Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses. And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be …

Silver badge
Black Helicopters

What's all this then?

I'm not sure what Brennan's game is. For a smart guy he sure seems stupid.

Does he not know how maths works? If US encryption is broken, someone else will sell a non-broken alternative. I'm pretty sure he's worked that out, so why say something so patently dumb?

I want to know what's really going on here.

53
0

Re: What's all this then?

A person I rather respect once said that if you ever find yourself considering what politicians are doing and thinking "now, that's stupid!", then know that you do not know all that is going on.

Of course, it's not exclusively correct, obviously: sometimes it's the politicians who are lacking critical information and/or understanding, and sometimes they are indeed just being plain stupid. But it's a world-view that's useful to keep in mind, I find.

33
0

Re: What's all this then?

"He may talk like an idiot and look like an idiot. But don't let that fool you. He really is an idiot."

-- Groucho Marx

I don't really think Mr Brennan is, generally speaking, an idiot. I suspect that there really is something deeper going on here. But I'd not rule out the possibility that he really is an idiot.

-- Bill

38
0
Silver badge

Re: What's all this then?

Encryption itself can be designed and produced anywhere. In fact, AES has non-USA origins. So do a few other encryption algos.

Encrypting gear, however - not so much. You have a choice of USA or China (I am deliberately leaving Ala-Lu-No or whatever it is called today out of the equation for now, it is constantly shooting itself in the foot so I cannot see it leveraging a market opportunity even if it hits it in the face). In some areas, like authentication, there are a couple of smaller players like Israel, but in general that is about it.

So, he has a point - if you are trying to use a product which bundles encryption you have to make a choice between USA and China today and you will probably have to make that choice tomorrow. You are already assuming it has backdoors (not like it did not happen recently with equipment "infected" in transit). Adding them openly does not make a lot of difference commercially.

6
11
Anonymous Coward

Re: What's all this then?

The effect is to create a market opportunity that will quickly be filled, US kit replaced.

The same effect comes from the forced decryption of customer data in the Snoopers' Charter, which means that every conversation between customers has to be intercepted by the vendor.

Communications product vendor Charlie has to include himself in the encrypted discussion between Alice and Bob, because as the vendor of their comms software and being a British company (regardless of where Alice and Bob are) Snoopers requires he decrypt their comms.

Belgacom springs to mind as an ex customer of any UK kit, or kit from UK companies. For UK that is only communications satellites affected I think?? Cloud services, data processing, and a few others will be hit.

So your private Alice-Bob comms also include Vendor Charlie, his friend GCHQ, their friends abroad (=5 eyes), UK police (via info sharing), and everyone from traffic wardens to animal charities via the UK's slack data protection system. Shared with everyone but courts and judges to avoid any kind of legal process or privacy right. Natch.

But I'm sure their chief will explain that their backdoors won't affect business because nobody has a choice!

Wishful thinking.

But Brit Kit, not with a free extra account.

12
0
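What this post describes, vendor Charlie being a silent extra party to every Alice-Bob message, is in cryptographic terms nothing more than one additional recipient key on each message. The Go program below is an added example, not code from the original thread or from any real messaging product. It uses a conventional hybrid scheme (one X25519 agreement per recipient, AES-256-GCM for the body); SHA-256 over the shared secret stands in for a proper KDF, the message text is constructed, and `SealWithEscrow` is the hypothetical "mandated" variant. It also shows the one check a client would have to make to notice the extra wrap at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// WrappedKey is the per-message key encrypted for one recipient.
type WrappedKey struct{ EphemeralPub, Nonce, Wrap []byte }

// Envelope is one AES-256-GCM body plus one WrappedKey per recipient.
type Envelope struct {
	Nonce, Body []byte
	Keys        []WrappedKey
}

func NewKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// randBytes returns n bytes from crypto/rand, whose Read never fails (Go 1.24+).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// aead builds AES-GCM over a 32-byte key; NewGCM cannot fail for an AES block.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts msg to exactly the given recipients, one fresh ephemeral X25519
// agreement each. SHA-256 of the shared secret stands in for a proper KDF.
func Seal(msg []byte, recipients ...*ecdh.PublicKey) (*Envelope, error) {
	msgKey := randBytes(32)
	env := &Envelope{Nonce: randBytes(12)} // 12-byte standard GCM nonce
	env.Body = aead(msgKey).Seal(nil, env.Nonce, msg, nil)
	for _, pub := range recipients {
		eph, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		kek := sha256.Sum256(shared)
		nonce := randBytes(12)
		wrap := aead(kek[:]).Seal(nil, nonce, msgKey, nil)
		env.Keys = append(env.Keys, WrappedKey{eph.PublicKey().Bytes(), nonce, wrap})
	}
	return env, nil
}

// SealWithEscrow is the mandated variant: the vendor's key is added to every
// message, so the vendor, and whoever obtains the vendor's key, can decrypt.
func SealWithEscrow(msg []byte, vendor *ecdh.PublicKey, recipients ...*ecdh.PublicKey) (*Envelope, error) {
	return Seal(msg, append(append([]*ecdh.PublicKey{}, recipients...), vendor)...)
}

// Open decrypts with the first wrap that unwraps under priv; GCM rejects the rest.
func Open(priv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	for _, wk := range env.Keys {
		ephPub, err := ecdh.X25519().NewPublicKey(wk.EphemeralPub)
		if err != nil {
			continue
		}
		shared, err := priv.ECDH(ephPub)
		if err != nil {
			continue
		}
		kek := sha256.Sum256(shared)
		msgKey, err := aead(kek[:]).Open(nil, wk.Nonce, wk.Wrap, nil)
		if err != nil {
			continue // not wrapped for this key
		}
		return aead(msgKey).Open(nil, env.Nonce, env.Body, nil)
	}
	return nil, fmt.Errorf("no wrapped key for this recipient")
}

// ExtraRecipients: key wraps beyond the recipients the sender intended.
func ExtraRecipients(env *Envelope, intended int) int { return len(env.Keys) - intended }

func main() {
	alice, _ := NewKey()
	vendor, _ := NewKey()
	env, _ := SealWithEscrow([]byte("constructed sample message"), vendor.PublicKey(), alice.PublicKey())
	pt, err := Open(vendor, env)
	fmt.Printf("vendor reads %q (err=%v); extra recipients: %d\n", pt, err, ExtraRecipients(env, 1))
}
```

The point of `ExtraRecipients` is that nothing in the ciphertext itself distinguishes the escrow wrap from a legitimate one; only a client that knows how many recipients it asked for, and counts, can tell. A vendor-supplied client that omits the count is exactly the "free extra account" described above.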
Silver badge

Re: What's all this then?

The effect is to create a market opportunity that will quickly be filled, US kit replaced.

The world is a small village. You will find that getting funds to work on such an opportunity off the ground is virtually impossible (just ask the OpenBSD guys on how difficult it is to get encryption related non-USA funding). Investors will tell you to sod off if you deliberately exclude USA and all American companies out of your customer base day one. Treaties like TTIP and Co will also make it even harder for you to build such a thing tomorrow.

This leaves you the only option to go hat in hand to the hill above Москва река, but that has its own issues. Ones we should probably avoid discussing as none of us would like to hear "Mr Chrisoprase is very unhappy" somewhere in a dark alley way.

That is something Mr Brennan understands very well by the way (he is not being an idiot here, he is in fact being brutally honest about it - something most USA politicos prefer to avoid).

5
13
Gold badge

Re: What's all this then?

@RIBrsiq: But Occam's Razor applies and on any matter requiring understanding of law, economics, science or technology, the politician is out of their depth and probably motivated far more by what they want to be true than by any advice they might have had from experts.

10
1

This post has been deleted by its author

Anonymous Coward

Re: What's all this then?

Investors will tell you to sod off if you deliberately exclude USA and all American companies out of your customer base day one

Ah, but herein lies the irony: IMPORTING high grade crypto kit isn't illegal (although paranoia suggests the US would quickly slap an import tariff on it if you were to start affecting the revenue of the government's paymasters). So you could still sell to US businesses, and I have a feeling that it's not the US businesses who want backdoors (well, OK, except the IT outfits who probably make a mint selling access to the agencies).

There's also the little issue that "US" crypto isn't actually of "US" origin at all. AES was originally called Rijndael, but that obviously sounded too foreign, and was developed in the country that once gave us techno, Belgium. This suggests that it's not actually going to be spectacularly difficult to obtain another cipher without the US having a foot in the door, but validating it is where the costs lie (as a matter of fact, a number of governments, amongst which the UK, do maintain other ciphers as well).

IMHO, given the continued behavioural problems of the US government it becomes more and more commercially feasible to develop a non-US cipher - as a matter of fact, I personally think we've reached the point where you could probably get an EU grant for it, the trick is to keep the whole thing as open as possible because that makes subverting it hard (sunshine works).

18
0
Big Brother

Re: What's all this then?

It's called disinformation.

He's quite deliberately speaking hypothetically about his vast governmental espionage agency "needing" the hapless consumer crap weakened - Thus implying (confirming - to all those who think he's "stupid") that the existing US crapto presently in use is most awesomely doubleplustrusty.

It is not.

Obviously.

Perhaps the San Bernardino fiasco broadcast that fact widely, loudly and convincingly enough to necessitate this spot of disinformation?

Hypothetically: The CIA doesn't really need any such thing. Doesn't really want any such thing. Isn't really asking for any such thing.

Equally obviously.

It's a show.

It's a fucking spy agency for Christ's sake. He's a spook. The real deals are done in secrecy. Next time the politicians pluck some deranged Orwellian crap "from thin air" and shove it into law before anyone can bat an eye, it was probably him wot wanted it.... but... whenever he spews shit at you via the world's media: HE'S LYING AT YOU.

No animosity to the man: IT'S HIS JOB

12
1
Silver badge

Re: What's all this then?

I guess that's the crux of the matter: IMPORTING high grade crypto kit isn't illegal ... but it could be made illegal. And if you think that such theoretical ban would only catch US-based companies, look at FATCA and then think again.

4
0
Silver badge
Facepalm

foreign encryption is a 'theoretical' capability

Wasn't the U.S. National Institute of Standards and Technology's very own Advanced Encryption Standard algorithm invented by two Belgians?

5
0

Re: What's all this then?

Maybe he has stock in all the companies that will make a killing replacing all the backdoored kit.

1
0
Facepalm

Re: What's all this then?

"Not that we should be worried about the CIA snooping, Brennan said. In the past three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff. The person will review all CIA activities to ensure they are legal, Brennan said."

A den of thieves has hired a thief to make sure they stay honest.

Well, I'm satisfied.

7
0

Re: foreign encryption is a 'theoretical' capability

ditto SHA-3

1
0
Silver badge

@Voland "getting funds ... nearly impossible"

Sure, now. If the US mandated backdoors, that would not be so.

2
0
Bronze badge

Re: What's all this then?

Thales e-Security are pretty big, part of the huge Thales organisation, and sell hardware security devices, trusted by many household names.

Based in Cambridge (England).

I'm sure they'll be happy to pick up lots of customers fleeing from the US mandated backdoors.

Disclaimer: I work there.

4
0
Holmes

Encrypting gear, however - not so much.

This is a very, very short term situation.

1
0
Silver badge

@RIBrsiq -- Re: What's all this then?

Well, then, how do you explain Louie Gohmert?, Todd Akin? Tom Tancredo? Joni Ernst? Steve King? (Among others, of course...)

1
0
Anonymous Coward

Re: What's all this then?

It's a good thing none of the foreign countries like say Belgium understand encryption. Oh wait.

1
0
Silver badge

Re: What's all this then?

"It's a good thing none of the foreign countries like say Belgium understand encryption. Oh wait."

don't rule out Finland, either.

that and libertarian-minded Americans who'll do it on the "dark net" and not tell anyone they did it. HELLO "underground economy".

Making drugs illegal - that really stopped THOSE, didn't it? And how about that 'prohibition' thing back in the 1930s? How'd THAT work out?

All I can say is, "they" (politicians, D.C. insiders, "the establishment") must think WE are IDIOTS.

1
0
Anonymous Coward

Re: What's all this then?

Making drugs illegal - that really stopped THOSE, didn't it? And how about that 'prohibition' thing back in the 1930's? How'd THAT work out?

You may accidentally have hit on the real reason for these shenanigans: a repeat of exactly that. The reason the whole drugs market still exists is because it makes a shocking lot of money for a small group of people by being illegal. Like the prohibition, many a billionaire was made on the back of something that is banned because it creates a supply shortage which can drive up the price.

The only thing missing here is the addiction part, but that's backfilled by the fear of the presence of many evil hackers and even the government itself.

It's really just about money. Lots of money.

3
0
Bronze badge

Re: Prohibition in the United States

I quote from the United States Prohibition article in the ultimate online cribsheet: "Within a week after Prohibition went into effect, small portable stills were on sale throughout the country".

1
0
Silver badge

Re: @Voland "getting funds ... nearly impossible"

I suggest that there is another possibility: If the US were to make such a requirement stick (I think the last version of Burr-Feinstein that I saw is pretty unlikely to pass), it is likely enough that it would be followed by similar legislation in quite a few other countries, with China and Russia in the mix but not necessarily the first.

0
0

Re: foreign encryption is a 'theoretical' capability

NIST knew that if they wanted anybody to trust their replacement crypto, they'd have to run an open international competition for it, with all the design rationales published, not just hand us a shiny updated version of the Clipper Chip or something. And yes, AES is Rijndael, from Belgium. And OpenSSH is managed by a Dutch/South African who lives in Canada, and OpenSSL by a New Zealander. Shamir of RSA is an Israeli.

"A cryptographer, a Eurocrat, and a normal person walk into a bar. What do they order?" Three Belgian beers, and maybe some Club Mate' if it's available. (Cryptography seems to be one of the Belgian national sports these days.) But it's not just the Belgians and the Dutch and the New Zealanders and the Israelis and Canadians and the Russian Mafia writing computer security software - lots of other places do it too. And while a lot of the Cypherpunks group activities were in Silicon Valley and Berkeley in the 1990s, it's not like everybody attending were Yankees; we had Canadians and Russians and Dutch, and there was a lot of academic work back and forth between US and European and Aussie and NZ universities.

1
0

Re: What's all this then? @Paul

I was thinking of Thales as soon as I read this article. Though I thought Thales was a French company?

But yeah, I even remember reading that the French president uses a Thales secure smartphone because the French also don't trust US hardware.

0
0
Anonymous Coward

Re: What's all this then? @Paul

Thales is a French company. They took over nCipher, which was set up in Cambridge by two Dutchmen as I seem to remember.

0
0
Anonymous Coward

Re: foreign encryption is a 'theoretical' capability

And yes, AES is Rijndael, from Belgium. And OpenSSH is managed by a Dutch/South African who lives in Canada, and OpenSSL by a New Zealander. Shamir of RSA is an Israeli.

And a lot of it is run on X86/64 hardware featuring Intel CPUs with their embedded micro running some Intel firmware blob that has access to all of memory and the Ethernet port...

So whilst your software list might be Non-American, the hardware and underlying firmware most definitely is American, and it's very opaque too

1
0
Bronze badge

Re: What's all this then?

p.s. Thales are a French company, partly owned by the French government.

0
0
Silver badge

Diversion

This is a trial balloon. Nobody thinks "mandatory backdoors" is going to pass. Brennan and Wyden are both going through the motions because it's their job, but there's no point getting excited about it.

We're being distracted from something, the question is: what? TTIP? Safe harbor?

20
0
Silver badge

Re: Diversion

Syria, Russia, South China Sea buildup etc.

3
0

"US companies dominate the international market".

The question, kind sir, is "would you like that state of affairs to continue?"

Because I personally doubt that it would for long. Even without artificial incentives for people to jump ship.

26
0
Anonymous Coward

Ohh John, I admire your naïvety…

…but if they ever were "theoretical", they'll be reality very quickly for those who care about such things.

Not everything revolves around Corporate America. Ignore that fact at your peril.

18
0
Silver badge

Hog wash.

Most of the rest of the internet-savvy world has perfectly good resources for developing and deploying kit that is as-good-as or superior to the US Gov't stuff.

Many of the recent advances have been made in Europe and Russia. They have also been at the forefront of pointing out the US-sponsored deficiencies. Of course this group (and including increasingly active ones in China) are more than capable of breaking US algorithms and introducing their own.

Massive fail for the old hat CIA/NSA/etc. All you're trying to do is to scare your minions/taxpayers.

10
0
Silver badge

Re: Hog wash.

A reference, please, to a source as to breaking of AES or RSA with high bit length. Strong claims require strong evidence.

Not that either of these algorithms really is "US Gov't stuff."

4
1
Anonymous Coward

Re: Hog wash.

Well, he did write "US algorithms"; neither Rijndael nor Keccak are of US origin. (One could argue that IF and DL cryptosystems are "US algorithms" -- pace Adi et Taher -- but then the NSA claims all those will be blown away in due course.)

2
0
Black Helicopters

It's okay!

I just finished reading through Brennan's private emails and it's clear the man doesn't have a clue about encryption. If the head of a security organization can't form a coherent idea on the topic, I don't expect anyone will actually place any value on his opinions.

If those are 'copters I hear outside, we'll know that reading his work emails may have been a step too far.

10
0
Silver badge

Re: It's okay!

You're mistaking a public position for a private belief. He's not saying that because he believes it, he's saying that because that's what he wants others to believe.

0
0

Layered Options...

If you encrypt a message with unbreakable security and then send it over a weakly encrypted network it is still unbreakable. Clearly he has no idea of PKI or encryption.

I only trust a one time pad (OTP).

17
0
Silver badge

Re: Layered Options...

> I only trust a one time pad (OTP).

But how was your OTP generated?

Unless your random OTP generator is really random then your message can still be decoded.

And that before we get into the thorny subject of exchange and security of the OTPs themselves.

6
0
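The two failure modes this reply points at, a pad that was never really random and a pad that gets mishandled, are easy to make concrete. The Go program below is an added example, not code from the original thread or from any product mentioned in it. The sample messages, the seed value 4242 and the seed search range are constructed for the illustration, and math/rand seeded with a small integer stands in for any reproducible "random" source; the reuse case uses a properly generated pad to show that even a perfect pad fails the moment it is used twice.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	mrand "math/rand"
)

// OTPXor XORs msg with pad. With a uniformly random, never-reused pad this is
// information-theoretically secure; every weakness lives in the pad itself.
func OTPXor(msg, pad []byte) ([]byte, error) {
	if len(pad) != len(msg) {
		return nil, errors.New("pad must be exactly as long as the message")
	}
	out := make([]byte, len(msg))
	for i := range msg {
		out[i] = msg[i] ^ pad[i]
	}
	return out, nil
}

// NewPad draws a pad from the operating system CSPRNG (crypto/rand).
func NewPad(n int) ([]byte, error) {
	pad := make([]byte, n)
	_, err := rand.Read(pad)
	return pad, err
}

// WeakPad imitates a "random" pad source that is really a deterministic PRNG
// with a small seed (math/rand, an assumption of this example). Whoever can
// guess the seed regenerates the pad byte for byte.
func WeakPad(seed int64, n int) []byte {
	r := mrand.New(mrand.NewSource(seed))
	pad := make([]byte, n)
	for i := range pad {
		pad[i] = byte(r.Intn(256))
	}
	return pad
}

// RecoverFromWeakPad brute-forces seeds 0..maxSeed and returns the first seed
// whose pad turns ct into a plaintext that passes isPlausible (a crib check).
func RecoverFromWeakPad(ct []byte, maxSeed int64, isPlausible func([]byte) bool) (int64, []byte, bool) {
	for s := int64(0); s <= maxSeed; s++ {
		pt, _ := OTPXor(ct, WeakPad(s, len(ct)))
		if isPlausible(pt) {
			return s, pt, true
		}
	}
	return 0, nil, false
}

// TwoTimePadLeak shows the reuse failure: c1 XOR c2 equals m1 XOR m2, so a known
// (or guessed) stretch of m1 reveals the same stretch of m2 without the pad.
func TwoTimePadLeak(c1, c2, knownM1 []byte) []byte {
	out := make([]byte, len(knownM1))
	for i := range knownM1 {
		out[i] = c1[i] ^ c2[i] ^ knownM1[i]
	}
	return out
}

func main() {
	m1 := []byte("ATTACK AT DAWN") // constructed sample messages
	m2 := []byte("RETREAT NOW!!!")

	// 1. Pad from a guessable seed: the attacker needs only a crib.
	ct, _ := OTPXor(m1, WeakPad(4242, len(m1)))
	seed, pt, ok := RecoverFromWeakPad(ct, 1_000_000, func(p []byte) bool {
		return bytes.HasPrefix(p, []byte("ATTACK"))
	})
	fmt.Printf("weak pad: recovered=%v seed=%d plaintext=%q\n", ok, seed, pt)

	// 2. Proper pad, but reused for two messages of the same length.
	pad, err := NewPad(len(m1))
	if err != nil {
		panic(err)
	}
	c1, _ := OTPXor(m1, pad)
	c2, _ := OTPXor(m2, pad)
	fmt.Printf("two-time pad: m2 recovered as %q\n", TwoTimePadLeak(c1, c2, m1))
}
```

The seed search is the whole attack in the first case: a pad drawn from a generator with a small or guessable state is only as strong as that state, however good the XOR looks. The second case never recovers the pad at all, which is why pad reuse is fatal even with a perfect generator.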
Thumb Up

Re: Layered Options...

Was with you (and thinking "Truecrypt") right until you said OTP.

Not typically practical and horribly vulnerable to catastrophic "side channel" failure.

TRUECRYPT

(Use your "OTP" as a permanent keyfile, to augment/"salt" your session passcodes/keyfiles, if you like.)

1
0
Anonymous Coward

Oi John!

This is what happens when you make silly bets on a game of golf with the chief of staff - you get put on the "make yourself look stoopid to distract and amuse the proles" rota.

12
0
Silver badge

"Not that we should be worried about the CIA snooping, Brennan said. In the last three weeks, the CIA has appointed a privacy and civil liberties officer as a full member of senior staff."

A mere 68-and-a-bit years after it was formed (1947-09-18). My, that was quick. I'm getting dizzy just watching from the sidelines.

12
0
Anonymous Coward

Elitist Delusions of Grandeur

-- This has the delicious stench of American Exceptionalism written all over it... If it's not American it doesn't exist... Yeah <cough> right!

-- Americans are not known for their studious attention to history, but there are warnings about the fall of great civilizations (Rome etc)...

-- If there was a scale where US opinion and power mattered it's probably down from 9/10 in the 80s to about 3/10 now. Own goals like unwise ME wars, the Bush years, Obama empty promises, China rising, and revelations from Edward Snowden have all seen to that. So great job. Go Team USA!

17
0
Silver badge

To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order

Well, I think nearly all, at the time of this posting, are in agreement here, and have recognised that Uncle Sam has lost the leading plot and are catastrophically vulnerable to being ruthlessly exploited for both personal and personnel and foreign state and non state actor gain.

And that title can also be written thus .....To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order to Program with Novel Programming and Heavenly Projects delivering Noble Projects in Immaculate Pursuits ..... and/but of course, and one is well warned here and is hereby again advised to remember to never ever forget, for some things are final and vital and fatal and strike without any sort of prior warning, should its Advanced IntelAIgent Systems and Virtualised Administrations Executive[s] be proposed opposed, at any time in any space or place, and be the subject of objectionable attack and/or abuse, are Hellish Schemes and Crazy Operations also always readily available to crush both wayward opponents and competitive rogue renegade elements alike.

To XSSXXXX is IT no Fools' Tool and Perfect Attacking Defence Weapons System. Take care out there, IT is dangerous in the wrong hands, hearts and minds, and can and will kill you if you choose to abuse and misuse it.

Have a nice day, y'all.

2
1

Re: To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order

the above shows just how effective non-US encryption can be, even if we have to go to Mars to get it.

4
0
Silver badge

Re: To XSSXXXX, is Creative IT Command and Control in Computers, a Brave New Orderly AI World Order

the above shows just how effective non-US encryption can be, even if we have to go to Mars to get it. ... Lyndon Hills 1

Hi, Lyndon Hills 1,

It would be a monumental folly to discount and dismiss home delivery whenever Martians realise takeaway is more than a number of steps too far for Earthlings to make and/or take.

It is neither wise nor practical to expect a primitive species to exercise quantum leaps and revolutionary actions they have no offence or defence against, so please expect something quite extraordinary to be rendered and presented currently for continuing disbelief and terrifying consternation.

3
0
Gold badge

What's an encryption product (in this context)?

Because I'm pretty sure that things like OpenSSH would be Hard for the US to stick a back-door into. (Not impossible, looking at recent history of subtle bugs, but certainly Hard.) IOW, the man is clearly an idiot who thinks the people he is trying to talk to are also idiots. (If I were one of the people he was talking to, I might take umbrage at that.)

6
2

Re: What's an encryption product (in this context)?

Bugs in OpenSSH would be more a case of bypassing it than backdoors. As far as I was aware, what they're after is people building in ways to bypass, which they notify the CIA etc. about and then keep there, rather than rightly fixing them as bugs.

3
0
Gold badge

Re: What's an encryption product (in this context)?

I was thinking a bit more tinfoil than that. I was wondering to myself if a sufficiently clever intelligence organisation couldn't sneak in a bug in a FOSS offering that would weaken the product in ways that only they were aware of, for however long it took before others spotted it. No, it's not a back-door, but it might be worth the effort anyway.

Note also that it wouldn't have to be in an obviously sensitive place. It might suffice to fiddle with the memory allocator (which may not seem like it is even part of the product) or make a trivial patch to remove a compiler warning.

But although this will probably be upvoted by the paranoid wing of El Reg's readership, I must say it seems a bit unlikely to me.

1
0


Biting the hand that feeds IT © 1998–2017