Category Archives: Encryption
The Ultimate Guide to Key Management Systems – Hashed Out by The SSL Store – Hashed Out by The SSL Store
If Your Private Key Gets Compromised, So Will Your Encrypted Data Its Why Key Management Systems Are Critical For Any Business Using Encryption
Do you know where your car keys are right now? Your house keys? Considering how important they are, we hope so (or else youll be taking an Uber home and then calling a locksmith). You also probably have a set place for them to reside when you arent using them somewhere secure, like inside your house or in your pocket.
If youre using encryption for any purpose, then you should have a similar system in place for your private keys. They are the critical piece of the cryptographic equation that, when combined with an algorithm, is the key (pun very much intended) to transforming encrypted ciphertext into plaintext that you and I can read.
One of the best things about encryption is that, if used properly, it is essentially impossible to crack. The private keys are one of the weak points, however. If someone gets their hands on yours then theyll be able to decipher the sensitive information that you intended to keep safe and secure. Thus, cryptography keys are one of the most crucial assets that any company has, with the value of the key being equal to that of your most vital data.
Whats the best way to keep your encryption keys safe from cybercriminals? Thats where key management systems come into play. They play a critical role in protecting and managing your keys, which can be especially difficult as a business scales and a handful of keys suddenly turns into hundreds, thousands, or more.
So, what does key management mean, exactly? What are the benefits of using a key management system? And what are the different types of key management platforms?
Lets hash it out.
When we talk about key management, were referring to all the tasks relating to cryptographic keys in an encryption system creation, usage, storage, exchanging, archiving, deleting, and replacing. The overall goal is to protect every key that an organization has, preventing attackers and unauthorized users from getting their hands on the data that has been secured via encryption.
Nowadays, companies possess more data than ever, with significant portions of it being sensitive information that must be protected. Because of the potential value of this data to cybercriminals, more and more businesses have turned to encryption to protect against an uptick in security breaches, prevent costly data losses, and remain compliant to regulatory requirements. Its now to the point that having thousands of cryptographic keys is commonplace, with key management systems (KMS) becoming the primary way of safely, securely, and efficiently handling them all.
Key management covers all of the keys in a cryptosystem at the user level, between either users or the system itself. An effective key management system should be robust and have comprehensive policies for:
There are three broad approaches that can be taken for key management systems:
We recommend a centralized approach in the vast majority of situations, finding that one single system is much easier to manage (with less potential for mistakes or oversights) and avoids contradictions or conflicts between teams or users. Even if different departments have drastically different needs, it is still better to make sure that everyone is on the same page as far as the basic protocols and requirements. Centralize your KMS as much as possible.
Without a proper management system in place, keys can be lost or compromised, resulting in lost access to critical data. Unfortunately, key management gets harder and harder as the size and complexity of your cryptographic ecosystem increases. Key management systems are designed to address the challenges that organizations face when dealing with cryptographic keys, things like:
Now lets go into more detail regarding the benefits that key management bring to a business and the reasons for implementing such systems.
The features of key management systems help boost security thanks to technical elements that help prevent lost, stolen, or misused keys by:
Many organizations turn to encryption because its a requirement of local laws or industry regulations. The specifics of the requirements can vary widely depending on industry, location, and other factors, but no matter what, companies want to avoid the costly fines and penalties that result from non-compliance.
Therefore, key management systems act as a kind of insurance, adding an extra layer of security for data that must be kept safe and confirming that the necessary precautions have been taken ahead of time in order to remain compliant with standards like:
Key management systems are designed to simplify, automate, and scale, which translates to reduced costs for organizations by:
Its the primary goal of encryption in the first place, and key management systems help maximize data protection. It empowers businesses to be selective about key access, only allowing certain employees, applications, or devices to access the keys, and thus the encrypted data they protect. The controls provided by key management systems play a crucial role in preventing valuable information from making its way into the hands of unauthorized or hostile users.
If a simple spreadsheet or list of keys sounds like a good idea, think again. Modern key management systems give users the ability to easily and efficiently manage their keys at every point in the lifecycle. There are different types of key management platforms that have different advantages and disadvantages depending on the needs of the end user. Regardless though, theres a few attributes you always want to look for:
As far as the platforms themselves, they can be broken down into a few basic types:
HSM stands for hardware security module, and is a kind of server that has additional levels of security levels in order to prevent breaches:
HSMs can be used to generate keys, keep them safe from electronic or physical attacks, and make use of the keys within while performing encryption or decryption tasks. An HSM can be used as a key management system, but there are downsides:
This is the same as above, except that the HSM is in the cloud, hosted by a third party provider. These are ideal for companies that are lacking in security resources and cant properly implement an HSM themselves or want to move their security off-site for any other reason. The same hardening measures are still present on the HSMs themselves, theyre just in a different physical location than the end user.
Virtual instances of key management systems offer a few different advantages over HSMs. First off, deployment is usually a much quicker process. HSMs are a physical product that need to be shipped somewhere. Then, a physical installation is needed. A virtual instance on the other hand, can be downloaded from a vendors server in a few minutes and no physical installation is required. Virtual systems also provide more flexibility than HSMs, since they can be installed on any machine that supports the virtual platform running the key manager, such as VMWare.
The virtual element can also be a downside, however. Because theres no physical components, the software of the key manager cannot be FIPS 140-2 validated it can only be FIPS 140-2 compliant. If youre required to have FIPS-140-2 validation by any particular regulations, then youll have to go with an HSM instead. Usually, though, the level of security given by a FIPS 140-2 compliant key manager system is more than enough for the average company.
A key manager system can also be dedicated, or as a service. This kind of configuration is offered by cloud providers like Amazon Web Services (AWS) or Microsoft Azure, which have marketplace offerings in addition to their own key management as a service (KMaaS) systems. These systems are usually multi-tenant, which can be viewed as a negative since it means that several different end users will have their keys stored on the same key manager instance. For clients with security concerns, this type of system is not ideal. Because of this, dedicated services are also usually offered by providers via independent vendors.
Its critical that every organization make key security a high priority, no matter what type of key management system they end up going with in the end. Key management systems make life much easier for end users, while maximizing security at the same time. Sensitive data needs to be restricted, and key management systems provide the kind of organization and control that will ultimately keep it out of the hands of attackers.
Will regulation adapt to encryption, or will encryption adapt to regulation?Expert answers – QNT
Blockchain technology is expected to provide humanity and freedom with the rise of blockchain technology Web 3.0, a truly decentralized Internet. Some people even think that Significant rise of decentralized finance (DeFi) Department has become an important sign of conceptualization From centralized service to decentralized service, Web 3.0 is its cornerstone.
and, Some even compare The invention of blockchain technology revolutionized the emergence of the Internet itself.Symbolically, the original source code of the World Wide Web developed by British computer scientist Tim Berners-Lee is Will be auctioned June 23 at Sothebys Irreplaceable tokens, Or NFT. All three of them NFT, DeFi and Web 3.0 tangled together. But with the comparison between the Internet and the blockchain, a crucial concept has emerged: Without proper supervision In the field of encryption and blockchain, technological innovation will not be as successful as we have seen in the past 25 years. It will change the world as we know it.
It is now obvious that a Lack of regulation will hurt crypto innovation. With the significant growth in the field of decentralized technology, this field has begun to attract more and more attention from global regulators. Their goal is Stablecoin, Go to financial institution, NFT, Crypto assets, Smart contract, Non-custodial wallet, Central Bank Digital Currency and many more.At the same time, some experts such as Caitlin LongTake the founder and CEO of Avanti Financial as an example, see the beginning Crypto regulation crackdownAs a positive trend, this will only benefit innovators. Others have proposed The right way to supervise encryption.
On the other hand, current supervision is not suitable for encryption, and adjustments to newly emerging decentralized technologies may undermine the core value of decentralization. Let us return to where we started: centralized parties control the space. In order to become a regulated industry, is this the price we are willing to pay?
related: Decentralization and Centralization: Where is the future?Expert answers
In order to find the right balance, the encryption space needs deeper and closer working relationships, which will Including regulators and innovators. Only in conversation Crypto companies and regulators, Is it possible for the authorities and industry representatives to find the right way to supervise the emerging technology industry? Through smart supervision And the space that is expected to change our lives this promise was realized at the turn of the last century through appropriate Internet regulations.
In order to understand the opinions of the crypto and blockchain industry representatives on this regulatory dilemma, Cointelegraph contacted some of them and asked them for their opinions on the following issues: Will encryption lose its core value in the process of being regulated, or will regulation adapt to decentralized technology and its benefits to society?
Read the original here:
Will regulation adapt to encryption, or will encryption adapt to regulation?Expert answers - QNT
China ‘all in’ on its own encryption brand – BollyInside
China is actually all in on crypto. Make no mistake about that, Haun said on Squawk Box, despite its latest crackdown on bitcoin mining and crypto services. The Chinese governments five-year plan drafted earlier this year for the first time mentioned blockchain, which is the decentralized digital ledger technology that underpins cryptocurrencies such as bitcoin.
Chinas most recent actions to restrict bitcoin mining in the country and apply pressure to financial services firms against providing crypto-related services has weighed on sentiment in crypto markets.
However, she stressed that Chinese President Xi Jinping and other officials are all in on their brand of crypto, which is a closed permission system. Kind of at odds with the open, decentralized protocols we see as the future of the crypto system.
Bitcoin on Tuesday fell below $30,000 and, at one point even further, briefly losing all of its 2021 gains. The worlds largest cryptocurrency has recovered somewhat, trading at nearly $34,000 on Thursday.
This is hardly the first time China has put restrictions on bitcoin, Haun noted. In 2017, the country moved to shutdown local crypto exchanges, which forced them to move offshore. It did not, however, put an end to the influence of Chinese bitcoin traders.
China also has long been home to more than half of the worlds bitcoin mining capacity; so-called miners use high-powered computers to verify transactions across the blockchain network and are rewarded for their efforts with bitcoin.
The fact China is now ratcheting up its crackdown, Haun said, ultimately reflects the staying power of open decentralized crypto like bitcoin because weve seen this happen before.
Hauns appearance on CNBC came shortly after Andreessen Horowitz announced it was launching a $2.2 billion cryptocurrency-focused fund.
So, I think China is going all in on crypto in a big way and this is a big opening for western societies, and the U.S. included, to lean in, she said.
The well-known Silicon Valley venture capital firm has been involved in the digital asset industry for years, debuting its first dedicated fund in 2018 even as bitcoin and other cryptocurrencies withered during the so-called crypto winter. Haun, also a former Justice Department prosecutor, and Chris Dixon, who founded and ran two start-ups, are in charge of Andreessen Horowitzs crypto group.
Andreessen Horowitz was also the largest outside investor in Coinbase at the time of the crypto exchanges direct listing in April. Haun is a Coinbase board member.
Bitcoins all-time high of nearly $65,000 came on the same day of Coinbases public debut. That day, April 14, was also when Coinbase hit its intraday record of $429.54 per share.
Both the cryptocurrency and Coinbase shares are currently well below those levels. Coinbase traded at around $228 per share Thursday.
Disclaimer: If you need to update/edit/remove this news or article then please contact our support team.
See original here:
China 'all in' on its own encryption brand - BollyInside
How the FBI Is Trying to Break Encryption Without Actually Breaking Encryption – Gizmodo
Photo: MANDEL NGAN/AFP (Getty Images)
Since at least the 1990s, federal officials have publicly worried that encrypted communications give aid to terrorists and criminals. More often than not they have, to some degree, been right.
In the early 2000s, Los Zetas, the infamous Mexican cartel, actually created their own military-grade encrypted radio network, which they used to mask the movements of their narco-trafficking supply chain. Around the same time, al Qaeda and other terrorist Mujahideen groups began using self-engineered encryption software in the hopes of avoiding the all-seeing eye of Americas national security state. Other criminal groups quickly followed suit and, today, the need for dark capabilities has given rise to companies that intentionally court and sell exclusively to underworld clientele. These firms, which allegedly go to great lengths to protect their customers, appear to have a short life span, however: In the last few years, a number of prominent encryption platforms and other technologies have been infiltrated and dismantled by law enforcementwith the most recent example occurring just a week ago.
Last Tuesday, the U.S. Department of Justice announced Trojan Shield, a bold, over-the-top law enforcement operation. In it, the FBI used a high-level criminal informant to co-opt and then run an encrypted chat platform, called ANOM, designed specifically for transnational criminal organizations. Rather than infiltrate an existing platform, the feds had decided to create and operate their own. When drug traffickers and money launderers flocked to ANOM, the FBI and other authorities were waiting, ready to intercept and study all of the communications the crooks offered up. It was the honeypot to end all honeypotsa baited trap on a global scale.
Certainly, the short-term payoff from the operation has been overwhelming: all last week, governments throughout the world continued a parade of hundreds of arrests, with police holding press conferences and gleefully trotting out indictments related to the operation. Alleged biker gangs, Italian crime families, drug traffickers throughout the world were all ensnared. In the U.S., the Justice Department indicted 17 people allegedly involved in managing ANOM (despite the FBIs secret role), arresting a majority of them. The operation has also revealed a deluge of intelligence about the ways in which international criminal syndicates operate, which will doubtlessly help inform future investigations targeted against such groups.
And yet, one of the operations long-term goals, as stated by police, seems elusiveif not quixotic. We aim to shatter any confidence in the hardened encrypted device industry with our indictment and announcement that this platform was run by the FBI, said Acting U.S. Attorney Randy Grossman during a press conference last week. Similarly, Suzanne Turner, the special agent in charge of the FBIs San Diego Field Office, said that this should be considered a warning to criminals. [Those] who believe they are operating under an encrypted cloak of secrecy, your communications are not secure, Turner said. She later added that the operation would hopefully keep criminals guessing as to whether a platform was a legitimate business or one secretly run by the feds.
G/O Media may get a commission
Grossman and Turners statements mark a turning point in a decades-long effort by the U.S. government to undermine encrypted communication, which has proliferated into the mainstream in recent years, from Signal to iMessage, WhatsApp to Google Messages. If the cops cant break encrypted technologies, theyll break our confidence in them insteadeven if it means crossing the line themselves.
Encrypted messaging apps are pretty much untouchable by law enforcement, said James A. Lewis, a security professional with the Center for Strategic and International Studies, in a phone call. Lewis has studied the issue for years.
People used to speak by air-conditioners, or go for a walk in the park, he said, referencing Godfather-type scenarios, in which criminals would sneak around to avoid wiretapping. Now, he said, everybody, including the mafia, has a smartphone in their pocket. Thus, the temptation to rely on such easy methods of communication is strong. Its just a general shift to relying on messaging, he said. Criminals have moved with the rest of the population.
The companies that have preceded ANOMmany of which were infiltrated and dismantled by copsworked hard to conceal their activities, which were done in the service of criminal ecosystems centered around drug dealing and murder, government officials have argued. For instance, Phantom Secure, a now-defunct phone company that offered modified, encrypted Blackberry and Android devices, reportedly sold a majority of its services to Mexican drug cartels, which used the devices to communicate with underlings and strategize narcotics shipments. Two other platforms that were recently taken down by policeSky Global and EncroChatallegedly functioned in very much the same way.
Similarly, the devices used by the kind of groups ensnared in Trojan Shield are far different than your average civilian encrypted chat app like Signal or WhatsAppboth of which use end-to-end encryption, meaning only the sender and recipient have access to any conversations. Most often, they are modified phones that have had the GPS, mic, and camera capabilities disabled, and include a specialized encrypted chat app that functions on a closed loop with other devices specifically designed to communicate with each other. On top of this, the government claims companies that sell such devices will often offer covert protection to their customershelping to remotely wipe the contents of phones if they are confiscated by police. With all of these benefits, criminals have little incentive to give up these types of services because they are simply too useful to their operations.
A lot of the encryption is un-hackable, Lewis said. If you can get access to the device then your chances are better, but if you are just intercepting traffic, it can be exceptionally difficultmaybe even impossible [to hack it].
That unbridgeable impasse is partially why the FBI and other federal agencies have spent the last 30 years waging a slow-motion campaign against the use of encryption. During the first so-called Crypto Wars in the 1990s, national security politicos in the Clinton administration argued that the proliferation of encryption technologies worldwide would effectively create a force-field around corruption. Ever since then, federal officials have, in one way or another, aggressively pursued a workaround for the technology, often employing strategies that threatened civil liberties and treated Americans privacy as an afterthought.
This has gone through a number of different iterations. When the 90s lobbying to halt encryptions export didnt work, the feds quickly turned to a different strategy: lobbying the private sector to install backdoors in their encrypted networks so that the FBI could enjoy intimate access to Americans protected communications. Beginning in the mid-2000s, the Justice Department and the FBI went on a charm offensivetrying to explain to Congress and the American people why it really needed to do this. That campaign has lasted for years, with ongoing lobbying by the FBI director continuing to the present moment.
With Trojan Shield, it really seems like a whole new tactic in the governments ongoing battle against encryption, but one that is far more psychological than legal. Here, the bureau seems to be attempting to shake overall confidence in encrypted platformsinspiring doubt over whether those communications are really secure or just a giant honeypot with an FBI agent lingering in the rearview. In so doing, theyre basically trying to undermine a technology that serves as one of the few protections for everyday peoples privacy in a world intentionally designed to eviscerate it.
Jennifer Lynch, the surveillance litigation director at the Electronic Frontier Foundation, said that the recent operation was concerningadding that she doubted the FBI even had the legal authority in the U.S. to carry out Trojan Shield, which is probably why it was partnered with more than 100 countries, according to the DOJ.
We still dont know a lot about how this investigation occurred and how all of the data-sharing transpired among the different countries that were involved, Lynch said in a phone interview. What we do know, however, is concerning enough. The FBI said that they geo-fenced communications of Americans. That says to me that even the FBI doesnt believe they have legal authority under the Fourth Amendment or our federal wiretapping act to do what they did.
Extrapolating on that point, Lynch noted the bureaus partnership with Australia, which recently passed the TOLA Act. The law allows the Australian government to compel private companies and technologists to reengineer software and products so that they can be used to spy on users. Australias laws also allow for extensive wiretapping, ones that far outstrip the ones available in the U.S., Lynch said.
Basically, the FBI is laundering its surveillance through another country, she said.
Alternately, Lewis argues that the challenges posed by encryption force law enforcement to get creative with how they combat the increasing use of the technology by criminal groups.
You have to get a subpoena, you have to get the company to cooperate, said Lewis, explaining the current restrictions when police try to investigate malfeasance via encrypted chat platforms. The company wontin many caseshave access to the unencrypted data. Thats where something like this becomes attractive [to criminals].
Even with high-powered entities like the National Security Agency, the data they intercept wont necessarily be useful in traditional law enforcement investigations, he said. The NSA is not in the law enforcement business, he said. Theyre not collecting evidence. So even in the cases where they have intercepted traffic, it could not be used in court, said Lewis. So youve got technology problems and legal problems.
If the operation has seeded doubt about the security of the platforms for criminal use, then its done its job, he argues.
Its certainly planted a seed of doubt in their minds, he said, of the criminals. Uncertainty really helps. It means theyll want to do more face-to-face meetings or something else other than talk on the phone, which may make them easier to catch, he said.
Of course, the FBI plants seeds of doubt by chucking handfuls of the stuff at everyone within earshotits not just criminals who will fear that someones reading every text, its all of us. And for Lynch, thats an injustice.
I think that what the FBI did is highly suspect, she said, and I think that we should all be concerned about itbecause it makes us question the privacy and security of our communications.
Read more here:
How the FBI Is Trying to Break Encryption Without Actually Breaking Encryption - Gizmodo
WhatsApp vs govt: Can traceability and encryption co-exist? – Business Today
Amidst WhatsApp's own privacy policy havoc, many have questioned the irony of WhatsApp's recent challenge to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Intermediary Rules) on grounds of privacy.
That said, WhatsApp's challenge brings some key issues to light, especially with respect to compatibility of these rules with end-to-end encryption technologies and the consequent privacy implications.
Encryption technologies in India have long been a bone of contention, especially with the government's authority to require decryption of content under Information Technology laws.
Also Read: WhatsApp sues Indian govt, says new media rules mean end to privacy
The recently notified Intermediary Rules on 25 February 2021 for 'intermediaries' (e.g. WhatsApp, Facebook and Twitter) and digital media publishers (e.g. online news portals and video streaming platforms) have now created a pandemonium in the industry by requiring tracing and identification of users and deploying technological tools for content moderation.
Though these tracing and content moderation obligations apply only to 'Significant Social Media Intermediaries' (SSMIs) (i.e. social media intermediaries having over five million registered users in India), these rules create serious implications for online platforms and users across the board. Notably, WhatsApp has challenged these rules before the Delhi High Court as the 3-month timeline given to SSMIs to implement these obligations came to an end on May 26, 2021.
Identification of 'first originator'
Under the new Intermediary Rules, SSMIs 'primarily' providing messaging services are obligated to identify the first originator of information in India (without identifying the contents of the information) when required by court or executive order on grounds such as national security, public interest etc. This is a step further in the existing obligations to decrypt content upon government orders and maintaining decryption keys.
This is likely to be an obstacle for popular messaging platforms such as WhatsApp, Signal and Telegram deploying the signal protocol end-to-end encryption technology. With this cryptographic protocol, the users on such platforms are generally allotted numeric fingerprints (e.g. adding users through QR codes) and the messages are secured and only visible to the sender and receiver. This is an attractive feature for users to protect their privacy. However, pursuant to these new obligations, the privacy of users will be impacted with platforms implementing technical changes to enable user tracing.
Citing the landmark Supreme Court decision in KS Puttaswamy v Union of India (2017) 10 SCC 1 (Puttaswamy) on the fundamental right to privacy, WhatsApp, in its challenge, has reportedly contended that this obligation violates users' privacy rights as traceability of users will require collection and storage of user data on a massive scale. As per the recent statement published by WhatsApp on its website, "in order to trace even one message, services would have to trace every message". Though there have been several petitions challenging these rules (including WhatsApp's), there is presently no stay on the operation of these rules.
Also Read: MeitY defends new social media rules after WhatsApp lawsuit, assures right to privacy
While it may be argued that SSMIs can trace users by fingerprinting content with numeric codes, there are doubts about the accuracy of tracing without undermining encryption protocols.
For instance, WhatsApp has argued that tracing will be impacted if there are even microscopic changes in the information being shared and the format of sharing (e.g. sharing of an image versus screenshot of that image or adding an extra character or space to a text message).
Interestingly, in separate ongoing litigations since 2019, WhatsApp has objected to suggestions for enabling tracing, such as displaying the originator's information to the recipient of a forwarded message or encrypting original messages with special encryption keys (and corresponding private keys) known only to WhatsApp.
News reports also suggest that WhatsApp has also not confirmed the latest government proposal to the messaging platform for assigning alpha-numeric hash to messages exchanged on its platform. Technology experts have had an apathetic response to the feasibility of such measures, citing concerns such as difficulty in storing hashed copies of millions of messages exchanged on the platform, creating a virtual partition for the platform features across various countries, etc.
Content moderation
Apart from tracing and identification of users, another controversial obligation for SSMIs is to 'proactively' identify and moderate certain categories of information (such as child sexual abuse materials) using technology-based measures (including automated tools or other mechanisms). Adding another layer of review, the rules also require human oversight and periodic review of such measures by SSMIs.
This obligation is another challenge for platforms using encryption technology since, in order to identify and filter content, the content transmitted by users would need to be visible to the platform operators. In parallel, WhatsApp had also expressed its reluctance to implement measures for content filtering before the Supreme Court in In Re: Prajwala (Videos of Sexual Violence and Recommendations) Suo Motu W.P. (Crl.) No. 3 of 2015 due to its end-to-end encryption.
Since the present rules also envisage human oversight and periodic review of these measures, it appears that simply using automated tools (to analyse the encrypted content through numeric codes) to enable content moderation will not be sufficient. Implementing human oversight on content moderation without disrupting end-to-end encryption technology and ensuring accuracy and fairness with automated tools seems to be a Herculean task at this stage.
Also Read: 'User privacy remains highest priority': WhatsApp responds to Centre's 'trick consent' remark
Commercial implications and way forward
Circulation of fake news, child abuse material and other unlawful content has been a rapidly growing problem in India. While encryption protects users' privacy and security, it also leaves unlawful activities online unchecked. It is undeniable that regulation of online content is required to some extent and identification of perpetrators could be useful, but, on the other hand, there is also potential for arbitrary executive orders for user identification and content monitoring on vague and overbroad grounds.
The shield of encryption protecting the users' privacy may have to be redevised to comply with the new Intermediary Rules. Further to the proportionality test propounded by the apex court in the Puttaswamy decision, it is vital to ensure that there is a proportionate balance between regulatory scrutiny and privacy rights. Regulatory scrutiny should not be at the cost of users' privacy.
Although there are some safeguards prescribed under the rules, the existing review mechanisms under information technology laws should also be duly implemented against executive orders. To balance commercial concerns with regulation by the government, it is also crucial to have autonomous review mechanism and independent oversight by industry bodies (similar to some recommendations for regulation of cloud communication and the proposed data protection framework).
These rules are also riddled with certain ambiguities, such as interpretation of 'messaging' services, extent of moderation required, scope of human oversight and periodic review, etc., which may open doors to overcorrection, excessive regulation and potential misuse by administrative authorities.
Another aspect wreaking havoc on the industry is the impact on global practices of such platforms. For instance, storing meta data and location data for tracing the first originator may require weakening the encryption standards and open risks to data breaches and potential violations under stricter data protection laws like in the European Union. Gaps in legislative guidance and unrest in the industry have rendered the burning question for stakeholders (and the industry at large) - is end-to-end encryption technology compatible with these obligations?
While the Ministry of Electronics and Information Technology has stated that the new Intermediary Rules will not force platforms to break their end-to-end encryption, some stakeholders and experts have repeatedly argued that traceability and encryption cannot co-exist. Evidently, these additional obligations will significantly impact the commercial and technical operations of platforms that use encryption. It will be interesting to see the outcome of WhatsApp's recent challenge to the new rules and how the leading messaging platforms (or other SSMIs using encryption protocols) in India implement the necessary technical changes to comply with the new obligations.
(Harsh Walia (Partner), Abhinav Chandan (Partner) and Tanya Varshney (Associate), Khaitan & Co.)
See the rest here:
WhatsApp vs govt: Can traceability and encryption co-exist? - Business Today
Vergecast: Windows 11 leaks, RCS encryption, and this week in antitrust – The Verge
Every Friday, The Verge publishes our flagship podcast, The Vergecast, where co-hosts Nilay Patel and Dieter Bohn discuss the week in tech news with the reporters and editors covering the biggest stories.
In this episode, the show is split into three sections. First, Nilay and Dieter talk to Verge senior editor Tom Warren about this week in Microsoft: leaks of the Windows 11 UI, announcements from E3 2021, and Microsoft CEO Satya Nadella doubling as the companys chairman.
In section two of the show, Verge politics reporter Makena Kelly returns to explain the continuing push by the US government to enact antitrust legislation on tech monopolies this week, five new bills were introduced and the Senate confirmed a new commissioner of the FTC.
In part 3, Verge managing editor Alex Cranz joins in to chat about this week in gadgets and Google the company is adding end-to-end encryption to their Messages app, Sonos officially announced their picture frame speaker, and Telsas Model S Plaid made its big debut.
You can listen to the full discussion here or in your preferred podcast player.
Here is the original post:
Vergecast: Windows 11 leaks, RCS encryption, and this week in antitrust - The Verge
Finding the balance in encryption and crime-fighting Monash Lens – Monash Lens
Operation Ironside last week resulted in more than 800 suspected underworld criminals arrested after being tricked into using an encrypted messaging app in which police were able to monitor chats about serious crime, including murder.
The operation was run in conjunction with the Australian Federal Police, targeting global serious and organised crime. Drugs, weapons, luxury vehicles and cash were seized across more than a dozen countries in whats been called a watershed moment for international policing. Its again highlighted issues relating to encrypted communications within criminal networks.
This operation involved the distribution amongcriminal networks of a secure encrypted communication system known as An0m that was in reality controlled by law-enforcement agencies. However, while ultimately enormously successful in disrupting criminal networks, the use of An0m very likely accounted for only a small percentage of criminal communication in Australia the AFP estimated this at around 5%.
Like much of the world, many of the conversations between Australians are conducted via text messaging. And increasingly, these messages are sent and received in encrypted form.
Well-known messaging apps such as WhatsApp, iMessage and Signal employ end-to-end encryption technology. This means that the digital material making up the messages, including text, images, audio and video are all encrypted on the sending device before theyre transmitted, and are only able to be decrypted by the final receiving device.
Under this model, its not feasible, at least with current computer technology, for an eavesdropper (or law enforcement agency) to decrypt any messages they intercept.
This enables completely private information exchange. For many reasons, this facility of modern life is highly desirable. It provides comfort that our interactions arent being spied upon, and allows us to securely exchange sensitive information. Indeed, beyond text messaging, end-to-end data encryption is crucial for the safety of many of the online transactions we now take for granted.
So, tools for pervasive encrypted communication, once thought of as the purview of security agencies and secretive intelligence operatives, sit in all our hands today. But as recent events highlight, theres a darker consequence of this technology. Along with hiding our innocuous conversations with friends, our work discussion groups, not to mention the voices of freedom under oppression, end-to-end encryption does just as good a job at hiding criminal activity of the worst kind.
Although law-breaking is increasingly technology-driven, criminal networks do not need to be particularly sophisticated to obscure their communications with these widely available secure messaging apps.
This has resulted in the always-present tension between the privacy of individuals, and the safety of communities, being writ large. Coupled with the anonymisation of online activity afforded by the dark web, these technologies have placed enormous barriers in the way of policing and disrupting serious crime. After all, surveillance by law enforcement authorities under warrant is only fruitful if the data gathered is able to be read and understood.
As one particularly damaging example of crime facilitated by the internet, and increasingly by encrypted communication, the distribution of child sexual abuse material has reached a horrendous scale.
Last year, the US-based National Center for Missing and Exploited Children received more than 21 million reports of it from electronic service providers, 94% of which were from Facebook. At the same time, in order to meet oft-stated commitments to user privacy, Facebook is racing to implement end-to-end encryption across its platform. But the company has since acknowledged that this change will make uncovering such material much more difficult.
Although the Facebook-owned WhatsApp has increased its reporting of child sexual abuse material through sophisticated analysis of metadata, its clear that the absence of an ability to analyse the content of images themselves hampers the technological countering of this crime. Similarly, terrorism, drug trafficking and illegal weapons trading are all beneficiaries of the capacity to effectively obscure communication.
Here lies the challenge.
As more and more of our communications are hardened by encryption, the debate will continue as to where the line between privacy and safety sits.
Theres a widespread expectation that users in many parts of the world want to engage in privacy-preserving communication, and hence theres a high value in marketing such systems to gain competitive advantage.
How, then, do we best respond to the need for disruption of criminal activity and preservation of safety in communities in such an environment?
Legislative responses to the rise of end-to-end encryption and the challenges it poses to law enforcement agencies, so far, vary.
In Australia, perhaps the most powerful feature of controversial laws passed in 2018 is the capacity to issue enforceable technical capability notices.
These notices could require service providers to take actions to ensure the provider is able to help to enable laws to be enforced or national security safeguarded. These notices are so named as they may require providers to employ new technical capabilities beyond those they already implement.
Importantly, these notices are prohibited from requiring that providers implement back doorsor other systemic weaknesses such as building a decryption capability or requiring that providers make their encrypted systems less effective. A range of other notices can be issued to providers to require them to provide assistance using their existing technologies via whats known as an industry assistance framework.
As more and more of our communications are hardened by encryption, the debate will continue as to where the line between privacy and safety sits.
Governments will likely be grappling with this issue for some time, given simultaneous commitments to security of personal data and safety of their population.
Indeed, the Council of the European Union adopted a resolution in December entitled Security through encryption and security despite encryption, calling for a new regulatory framework and investigation of technical solutions. Also last year, an international statement calling for similar action was released by the US Department of Justice.
More widely, the topic of end-to-end encryption, including technical and legal responses, continues to be the subject of much dialogue between the tech industry, government, academia, and law enforcement.
Ultimately, the whole community must be genuinely involved in this debate so that a balanced position that is both workable and broadly acceptable is achieved.
Follow this link:
Finding the balance in encryption and crime-fighting Monash Lens - Monash Lens
Drug bust was a huge coup – but the surveillance should trouble free citizens – Stuff.co.nz
OPINION: I do not like the Martin Niemller poem, written in the aftermath of the Holocaust, that begins: First they came for the Socialists, and I did not speak out because I was not a Socialist and ends Then they came for me and there was no one left to speak for me.
It is an impactful statement written by a good man forced to confront his own failings during a shockingly dark period of European history. It retains a contemporary resonance and is frequently cited as a justification to uphold the rights of the least palatable members of a community.
However, this isnt a statement of moral principle. It is an appeal to self-interest and is driven by pity and regret.
Were a passive people. Passionless and docile. Despite our self-image, we Kiwis are driven by a need to conform. It isn't an attractive trait and is on display every time we board an aircraft. Passengers duly attach face masks and air stewards diligently enforce these pointless rules.
READ MORE:* Meet the next Mr Big in the Australian criminal underworld: Hes known as Mr Blonde* Nephews of Australias most wanted man swept up in global app sting* What is Anom, and how did law enforcement use it to arrest hundreds in a global sting?* FBI-encrypted app hailed as a 'shining example' of collaboration between world cops for tricking gangs* Senior gang members arrested after global sting targeting organised crime* US Government steps up fight on Apple and Facebooks use of encryption
Most of what we uncritically accept is benign, but there is one that is deeply corrosive and has real and fatal consequences for both the lives of our poorest and most vulnerable but also for the very liberties that are an essential feature of a free society.
There was a story last week, about the success of Operation Trojan Shield.
This is a remarkable tale. The FBI established its own network of mobile phones, complete with handsets and encryption, and tricked the criminal underworld into adopting these devices in the mistaken belief that they were secure from the states prying eyes.
US Department of Justice
An image, released by the US Department of Justice, showing messages on the compromised encrypted app.
They were deceived. The FBI and other law enforcement agencies were listening and logging every call and text message. According to the recently released US indictment, there were 9500 of these units in circulation.
This latest huge bust, in a never-ending series of huge busts, is being touted as a coup in the War on Drugs, begun by Richard Nixon in 1971 and indeed it is. This is Graham Greene level skullduggery by the boys and girls in blue. Congratulations to all involved.
But... wait.
Lets stop and consider this. As a citizen of a free country it is my expectation that the state is not going to be listening to my communications without first convincing a judge that there is probable cause to be doing so.
Stuff
Damien Grant questions the legal basis of Operation Trojan Shield.
I accept that Apple and Amazon might be logging my keystrokes and snooping in on my conversations in order to sell me petfood and car insurance. Fine, but I can disconnect their services. Apple might be very powerful but it lacks the ability to lock me in a cage. Only a government can legally do this.
With great power should come great responsibility and, in a democracy, a large degree of restraint. What we have here are Western governments collaborating to establish a network with the specific purpose of listening into private conversations.
It isnt clear if a warrant was obtained before this data was gathered; the legal underpinnings of this operation remain murky and involve some third country that has yet to be identified. Even if one was secured in advance, we can be certain that 9500 individual warrants were not secured.
The police are delighted with themselves. Australian detective superintendent Des Appleby happily gloated: I think theyll be shocked to their core that theyve been stooged this badly. All their thoughts and plans, schemes, and theyre all in the hands of the police.
Indeed. Yet, was there any basis for this action other than a vague suspicion that if the police began listening to everything, they would get something? What of the thousands of people who used these phones for nothing more illicit than corporate security and dangerous liaisons?
An incomprehensible 27 million messages were captured and read during the three years this operation was running, and it was running in this country.
This is a violation of, at least, the expectation of Section 21 of our Bill of Rights: Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise.
There is no caveat that dispenses with this right if there is a risk that some teenager might be getting high. Despite my Libertarian objections most readers will be fine with this, because: drugs. Drugs are bad and we have Paddy Gower to help us understand how bad.
We are untroubled by the abuse of state power because we crave the illusion of security and lack the imagination to consider an alternative. And because it is the prescribed view of our cultural elites.
It also helps that no fresh-faced boys from Kings or Christs College are usually caught in these dragnets. The scions of Epsom and Fendalton and their parents will be confident that such awfulness will not touch them. So long as those whose private conversations are being bugged, assets seized and lives destroyed by decades in prison look suitably foreign, were pretty relaxed.
Even if we dont think it makes any difference, we know that drugs have won the war on drugs, we confidently assume that our rights are safe. Most readers are probably correct.
I am not going to make an argument that we should protect the civil liberties of the worst outcasts of society because one day we may lose our own liberties. There is no morality or principle in that.
Niemller was a Lutheran pastor. He should have sought inspiration from a much older tradition when considering his and his countrymens failings. I am not a Christian, but there is a profound proverb from antiquity that rings as true today as it did two millennia ago:
And the King will answer and say to them, Assuredly, I say to you, inasmuch as you did it to one of the least of these My brethren, you did it to Me.
Damien Grant is a business owner based in Auckland. He writes from a libertarian perspective and is a member of the Taxpayers Union but not of any political party.
Originally posted here:
Drug bust was a huge coup - but the surveillance should trouble free citizens - Stuff.co.nz
Google enables end-to-end encryption for Androids default SMS/RCS app – Ars Technica
Enlarge / If you and your chatting partner are both on Google Messages and both have RCS enabled, you'll see these lock icons to show that encryption is on.
Google has announced that end-to-end encryption is rolling out to users of Google Messages, Android's default SMS and RCS app. The feature has been in testing for months, and now it's coming to everyone.
Encryption in Google Messages works only if both users are on the service. Both users must also be in a 1:1 chat (no group chats allowed), and they both must have RCS turned on. RCS was supposed to be a replacement for SMSan on-by-default, carrier-driven text messaging standard. RCS was cooked up in 2008, and it adds 2008-level features to carrier messaging, likeuser presence, typing status, read receipts, and location sharing.
Text messaging used to be a cash cow for carriers, but with the advent of unlimited texting and the commoditization of carrier messaging, there's no clear revenue motivation for carriers to release RCS. The result is that the RCS rollout has amounted to nothing but false promises and delays. The carriers nixed a joint venture called the "Cross-Carrier Messaging Initiative" in April, pretty much killing any hopes that RCS will ever hit SMS-like ubiquity. Apple executives havealso indicated internally that they view easy messaging with Android as a threat to iOS ecosystem lock-in, so it would take a significant change of heart for Apple to support RCS.
The result is that Google is the biggest player that cares about RCS, and in 2019, the company started pushing its own carrier-independent RCS system. Users can dig into the Google Messages app settings and turn on "Chat features," which refers to Google's version of RCS. It works if both users have turned on the checkbox, but again, the original goal of a ubiquitous SMS replacement seems to have been lost. This makes Google RCS a bit like any other over-the-top messaging servicebut tied to the slow and out-of-date RCS protocol. For instance, end-to-end encryption isn't part of the RCS spec. Since it's something Google is adding on top of RCS and it's done in software, both users need to be on Google Messages. Other clients aren't supported.
Google releasedawhitepaper detailing the feature's implementation, and there aren't too many surprises. The company uses the Signal protocol for encryption, just like Signal, Whatsapp, and Facebook Messenger. The Google Messages web app works fine since it still relies on an (encrypted) local connection to your phone to send messages. Encrypted messages on Wear OS are not supported yet but will be at some point (hopefully in time for that big revamp). Even though the message text is encrypted, third parties can still see metadata like sent and received phone numbers, timestamps, and approximate message sizes.
If you and your messaging partner have all the settings right, you'll see lock icons next to the send button and the "message sent" status.
Excerpt from:
Google enables end-to-end encryption for Androids default SMS/RCS app - Ars Technica
Google open-sources tools to bring fully homomorphic encryption into the mainstream – The Daily Swig
John Leyden16 June 2021 at 13:46 UTC Updated: 16 June 2021 at 15:10 UTC
Cryptographic expertise not needed to enable computations on encrypted data, says tech giant
Google has released a set of coding utilities that allowfully homomorphic encryption (FHE) operations on encrypted data.
The open source collection of libraries and tools allow computational processes to be carried out on encrypted data without first having to decrypt it, offering security and privacy benefits as a result.
Homomorphic encryption and secure multi-party computation are known technologies. Googles release is largely focused on refining and making them suitable for wider deployment, rather than reinventing the basis for the technologies.
Catch up on the latest encryption-related security news and analysis
Our release focuses most on ease of use, cleanly abstracting the various layers of development between design (what the developer is actually trying to do) and implementation (what actually is performed), a Google spokesperson told The Daily Swig.
The transpiler offers a glimpse into all of these layers, allowing the combined expertise of the crypto, hardware, logical optimization and distributed computing communities to come together in one place.
The suite of tools is available on Github.
Use cases for homomorphic encryption range from spell checkers for an email, to updates from wearables, to medical record analysis to, further down the road, things like photo filters or genomic analysis, according to Google.
The more sensitive or identifying the use case might be, the more important it is that a developer is able to provide strong guarantees on data handling, the Google spokesperson added.
No special expertise in cryptography is required to make use of the search giants technology, which is geared towards overcoming a lack of crypto expertise amongst developers that has historically held back wider adoption of such tools.
DONT FORGET TO READComputer Fraud and Abuse Act: What the landmark Van Buren ruling means for security researchers
The trade-off for the privacy benefits of homomorphic encryption is that the mechanism can be more computationally intensive and slower than other methods an issue not immediately addressed in Googles release.
Performance remains a significant barrier (one we continue to work on) and so this wont be a drop-in replacement for all existing cloud services, the Google representative explained.
At the moment, this environment is aimed at well-scoped problems where data sensitivity is critical or where extra compute cost is worth the added privacy benefit.
Google's approach to fully homomorphic encryption in explained in more detail in a recent white paper (PDF).
Professor Alan Woodward, a computer scientist from the University of Surrey, said Googles FHE tools might be useful across a wide range of applications.
What Google appear to be doing is providing tools to enable FHE across a wide range of areas, he explained.
Bottom line is that anything where you want the dataset encrypted when in live use, not just encrypted at rest, then FHE could help.
RELATED GitHub changes policy to welcome security researchers
See the original post here:
Google open-sources tools to bring fully homomorphic encryption into the mainstream - The Daily Swig