The UK bans corporate data encryption
Posted: Mon Nov 02, 2015 11:32 pmhttp://www.telegraph.co.uk/news/uknews/ ... -laws.html
Arrrrgggghhh!
Bloody idiots! How the hell do they think online banking works? How do they think there can be any secure financial transactions whatsoever without nontrivial encryption?
No damn it, that is a goddamn lie. That is not how encryption works. This is how encryption works:
Hash algorithms
The data is irretrievably converted into a fixed-length string, which identifies it. The original data cannot be retrieved from that string, period; however, if something else has a matching hash, it is almost certain that it is the same thing. This is how passwords are stored.
Symmetric encryption algorithms
The data is reversibly scrambled with a key. Applying the same algorithm again, with the same key, reverses the scrambling.
HTTPS and other public key encryption
This uses an algorithm with two keys, one public and one private. The public key is public, the private key stays on the servers only. Stuff encrypted with the public key may only be decrypted with the private key, and vice versa.
The server and the user's PC exchange hellos through a connection encrypted via the public and private key. They settle on a random shared key for a symmetric algorithm, and use that and some symmetric cypher to communicate from then on, until the connection is broken and the negotiation starts again.
...
At no point in any of these cases, is there a way to have a backdoor via yet another key. There are only zero keys, or one key, or two. There are no three-or-more-key cyphers. We don't have the math for that yet.
You want to allow decryption of symmetrically encrypted data? That means sharing the symmetric key with someone. Good luck keeping that secret. Oh, and if you have the key lying around, that means anyone who "breaks in" can access all the data.
You want to allow decryption of HTTPS channels? That means someone has to be staging a man-in-the-middle attack, or the encryption has to be deliberately weak. Either way, that's something thieves can take advantage of.
You want passwords to be retrievable? That means either encrypting them with a symmetric or public key cypher (which is stupid), or keeping them in plain text (which is actually illegal in the US).
In summary: this is not the Internet equivalent of allowing, say, police to search homes without a warrant. This is the Internet equivalent of mandating that all houses and private buildings be made with walls of clear plexiglass. This is absolutely bonkers.
Arrrrgggghhh!
Bloody idiots! How the hell do they think online banking works? How do they think there can be any secure financial transactions whatsoever without nontrivial encryption?
Ministers have no plans to ban encryption services because they have an important role in the protection of legitimate online activity such as banking and personal data.
No damn it, that is a goddamn lie. That is not how encryption works. This is how encryption works:
Hash algorithms
The data is irretrievably converted into a fixed-length string, which identifies it. The original data cannot be retrieved from that string, period; however, if something else has a matching hash, it is almost certain that it is the same thing. This is how passwords are stored.
Symmetric encryption algorithms
The data is reversibly scrambled with a key. Applying the same algorithm again, with the same key, reverses the scrambling.
HTTPS and other public key encryption
This uses an algorithm with two keys, one public and one private. The public key is public, the private key stays on the servers only. Stuff encrypted with the public key may only be decrypted with the private key, and vice versa.
The server and the user's PC exchange hellos through a connection encrypted via the public and private key. They settle on a random shared key for a symmetric algorithm, and use that and some symmetric cypher to communicate from then on, until the connection is broken and the negotiation starts again.
...
At no point in any of these cases, is there a way to have a backdoor via yet another key. There are only zero keys, or one key, or two. There are no three-or-more-key cyphers. We don't have the math for that yet.
You want to allow decryption of symmetrically encrypted data? That means sharing the symmetric key with someone. Good luck keeping that secret. Oh, and if you have the key lying around, that means anyone who "breaks in" can access all the data.
You want to allow decryption of HTTPS channels? That means someone has to be staging a man-in-the-middle attack, or the encryption has to be deliberately weak. Either way, that's something thieves can take advantage of.
You want passwords to be retrievable? That means either encrypting them with a symmetric or public key cypher (which is stupid), or keeping them in plain text (which is actually illegal in the US).
In summary: this is not the Internet equivalent of allowing, say, police to search homes without a warrant. This is the Internet equivalent of mandating that all houses and private buildings be made with walls of clear plexiglass. This is absolutely bonkers.
