back to article Here we go again... UK Prime Minister urges nerds to come up with magic crypto backdoors

UK Prime Minister Theresa May has reiterated calls for a special magic version of encryption to be developed by technologists so law enforcement can access everyone's communications on demand – and somehow engineer it so that no one else can abuse this backdoor. Speaking at the World Economic Forum (WEF) in Davos, Switzerland …

Silver badge

Re: Intel have already done this for them... what's the problem

I don't know why the PM is still banging on about this - Intel have done it for her, allowing them to read the memory of any device at will...

Well the problem is they didn't do it for her, so now we need our own solution. What would be better would be if all the governments of the world (USA, UK, Russia, China, Burma, North Korea, Syria, Iran, Yemen, South Sudan, Venezuela...) would sit down together and agree on a common backdoor to spy on their citizens so we don't have to keep replicating the effort. It can't be that hard.

4
0
Silver badge

Re: Intel have already done this for them... what's the problem

The perfect solution!!

Tell them it can be done, and then get them to set up committee's etc. with all the 'agreeable' countries in the world in order to come up with one standard approach.

Stand back and let them get on with it. Keep telling them that we will come up with the code once they have agreed on the requirements. It'll never see the light of day again.

Also, it's a gravy-train the could be ridden forever. Why aren't techies more corrupt and self-serving*?

*Started out as a question but then I realised that this is the first line of a joke, the punchline to which is obviously 'because then they would be politicians'.

6
0

National key storage

How about this for a compromise: when two endpoints A & B negotiate a shared encryption key, make them use 3-way negotiation, between A, B and K where K is a national key storage facility which stores keys for a limited time and releases keys to security services following a suitable legal process.

By "3-way negotiation" I'm presuming it's possible to securely generate a key known by 3 parties but not by eavesdroppers.

I'm not advocating a facility to record the data (encrypted or unencrypted), just to record decryption keys (for a limited time) for cases when the security services already have wiretapped data for which decryption is likely to be in the national interest.

This is a compromise to privacy, and safeguards would need to be in place such as publishing the number of key requests, but it's better than forcing all encryption to have back doors, which any attacker could use.

0
13
Anonymous Coward

Re: National key storage

Escrow key systems already exist (and they are essentially backdoors) - just they are not deemed secure. There's also the problem - who process and stores the keys? - especially when the communication are trans-national.

7
0
Silver badge

Re: National key storage

You would also have to make *all* other types of encryption illegal and make people all over the world stop using their own code.

Not sure that works to be honest :P

6
0
Joke

Re: National key storage

Hold your horses with the downvotes here, misterinformed might actually be on to something

Let's take this, or a similar idea and run with it.......

First of all we set this up as a Government IT project.

Let's give the contract to oh I dunno, Crapita?

We give them a deadline of five years to deliver something.

That should buy us at least a decade before anything actually happens because of course, and even if they do come up with something it will be guarenteed not to work properly

Also by the time we start to see any results a few things will have happened

Technology will have moved on and may have rendered the whole project irrelevant

The current nutters in charge will have forgotten about it and will have moved on to the next hobby horse they think will grab them votes

There will have been a general election or two so the government of the day could easily gain popularity by scrapping the whole thing as being years late and massively over budget

Of course I'll happily volunteer to lead the project in return for substantial remuneration. I could do with the retirement cash

Surprised nobody else has thought of it........

4
0
Silver badge
FAIL

So to translate...

"She then threatened to use her pulpit to apply social pressure: "No-one wants to be known as 'the terrorists’ platform' or the first choice app for paedophiles"

Give us a magic backdoor or we publicise that you're helping criminals and paedophiles whenever a crime happens, whether it's related to your service or not.

Theresa, go back to doing whatever it is you do best (I genuinely don't know if there's anything on that list).

9
0

Re: So to translate...

Spouting bollocks to try and forward her agenda of a totalitarian police state? That's pretty much what she does best.

9
0
Anonymous Coward

Re: So to translate...

>Theresa, go back to doing whatever it is you do best (I genuinely don't know if there's anything on that list).

Running through fields of wheat perhaps, or maybe just the girl jobs around the house?

3
1
Silver badge

Re: So to translate...

Running through fields of wheat perhaps, or maybe just the girl jobs around the house?

I know the original wasn't fields of wheat, but you've just given me the visual image of the most bizarre 'Little House on the Praire' remake ever....

3
0
Silver badge

NO IT IS BLOODY WELL NOT!

"Simply put, electronic surveillance is extremely useful for figuring out what those who would seek to cause harm to a country are up to."

Time after time with all recent events it's been shown "those who would seek to cause harm" are well aware of the possibility of being tracked. They communicate face to face, they communicate through 3rd parties. They communicate in their own code. They communicate through written word delivered through a (to them) trusted 3rd party.

Bombing cell phones with Predator drones in recent times has made "terrorists" (though recent data suggests "we" might be bombing more innocents than proper targets) very wary of using a cell phone to begin with. How is putting in a backdoor in a messenger app going to help if you've already made your target afraid to even touch ANY phone to begin with!

9
0
Anonymous Coward

Human nature has a basic trait of passive "wishful thinking" for something to solve problems that frustrate them. There is possibly a correlation in an individual with their degree of faith in an organised religion.

8
1
Silver badge

I'm glad you caveated your last statement with 'organised' religion.

0
0
Anonymous Coward

"I'm glad you caveated your last statement with 'organised' religion."

An individual person's personal expression of their spirituality is their business - as long as it does not entail deliberate harm to others. Once it becomes a hierarchical organised religion then it quickly tends to become a tribal vehicle for those seeking power over others.

3
0
Anonymous Coward

From the "party" that shares passwords.

Seems to be put up so the walking dead can blame those "in a job in the computers" ("not a proper job, though, is it?").

If the dumb ass wanted some leverage she would have been banging on (and on) about the need for "us" "all" to have an online identity that cannot be repudiated or falsified.

3
0

Shall we try putting into terms they may understand

you have your secure emails / accounts that only you can see - secured

you have your secure crtypto key

However, you need to give the police and whoever else a crypto bypass so they can go in and look when they feel like it

Now stop anyone else from either accidently getting the crypto bypass or working out how to create their own version and stealing all the emails / money

Of course, that is without there being initial errors in the crypto code making it easy to break (WPA)

translated for politicians

As a government you need to put all your money into a safe location... say a safe

You have your key

However, you need to give the police and whoever else a skeleton key so they can go in and look when they feel like it

Now stop anyone else from either accidently getting the key or working out how to create their own version and stealing all the money

Of course, that is without there being initial errors in the lock making it easy to break / bypass (bumping anyone)

5
0
Anonymous Coward

It is not possible to make all "evil" people use the same encryption.

Good people need to be provided a safe and verifiable email service, where government and business can email employees, customers, and be known to be from the correct email address to avoid phishing and then there is reduction of snooping for advertising, curiosity or crime.

One way is to make a secure email service {SEM} is to keep all the email on a set of exclusive servers, it would not move outside the servers to other public email servers. One logs in to it deposits email collects email and logs out as usual but it only moves within the server from known addresses to other known addresses.

Limiting the problem of snooping and other crime would reduce the need for encryption, the government could supply a series of encryption of specific levels for usage on the email service. should the government need to access the encrypted email they would have a master key, one imagines access would be rare as it would be primarily be business email not criminal communications.

So as generator the Gov would have a key, people would use the encryption as usual.

0
3

I would suggest that the crypto key is issued by the government that is the "country of origin" where the data is sent from or stored ie. website/email from example.com would use a SSL key/cert issue by uk.gov allowing data for the .co.uk website to be decrypted by those officials that need to access the data legally. Of course, this would be have be compulsory stopping cert providers issuing certs to data providers in another country.

0
4
Silver badge

Something must be done about the extremists

They are an existential threat to our nation and have no respect for our traditions or our rights. They hide in plain sight and attack us when we least expect it. They use the media for propaganda and try to stoke up fear in the public to try to achieve their goals. They attack the public because they are soft targets, especially at places where they are vulnerable like airports. They use seemingly moderate people to push their agenda and pretend they're not as bad as they are painted or that they're not all like that and anyone who paints with a broad brush is a cynic or a bigot. The moderates try to use the police to silence voices of dissent claiming hate crimes or sexism. They want the impossible and are willing to use any means necessary to try to get it. When you get rid of one group of extremists another pops up in its place who are at least as bad as the last lot. It's enough to make you abandon the tory/labour duopoly and vote green.

10
0
Bronze badge
Headmaster

Forgetting the Point

The argument goes away when you read the UN Declaration of Human Rights (which all members must sign up to) my emphasis

Article 12.

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

So any interception or interference with Private communications is a breach of your fundemental Human Rights

7
0
Anonymous Coward

Re: Forgetting the Point

"UN Declaration of Human Rights"

IIRC Theresa May says she is taking us out of that declaration as well.

0
0
Silver badge

Re: Forgetting the Point

"UN Declaration of Human Rights"

IIRC Theresa May says she is taking us out of that declaration as well.

The un-declaration of Human Rights....

She's going to find herself with a suspicious invite to the Hague at some point....

2
0

Impossible? No

So, let's look at how this could be done.

First, a principle of security is not to rely on 'security by obscurity'. Every detail of the scheme must be open to peer review. The only secrets are keys. Obviously the scheme will have to be opt-in for manufacturers.

OK, so here's a suggestion:

Messages are encrypted by a secret key K. That can be a per message key, session key, whatever. Apps use existing key exchange mechanisms, whatever they want, to establish K. Our goal is to ensure K is also available to the government.

To make K available, we could require that it be encrypted under a government public key PK, and the encrypted form shared with each message. The trouble is, who do you trust to control the corresponding government private key?

The traditional answer to this is secret sharing. Split K into K1, K2, ... Kn shares using an 'm of n' secret sharing scheme. Any m shares suffices to recover K, any m-1 tells you nothing at all (there are established mechanisms for this, e.g. https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).

Now encrypt each share using different government public keys, PK1, PK2, ..., PKn. The corresponding private keys are held by different government agencies (police, courts, whatever). The bundle of encrypted shares is sent with each message.

Approved government decryptions require cooperation across agencies. Similarly, compromising the system requires collusion across different branches of the state. It's not perfect, but as I'm sure most Reg readers already know, the security of a real-world security system isn't about the crypto, it's about the human processes that manage the system. Sprinkle on some good key management and audit practices, and it's as good as you're ever likely to get.

And yes, I acknowledge there's significant message bloat to carry all the encrypted shares. These days, data is cheap and networks are fast.

0
7
Silver badge

Re: opt-in for manufacturers

Any manufacturer who opts in will be boycotted by the public.

6
0

Re: Impossible? No

And how do you convince crims to use this encryption, rather than something secure?

8
0
Silver badge
Stop

With the TL;DR caveat on comments

surely there is an absolute fortune to be made here. It matters not a jot that unicorns don't really exists. If Theresa May is continuing to insist they do, then surely she'd be willing to spunk a few million on them.

Don't worry about being exposed by an "expert" we all know they're biased anyway. And if one should get close, just suggest it's just jealous because they didn't think of it first.

We could trumpet it to the world as a sterling example of post-Brexit British excellence.

9
0
Silver badge

Re: With the TL;DR caveat on comments

The gravy train exists - unicorns are a lie.

5
0
Silver badge

Re: Unicorns

We have faith that they are pink; we logically know that they are invisible because we can't see them.

7
0
Silver badge
Thumb Up

Re: With the TL;DR caveat on comments

Where's that guy who sold novelty golf-ball detectors as explosive detectors to the Iraqis for $$$$? Get him on the case!

5
0
Silver badge
Joke

So many comments here lacking that can-do attitude we need. I am working on a solution based on blockchain and would welcome early investors to make it a reality.

10
0
Silver badge

I would put money on it that if you went to TM with a proposal and your hand out for cash she would see through it because she *knows* it's impossible.

2
0
Silver badge

I'm in favour

But first, I think Ms May should quadruple the NHS budget, triple the spend on our military, make all UK electricity generation free from greenhouse gas emissions, become completely independent of fossil fuels, and get the unemployment rate down to under 5%. While decreasing taxes across the board.

After all, there are enough bright economists and brilliant politicians in the government that they could surely achieve all that if they put their minds to it?

Only then should we turn our attention to the less important stuff such as making backdoors in encryption algorithms that will only work for the pure of heart.

10
0

Bag. Cat. Out.

Smell the coffee, Theresa.

1
0
Silver badge

Data Value

It is sensible for any person to safeguard data directly in relation to its value.

When the TLA's were going after* actual criminals/terrorists etc. most everyone else thought that 'their' data was worthless and took little to no steps to safeguard it.

Now that everyone knows all the governments and shitty companies want their data soooo badly that it *must* be worth something, so are now taking steps to secure it accordingly.

Why is this so hard for politicians to understand? No matter what they do, there will be a reaction to it, and the technical world can respond to their inane bullshit a lot faster than they can come up with it (and get it into law).

When they come up with a way to 100% copy protect films/games etc. we might have reached a point in human evolution where we could re-visit some of these assumptions about cryptogrophy, but if you want my advice: don't hold your breath.

*Well, before everyone discovered what they were actually collecting.

3
0
Mushroom

Finger etc on the button

It is fairly easy to put somebody's finger / iris on a scanner. Even if they have become recently deceased in custody etc

If I have memorized my encryption passphrase then its going to need a $5 wrench ( https://xkcd.com/538/ )

or Regulation of Investigatory Powers Act 2000 .c 23 Part III Power to require disclosure Section 49

or an orange jump suit with a towel & some water.

As for backdoors - I once wrote an simple program that embedded the password into the header of the file that was encrypted. Obvs this was so we could recover the file when the user forgot his the super sekrit password.

As for metadata... Maltego is still my professional friend

From Register archives - FUD flies as Raytheon reveals social media analysis tool

My comment still applies re "privacy" - Its only a Secret if you don't tell anyone https://forums.theregister.co.uk/forum/1/2013/02/11/raytheon_riot_privacy_hyepgasm/#c_1725101

2
0
Bronze badge

They do not need it, they only want it

Metadata is plenty enough for them to get suspicion and move from there to actual work (surveillance).

Who on earth would be stupid enough to actually use 'sensitive' keywords in their messages if they were actually planning something anyway? It will all be aliased and so keyword scanning would provide nothing. Government just wants to look like they have an answer and look like they are 'doing something' but at the same time not actually spend a huge amount of money.

2
0
Silver badge

Re: They do not need it, they only want it

You had me up to but at the same time not actually spend a huge amount of money

As long the politicians can spend as little of their own and claim the rest as expenses, Tax money is there to be frittered away to ensure executive board seats at retirement...

2
0
Silver badge

I’ll do the it!!!

Writing insecure crypto is easy. I have a great derivation or ROT-13... I call it ROT-29. I wrote it with my friend John Veiler... we were considering calling it Rot-Veiler... but it sounded silly.

Now, if we will ever have secure crypto... with a back door. We first need military intelligence, open secrets, jumbo shrimp, and a few dozen more oxymorons.

Encryption by its very definition cannot contain back doors. It is mathematically impossible. Not like “I have a theory about Brangelina’s breakup”. But as in the mathematical theorems have not been discovered to allow something known to be breakable to be called secure.

I suppose, I’m the U.K., the people have never had to be concerned with government corruption, corrupt policemen, etc... but in the rest of the world, we use encryption to protect the innocent... quite possibly from their governments.

Unfortunately, that places a greater burden on the government when protecting the innocent from the dangerous, but what’s the point of protecting people from the bad guys if your only goal is to remove their liberty?

In addition, there is no possible way to block people from using encryption. So, if you keep the good people from using it, it won’t help with the bad people.

4
0
Anonymous Coward

Why?

Why do we need to "protect ourselves" more than we currently do? The world hasn't fallen down, terrorism is no worse than it ever was, and more information is being made publicly available. Does anyone believe that we are worse off now than say 15 years ago when you were lucky if you had a bebo page?

10
0
Silver badge

Leadership

I think this is an excellent opportunity to lead the way in responsible encryption.

Governments that want to make people use crypto with a secret back door should implement this on their own systems first, just to demonstrate their confidence in the technology.

Strong and Stable.

5
0

Magical Thinking

"The insistence by political leaders and prosecutors that there is a way to both have a backdoor and not have a backdoor has been put forward so frequently that experts have even come up with a term to summarize it: magical thinking."

Isn't there already a term for it? "Cognitive dissonance".

Just wait for those grapes to turn sour...

4
0
Silver badge

Re: Magical Thinking

"Isn't there already a term for it? "Cognitive dissonance"."

Doublethink.

2
0

Two possibilities.

1) She's ignorant as fuck. Cannot exclude this, given what she's done and said so far.

2) She's evil, understands cryptography, and pushes on knowing full well what it will do (not solving crime or catch the really bad guys, but giving away any privacy of normal folk. Could come in very handy).

3
0
Holmes

>>> 1) She's ignorant as fuck. Cannot exclude this, given what she's done and said so far.

This one, if you have any doubts just check what she and her party did on the last election.

2
0

Mrs May is TAPS (thick as pig . . . )

Traditionally, anybody truly desperate to go to Oxford applied to read Geography. There was a mechanism whereby those new students enrolled in an overly large Geography intake had a few weeks to apply to another department for a transfer. Mrs May neglected to do this.

On graduation, the same mediocre Geography graduate ( a second) decided on a career in the city. At this time, the least desirable jobs for high flyers in the city were in financial PR and the Bank of England, somebody had to be really unimpressive not to find a starter job in a merchant bank of a big brokerage (separate at the time).

She is Prime Minister and she still believes in fairies and "back doors". Isn't there a single person in No 10 who can explain that this kind of secret cannot be kept secret?

3
0

Re: Mrs May is TAPS (thick as pig . . . )

"Isn't there a single person in No 10 who can explain that this kind of secret cannot be kept secret?"

You have probably never worked for a medium/large company, or government, or at least have not had to deal directly with very senior management/officials.

PM May almost certainly has no one who reports to her, nor anyone who reports to her reports, with any crypto background, and possibly no one with any hands-on tech background.

Some outsider or low-level functionary who comes in with a claim like that is easily dismissed, as obviously boffins find solutions to previously impossible problems all the time, so how can it be true? Anyone who disagrees is not a "team player", so all those direct and second-level reports nod their heads wisely in agreement, and the claim is ignored. Happens all the time. Hans Christian Anderson even wrote a story about that "team player" managerial mentality, called "The Emperor's New Clothes".

4
0

Re: Mrs May is TAPS (thick as pig . . . )

All your assumptions about my experience and who/what kind of organisation I have worked for are wrong.

Just except that Britain is uniquely ill-served by its Prime Minister. Would Canada's PM or France's President made such a basic error?

0
0

Am I missing something?

OK, here's my simplistic view of a solution, I'm sure someone will be along in a minute to tell me why I'm wrong.

Let's say you run a secure end-to-end encrypted messaging service like WhatsApp.

The 'good guys' come to you with a proper court order or warrant saying you have to let them listen in on messages sent to or received by user1234.

You send a software update to that user's phone that silently adds a backdoor to their encryption, and from then on send the decrypted messages to the 'good guys'.

Obviously, it doesn't work for messages prior to the court order being served, but that shouldn't be a problem.

What else am I missing?

0
1

Codes not ciphers [..or OFFS not again!]

The kitten has a hairball stuck and needs to see the vet.

2
0
Anonymous Coward

Free postage

Here's how I control my worldwide team of l33t agents.

I setup an Ebay shop called hollow_volcano selling widgets and other crap. I use stegnogaphy to implant my messages into some of the shop photos. When agent-X decodes the message he uses a dead drop to get disposable_agent-Y to order some widgets.

Five blue and five red widgets means agent-X is available but five blue and five green widgets means that he is not. (other colour codes are available)

mwahahaha!

3
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018