Tag: Encryption

Categories
Links

How to Interpret the 5th Amendment?

Declan McCullagh has an article on an important case in the US, where a federal judge has demanded a defendant decrypt a PGP-encrypted drive for the authorities. Case law in the area of decryption is unsettled, as McCullagh notes:

The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for at least the last 15 years arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled “Compelled Production of Plaintext and Keys.”)

Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.

On the other hand are civil libertarians citing other Supreme Court cases that conclude Americans can’t be forced to give “compelled testimonial communications” and extending the legal shield of the Fifth Amendment to encryption passphrases. Courts already have ruled that that such protection extends to the contents of a defendant’s minds, the argument goes, so why shouldn’t a passphrase be shielded as well?

Eventually the case law around encryption has to be addressed by SCOTUS. There are too many differing positions at the moment; clarity is needed both for users of encryption in the US, and for counsel seeking to prosecute and defence clients.

Categories
Links

Primer on GPG in Mac OS X

Robert Sosinski has a good walkthrough of setting up GPG in OS X. Hopefully we’ll see some non-console-based instructions sometime in the near future to help those who are gun-shy when presented with a command prompt!

Categories
Quotations

The NSA was quite aware that many new network systems were being built rapidly during the dotcom boom, and if cryptography wasn’t built in at the start, it should usually be too expensive to retrofit it later. So each year the NSA held the line on crypto controls meant dozens of systems open to surveillance for decades in the future. In these terms, the policy was successful: little of the world’s network traffic is encrypted, the main exceptions being DRM-protected content, Skype, the few web pages that are protected by TSL, opportunistic TLS encryption between mail servers, SSH traffic, corporate VPNs and online computer games. Everything else is pretty much open to interception – including masses of highly sensitive mail between companies.

~R. Anderson. (2008). Security Engineering: Second Edition. Indianapolis: Wiley Publishing Inc. Pp. 795.

Categories
Links

‘Going Dark’ Versus a ‘Golden Age for Surveillance’

A critical read about the contemporary aims of intelligence and policing communities to expand their technical surveillance capabilities whilst reducing legal oversight of their activities. A snippet:

This post casts new light on government agency claims that we are “going dark.” Due to changing technology, there are indeed specific ways that law enforcement and national security agencies lose specific previous capabilities. These specific losses, however, are more than offset by massive gains. Public debates should recognize that we are truly in a golden age of surveillance. By understanding that, we can reject calls for bad encryption policy. More generally, we should critically assess a wide range of proposals, and build a more secure computing and communications infrastructure.

Go read the whole piece. It’ll take a few minutes, but it’ll be some of the best minutes you’ve spent today.

Categories
Links

DiskCrypt turns any laptop storage into a self-encrypted drive

An interesting product:

At CES, Singapore-based ST Electronics was showing off a new security device that can be installed in nearly any notebook computer to protect its data from prying eyes—Digisafe DiskCrypt, a hard-disk enclosure that turns any 1.8-inch micro-SATA device into removable and fully encrypted storage. The enclosure, which is the size of a 2.5″ drive, can be used as a drop-in replacement for existing drives.

 

Before boot, DiskCrypt requires a USB dongle to be plugged in to pass the key, and it can also be optionally configured to require the user to enter a password for two-factor authentication. The hardware can handle up to150MBps of data throughput, so once it has been activated it’s completely transparent. ST Electronics’ deputy director Jimmy Neo claimed the encryption module has no impact on read/write performance.

All this is pretty standard for a self-encrypted drive. The main advantage of DiskCrypt is that it can be put into nearly any existing notebook. If there’s a drive failure, a need to move from hard disk to SSD—or just swap out the drive—the enclosure can be quickly opened and the storage device popped out. Separated from the encryption enclosure, the drive is practically the same as destroyed.

It will be important to test this against a hostile attacker, or situate it in a hostile general environment. There is a depressing history of encrypted storage solutions along these lines failing when confronted by a serious attacker. While the crypto itself might be secure, a side-channel attack (the most common means of subverting encryption schemes) could compromise the drive.

Categories
Links

Side Channel Attack =/ Cracking Encryption

From the article:

BlackBerry messenger is “significantly less encrypted compared to the BlackBerry email that corporations are using,” Leif-Olof Wallin, an analyst at Gartner Inc., based in Sweden, recently told Bloomberg News. “Any kind of cryptographer should be able to crack it without the involvement of (parent company, Waterloo, Ont.-based Research in Motion).”

BBM for consumers is sufficiently encrypted and it isn’t a simple matter for ‘amateur cryptologists’ to easily break it. No: the deficiency with the communications encryption
is that RIM uses, and possesses, a common global key to provide transit security to BBM messages. In the case of users that are linked to a BlackBerry Enterprise Server (BES) the BES administrator is responsible for establishing the encryption/decryption keys. As a result, RIM is incapable of breaking the BES infrastructure. It should be noted that, with consumer BBM traffic, the supposed attacker is a transit middle-man and not the government. RIM protects end-users from this – which doesn’t happen with a SMS message – and makes no bones about being there to protect consumers from legitimate (in the sense of legally justified, rather than normatively acceptable) government interceptions.