Category Archives: Encryption
Quantum-encrypted communication satellites could be a reality within five years – Wired.co.uk
A laser in space has measured quantum states on Earth, 38,000km away, for the first time.
This means a network of satellites communicating through quantum encryption could become a reality within five years, according to researchers behind the breakthrough experiment.
"We were quite surprised by how well the quantum states survived traveling through the atmospheric turbulence to a ground station," said Christoph Marquardt from the Max Planck Institute for the Science of Light, Germany, and lead author of the new paper.
Making quantum-limited measurements at long distance is crucial to developing a network for quantum-encrypted communication.
Quantum-encrypted communication would be much more secure than the mathematical algorithms used currently, because its security rests on a property of quantum mechanics, Heisenberg's uncertainty principle, rather than on a computational problem that a faster machine may one day solve.
Currently, information is encrypted with techniques based on mathematical algorithms. The algorithms themselves are public; what is hard is the underlying mathematical problem, such as factoring the very large numbers on which public-key schemes like RSA rest, and that difficulty is what makes the approach largely safe for now.
However, experts anticipate quantum computers powerful enough to solve those problems will surface in the next 10 to 20 years. Such a machine would break today's public-key algorithms outright; symmetric ciphers would be weakened rather than broken, but the keys they use are usually exchanged with the very public-key methods that are at risk.
Last year, researchers at Chatham House's International Security Department said satellites and other space communications technology are at significant risk from hackers and cyber attacks.
But there is a potential solution - and this is where quantum mechanics comes into it.
Heisenberg's uncertainty principle means the act of observing a particle changes its behaviour. Specifically, it means we cannot know both the momentum and position of a particle with arbitrary certainty at once.
Quantum key distribution uses this to send the secret key as a stream of light particles whose states are disturbed if an eavesdropper measures them. The resulting errors alert the people communicating that the key is not safe to use, so they discard it and try again; a key that passes the check is then used with a conventional cipher to encrypt the actual messages, which is why "quantum encryption" is really quantum key exchange.
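As an added illustration of the eavesdropper-detection idea described above (this is an example written for this page, not code or data from the Marquardt team, whose satellite experiment used a different quantum encoding), the following Go program simulates the classical statistics of the BB84 quantum key distribution protocol. Alice sends bits encoded in one of two bases, Bob measures in a random basis, and the two keep only the positions where their bases matched. An intercept-resend eavesdropper has to guess a basis too, and every wrong guess re-prepares the photon and shows up as errors in the sifted key. The photon model, the attacker and the 11% abort threshold are assumptions of the simulation; a real link also has channel noise, which is why the threshold is not zero.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Photon is a single qubit prepared by Alice: a bit value encoded in one of
// two bases (0 = rectilinear, 1 = diagonal). The simulation is classical: it
// only reproduces the measurement statistics that matter for key agreement.
type Photon struct {
	Bit   int
	Basis int
}

// measure returns the bit an observer reads when measuring p in basis b.
// Matching basis: the encoded bit is recovered exactly. Mismatched basis: the
// outcome is a fair coin and the photon collapses into the observer's basis,
// which is the disturbance an eavesdropper cannot avoid leaving behind.
func measure(p *Photon, b int, rng *rand.Rand) int {
	if p.Basis != b {
		p.Bit = rng.Intn(2)
		p.Basis = b
	}
	return p.Bit
}

// BB84Result holds what Alice and Bob end up with after sifting.
type BB84Result struct {
	SiftedLen int
	Errors    int
	QBER      float64 // quantum bit error rate over the sifted key
}

// RunBB84 simulates n photons sent from Alice to Bob. If eavesdrop is true,
// Eve performs an intercept-resend attack on every photon: she measures in a
// random basis and forwards a photon prepared in that basis.
func RunBB84(n int, eavesdrop bool, rng *rand.Rand) BB84Result {
	var res BB84Result
	for i := 0; i < n; i++ {
		aliceBit, aliceBasis := rng.Intn(2), rng.Intn(2)
		p := Photon{Bit: aliceBit, Basis: aliceBasis}
		if eavesdrop {
			measure(&p, rng.Intn(2), rng) // Eve's measurement re-prepares p
		}
		bobBasis := rng.Intn(2)
		bobBit := measure(&p, bobBasis, rng)
		// Sifting: over the public channel Alice and Bob compare bases only
		// (never bit values) and keep positions where the bases matched.
		if bobBasis != aliceBasis {
			continue
		}
		res.SiftedLen++
		// In practice only a random sample of sifted bits is disclosed and
		// compared, then discarded; here every sifted bit is compared so the
		// error rate is exact.
		if bobBit != aliceBit {
			res.Errors++
		}
	}
	if res.SiftedLen > 0 {
		res.QBER = float64(res.Errors) / float64(res.SiftedLen)
	}
	return res
}

// KeyIsSafe applies the abort rule: above the threshold the parties discard
// the key rather than use it. About 11% is the textbook bound for BB84 with
// one-way post-processing; intercept-resend pushes the QBER to roughly 25%.
func KeyIsSafe(r BB84Result, threshold float64) bool {
	return r.SiftedLen > 0 && r.QBER <= threshold
}

func main() {
	rng := rand.New(rand.NewSource(1))
	for _, eve := range []bool{false, true} {
		r := RunBB84(10000, eve, rng)
		fmt.Printf("eavesdropper=%-5v sifted=%d errors=%d QBER=%.3f safe=%v\n",
			eve, r.SiftedLen, r.Errors, r.QBER, KeyIsSafe(r, 0.11))
	}
}
```

Run it and the untapped channel shows a zero error rate while the tapped one sits near 25%, far above the abort threshold; the eavesdropper learns about half of the key bits but cannot do so without being noticed.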
The problem comes when sending data over long distances. Researchers have been moving towards satellite-based systems because previous attempts at using optical fibres have proven difficult due to signal losses.
Marquardt and his team measured quantum states encoded in a laser beam sent from one of the satellites already in space, working with satellite telecommunications company Tesat-Spacecom GmbH and the German Space Administration.
The satellite had been designed for laser communication, but was not ideally suited for the task.
"From our measurements, we could deduce that the light traveling down to Earth is very well suited to be operated as a quantum key distribution network," Marquardt said. "We were surprised because the system was not built for this. The engineers had done an excellent job at optimizing the entire system."
The team created quantum states in a range the satellite normally does not operate, and were able to make quantum-limited measurements from the ground.
Based on the results, Marquardt says we could see quantum-encrypted communications via satellites within five to ten years.
"The paper demonstrates that technology on satellites, already space-proof against severe environmental tests, can be used to achieve quantum-limited measurements, thus making a satellite quantum communication network possible. This greatly cuts down on development time, meaning it could be possible to have such a system as soon as five years from now."
But there is much work left to do, he added. "There is serious interest from the space industry and other organizations to implement our scientific findings," said Marquardt.
"We, as fundamental scientists, are now working with engineers to create the best system and ensure no detail is overlooked."
Here is the original post:
Quantum-encrypted communication satellites could be a reality within five years - Wired.co.uk
Look who’s joined the anti-encryption posse: Germany, come on … – The Register
Germany has joined an increasing number of countries looking to introduce anti-encryption laws.
Speaking on Wednesday, German interior minister Thomas de Maizière said the government was preparing a new law that would give the authorities the right to decipher and read private encrypted messages, specifically citing encrypted messaging apps such as WhatsApp and Signal.
Such services were allowing criminals and terrorists to evade surveillance, de Maizière said, adding: "We can't allow there to be areas that are practically outside the law."
He did not specify how the encryption breaking would be achieved, but did note that among the options under consideration was forcing phone operators to install software on phones that would effectively bypass encrypted apps by granting access to the phone itself.
That stance reflects a very similar one taken earlier this week by Australian prime minister Malcolm Turnbull, who told Parliament: "The privacy of a terrorist can never be more important than public safety. Never."
Turnbull revealed that the Five Eyes nations would be meeting next month to discuss how to prevent "terrorists and organized criminals" from "operating with impunity in ungoverned digital spaces online", the exact same line pushed by the German interior minister.
In addition, earlier this month, German chancellor Angela Merkel argued in Mexico City for global restrictions and "sensible rules" to deal with online content, stating that Germany would use its presidency of the G20 to develop a concrete set of digital policies at the forthcoming summit in Hamburg next month.
When it comes to encryption issues, much of the focus has been on the UK's Investigatory Powers Act, which introduced a placeholder for a subsequent "technical capability notices" paper that would oblige telecom operators and ISPs to provide content access to law enforcement and require them to decrypt content wherever possible.
A draft of the paper that was provided only to the telecom industry was leaked, and it revealed that the UK government wants real-time access to the full content of any named individual within one working day, as well as any "secondary data" relating to that person.
The system would oblige operators to provide real-time interception of 1 in 10,000 of its customers: in other words, the government would be able to simultaneously spy on 6,500 folks at any given moment.
That law has been spoken of favorably by the Australian government and it is reportedly considering introducing a similar version.
This rash of anti-encryption legislation comes in the wake of new terrorist attacks in Europe and a determined push by the security services to be able to maintain their current spying capabilities into modern smartphone technologies.
In Germany's case there is also the added factor of an election in September, and the expectation that the country will become a target of terrorist activity as a result of that.
There is a big problem at the heart of the issue however, and that comes in two parts: first, the apps that offer hard-to-crack, end-to-end encryption to users are almost all based in the United States and so outside the legislative reach of Europe and Australasia; and second, encryption is a mathematical process, so introducing a backdoor into any system also leaves that door open for others.
Broadly speaking there are three ways to read people's private, encrypted messages:
It is clear from the German interior minister's comments that the government is focusing on the third, most pragmatic approach: gaining access to someone's phone or other device, where messages can be read before they are encrypted or after they are decrypted, leaving the encryption itself untouched.
No doubt someone in the NSA is currently putting together a PowerPoint presentation that outlines how it has been able to hack into people's phones and bypass protections (including the Russian ambassador to the US?).
We'll have to wait until the next Snowden to find out exactly how it does that, but in the meantime, you can expect new legislation built around successful phone hacks to find its way in the capitals of most Western nations.
PS: A German court has ordered Google to stop linking to Lumen Database, formerly the Chilling Effects website.
Here is the original post:
Look who's joined the anti-encryption posse: Germany, come on ... - The Register
Backdoors, encryption and internet surveillance: Which way now? – ZDNet
Theresa May wants the UK government to get a backdoor into devices.
The UK government has once again raised the issue of online surveillance and internet regulation. But it's unclear exactly what the Conservatives want to do, while cybersecurity experts accuse the government of naivety in its current approach.
"We cannot allow this ideology the safe space it needs to breed -- yet that is precisely what the internet, and the big companies that provide internet-based services provide," said Prime Minister Theresa May, following the recent terrorist attacks in Manchester and London.
"We need to work with allied democratic governments to reach international agreements to regulate cyberspace to prevent the spread of extremist and terrorism planning," May added.
A similar statement appeared in a section of the Conservative Party manifesto for the recent election, which resulted in a hung parliament: "Some people say that it is not for government to regulate when it comes to technology and the internet. We disagree," it read.
However, there's little clarity on what the new minority government intends to do: that will have to wait for the Queen's Speech, which is due next week. Another factor is whether, lacking an overall majority, the government will want to expend limited political capital on this controversial topic.
It's also worth remembering that the UK government massively expanded its surveillance powers only recently. This policy was introduced by Theresa May herself when serving as Home Secretary; the resulting Investigatory Powers Act 2016 was dubbed the 'snooper's charter' by critics because it forces tech companies to store the 'internet connection records' (websites visited) of every UK internet user for a year.
Another area that the government seems keen to gain control over is end-to-end encryption.
Neither of these moves met with a positive response from those in the information security sector at the recent Infosecurity Europe conference in London.
"Where I think it goes wrong is that when a government starts to talk about regulating the internet, they don't get it. We don't own the internet and no one nation, no one government, and no one state owns and can influence the internet," said Rik Ferguson, VP of security research at Trend Micro.
Part of the problem is that governments and legislation haven't caught up with the fast-paced evolution of the internet and the services built around it.
"A lot of the world's governments were formed at a time when we were still largely an agricultural society: 120 years ago if you worked for the government at the US Postal Service, you were probably better educated than anyone within 100 miles of your post office," said Paul Vixie, CEO at Farsight Security.
But now, the expertise of individuals within the technology and internet sectors has far outstripped the knowledge of the lawmakers -- and governments don't necessarily have the wherewithal to catch up.
"The assumption that the government should know and should see what everyone is doing has to be reopened. We have to ask that question again," argued Vixie.
Even those with some understanding of the situation "don't necessarily have the right security tools to keep your information secure" -- especially in situations where zero-day exploits are being stockpiled.
That was clearly demonstrated by the WannaCry ransomware attack, which was so effective because the US National Security Agency (NSA) lost control of hacking tools which were then used to make the ransomware spread even faster.
If internet regulation is tricky, then what to do about the widespread use of end-to-end encryption is even harder to deal with. If the UK or US insist on tech companies introducing a backdoor into the encryption they currently use to protect communications across the internet, then more authoritarian nations will certainly demand the same.
"I don't think the option of completely dismantling encryption is an option. There's privacy implications that need to be considered, individual rights which need to be considered," said Liviu Arsene, Senior E-threat Analyst at Bitdefender.
Then there's also the risk that severe regulation of the internet will only hamper regular users, while criminals remain unaffected as they continue to find new ways of staying under the radar.
"How completely stupid is that? Every time we see regulation, we see regular folks being impacted and criminals not being impacted," said Peter Wood, an ethical hacker and member of the ISACA London Security Advisory Group.
"How is banning an encrypted algorithm from the US going to sort out criminals in any way? Do they really think terrorists will think 'I'm not allowed to, so I won't use it'," he continued. "The naivety astounds me."
That's not to say the government shouldn't be able to regulate anything at all. There are numerous aspects of the internet on which governments have established rules and procedures -- including hate speech, exploitation and more -- that help to keep people safe, said Ferguson.
"These are illegal, people do get prosecuted. That's regulation and I'm happy with that, we need that -- many people need to be protected from themselves," he said.
However, Ferguson continued, "It's got to be with public agreement and it's got to be targeted. There is a line we have to be careful not to cross when regulation becomes censorship."
Not only is large-scale censorship a massive infringement on individual civil liberties, it could also have large-scale economic consequences. According to Vixie, China's 'Great Firewall' is harming its economy, and any leaders -- like Theresa May -- who are looking to follow suit should heed that warning.
"If China's experiment is ending by teaching them they should be more open and the government should have less control, then I'd like Theresa May to talk to some of the people that are there and find out what they've learned, rather than insisting Britain run its own parallel experiment to get the same results."
"In other words," Vixie said, "it's crazy talk".
See original here:
Backdoors, encryption and internet surveillance: Which way now? - ZDNet
Germany Ready to Undermine Encryption in Terror Fight – Infosecurity Magazine
Germany has become the latest Western nation to signal its intent to undermine encryption in the name of preventing terrorism.
Central and state-level ministers have apparently expressed dismay that terrorists are using apps such as WhatsApp and Signal to communicate out of the reach of the authorities.
"We can't allow there to be areas that are practically outside the law," said interior minister Thomas de Maizière, according to Reuters.
He reportedly added that Berlin is planning a new law which will effectively give the authorities the right to view private messages.
It's not known how the government intends to achieve its ends. It's unlikely it would be able to force companies like Apple and Facebook to put backdoors in their products or services, and a ban is most likely unworkable.
One option being mooted is "source telecom surveillance", where the authorities would force telecoms providers to install software on their customers' devices which effectively bypasses the encrypted app by intercepting messages before they are scrambled.
Germany has suffered its fair share of terror incidents of late, most notably when a lorry ploughed into a Christmas market in Berlin last December, killing 12.
However, the country has always been resistant to heavy-handed state surveillance given what it endured under the Nazis and in East Germany after the war.
The UK, on the other hand, appears to be blazing a trail with its Investigatory Powers Act, widely regarded as granting the most intrusive state surveillance powers of any Western democracy.
The Australian government is said to be considering implementing its own version of the law, while the European Commission has indicated it is willing to introduce legislation which would undermine end-to-end encryption.
Security experts maintain that doing so would fail to have the intended effect, as terrorists will migrate to more secure platforms, while ordinary users and businesses are left exposed.
See original here:
Germany Ready to Undermine Encryption in Terror Fight - Infosecurity Magazine
Telegram founder: US intelligence agencies tried to bribe us to weaken encryption – Fast Company
Donald Trump is expected to announce his administration's Cuba policy in Miami today. According to the White House, he will roll back some of the two-year-old Obama-era policies that made it easier for Americans to travel to the island nation. Trump also plans to impose stiffer rules for American travelers visiting Cuba, doing away with many of the person-to-person visas, and prohibiting transactions with hotels and tourist groups controlled by the Cuban military, according to the New York Times.
The rule change is expected to make it much harder for American tourists to visit Cuba, cutting into Airbnb's remarkable growth there, as well as that of high-end hotels that rely on well-heeled tourists. For instance, Havana's brand new five-star Kempinski hotel is run by a Swiss hotel chain under a management contract with Cuba's Grupo de Turismo Gaviota, the tourism group run by the Cuban military. Staying there could be forbidden under Trump's revised policy that is intended to keep American dollars away from Cuba's military.
As the Washington Post points out, the move could also help undermine the Trump hotel chain's competitors around the world. In addition to the new Kempinski hotel, Starwood Hotels and Resorts, which merged with Marriott International, opened a hotel in Cuba last year, the first by a U.S. company in nearly 60 years. If it's harder for American tourists to visit the island, hotel rooms could go empty, cutting into Starwood's bottom line.
The change is also likely to have a negative effect on the Cuban people, who have been able to earn a living while hosting or aiding American travelers.
Read more:
Telegram founder: US intelligence agencies tried to bribe us to weaken encryption - Fast Company
Healthcare Data Encryption not ‘Required,’ but Very Necessary – HealthITSecurity.com
June 14, 2017 - Healthcare cybersecurity is essential for covered entities of all sizes, especially as ransomware attacks and other types of malware become more common. Healthcare data encryption is often discussed in these situations as well, with many in the industry underlining its importance.
HIPAA regulations do not specifically require data encryption, and instead qualify it as an addressable aspect. However, it is a very necessary piece to the larger data security puzzle.
In this primer, HealthITSecurity.com will review the basics of healthcare data encryption and explain why it is so critical in the current healthcare cybersecurity landscape.
Encrypting data means an organization converts the original form of the information into encoded text. Data is unreadable unless an individual has the necessary key or code to decrypt it.
With healthcare data, this involves securing ePHI and keeping it confidential so unauthorized individuals cannot access or use the information, even if they are able to find the information in a database or network.
READ MORE: Implementing HIPAA Technical Safeguards for Data Security
The Security Rule defines confidentiality to mean that e-PHI is not available or disclosed to unauthorized persons, HHS states on its website. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI.
Furthermore, the Security Rule also emphasizes the importance of ePHI integrity and availability. Covered entities maintain integrity by ensuring ePHI is not altered or destroyed in an unauthorized manner, while availability means the data remains accessible and usable on demand by authorized individuals.
There are also two kinds of data that can be encrypted: data in motion and data at rest.
Data in motion is information that is being sent from one individual or device to another, for example through secure direct messaging or email, and is protected by encrypting the connection or the message itself. Data at rest is information that is being stored, for example in a database, on a laptop or on removable media.
Encryption and decryption fall under the Access Control aspect of HIPAA technical safeguards. The Security Rule does not require specific technical solutions, and instead maintains that there are many technical security tools, products, and solutions that a covered entity may select to maintain PHI security.
READ MORE: How Data Encryption Benefits Data Security
Determining which security measure to implement is a decision that covered entities must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b), Security Standards: General Rules, Flexibility of Approach, states the HIPAA Security Series from HHS.
Access Control gives users the rights or privileges needed to reach certain areas containing information, including information systems, applications, programs, or files. These rights and/or privileges should be granted based on an individual's job function, and the minimum necessary standard must be followed.
Essentially, individuals should only be given the minimum necessary access to properly perform their job. This is especially critical when PHI access is taken into account.
For encryption and decryption specifically, HHS explains that healthcare organizations must determine if this measure will be necessary and benefit workflow.
It permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity, HHS stated. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.
READ MORE: HIPAA Data Breaches: What Covered Entities Must Know
HHS added that covered entities should consider which ePHI should be encrypted and decrypted to prevent unauthorized access by persons or software programs. Additionally, organizations can consider reasonable and appropriate mechanisms to prevent access to ePHI by persons or software programs that have not been granted access rights.
Healthcare organizations can use their risk analysis to better determine whether or not something is addressable or required. This is another key aspect of HIPAA regulations, and all entities should be performing regular risk analyses.
Davis Wright Tremaine LLP associate Anna Watterson explained in a previous interview with HealthITSecurity.com that the risk analysis is the foundation of the Security Rule for an organization.
The addressable ones need to be implemented if reasonable and appropriate, Watterson said. So the risk analysis can be the basis for determining whether a particular addressable implementation specification is reasonable and appropriate to implement in a particular circumstance.
The National Institute of Standards and Technology (NIST) explained in its storage encryption guide (SP 800-111) that organizations should implement encryption solutions that use existing system features, such as operating system features.
Deployment is harder when solutions require extensive changes to the infrastructure. Furthermore, solutions confined to end user devices should generally be used only when other solutions are not sufficient.
Organizations should carefully consider how key management practices can support the recovery of encrypted data if a key is inadvertently destroyed or otherwise becomes unavailable, NIST wrote. Organizations planning on encrypting removable media also need to consider how changing keys will affect access to encrypted storage on removable media and develop feasible solutions, such as retaining the previous keys in case they are needed.
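The key management point above, together with the earlier definition of data at rest, can be made concrete with a small Go program. It is added here as an example and is not drawn from HHS, NIST or any vendor product. It keeps data-encryption keys by version, stores the key version in the header of each encrypted record so rotating to a new key never strands data written under an old one, and binds the record identifier into the authentication tag so a ciphertext cannot be moved between records. The record IDs, the sample ePHI string and the header layout are constructed for the example; in a real deployment the key ring itself would live in a key management service or hardware module rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyRing holds data-encryption keys by version. Rotating adds a new key
// that is used for all new writes; older keys stay retained so records
// (or removable media) written under them remain readable.
type KeyRing struct {
	current uint32
	keys    map[uint32][]byte
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32][]byte{}} }

// Rotate generates a fresh 256-bit AES key and makes it the current version.
func (k *KeyRing) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire deletes a key version. Records written under it become
// unrecoverable, which is exactly the failure mode to plan for beforehand.
func (k *KeyRing) Retire(version uint32) { delete(k.keys, version) }

func (k *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d not available", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the current key with AES-256-GCM.
// Output layout: 4-byte key version | 12-byte random nonce | ciphertext+tag.
// recordID is bound as associated data, so a blob copied into another
// patient's record fails authentication instead of decrypting.
func (k *KeyRing) Seal(recordID string, plaintext []byte) ([]byte, error) {
	if k.current == 0 {
		return nil, errors.New("no key provisioned")
	}
	aead, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4+aead.NonceSize())
	binary.BigEndian.PutUint32(out[:4], k.current)
	if _, err := rand.Read(out[4:]); err != nil {
		return nil, err
	}
	nonce := out[4:]
	return aead.Seal(out, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a record produced by Seal, selecting the key by the version
// stored in the header. Any modification of header, nonce or body, a wrong
// recordID, or a retired key yields an error, never garbage plaintext.
func (k *KeyRing) Open(recordID string, blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short")
	}
	version := binary.BigEndian.Uint32(blob[:4])
	aead, err := k.aead(version)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 4+ns {
		return nil, errors.New("blob too short")
	}
	nonce, body := blob[4:4+ns], blob[4+ns:]
	return aead.Open(nil, nonce, body, []byte(recordID))
}

func main() {
	ring := NewKeyRing()
	ring.Rotate()
	blob, _ := ring.Seal("patient-0001", []byte("constructed sample ePHI"))
	ring.Rotate() // new writes now use v2; v1 is retained
	pt, err := ring.Open("patient-0001", blob)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	ring.Retire(1)
	_, err = ring.Open("patient-0001", blob)
	fmt.Println("after retiring v1:", err)
}
```

The first Open succeeds after rotation because the header names key version 1 and that key is still on the ring; the second fails because version 1 was retired before the record was re-encrypted under version 2, which is the situation the NIST advice about retaining previous keys is meant to prevent.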
NIST also established the Cryptographic Module Validation Program (CMVP) to test and validate that cryptographic modules function properly and implement approved algorithms. Modules are tested for conformance with Federal Information Processing Standard (FIPS) 140-2, with the algorithm implementations inside them validated separately under the companion Cryptographic Algorithm Validation Program (CAVP).
Many federal agencies require FIPS 140-2 validation, noted HealthITSecurity.com contributor Ray Potter.
Essentially this means that crypto is useless until proven otherwise, a blunt but accurate sentiment, Potter wrote. Other sectors have adopted the standard as their own, as well, with increasingly strict adherence in state and local government, finance, and utilities. Either encryption is validated or it is not. It's very black-and-white.
With healthcare data encryption, NIST also released NIST SP 800-66:An Introductory Resource Guide for Implementing the HIPAA Security Rule.
NIST security standards and guidelines (Federal Information Processing Standards [FIPS], Special Publications in the 800 series), which can be used to support the requirements of both HIPAA and FISMA, may be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems, the guide's executive summary explained.
Overall, healthcare organizations need to take the time to understand all available options to properly maintain ePHI security. Technology will only continue to evolve, and covered entities and their business associates are becoming more digital and connected both to other organizations and in utilizing internet connected devices.
A ransomware attack could lead to data being locked up or exposed, but what if it was already encrypted in the first place? A laptop containing ePHI might be stolen, but what if that data is unreadable without the key? The caveat is that encryption only helps against an attacker who does not hold the key: a stolen laptop with an encrypted disk is protected, whereas ransomware running under a logged-in user's account sees the data transparently decrypted and can encrypt it again with its own key regardless of how it was stored.
HHS even notes in its ransomware guidance that if the ePHI was properly encrypted before an incident occurs, it is not considered unsecured PHI, the entity is not required to conduct a risk assessment to determine whether there is a low probability of compromise, and breach notification is not required.
Healthcare organizations should conduct thorough and regular risk analyses to properly determine how and where data encryption would be beneficial. Staying educated on all available options and any federal or state requirements will also help entities ensure ePHI security. While not technically required, data encryption is quickly evolving into a very necessary part of data security.
More:
Healthcare Data Encryption not 'Required,' but Very Necessary - HealthITSecurity.com
FBI Seeks $21M to Counter Encryption – On the Wire (blog)
The FBI is asking for more than $20 million in the 2018 fiscal year budget to counter what the bureau sees as the threat of encryption, both in devices and in real-time communications tools such as text or voice apps.
The request is part of the Department of Justices proposed budget for the next fiscal year, and Deputy Attorney General Rod Rosenstein said during a Senate hearing Tuesday that the FBI would use the money for a wide variety of things. In his testimony, Rosenstein said that the increased use of encryption, which the FBI and other law enforcement agencies refer to as the problem of going dark, is a growing challengeand needs funding support.
The seriousness of this threat cannot be overstated. Going Dark refers to law enforcements increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies, Rosenstein said.
This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice. The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools.
In the proposed budget, the FBI asked for $21.6 million to address the encryption issue. As Rosenstein said in his testimony, the money may be used for developing or buying tools and techniques to analyze encrypted devices, perform forensic analysis, or cryptanalytic analysis, all of which are time consuming and expensive. While the FBI has been raising concerns about the use of encrypted communications for years, much of the current concern comes from the proliferation of encrypted communications apps and devices that store user data in encrypted form by default.
Most current iPhones and Android devices have encrypted data storage enabled by default, and law enforcement agencies have struggled to bypass the protections. During the tense showdown between Apple and the FBI last year over an encrypted iPhone used by a terrorist, the bureau sought a court order to get Apple to build a backdoored version of iOS specifically to bypass the device's encryption. Apple officials called the request offensive and fought it. Eventually the FBI bought a technique from a third party to unlock the phone.
But that case was just one of many involving encrypted devices, and FBI officials and others in the law enforcement community have continued to push for methods to bypass or weaken encryption systems, both in transit and at rest. Privacy advocates and security experts have pushed back, saying that any backdoored or intentionally weakened encryption system would put all users at risk.
See the original post here:
FBI Seeks $21M to Counter Encryption - On the Wire (blog)
Justice Department requests $21.6M to tackle ‘Going Dark’ encryption problem – Washington Times
The Justice Department is requesting more than $20 million in federal funding to bankroll efforts related to resolving the government's continuing "Going Dark" problem, Deputy Attorney General Rod Rosenstein said Tuesday, signaling one of the Trump administration's first attempts at tackling the issue of ubiquitous, hard-to-crack encryption amid growing concerns involving its impact on criminal investigations.
While federal investigators have fought for years to counter the so-called "Going Dark" phenomenon, the government's growing inability to access and decipher digitally encrypted communications, Mr. Rosenstein said during a Justice Department budget-request hearing Tuesday that resources needed to reverse the trend are required now more than ever.
"The seriousness of this threat cannot be overstated," Mr. Rosenstein told the Senate Subcommittee on Commerce, Justice, Science and Related Agencies. "This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice."
"The Justice Department is requesting $21.6 million specifically towards countering its Going Dark program," Mr. Rosenstein testified in his prepared remarks.
"The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability and forensic tools," he added, in turn enabling the Justice Department to "continue its leading role in enhancing the capabilities of the law enforcement and national security communities."
Mr. Rosenstein was not initially slated to testify Tuesday, but appeared after the hearing's previously scheduled witness, Attorney General Jeff Sessions, canceled in lieu of speaking before the Senate Intelligence Committee with respect to the Trump administration and its purported ties to Russia, as well as the president's abrupt firing last month of former FBI Director James Comey.
Days before leaving office on May 9, Mr. Comey said federal investigators had legally seized more than 6,000 smartphones and electronic devices during a recent six-month span but found that 46 percent couldn't be opened with any technique.
"That means half of the devices that we encounter in terrorism cases, in counterintelligence cases, in gang cases, in child pornography cases, cannot be opened with any technique," Mr. Comey told the Senate Judiciary Committee on May 3. "That is a big problem. And so the shadow continues to fall."
The vast majority of smartphones currently sold in the U.S. run either Apple's iOS or Google's Android operating systems, both of which allow customers to protect their digital contents and communications from eavesdroppers with security-minded technology including strong encryption. While hailed by privacy and security proponents, the technology became a hot-button issue last year after federal authorities found themselves unable at first to access the contents of an Apple iPhone recovered from the scene of a December 2015 mass shooting in San Bernardino, California.
"If Apple doesn't give info to authorities on the terrorists I'll only be using Samsung until they give info," President Trump tweeted from the campaign trail in February. "Boycott all Apple products until such time as Apple gives cellphone info to authorities regarding radical Islamic terrorist couple from Cal."
"The Obama administration was not in a position where they were seeking legislation," Mr. Comey told lawmakers last month when asked about the possibility of establishing a legal statute to resolve the "Going Dark" dilemma. "I don't know yet how President Trump intends to approach this. I know he spoke about it during the campaign, I know he cares about it, but it's premature for me to say."
When is ‘not a backdoor’ just a backdoor? Australia’s struggle with encryption – GCN.com
COMMENTARY
This article first appeared on The Conversation.
The Australian government wants the ability to read messages kept secret by encryption in the name of aiding criminal investigations. But just how it proposes to do this is unclear.
As Australian Attorney-General George Brandis recently told Fairfax Media, "[a]t one point or more of that process, access to the encrypted communication is essential for intelligence and law enforcement."
In an interview with Sky News, he spoke favorably of controversial U.K. legal powers that seek to impose on device makers and social media companies a greater obligation to work with authorities where a notice is given to them to assist in breaking a communication.
Brandis has insisted the government doesn't want a backdoor in secure messaging apps. How, then, he expects companies to break them is unclear.
As many have pointed out, it's hard to see any tool that gives law enforcement privileged access to otherwise encrypted messages as anything else but a backdoor.
How end-to-end encryption works
Backdoor or not, it's worth being skeptical of any mechanism aimed at accessing encrypted messages on platforms like WhatsApp. To explain why, you need to understand how end-to-end encrypted messaging services work.
Encrypted messaging services scramble the original message, the plaintext, into something that looks like random gibberish, the ciphertext.
Translating it back to plaintext on the receiver's phone depends on a key -- a short string of text or numbers. Without access to the key, it isn't feasible to get the plaintext back.
Keys are generated in pairs, a public key and a private key, of which only the private key must be kept secure. The sender of the secure message has the receiver's public key, which is used to encrypt the plaintext. The public key cannot be used to unscramble the ciphertext, nor does possessing the public key help in obtaining the private key.
End-to-end encryption simply keeps the private key securely stored on the phones themselves, and converts the ciphertext to plaintext directly on the phone. Neither the private keys nor the plaintext are ever available to the operator of the messaging service.
Compromising security
An encrypted messaging app could hypothetically be modified in a number of ways to make it easier for authorities to access.
One would be to restrict the range of keys that the app can generate. That would make it possible for the government to check all possibilities.
The U.S. government, which imposed regulations to this effect for a brief period in the 1990s, may have once had computing resources far in excess of any other entity, but this is no longer the case. In fact, these old rules are themselves still causing security problems, as some applications can be tricked into reverting to the insecure export-mode encryption that is trivially crackable today.
Other national governments and well-funded private bodies would find brute-force checking of all the possible keys well within their capabilities, compromising the security of legitimate users.
And while governments might believe they can keep their backdoor secure, such secrets have a nasty habit of leaking out, as did hacking techniques used by the CIA and NSA.
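The following Go program is an added illustration of both the end-to-end scheme described in the previous section and the restricted-key-range weakening discussed just above. It is example code written for this page, not WhatsApp's or any product's implementation. Using X25519 and AES-GCM from Go's standard library, the sender encrypts to the receiver's public key, a relay holding only the ciphertext cannot open it, and a receiver whose app draws its private key from a range of only 2^12 values has that key recovered simply by regenerating every candidate. The SHA-256 key derivation, the message layout and the 2^12 range are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const pubLen = 32 // length of an X25519 public key

// aeadFromShared derives an AES-256-GCM cipher from an X25519 shared secret.
// Plain SHA-256 stands in for the HKDF step a real messenger would use (an assumption of this example).
func aeadFromShared(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block size: NewGCM cannot fail
	return aead
}

// sealToPublicKey is the sender's phone, which holds only the receiver's public key:
// an ephemeral key pair agrees a shared secret with that key and encrypts the message.
// The output (ephemeral public key || nonce || ciphertext) is all the server ever sees.
func sealToPublicKey(receiverPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(receiverPub)
	if err != nil {
		return nil, err
	}
	aead := aeadFromShared(shared)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := append(eph.PublicKey().Bytes(), nonce...)
	return aead.Seal(msg, nonce, plaintext, nil), nil
}

// openWithPrivateKey is the receiver's phone, the only place the private key exists.
// GCM authentication fails under any other key, so relayed bytes are useless to the server.
func openWithPrivateKey(receiverPriv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < pubLen+12 { // 32-byte ephemeral key followed by a 12-byte GCM nonce
		return nil, errors.New("message too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := receiverPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead := aeadFromShared(shared)
	n := pubLen + aead.NonceSize()
	return aead.Open(nil, msg[pubLen:n], msg[n:], nil)
}

// restrictedPrivateKey models the weakened app the article describes: the private scalar
// comes from a small counter, so only 2^bits key pairs can ever exist. The counter sits in
// bytes 1..4 so that X25519's clamping of byte 0 cannot fold two counters into one key.
func restrictedPrivateKey(seed uint32) (*ecdh.PrivateKey, error) {
	var scalar [32]byte
	binary.LittleEndian.PutUint32(scalar[1:5], seed)
	return ecdh.X25519().NewPrivateKey(scalar[:])
}

// bruteForceRestrictedKey is the exhaustive check the article warns about: regenerate
// every key pair the restricted app could have produced until the public key matches.
func bruteForceRestrictedKey(observedPub *ecdh.PublicKey, bits uint) (*ecdh.PrivateKey, uint32, bool) {
	target := observedPub.Bytes()
	for seed := uint32(0); seed < 1<<bits; seed++ {
		cand, err := restrictedPrivateKey(seed)
		if err == nil && bytes.Equal(cand.PublicKey().Bytes(), target) {
			return cand, seed, true
		}
	}
	return nil, 0, false
}

func main() {
	recv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	msg, _ := sealToPublicKey(recv.PublicKey(), []byte("meet at noon"))
	pt, err := openWithPrivateKey(recv, msg)
	fmt.Printf("receiver decrypts %q, err=%v\n", pt, err)
	other, _ := ecdh.X25519().GenerateKey(rand.Reader) // the server has no private key; any other key fails
	_, err = openWithPrivateKey(other, msg)
	fmt.Println("wrong key:", err)
	weak, _ := restrictedPrivateKey(2077) // an app limited to 2^12 possible keys
	wmsg, _ := sealToPublicKey(weak.PublicKey(), []byte("meet at noon"))
	found, seed, ok := bruteForceRestrictedKey(weak.PublicKey(), 12)
	pt, err = openWithPrivateKey(found, wmsg)
	fmt.Printf("restricted app: seed %d recovered=%v, plaintext %q, err=%v\n", seed, ok, pt, err)
}
```

The search cost is 2^bits public-key computations, which is why the 2^12 toy range falls in a fraction of a second while a properly generated 256-bit X25519 key does not; the shape of the weakness is the same as the export-grade limits mentioned above, only the exponent differs.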
Nor can governments simply make possessing encryption software a criminal offence.
Take the application Pretty Good Privacy (PGP) -- or, more precisely, its open-source equivalent GNU Privacy Guard (GPG).
Once used for securing email messages, it's now more often used to ensure that software updates on Linux systems come from the original authors and have not been tampered with. For instance, the system update tool in Ubuntu Linux uses the GPG machinery for this. Without it, the Linux servers that run much of the internet would become much more vulnerable to hackers.
Similar mechanisms are used in Windows, iOS and Android to prevent tampered applications from being installed. As such, banning or undermining end-to-end encryption would seriously affect internet security.
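The tamper check these update tools perform, shown as an added example rather than Ubuntu's, GPG's or any package manager's own code: Ed25519 from Go's standard library signs a constructed package under the publisher's release key, and the client refuses any package that has been modified, renamed, or signed by a different key. The SignedUpdate layout, the package name and its contents are made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedUpdate stands in for a package plus the detached signature a project ships
// with it. The layout is constructed for this example, not apt's or GPG's format.
type SignedUpdate struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// signingInput binds the package name to its contents, so a valid signature on one
// package cannot be transplanted onto a differently named one.
func signingInput(name string, payload []byte) []byte {
	return append(append([]byte(name), 0), payload...)
}

// signUpdate is the publisher's side: the release private key stays on the build
// system and only the public key is distributed to clients, as with apt's keyring.
func signUpdate(releaseKey ed25519.PrivateKey, name string, payload []byte) SignedUpdate {
	return SignedUpdate{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(releaseKey, signingInput(name, payload)),
	}
}

// verifyUpdate is the client's side. Anything whose signature does not verify under
// the trusted release key is refused: a modified payload, a renamed package and a
// package signed by some other key all fail the same check.
func verifyUpdate(trusted ed25519.PublicKey, u SignedUpdate) error {
	if len(trusted) != ed25519.PublicKeySize {
		return errors.New("trusted release key has the wrong size")
	}
	if !ed25519.Verify(trusted, signingInput(u.Name, u.Payload), u.Signature) {
		return fmt.Errorf("%s: signature does not verify under the release key, not installing", u.Name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed package name and contents for the demonstration.
	u := signUpdate(priv, "example-tool_1.0_amd64.deb", []byte("package contents"))
	fmt.Println("genuine package:", verifyUpdate(pub, u))
	tampered := u
	tampered.Payload = []byte("modified package contents")
	fmt.Println("tampered package:", verifyUpdate(pub, tampered))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other signer's key:", verifyUpdate(otherPub, u))
}
```

The property the article relies on is visible in verifyUpdate: the client needs nothing secret, only the publisher's public key, so nothing a server or network operator holds lets them forge an acceptable package.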
Endless workarounds
In any case, creating backdoors in end-to-end encrypted messaging services would not achieve its goals. Once messaging app backdoors became known, savvy users would simply switch to another service, or make their own.
BlackBerry touts encryption-busting WhatsApp tech to banks – Financial News (subscription)
BlackBerry is planning to promote new surveillance tech that can sidestep message encryption alongside sales of its smartphones and comms software, allowing banks to keep tabs on traders' calls, texts, and use of WhatsApp and WeChat. The phonemaker ...