The UK bans corporate data encryption

The UK bans corporate data encryption

Postby Cyborg Girl » Mon Nov 02, 2015 11:32 pm

http://www.telegraph.co.uk/news/uknews/ ... -laws.html

Arrrrgggghhh!

Bloody idiots! How the hell do they think online banking works? How do they think there can be any secure financial transactions whatsoever without nontrivial encryption?

Ministers have no plans to ban encryption services because they have an important role in the protection of legitimate online activity such as banking and personal data.


No damn it, that is a goddamn lie. That is not how encryption works. This is how encryption works:

Hash algorithms
The data is irretrievably converted into a fixed-length string, which identifies it. The original data cannot be retrieved from that string, period; however, if something else has a matching hash, it is almost certain that it is the same thing. This is how passwords are stored.

Symmetric encryption algorithms
The data is reversibly scrambled with a key. Applying the same algorithm again, with the same key, reverses the scrambling.

HTTPS and other public key encryption
This uses an algorithm with two keys, one public and one private. The public key is public, the private key stays on the servers only. Stuff encrypted with the public key may only be decrypted with the private key, and vice versa.

The server and the user's PC exchange hellos through a connection encrypted via the public and private key. They settle on a random shared key for a symmetric algorithm, and use that and some symmetric cypher to communicate from then on, until the connection is broken and the negotiation starts again.

...

At no point in any of these cases, is there a way to have a backdoor via yet another key. There are only zero keys, or one key, or two. There are no three-or-more-key cyphers. We don't have the math for that yet.

You want to allow decryption of symmetrically encrypted data? That means sharing the symmetric key with someone. Good luck keeping that secret. Oh, and if you have the key lying around, that means anyone who "breaks in" can access all the data.

You want to allow decryption of HTTPS channels? That means someone has to be staging a man-in-the-middle attack, or the encryption has to be deliberately weak. Either way, that's something thieves can take advantage of.

You want passwords to be retrievable? That means either encrypting them with a symmetric or public key cypher (which is stupid), or keeping them in plain text (which is actually illegal in the US).

In summary: this is not the Internet equivalent of allowing, say, police to search homes without a warrant. This is the Internet equivalent of mandating that all houses and private buildings be made with walls of clear plexiglass. This is absolutely bonkers.
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: The UK bans corporate data encryption

Postby Sigma_Orionis » Tue Nov 03, 2015 3:34 pm

From reading the article in question I think that what the UK goverment plans is the following is to force Internet firms to reduce the strength of the ciphers by requiring that part of the encryption keys to be something set by them. For example:

When using hash algorithms to encrypt passwords, its common to add to the password in question what is called a "salt" basically it's some extra characters to make it longer and harder to decrypt by brute force. Maybe what they want is to control the said "salt"

This can be applied to the other cases as well.

The US tried to do that in the 90s with the export restrictions on Cryptographic code. For example: several products (like Lotus Notes) used 64/128 bit encryption on their products. But the products that were to be exported could only use 40 bits, the rest of the key that was fixed to some value that was the same for all instances the encryption routines were used. That made the key easily crackable.

As for the idea of a "Master" Key, that would require a different encryption algorithm than those used these days, it has been tried before, specifically Skipjack which was designed by the NSA and the US government tried to convince Private Companies to use it as an encryption standard for voice communication in the 90s (aka the Clipper Chip). Guess what? nobody wanted to use it.

So, to summarize: yeah, it's a dumb idea and one that didn't work before.

In any case I will not use a product that has watered down encryption, PERIOD.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: The UK bans corporate data encryption

Postby Cyborg Girl » Sat Dec 05, 2015 7:06 pm

In related news:

http://blogs.wsj.com/digits/2015/01/16/ ... ion-fight/

HOPE! CHANGE!

Right.

Edit: not that Clinton would have done any different, I'll bet.

(Welcome to the United States. You have two choices: corrupt stooges, or goose-stepping Fascists. Love it or leave.)
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: The UK bans corporate data encryption

Postby SciFiFisher » Tue Dec 08, 2015 6:06 am

Gullible Jones wrote:In related news:

http://blogs.wsj.com/digits/2015/01/16/ ... ion-fight/

HOPE! CHANGE!

Right.

Edit: not that Clinton would have done any different, I'll bet.

(Welcome to the United States. You have two choices: corrupt stooges, or goose-stepping Fascists. Love it or leave.)


The Goose Stepping Fascists have better boots. :P
"To create more positive results in your life, replace 'if only' with 'next time'." — Author Unknown
"Experience is a hard teacher because she gives the test first, the lesson afterward." — Vernon Law
User avatar
SciFiFisher
Redneck Geek
 
Posts: 4889
Joined: Mon May 27, 2013 5:01 pm
Location: Sacramento CA


Return to Sci-Tech… and Stuff

Who is online

Users browsing this forum: No registered users and 9 guests