robert Hannigan, director of GCHQ

    Quite another school of thought/university of life would proffer that necessary virtual protection and APT ACTive supplies and cyber security market developments are doing just fine and dandy, thank you very much, and it is because of the likes of a dodgy puppet/perverse master relationship, which can all too easily be realised in the likes of a servant GCHQ/self-serving corrupt government marriage of convenience which is denying them access to new secrets, which out and exploit all manner of systemic establishment vulnerabilities.

    New gatekeepers are never going to deal equitably, if even at all, with an enemy which be a friend of an enemy and into austere terrorising executive administration, are they? Such would be a monumental folly.

    Trying to maintain and sustain a failed fiat currency invention project which enriches the rich and enslaves the poor, is a recipe for disaster and revolutionary act and it generates mounting trouble and real smart conflicts, way beyond the ken of that which would try to oppose it.

    * And to enrich what/whom?

    1. This post has been deleted by its author

  26. This post has been deleted by its author

    1. amanfromMars 1 Silver badge

      Next Generation Encryption has arrived!!! Secure by Design. Secured by Advancing IntelAIgents

      Our solution is 10 to the power of 2158 times more secure than existing Industry standards, meaning it's Quantum Compute & AI secure. …… Perpetual Encryption

      Meaning it is Quantum Compute and AI ready, Perpetual Encryption, which is quite another thing and a wholly different Great Ball Game for Virtual Terrain Team Players and Remote Anonymous Rogue Entities alike?

      Hmmm. And surely just as much an alien sport and exploit export adventure as astute classy assured security protocol, although both of those facilities are invariably poles apart in real world scenarios, and then much more of an APT ACTive Portal to some chosen and a Flying Few ‽ . :-} Poe's Law Rules for Reign in ITs Domains and AIDominions, where Madness meets Genius for a Rumba and Tango :-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Next Generation Encryption has arrived!!! Secure by Design. Secured by Advancing IntelAIgents

        It's just a shameless advertising plug. Perpetual Encryption is based on breaking the most fundamental rule of the One-Time Pad: namely, that you only use it ONCE.

        1. amanfromMars 1 Silver badge

          Re: Secured by Advancing IntelAIgents

          It's just a shameless advertising plug. Perpetual Encryption is based on breaking the most fundamental rule of the One-Time Pad: namely, that you only use it ONCE. …. Anonymous Coward

          Hi, AC,

          How’s it hanging?

          Perpetual Encryption will be very pleased that you make that mistake and do not realise that breaking the most fundamental rule of the One-Time Pad: namely, that you only use it ONCE, is not its base protocol but leading with a better, and beta One-Time Padded message may very well be, for of course, such is probably never to be confirmed or denied as fact and practice by those and/or that into utilising it effectively.

          1. Anonymous Coward
            Anonymous Coward

            Re: Secured by Advancing IntelAIgents

            One-Time Pads are the only encryption that are mathematically proven to be robust against cryptanalysis because ANY ciphertext can be translated into ANY plaintext of equal or lesser length. The moment you try to reuse a one-time pad, you break that assurance and can no longer call it a one-time pad. Now, you can re-use a pad in inventive ways, but preventing cryptanalysis of a reused pad is a non-trivial matter and requires its own set of rules and guidelines. It will be neither simple nor all-encompassing nor revolutionary.

            So far as I've read both here, on websites, and a Twitter feed, I've yet to see this technique in any great detail nor any direct endorsements from security authorities (or better, actual use of your technique). So to quote someone who isn't seeing eye to eye, "In English, Einstein!" Or is this all just a load of hot air?
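Added example, not part of any commenter's post or of the article: a Python sketch of the two one-time-pad points argued in the posts above, that a pad exists mapping any ciphertext to any plaintext of equal or lesser length, and that reusing a pad cancels it out of the XOR of two ciphertexts. The messages, pads and function names are constructed for illustration, and ASCII plaintexts are assumed.

```python
"""One-time pad: why any plaintext fits a ciphertext, and why pad reuse ends that."""
import secrets

# Constructed sample messages (ASCII, 32 bytes each); not taken from the thread.
MSG_A = b"MEET AT THE USUAL PLACE AT NOON."
MSG_B = b"THE PIE NEEDS TWO CUPS OF FLOUR."
DECOY = b"NOTHING TO SEE HERE."


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) with the start of the pad."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(data, pad[:len(data)])


def key_for(ciphertext: bytes, claimed: bytes) -> bytes:
    """Pad under which `ciphertext` decrypts to `claimed` (space-padded).

    Such a pad exists for every plaintext of equal or lesser length, which is
    why a ciphertext made with a pad used once tells an observer nothing.
    """
    if len(claimed) > len(ciphertext):
        raise ValueError("claimed plaintext is longer than the ciphertext")
    return xor_bytes(ciphertext, claimed.ljust(len(ciphertext)))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts. With a shared pad the pad cancels: c1^c2 == p1^p2."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def looks_like_pad_reuse(c1: bytes, c2: bytes, min_len: int = 16) -> bool:
    """Flag a ciphertext pair whose XOR never sets the top bit.

    ASCII ^ ASCII always has bit 7 clear; with independent random pads each
    byte sets it with probability 1/2, so a false positive has odds 2**-n.
    """
    leak = reuse_leak(c1, c2)
    return len(leak) >= min_len and all(b < 0x80 for b in leak)


def exposed_by_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """What a reused pad gives away once one of the two messages is known."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(reuse_leak(c1, c2)[:n], known_p1[:n])


def demo() -> dict:
    pad, fresh = secrets.token_bytes(32), secrets.token_bytes(32)
    c1, c2 = otp_encrypt(MSG_A, pad), otp_encrypt(MSG_B, pad)  # pad reused
    c3 = otp_encrypt(MSG_B, fresh)                             # pad used once
    return {
        "decoy_fits_c1": otp_encrypt(c1, key_for(c1, DECOY)),
        "reuse_flagged": looks_like_pad_reuse(c1, c2),
        "fresh_flagged": looks_like_pad_reuse(c1, c3),
        "second_message": exposed_by_known_plaintext(c1, c2, MSG_A),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `key_for` result is also the reason a single-use pad gives deniability: the same ciphertext opens to the decoy under one pad and to the real message under another, and nothing in the ciphertext favours either.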

            1. This post has been deleted by its author

  27. veti Silver badge

    It's a challenge

    GCHQ - not unjustifiably - has a lot of pride and confidence in their ability to hack other people's security. Basically, anything that's on the market now - they can break, with a minimal amount of effort and occasional cheating.

    So he's saying "Go ahead, use the best encryption you can find/be bothered with. It won't bother us, but it will make things a bit harder for everyone else, which is exactly the way we like it."

    Every so often, someone comes up with a new and clever form of encryption, and then it may take GCHQ some weeks or months of effort to figure out how to break it. That would be a window of opportunity during which you could have real privacy from them, at least temporarily, and that's what the Home Secretary - being, as required for the job, someone whose intelligence compares unfavourably with a dead cane toad - wants to abolish.

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a challenge

        No form of encryption can be considered unbreakable. The vaunted one-time pad can be intercepted, and quantum encryption can be stymied by blasting light "noise" into the fiber optics. Anything else can be bypassed by simply finding a way to get the message either before it's encrypted or after it's decrypted. Since our senses can't directly work with encrypted data, it'll have to be decrypted at some point.

        1. This post has been deleted by its author

  28. Irnerd

    As is absolutely reflective in British Society - Drink tea from a cup, use a knife and fork, and obey all the following (plus more) organisations (in no particular order)

    Royal Navy

    Royal Air Force

    Royal Army

    MI5

    MI6

    Constabulary (many many)

    ....

    Bank Of England

    And In 2015 / 2016 - added introduction of

    "Royal Encryption and Cryptography"

    Associating that the Crown will own the keys to the security of customer personal data stored by suppliers of broadband? Something charming [though not sure what] about this naivety.

    Good luck to all participants in that government and commercial relationship. A few more champagnes on ice for that likely successful debacle.

    Tin hats at the ready

  29. Paul Johnson 1

    So presumably the Great Firewall of China will soon be joined by Hadrian's Firewall.

  30. hapticz

    why the need

    all the concern for maintaining complete isolation and patency of ideas thru communications, reinforces the need for same. a circular system that fails to respond by adjusting and correcting to result in a non-cyclic, static and predictable (and improvable) state. is this a basic failing of natural human traits, to simply secure another's efforts as their own, essentially bypassing redundantly performed work? theft of concepts, or is it the very possession of concepts the root cause? did we not learn the dangers of the past 10,000 years of human desires, oppression, possessiveness and resultant conflicts? history may never teach a being that which it is incapable of learning.
