Specific question about encryption backdoors

[repoman]

So, say that you have a files that you want hidden and are incriminatory (tax evasion etc...)

If there is a backdoor to the encryption and the contents are revealed, I wonder about the legal ramifications of that.

Also, if there is a backdoor that shows the contents, will they automatically know what your password was? it would be interesting if they didn't actually have the password but had the contents. I would not doubt that the FBI would come in quick with pressure to shut down any publicizing of this.

Finally, is there a way to prove that some device does not have a backdoor?

 

[jonatha]

So, say that you have a files that you want hidden and are incriminatory (tax evasion etc...)

If there is a backdoor to the encryption and the contents are revealed, I wonder about the legal ramifications of that.

Depends on the country, but I don't even know what the legal stance in the US is.

Also, if there is a backdoor that shows the contents, will they automatically know what your password was?

Not necessarily. Passwords are typically hashed at some point in the process, and if they can break the encryption they will know the hash but not the password that produced the hash.

Finally, is there a way to prove that some device does not have a backdoor?

No.

 

[Bomb#20]

Finally, is there a way to prove that some device does not have a backdoor?

No.

Yes. Code it yourself. Look up a popular algorithm on the net, read it, judge for yourself that it's too simple to hide anything dodgy in*, write a program, and test it against the sample input and output you find on the net.

Be aware, though, that knowing there's no backdoor to the encryption won't do you any good if there's a backdoor to your computer. If somebody installed spyware they can have already read your secret file before you encrypted it.

(* Lots of popular algorithms have large tables of arbitrary-looking numbers. If you don't know where those numbers came from, you can't be sure that they weren't picked to deliberately weaken the algorithm against some little-known attack. The simplest strong algorithm is RC4**. Any high-school kid can code that up and get it right, and it doesn't have that sort of mysterious table.)

(** Note that this approach doesn't protect you from the front door. For instance, RC4 just isn't as fundamentally strong as some more modern algorithms, and it's possible the NSA has broken it. Snowden didn't say it has, but that would be closely guarded knowledge even within the NSA.)

 

[jonatha]

No.

Yes. Code it yourself.

And write your own compiler and build your own hardware from scratch.

- - - Updated - - -

No.

Yes. Code it yourself.

And write your own compiler and build your own hardware from scratch.

 

[fast]

nm

 

[Bomb#20]

Yes. Code it yourself.

And write your own compiler and build your own hardware from scratch.

A compiler hacked the way Thompson describes shouldn't be able to compromise your encryptor, simply because the compiler won't know your creation is an encryption program (provided you really do code the algorithm yourself -- if you take the lazy way out and copy somebody else's coding of it that you find on the web then of course a hacked compiler might have the program you copied in its list of targets.)

If the spooks have put in a hardware backdoor then yes, you're screwed; I was only answering repoman's question about a backdoor to the encryption itself. Coding that yourself means you know your program wasn't written by the government; but no security measure protects against all threats.

 

[Cheerful Charlie]

So, say that you have a files that you want hidden and are incriminatory (tax evasion etc...)

If there is a backdoor to the encryption and the contents are revealed, I wonder about the legal ramifications of that.

Also, if there is a backdoor that shows the contents, will they automatically know what your password was? it would be interesting if they didn't actually have the password but had the contents. I would not doubt that the FBI would come in quick with pressure to shut down any publicizing of this.

Finally, is there a way to prove that some device does not have a backdoor?

There are plenty of ways to encrypt things that do not in fact have any back-doors or any way to decrypt them. The problem is, if you are in legal trouble, a judge may demand you give up your decryption key. You might sit in jail until you do, and your refusal may be held in some parts of the world as a crime in and of itself.

Recent efforts by open source experts have been made to make sure there are encryption schemes without backdoors or suspected weaknesses introduced by any government agency.

 

[Bomb#20]

There are plenty of ways to encrypt things that do not in fact have any back-doors or any way to decrypt them. The problem is, if you are in legal trouble, a judge may demand you give up your decryption key. You might sit in jail until you do, and your refusal may be held in some parts of the world as a crime in and of itself.

There are products for protecting yourself from that, too, such as Rubberhose. It lets you have several passwords. When the government torturer forces you to give up your key, you just make a show of resisting for a while, finally breaking, and giving up the key to your porn collection. Your oppressors never know you have a second key that would have decrypted the plans to the Death Star. But writing a program like Rubberhose takes way more programming chops than most people have, so you have to download it and run the risk that it has a backdoor. It's always a matter of picking which threat you'll protect yourself from.

 

[Loren Pechtel]

There are plenty of ways to encrypt things that do not in fact have any back-doors or any way to decrypt them. The problem is, if you are in legal trouble, a judge may demand you give up your decryption key. You might sit in jail until you do, and your refusal may be held in some parts of the world as a crime in and of itself.

There are products for protecting yourself from that, too, such as Rubberhose. It lets you have several passwords. When the government torturer forces you to give up your key, you just make a show of resisting for a while, finally breaking, and giving up the key to your porn collection. Your oppressors never know you have a second key that would have decrypted the plans to the Death Star. But writing a program like Rubberhose takes way more programming chops than most people have, so you have to download it and run the risk that it has a backdoor. It's always a matter of picking which threat you'll protect yourself from.

And if you are interested in protecting stuff for a specific period of time there's the ally approach:

Encrypt your data with a random key. Send that key to a trusted friend beyond the reach of whoever you fear is going to try to force matters. Once you have confirmed they have it you erase your copy of the key.

No need to resist, you can explain exactly what you did and there's nothing they can do about it short of a black op directed at the person with the key.

 

[barbos]

There are products for protecting yourself from that, too, such as Rubberhose. It lets you have several passwords. When the government torturer forces you to give up your key, you just make a show of resisting for a while, finally breaking, and giving up the key to your porn collection. Your oppressors never know you have a second key that would have decrypted the plans to the Death Star. But writing a program like Rubberhose takes way more programming chops than most people have, so you have to download it and run the risk that it has a backdoor. It's always a matter of picking which threat you'll protect yourself from.

And if you are interested in protecting stuff for a specific period of time there's the ally approach:

Encrypt your data with a random key. Send that key to a trusted friend beyond the reach of whoever you fear is going to try to force matters. Once you have confirmed they have it you erase your copy of the key.

No need to resist, you can explain exactly what you did and there's nothing they can do about it short of a black op directed at the person with the key.

Do you have friends in North Korea or ISIS? Cause these are the only countries out of reach for FBI

 

[Loren Pechtel]

And if you are interested in protecting stuff for a specific period of time there's the ally approach:

Encrypt your data with a random key. Send that key to a trusted friend beyond the reach of whoever you fear is going to try to force matters. Once you have confirmed they have it you erase your copy of the key.

No need to resist, you can explain exactly what you did and there's nothing they can do about it short of a black op directed at the person with the key.

Do you have friends in North Korea or ISIS? Cause these are the only countries out of reach for FBI

Why do you say other countries are not beyond the reach of the FBI? There are a lot of countries where a US request for encryption keys isn't going to go anywhere.

 

[Bomb#20]

Do you have friends in North Korea or ISIS? Cause these are the only countries out of reach for FBI

Why do you say other countries are not beyond the reach of the FBI? There are a lot of countries where a US request for encryption keys isn't going to go anywhere.

If NK and ISIS were the only countries out of the FBI's reach, that Rubberhose programmer probably wouldn't be holed up in an Ecuadorean embassy.