Schneier on Security
A blog covering security and security technology.
October 11, 2007
UK Police Can Now Demand Encryption Keys
Under a new law that went into effect this month, it is now a crime to refuse to turn a decryption key over to the police.
I'm not sure of the point of this law. Certainly it will have the effect of spooking businesses, who now have to worry about the police demanding their encryption keys and exposing their entire operations.
Cambridge University security expert Richard Clayton said in May of 2006 that such laws would only encourage businesses to house their cryptography operations out of the reach of UK investigators, potentially harming the country's economy. "The controversy here [lies in] seizing keys, not in forcing people to decrypt. The power to seize encryption keys is spooking big business," Clayton said.
"The notion that international bankers would be wary of bringing master keys into UK if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction," he added. "With the appropriate paperwork, keys can be seized. If you're an international banker you'll plonk your headquarters in Zurich."
But if you're guilty of something that can only be proved by the decrypted data, you might be better off refusing to divulge the key (and facing the maximum five-year penalty the statute provides) instead of being convicted for whatever more serious charge you're actually guilty of.
I think this is just another skirmish in the "war on encryption" that has been going on for the past fifteen years. (Anyone remember the Clipper chip?) The police have long maintained that encryption is an insurmountable obstacle to law and order:
The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals -- all parties which the UK government contends are rather adept at using encryption to cover up their activities.
We heard the same thing from FBI Director Louis Freeh in 1993. I called them "The Four Horsemen of the Information Apocalypse" -- terrorists, drug dealers, kidnappers, and child pornographers -- and they have been used to justify all sorts of new police powers.
Posted on October 11, 2007 at 6:40 AM
I wonder if this effectively makes large random numbers illegal... perhaps the key could be a one time pad (decrypting your encrypted copy of the Magna Carta, the US Constitution, or a collection of Hello Kitty images).
In the US, you can be held in contempt of court indefinitely for failing to decrypt any subpoenaed document (presumably this predates computer encryption). I would be surprised if this isn't common law inherited from the UK. I suppose there is a subtle difference if you can't fight to quash the subpoena, but this doesn't seem too much of a big change.
This has already been spoofed on Userfriendly
The UK police also want the power to detain people without charge for longer than the current 28 (?) days. It will have to be a very long time if they hope to break your encryption by force. They must be hoping that you would eventually volunteer the keys.
(3)A disclosure requirement in respect of any protected information is necessary on grounds falling within this subsection if it is necessary ...
(c) in the interests of the economic well-being of the United Kingdom
It looks like businesses have some good reasons to be spooked.
The UK is falling behind the civilisatory standard of the Roman Empire, where 'nemo tenetur seipsum accusare' was a respected principle. 'No one is bound to accuse himself' means that you don't have a duty to participate or even support any investigations that can lead to your conviction.
This very basic standard of no self-incrimination obviously is no longer valid in the UK. Shame on them. The politicians for making such a law, the people for not defending their rights.
So, now you can go to jail for having bad memory? I wonder how these cases will be handled.
I remember there were few cases in the UK where people accused of child were able to avoid conviction by blaming intrusions and malware for the images that were found in their machines. The police could never prove they were guilty and the explanation of the suspects was plausible (we might never know if they were guilty or not).
How are the police going to solve cases with similar excuses? - If they get a file named vacations2007.enc from a suspect's hard disk and the suspect claims he/she just forgot the password for the key, how are the police going to prove he is hiding something?
If the police have enough evidence to ask the court to issue a warrant for the keys they might just as well ask the court to allow them to wiretap (easier and more cost effective in many cases, in my opinion)
When the police ask to get the keys it is probably because they already have strong evidence against a suspect and they just want to know what else is stored in some encrypted files they found, like in terrorist cases. But as Bruce says, a terrorist will probably prefer to just spend five years in jail rather than give the police the keys to their plans, list of targets or any other information they might have encrypted.
I think this law will be of little help to the UK police. More funding for computer forensics would have been more useful (there are many difficulties and no warranties, but still a good chance to get an unencrypted version of the file or even the keys). The last time I spoke with someone from the Forensic Science Service in the UK he told me they had a huge pile of computers and disks waiting to be processed (most of them pedophile cases) and they could only devote a few hours to each of them due to the current size of storage media and limited resources.
"In the US, you can be held in contempt of court indefinitely for failing to decrypt any subpoenaed document."
And there is nothing wrong with that, if you are even correct about it.
We should not confuse the right to encrypt our secrets with the right to be a criminal. There is a BIG difference between being forced to hand over an encryption key without probable cause and judicial oversight and being immune from obstruction merely because you were smart enough to hide your secrets.
Put aside the 5th Amendment in the States for a second and just imagine you have control of a piece of evidence that is encrypted. It does not incriminate you. That is basically the same thing as you being witness to a crime. You can be compelled to testify as to what you saw or know in relation to a crime, and you should be able to be compelled to turn over a decrypted form of the encrypted evidence (with effective probable cause and judicial oversight, just like being compelled to be a witness in any case).
Now, if it is evidence that incriminates you, and the police can not find such evidence or keys with valid search warrants, then yeah the U.S. has a 5th Amendment which should protect you from having to do anything to further your own prosecution.
By the way, I don't claim this IS the law in the U.S., or that this is how it will be enforced. I just claim this is in line with the Constitution and a free society.
Since the UK law seems to have no provisions for probable cause or judicial oversight, it seems to be an immoral law to me. Maybe it doesn't violate any of the UK's unwritten "constitution" and collection of traditions and laws, but on its face it seems to be immoral to a free society.
@wumpus: "In the US, you can be held in contempt of court indefinitely for failing to decrypt any subpoenaed document (presumably this predates computer encryption)."
If you are the target of a criminal investigation, how can invoking your right to remain silent be "contempt of court"?
AFAIK you are not required to say *anything* (beyond personal information, possibly).
So how do they tell the difference between "I deleted my keys before the documents were requested" and "I deleted my keys when the documents were requested"? Or legitimately forgetting a password versus refusing to tell?
The latter can be solved only through torture. The former, maybe through analysis of the hard drive. But then, there's all sorts of ways around that, easiest being to keep your encryption key on a floppy disk and burning it to destroy it. (Might still leave traces such as access times on encrypted files; but you can avoid storing access times.)
For a conviction of this "crime", the authorities would have to prove that there is encrypted data on your system, in the first place, right?
How would they do that, e.g., in the case of Truecrypt files that look like they are full of purely random data. No headers or anything.
Sure, large files full of random data may look *suspicious* to investigators, but there is no *proof* that it is a Truecrypt file.
Furthermore, Truecrypt has this nifty "hidden volume" feature which provides another layer of plausible deniability.
I like to erase my USB drives by writing over the entire drive with a random number file the same size as the drive. This is the fastest secure way to delete the files on the drive. I have several of these files for different drives. But each file looks the same as an encrypted file. So what would happen if UK police demand the encryption key? I can't provide it, since it is just a random file. Do I receive 5 years in prison for each file?
What if I start to download a file and then it is interrupted? Or what about a corrupted file? These cannot be opened by the program that would usually open them, making these suspect as encrypted files.
I'm kind of surprised they don't already have this power. For instance, if they get a search warrant on your house, and there is a safe they want to look in, can they not compel you to open it for them? Maybe it's one of those safes that will destroy the documents if forced open. I seem to remember hearing before that they consider encryption to be the same as say, a briefcase combination, the difference being the latter is easier to break.
Probable deniability will solve this problem.
Stock cheeky answer:
I'm enthralled with random bits, but I also like to keep them secret, so I encrypt them. See? I encrypted this large random bitstring with the key "aaaaaaa" and now it's all yours.
Not to mention, you have all these DVD's that you don't know the key for. Or if you do know the key, you've broken some other law like the DMCA. Damned if you do or don't, I guess.
I think a more accurate Four Horsemen might be
- child pornographers
- the Mafia
- and neo-Nazis
That last has faded a bit, but when the media were first writing net scare stories they loomed pretty large.
Society can't invent new "rights" as it goes along.
If all through the history it was "ok" for a judge to issue a warrant for search, all the information was there .. unencrypted .. and was available for law enforcement to review.
Some think the technology gave them a leg up, think again; the law finally caught up with them :-)
It's an important law, without it 9/10 of the crimes of the 21st century will not be prosecuted.
The main problems with this law are twofold: firstly, with the ability to nest encrypted data in a volume it is possible to give the police the keys to some innocuous data and keep the dodgy data hidden.
Secondly the offence only carries a relatively short jail term and no further repercussions as such, whereas being in possession of dodgy sex-related material or terrorist material gets the offender onto the Government's shitlist indefinitely. For this reason a slap on the wrist for RIP violations is infinitely preferable to avoiding this charge and getting caught for the biggie.
All this law is in truth is a case of a legislature trying and failing to understand technology and making an ass of itself in the process; the current Labour government in Britain seems quite incredibly good at making an ass of itself, but unfortunately has no redeeming features worth speaking of.
Anyway, how long before this law gets challenged under the right to a private life that is enshrined in the Human Rights Act?
There may be better ways to say this, but this kind of provision terrifies the average person and is no deterrent for the Felonius Maximus. So they want to decrypt your password file so they can have full access *as "you"* to access all your credit card statements, web forums, bank account, eBay, formerly anonymous blogs, etc. This law could rightfully be a target of civil disobedience.
No matter the constitutionality of this law, it is a futile effort. People that are smart enough to encrypt their incriminating data are also smart enough to cover their tracks, using TrueCrypt hidden volumes or similar features.
My prediction is that nobody will be convicted solely for possessing encrypted data. People will be convicted because of other evidence that makes refusal to decrypt seem like a minor offense.
@CGomez: "Put aside the 5th Amendment in the States for a second"
No, not even for a second.
"It does not incriminate you."
It is impossible for the authorities to know if a document incriminates me or not if they haven't read it. Are they offering immunity if I decrypt? No. Is a judge going to toss it out after it incriminates me? No.
The problem is your assumption of innocence. It's cute, but if it can be used to force me to incriminate myself, then the fifth amendment is being worked around.
If I claim to be innocent, fifth amendment doesn't apply and I have to decrypt. The document incriminates and I'm off to jail.
If I plead the fifth, authorities claim the document will not incriminate me and I'm equally screwed. I'm either forced to decrypt (hey, it does incriminate me, go figure, off to jail I go) or am declared guilty of obstruction of justice (still off to jail) or maybe aiding and abetting (hello jail) or accessory to a crime (Look! It's a jail!) all because I refuse to incriminate myself.
The problem is not that I can't put aside the fifth amendment, I can. I can admit my guilt, effectively refusing my fifth amendment rights (something which is really stupid). The problem is when I am forced, against my will, to give up my fifth amendment rights (something which is really wrong).
I disagree that society can not assign new rights and privileges as it goes along. However, the UK law at issue here allows demand of the encryption keys.
The crime should not be refusal to turn over keys. It should be obstruction of justice. In other words, you don't need this law.
If there is a valid reason to have the evidence being asked for, current laws against obstruction suffice.
That means the only logical extension that this law provides is police can go on a fishing expedition by demanding keys and maybe they will turn up evidence they had no probable cause to be looking for in the first place.
If the law requires that demands for keys can only be made in connection with probable cause that evidence is decrypted, then current laws against obstruction already cover this!
First, I also don't know how they can get past the "I can't remember" or "I don't know" answers.
Second, there might be a little smoke screen here. "You must give us your keys because otherwise we could never break in!" Yeah, right.
Obviously, you do not read. But I figured someone would be an idiot.
First of all, we are discussing UK law. Second, I posed the same issue under U.S. law. If you think the authorities don't have the legal and moral right to subpoena evidence that doesn't incriminate you, then you are the naive one. Good luck with your contempt of court proceeding when you refuse to testify.
How do you prove that you do NOT have the key for an encrypted file that was put on your hard drive through a browser vulnerability or sent to you by mail?
How do you prove the NON-EXISTENCE of anything?
Simple enough. Encrypt your files using a key-length equal to that of the document. Then create another key that, when applied, decrypts the document into some completely innocent text. Keep the real key hidden in a safe place, and the bogus key on the machine. Give police the bogus key and let them decrypt your files (only to find your personal poetry or the like). Now you have fully cooperated with their investigation and they have found nothing. Pointless law.
Let M be the message you want to make secure.
Encrypt M with *your favorite crypto system* to produce M'.
Insert decryption key after N bytes (memorized this number) to make M''.
Create a zip file (A) of some innocent files so that it is the same size as M''.
Create a one-time pad (P)
XOR M'' with P to create E (doubly encrypted).
XOR E with A to create P'.
Save E on your hard drive.
Burn P and P' to CDs.
Store them in separate secure locations.
If asked, give the authorities P'. They'll only get the innocent files.
@Too Funny: "Keep the real key hidden in a safe place..."
If you have a safe place that is capable of storing a key with length equal to the document, you could as well store the document itself there... ;-)
Oh, same thing goes to Damon: Just store the sensitive data itself at the place where you store the "real" one-time-pad.
Not necessarily true. Suppose the key is "hidden" on the Internet. I might, for example, take any number of static web pages and combine them with an easily remembered "salt" to create my real key. This makes the key easily available to me wherever I happen to be at the time. Not quite the same as storing incriminating files out on the web where they might be discovered.
There are two problems with the UK law:
(1) You can be forced to surrender your (decryption) keys; and
(2) You can be obliged to remain silent.
There is nothing intrinsically wrong with a law that forces you to decrypt your data on production of a court-issued warrant. This is consistent with physical-world law regarding access to property (including safes) in response to a warrant.
The problem with surrendering keys is that it gives police access to a much wider scope of information than may have been provided for in a warrant, and it allows forgery of evidence (sign a message with your keys).
The problem with a gag order is that your rights, or the rights of others (e.g. in a business that should disclose possible privacy violations) may be infringed by the gag.
The passing of this law (and its work-in-progress equivalents in South Africa and elsewhere) demonstrates the need for a middle ground between the privacy fundamentalists and the fear mongers: There *does* need to be a law addressing the problem of evidence hiding by means of encryption, and the political and legal spheres recognise that. If privacy fundamentalists argue (as they have done) that all disclosure requirements are flawed, then they lose the debate before it even begins. If on the other hand a moderate approach is taken, arguing that certain forms of disclosure are inappropriately broad or have problematic consequences (e.g. surrendering of keys) then a practical middle-ground can be reached.
How unfortunate that they finally got this one through -- I remember discussing the RIP legislation back in January of 2000!
I remember in particular talk of how easy it would be to frame someone for this "crime". Simply leak a PGP-encrypted message to the police with a key identifying an individual for whom you'd like to cause trouble, and perhaps a hint that the message refers to an illegal act. How can you defend against the request for the key? Guilty, until proven innocent!
I think the difference between requiring you to decrypt and turn over plaintext, and requiring you to provide the keys, is an important one. One place where it makes a big difference is the ability of the police to falsify evidence.
If they can compel you only to decrypt documents that are encrypted and signed with a public key algorithm, they can verify the signature with your public key to make sure you're not fooling them, but that's it.
If they can compel you to turn over your private key, that's a whole nother ball of wax. At that point, they can create arbitrary incriminating documents, and sign them as you, applying any date they want to the signature.
In addition, they may be able to use your private keys to carry on conversations as you, entrapping your friends, or effect a destructive reputation attack against you.
Mmm--statute? Unless that's some funky British spelling.
Well if you only have obstruction of justice, then the "real" crime may go unpunished.
If someone is willing to take an obstruction charge, then it's logical to assume that what they are obstructing is an even bigger charge .. otherwise why would they? (Leaving left leaning pinkos aside for a moment).
Maybe my choice of the word "Society" was incorrect, what I meant was that "You" can't claim "new" rights by using technology.
Supreme court used a similar argument in the recent patent case.
"I called them 'The Four Horsemen of the Information Apocalypse'"
This is a technical misuse of "apocalypse", although I recognise the meaning of the word has already been degraded to nonsense.
"Apocalypse" means "unhiding", i.e. "revelation". It is the name of the last book of the New Testament--in full "Apocalypsis Ioannou", the "Revelation of John", which is John's document of the particular visions he received while in exile on Patmos. The ultimate battle and destruction of the world described in these visions is not "the apocalypse"; it is the Armageddon. An apocalypse is a revelatory vision, not the particular events witnessed. The four horsemen Schneier refers to are so named because of their appearance in John's document.
The word is, however, oddly appropriate in this context, though I suspect not in the way Mr Schneier intends. Perhaps I don't give him enough credit.
If I were a British cop, I could put an encrypted file onto a laptop's hard drive, then claim the computer belonged to Tony Blair. Then I could arrest him and hold him until he gave up the key, or died first.
This gets around all habeas corpus rulings, the idea of being allowed to challenge witnesses, and every other legal nonsense.
The ugliest fallout is likely to come when someone appears to be cooperating, but the provided keys don't work. I have quite a few passwords that I have used over the last many years for various security purposes (and quite a few mechanical permutations to tweak them for better security). If I hand the legal system thirty possible passwords for an encrypted file that they found on an old CD and another twenty possible permutations on each password (and I've done this on occasion myself with my own data) and none of these results in a usable decrypt, how are they going to convince anyone that I haven't cooperated? Further, if they do get a conviction, it is very likely (at least in my case) that the file contained information of little value (often encrypted archives of old source code that was relatively sensitive at one time...years ago) and I have truly forgotten the password for the key block but retained the media as there are other items on it that are still of use. The chances that someone who is genuinely trying to cooperate will be sent away for years over an old file containing junk data seem terribly high.
> If I were a British cop ...
> I could arrest him and hold him
I think somebody might notice it if you arrest Tony Blair, and somebody might decide to look into it a little.
And then you won't be a British cop anymore.
Folks, and Bruce, what the heck is the problem?
At least two of the three initial news sources cited (I didn't read the third) include verbiage like this:
>Section 49 of Part III of RIPA compels
>a person, when served with a notice,
>to either hand over an encryption key
>or render the requested material
>intelligible by authorities.
This is no different to someone with a warrant for a safe, house, or business records. Hand them over, or give us the combination to enter.
You can't get away with simply standing in front of your door and stamping your feet in the face of a search warrant or subpoena.
The law doesn't require you hand over the keys, providing the requested documents is sufficient.
As I understand U.S. law anyway, in criminal cases, you don't have to reveal the existence of a safe. But you can be required to allow access to it once the authorities discover its existence.
So make sure you exercise your 5th Amendment rights and not reveal the existence of plausible deniability partitions in the first place.
I always thought it was Tim May who first coined the "Four Horsemen of the Infocalypse" [sic] back in the early 1990s.
> "Apocalypse" means "unhiding", i.e. "revelation". It is the name of the last book of the New Testament--in full "Apocalypsis Ioannou", the "Revelation of John", which is John's document of the particular visions he received while in exile on Patmos.
But if you read past the title to the first verse you find it is the revelation of Jesus Christ.
And John was in Patmos, not on it.
"Well if you only have obstruction of justice, then the "real" crime may go unpunished."
What is the difference? Let's say you had a document in a safe that was material to a criminal case, but does not implicate you of any crime.
You will be obligated to turn that over if a valid subpoena is issued.
Let's say there is NO law requiring the turnover of encryption keys. I see no reason why the same obligation doesn't apply to an encrypted document. And I also see no reason why the Court could not appoint a special master to verify that you have indeed turned over the actual plaintext under today's laws against Obstruction of Justice.
There is no added benefit to a law that makes it illegal to refuse to turn over encryption keys, even if such law only applied to valid subpoenas.
If exposing the document would cause you to incriminate yourself, you have to cite the 5th amendment. There is no question that doing so immediately brings police scrutiny, because you have put up a glowing neon red flag. However, in theory, the authorities are now supposed to get that evidence by other valid probable cause (how it really is obtained is a different story).
Now you are defining new courts and procedures .. wonder what is worse?
Chill out .. you aren't making any arguments .. just ranting.
5th doesn't protect you from obstruction of justice which is a different issue .. read some law !
"they may be able to use your private keys to ... attack you"
This is where repudiation is important - at least it lets you say "anything that first appears after this date is compromised". Not a lot of help, but some. Unfortunately there are many situations where this does not help at all, but it does make repudiation even more important.
My other question is about encryption keys that I use but don't have access to. SSL keys are just one obvious example, but any session key will do. If the plod have a log of a session they can demand the keys, but I might not have even the theoretical possibility of accessing them. My reading of the law says I've still committed an offence if I don't disclose those keys.
I thought money launderers, not kidnappers, were the 4th member of the information apocalypse. Still, you're quoting from 1993 - perhaps kidnappers died of a drug overdose and money launderers were brought in as a replacement drummer.
number of my name...> But if you read past the title to the first verse you find it is the revelation of Jesus Christ.
Are you disagreeing with me somehow?
number of my name...> And John was in Patmos, not on it.
Patmos is an island. One typically writes of being on an island, not in it.
"If all through the history it was "ok" for a judge to issue a warrant for search, all the information was there .. unencrypted .. and was available for law enforcement to review."
Except that there have always been some number of people who keep their diaries, accounts and other information in code. And throughout history, all a warrant could get was the diary, account, etc. - it couldn't compel a person to tell the police what it said. This is an erosion of an existing right, rather than some new right which you posit.
>Except that there have always been
>some number of people who keep their
>diaries, accounts and other information
>in code. And throughout history, all a
>warrant could get was the diary,
>account, etc. - it couldn't compel a
>person to tell the police what it said.
>This is an erosion of an existing right,
>rather than some new right which you
Now that is an argument that could persuade me with more development.
Let's ask this next logical question:
Would it be reasonable to demand the digital equivalent of a physical item -- the "something you have" such as a keyfile -- but unreasonable (under self-incrimination) to demand the "something you know" in the form of a passphrase?
Taking bob!!'s point that you could always be compelled to hand over physical items -- like safe keys or diaries, but not to provide the cipher for coded text within them, it's an interesting mental exercise.
@Too Funny: Surveillance of your internet connection will easily reveal those files, so the only secret thing that remains is the salt - which you would be required to turn over.
I don't think that you describe a sensible way to construct a one-time-pad, sorry...
I concede that paedophiles often use fairly standard encryption to cover up their unsavoury activities.
But does anyone know of a single case where terrorists (or freedom fighters) or hardened criminals have used sophisticated encryption techniques?
Excluding of course the RIAA's feeble attempts and the gibberish pseudo-encryption of the Unabomber.
To all the comments above of the form "they can't prove you haven't genuinely forgotten the key":
You're overlooking a particularly odious part of this law: you aren't presumed innocent until proven guilty.
Under this law, the authorities need only "show" that you had the key at some point in the past. You are then presumed still to have it, unless you can actively produce evidence that you don't. [This is in section 53 (2) in the Act, which is linked to from the first article and one of the earlier comments.]
So if you've simply forgotten the password, you go to jail for not disclosing it/decrypting the data with it.
(I'm not sure if they even need to prove beyond reasonable doubt that you once had the key -- they only require "reasonable belief" to issue a demand for the key in the first place [section 49 (2)]. It would seem odd if they could ask for the key with just reasonable belief, but couldn't then prosecute if you simply said "no".)
@sooth_sayer: "It's an important law, without it 9/10 of the crimes of the 21st century will be not be prosecuted."
Nonsense, nine-tenths of the crimes of the 21st century will be minor assaults and thefts, the same as always. This law might be relevant to a few crimes, but even in this century the vast majority of crimes won't depend on decryption to solve.
> Yet the law, in a strange way, almost gives criminals an "out," in that those caught potentially committing serious crimes may opt to refuse to decrypt incriminating data. A pedophile with a 2GB collection of encrypted kiddie porn may find it easier to do two years in the slammer than expose what he's been up to.
It is always the same old story: by generally and a priori accusing a broad bunch of people a government just won't hit the real criminals.
But try to see it this way and it will make perfect sense: laws like these are never intended to protect people from criminals. They are rather for "cutting back" people's most basic civil rights!
It has much to do with globalization: leaders of "modern" capitalist industrial nations don't want democracy any longer. It's not good for doing business if the working class has too many rights and stands up for them. Today it is "go to work, shut up, be calm, pay taxes, consume, obey, watch brainfucking gameshows!". Ora et labora - and the god you are supposed to worship is called "mammon"!
@Too Funny: "Keep the real key [one-time pad] hidden in a safe place..."
@Damon: [summary: encrypt the message with both a conventional cipher and a one-time pad, create a fake one-time pad that decrypts the ciphertext to an innocent message, and give the fake pad to the police when they demand the encryption key]
@Paeniteo replied: "If you have a safe place that is capable of storing a key with length equal to the document, you could as well store the document itself there... ;-)" ... "same thing goes to Damon"
Damon almost had it, but then over-complicated it a bit! :)
You can encrypt the message with just the conventional cipher, and create the fake one-time pad to give to the authorities. You don't need the "true" one-time pad at all.
The conventional cipher will have a 128-bit key (or whatever), which *can* be stored securely (e.g. hashed long passphrase). And although the (fake) one-time pad would be hard to store securely, you can store it as insecurely as you like, as it doesn't decrypt any genuine secrets.
First a question: A TrueCrypt device, e.g. a complete hard disk used as container, does it show that it is encrypted?
At least from the device manager's point of view it is simply an unformatted disk.
Second: All these futile efforts show one thing: governments are scared to death by encryption.
Because with encryption computer data are as safe as your very own thoughts and the only way to get both is torture.
(And western governments still resist using that on most of their own citizens)
Matt from CT: "The law doesn't require you hand over the keys, providing the requested documents is sufficient."
That's not always true.
Under some circumstances, it is indeed adequate to provide the plaintext of the encrypted information, and keep the keys to yourself. However, section 51 of the Act gives a set of conditions whereby you can be required to hand over the keys themselves. (Basically, it needs a higher-ranking person to demand keys, he has to have a reason for simple decryption not being enough, and such a demand gets logged with the appropriate Commissioner.)
Also, section 50 (3) says that if you can't provide a decrypt because you don't have the ciphertext, then you have to hand over the key. So if the police have impounded your computer and demand that you decrypt a file on the hard drive, you're going to have to give them the key. (And if the key is itself derived from something on the hard drive, you aren't going to be able to use that to avoid giving up the key, because sections 50 (8) and 50 (9) together say that if you don't have the key but know how to get it, you have to tell them how to get it.)
Incidentally, sections 50 (8) and 50 (9) also require you to tell them how to use the key to decrypt the document, in case you use your own proprietary cipher and want to say "here's the key, good luck working out what to do with it".
@TheDoctor: "First a question: A TrueCrypt device, e.g. a complete hard disk used as container, does it show that it is encrypted?"
No. It is completely indistinguishable from random data. No headers, "magic numbers" or the like...
Without the correct passphrase, even the Truecrypt software itself cannot tell whether a file is a Truecrypt volume.
@wm: "You can encrypt the message with just the conventional cipher, and create the fake one-time pad to give to the authorities. You don't need the "true" one-time pad at all."
Now... this is definitely an interesting idea!
@wm -- thanks, those are points that certainly were not clear in the news articles cited!
@wm: Thanks for the suggestion. I'm guessing you're suggesting the revised protocol would be:
1. Encrypt a cleartext M to produce M' using a memorized passphrase.
2. Create a zip file A of innocent files the same size as M' (may need to pad one or the other).
3. Store M' on your hard drive.
4. XOR M' with A to produce E.
5. Burn E to a CD and produce it if asked for the keys.
I do see one potential problem: M' would have to look like a one-time pad. No headers or regularity allowed.
Nevertheless, such a method just goes to show that the truly paranoid will be able to avoid any threat from this law. The vast majority of users (even illicit ones) will not be disciplined enough to maintain such habits.
What is more interesting to me is the point discussed by Bob!! and "Matt from CT":
Is the 5th Amendment recognition of a skull barrier? If it is inside your head, you can't be forced to produce it to be used against you? What happens when we start having digital storage inside our bodies? Or when scanners become better at decoding thought? Or minds can be copied?
No *new* rights? In the U.S. it's called the 9th and 10th amendments.
So obviously countered, wonder what the UK is really trying to accomplish. Just encrypt, hide (steg), and encrypt the result. Have the keys for the final encryption ready to provide...
"terrorists, drug dealers, kidnappers, and child pornographers"
terrorists, drug dealers, kidnappers, child pornographers, and corrupt governments.
two points, one to the merits, one to style (?)
i) Suppose one kept one's records in a language the police did not understand. Is one obliged to translate? I think not.
ii) I think the current 'four horsemen' (of doom, whether properly styled the Apocalypse or otherwise) are terrorists, drug dealers, child pornographers and internet gamblers - though money launderers are ready as substitute horsepersons if required. (maybe there's been a 25% inflation in the number of the horsemen since John the Revelator wrote.) All violations of normal civil liberties may be justified (are routinely justified by police in several countries) to combat these evils.
How can the Police tell if something is encrypted data ?
Suppose I write a program which is a stress test & does something like write a pile of random data to a file, read it back and check it is the same. How does one identify the produced file as "encrypted data" ?
Some programs encrypt automatically - if you post something using ASP.NET you get encrypted stuff in the URL which is state data, am I supposed to know the key for this ? Surely I can't, because if I could MS's security is dead ?
Essentially there is no difference between court order requesting key for physical or computer vault.
From the first time I read through the RIP Act (then it was just a Bill) I was horrified. Both the Orwellian label ("*regulation* of investigatory powers" - when much of it removes the spooks and police from regulation and oversight by the courts) and its content.
The provisions seem to be a carefully honed legal attack that is designed to obtain key material from those guilty solely of having secret keys to protect. It's almost a perfect weapon against PKI. The UK was at the forefront of mass wiretapping - In the 70s they intercepted all telephone traffic between Britain and Ireland - without warrant. In the 80s the UK government broke their own laws to permit the wiretapping of *thousands* of people with a single warrant. In the 90s they reclassified many of these "subversives" (their political opponents) as "terrorists" to continue their illegal surveillance. Now, they have GTAC to tap the net on a massive scale. The secret state grows and grows and the so-called "peace dividend" proved to be entirely fictional.
The UK also permits massive US surveillance of the domestic telephone and Internet communications. None of that is subject to warrant and yet the results are available to the UK under the reciprocal UKUSA arrangement. It seems likely the NSA allow some UK intercepts of US traffic to allow NSA to evade the legal constraints on wiretapping at home.
Why are they so invested in large-scale surveillance? Democracy is now devoid of democratic content but simply names the economic interests of Western elites. They fear that the working class will see whose interests are being represented and seek to change the situation. When that happens - as it is beginning to in Venezuela - the "democratic" governments seek to quash the movement of millions by lies, subterfuge and force.
@Damon: "I do see one potential problem: M' would have to look like a one-time pad. No headers or regularity allowed."
Yes, that's an excellent point.
It shouldn't be too difficult to get hold of an encryption program that doesn't add any headers, as they're not in the least necessary. I guess you could test this by generating a message one byte short of the block size (you need to make it shorter than the block size because block ciphers generally pad their input to the next *strictly-larger* multiple of the block size), and ensuring that it only grew by one byte under encryption.
I'll address regularity in a moment...
I'm assuming a block cipher because you can use the same key for all messages. With a stream cipher, you would need to use a different key for every message (see http://en.wikipedia.org/wiki/Stream_cipher_attack ), which would be much less convenient.
Following on from my above post...
With regard to regularity, there shouldn't be any regularity in the output bytes themselves (otherwise you want to be looking for a better cipher), but I guess the police might get somewhat suspicious if *all* your messages "just happened" to have lengths that were an exact multiple of the AES block size (or whatever cipher you're using) when you're claiming to be using a one-time pad.
However, this is easy enough to fix once you are aware of it. Probably the easiest is to append some random bytes to the end of the ciphertext after encryption. If you make the number of appended bytes a random number uniformly distributed between zero and one-less-than the block size, then
(1) you'll completely kill the message-length regularity; and
(2) you won't need to remember how many bytes you've appended to a given message -- you just need to truncate it back to the next multiple of the block size to get back to the original ciphertext.
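The steps in Damon's protocol above, together with wm's random-tail trick for hiding the block-multiple length, worked through as an added example (not code from the thread). The conventional ciphertext M' is stood in for by fixed random-looking bytes, since the point being shown is that a "pad" can be chosen after the fact to map the stored file to any cover text of the same length; the block size, the space padding of the cover and all function names are assumptions of this example.

```python
import hashlib
import secrets

BLOCK = 16  # assumed block size of the conventional cipher (AES-sized)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def disguise_length(ciphertext: bytes) -> bytes:
    """wm's fix for length regularity: append 0..BLOCK-1 random bytes so the
    stored length is no longer a multiple of the block size."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be a whole number of blocks")
    return ciphertext + secrets.token_bytes(secrets.randbelow(BLOCK))


def strip_tail(stored: bytes) -> bytes:
    """Recover the real ciphertext: truncate back to the largest block multiple.
    Nothing about the tail length needs to be remembered."""
    return stored[: len(stored) - len(stored) % BLOCK]


def make_fake_pad(stored: bytes, cover: bytes) -> bytes:
    """Damon's step 4: E = stored XOR cover. The cover (any innocent bytes)
    is space-padded up to the stored length, so it must not be longer."""
    if len(cover) > len(stored):
        raise ValueError("cover must not be longer than the stored file")
    cover = cover.ljust(len(stored), b" ")
    return xor_bytes(stored, cover)


def apply_pad(stored: bytes, pad: bytes) -> bytes:
    """What a party holding the stored file and the surrendered pad obtains."""
    return xor_bytes(stored, pad)


if __name__ == "__main__":
    # Constructed stand-in for M': 64 random-looking bytes, four blocks.
    m_prime = hashlib.sha256(b"constructed stand-in for M'").digest() * 2
    stored = disguise_length(m_prime)            # step 3, with the tail added
    cover = b"shopping list: eggs, milk, bread"   # innocent A
    fake_pad = make_fake_pad(stored, cover)       # step 4, E
    print(apply_pad(stored, fake_pad))            # the cover text, padded
    print(strip_tail(stored) == m_prime)          # True: real ciphertext intact
```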
The probably easiest way to avoid ciphertexts produced by block ciphers being a multiple of the block size is to use "ciphertext stealing" instead of padding.
Anyway, headers are quite common for encryption programs. If, e.g., they offer several algorithms, the choice of algorithm is usually somehow encoded into the ciphertext.
As a rule of thumb: If the decryption program can distinguish between these two cases:
- "You entered the wrong passphrase."
- "This is not a XYZ-encrypted file."
there must be a header.
How can the Police tell if something is encrypted data?
And, by the same token, how can the police tell if something that looks like encrypted data isn’t encrypted data?
For instance, many ‘secure file deletion’ programs will overwrite a file with bytes from a PRNG (pseudo random number generator). If the PRNG is half decent, its output will be statistically indistinguishable from ciphertext. So, imagine a situation where the authorities seize a hard drive and subsequently discover what appears to be ciphertext hidden away in the free space. The authorities demand the key. The hapless owner can’t provide it. The police interpret this as refusal to comply. Unless the owner can prove that the ‘ciphertext’ is nothing of the sort, he’s in trouble.
Of course the solution here is to ensure that any file deletion software uses a zero (blanking) overwrite for the last pass. But honestly, isn’t it ridiculous that law abiding citizens should have to think of such things in order to protect themselves from their own police force?
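The comment above argues that a decent PRNG's output and ciphertext are statistically indistinguishable, so a triage tool can flag "high-entropy blob" but cannot tell a wipe pass from an encrypted file. This added example (not code from the thread) runs a byte-entropy check over three constructed samples: plain text, the same text XORed with a SHA-256 counter keystream as a stand-in for a headerless cipher, and a Python PRNG wipe pattern; the sample text, the threshold and all function names are assumptions.

```python
import hashlib
import math
import random
from collections import Counter


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniform bytes)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_random(data: bytes, threshold: float = 7.9) -> bool:
    """Crude classifier of the kind a forensic triage tool might apply."""
    return byte_entropy(data) >= threshold


def keystream_xor(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a headerless cipher: XOR with a SHA-256 counter keystream.
    Not a real cipher design; it only produces uniform-looking bytes here."""
    out = bytearray()
    for ctr in range(0, len(plaintext), 32):
        ks = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[ctr:ctr + 32], ks))
    return bytes(out)


def prng_wipe_pattern(seed: int, n: int) -> bytes:
    """Constructed stand-in for what a PRNG-based wipe pass leaves on disk."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample text, about 4 KB.
TEXT = b"Minutes of the allotment society meeting, nothing to see here. " * 64


def compare() -> dict:
    """Entropy of each sample, rounded to three decimals."""
    samples = {
        "plaintext": TEXT,
        "ciphertext": keystream_xor(b"constructed-key", TEXT),
        "prng_wipe": prng_wipe_pattern(7, len(TEXT)),
    }
    return {name: round(byte_entropy(d), 3) for name, d in samples.items()}


if __name__ == "__main__":
    for name, h in compare().items():
        print(f"{name:10s} {h:.3f} bits/byte")
```

Only the plaintext falls well below the threshold; the keystream output and the wipe pattern both sit just under 8 bits/byte and this test cannot separate them.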
Interestingly, TrueCrypt volumes already allow for a 'fake' partition, so that you can give someone a key under duress, and it looks like a valid decryption to them.
And truecrypt volumes don't have to have headers.
Incidentally, what happens with asymmetric encryption? I can't decrypt things I've encrypted to go to someone else.
The U.K.'s new cryptographic key disclosure law has opened up the possibility of a new industry to circumvent such laws - civil key escrow. No one knows the entire key needed to open an encrypted file, and multiple entities must consent to that action. If but one of these entities is beyond the control of those attempting to force the disclosure of the key, the file remains encrypted.
To protect one's cryptosystem from enforced exposure, one may obtain the services of an agent beyond the control of the government attempting to force disclosure. The key is broken into two parts, and the separate parts given to the authorized user, and the escrow manager. Neither has sufficient knowledge of the key to open the cipher.
To open the cipher, the authorized user must first contact the escrow manager, authenticate to them that he is who he claims to be, and then the key is made available to the crypto device only. Once the session is over, the file is reenciphered with a new key, and the two fragments given to the user and escrow manager for the next session, preventing a government from recording the session and spoofing session by sending the recorded key fragment that may have been enciphered.
Authentication may have many parameters and outcomes, predetermined by the user of the escrow service. Some of the parameters that could be used are:
1. an individual included in a set of individuals authorized access;
2. requests only from a specific location (telephone number, internet terminal, etc.), time window, communications channel or similar parameter;
3. possession of a physical item or device, such as a smart card;
4. monitoring of the escrow user's independence via a means outside of the control of the user or those that may want to force disclosure of the key.
Failure to meet any of these parameters would result in actions ranging from being given a second chance or a timed lockout to the destruction of the escrowed key. This would greatly delay the access of those attempting to force disclosure of the key. To slow the forced access further, multiple escrow services, independent of each other, could be used.
The one great weakness of this scheme is that it is possible for the escrow user to be held in violation simply by using the escrow service. A possible means to avoid this is to break up the file during encryption into several fragments. To decipher the file, the majority of files must be in possession of the individual wanting access. Essentially, the cipher becomes an error correction code, with the fragments widely separated to prevent the loss of more than the critical number of file fragments. Sliding the distribution of bits between fragment files, known as interleave, would further improve security.
The escrow services would hold more than the critical number of missing file fragments, and handle these as they did the key fragment(s) above. The cipher and all its keys can be disclosed, but without a sufficient number of file fragments, decryption and recovery of the original file is not possible. Compliance of key disclosure has been met, and security maintained.
Such a scheme would be effective against such government actions such as the French have been rumored to use. Messages are transmitted in many fragments over multiple channels, and again the decryption and recovery requires that a sufficient number of these fragments be obtained. By using multiple channels in a random way, with anonymizers used to obscure the sender and recipient, knowing the cipher and its key(s) is of little use. In fact, the encryption could become superfluous.
Obviously, these schemes require considerably more work, as they were thought up in just a few minutes. They should, however, give others the seeds of ideas that would render useless the actions of those who would deprive individuals of their privacy. Think of silver lamé clothing to thwart the electronic strip-search at airports.
@Paeniteo: "headers are quite common for encryption programs"
Indeed. I probably wasn't as clear as I could have been, but I meant that it should be easy to find a program that doesn't use headers, even though you'll have to pick it out of a load of programs that do.
@Paeniteo: "The probably easiest way to avoid ciphertexts produced by block ciphers being a multiple of the block size is to use "ciphertext stealing" instead of padding."
Ah, thanks. I hadn't come across that technique. (Or maybe I just forgot it; it's been a while since I read Applied Cryptography, if it's in there.)
Continuing my earlier thoughts on eliminating regularity in messages you've encrypted with a block cipher but are claiming to have used a one-time pad for...
You're going to want to use CBC mode rather than ECB mode ( http://en.wikipedia.org/wiki/... ), as it's very likely that the same plaintext block (e.g. 128 bits of zeroes) will appear by chance either in two different messages or twice in a single message. If you were to encrypt the messages using ECB mode, you'd get the same ciphertext at these points, and you don't want that. That would be a clear indication that you *didn't* use a one-time pad like you're telling the police you did.
Even with CBC, you'd need to make sure that every message was encrypted using a different IV, otherwise two messages with the same first block (e.g. a common header) would still encrypt to the same first block of ciphertext and give the game away. And you'd need to remember what IV went with each file, although the IV doesn't have to be secret (it doesn't help an attacker who doesn't have the key). But you would need to conceal the fact that there *is* an IV associated with the message, as that would again contradict your one-time pad claim. Possibly you could use the (hashed) filename of the message, if you're storing it on disk with a fixed filename. (Best to include the entire directory path in the filename, if this is also fixed, in case you use the same filename in different directories.)
I've read the entire thread and I was wondering...
Obviously the wording of the law is ridiculous in demanding the user to hand over his/her keys, but all the problems associated with faking the user id would be solved simply by revocating the key before handing it to the cops, or wouldn't they?
@Antonio: "revocating the key"
Umm, well, apart from the fact that symmetric keys and passwords cannot simply be revoked, revocation does not technically destroy the key. It is more an administrative function.
For example, in GnuPG, you will always be able to decrypt your data even if you revoked the key. Others won't use the key for encryption anymore but not because of technical reasons but because of a simple "don't use me anymore" flag associated with the key.
In fact, with some fiddling, it should be possible to un-revoke a GnuPG-key.
@wm: If you want to go to CBC and therefore need IVs, you could consider stream ciphers again, too.
I would not use the filename for an IV. Just take a number of pseudo-random bytes and prepend them to the ciphertext. While, technically, one might call this a "header", this won't aid in identifying the file as ciphertext as the IV will just look as random as the rest.
Of course, if you use 16 bytes as IV, all files shorter than 17 bytes can be ruled out as ciphertexts but that does not seem to be a serious limitation.
This effectively tries to outlaw possession of noise (digital or analog all the same), which is
1. Indiscernible from encrypted data
Good luck UK gov
Since programs that produce "clean cipher-text" were mentioned in a number of posts, I point out for those interested a Blowfish file encryptor to be found here: http://tinyurl.com/43jor
Giving a passphrase which exists only in your mind seems tantamount to self incrimination. Whatever happened to the right to remain silent? Maybe it isn't a realistic example, but we seem to be getting closer to the time when the police will be able to say "we know you're guilty and if you don't tell us so we will put you in jail for five years for failing to tell us so even though we have no proof." Guilty until proven innocent. Wrong direction to go.
Just a weird thought ...
If I have to hand over an 'intelligible' form of a encrypted file, can I give any paper document (of course, unrelated to the encrypted file)?
I could say that I do not have the key, but I do have the plain text (in paper). How is someone to refute the claim?
Some years ago you put us in your famed 'dog house' for our claim to base encryption security on equivocation on top of intractability. You ridiculed our peer-reviewed publications, and our US patent 6,823,068. And quite a few of our present clients have quoted you to me, you being such an authority. But like most new ideas, it takes time. Our encryption-on-demand service, on YouDeny.com offers encryption deniability, which is the ultimate answer to any request for encryption key. Would you grant us another look?
Linux LIVE CD.
Puppy linux -has mozilla firefox built right in.
Runs right from the CD/DVD.
No hard drive needed.
Here's a specific case that highlights the issues:
UK jails schizophrenic for refusal to decrypt files
"Exclusive The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record."
So why is it, the NSA - Endorse && Promote the use of Encryption to the Standard of FDE - Full Disk Encryption for Average home Users in their own Information Assurance Mission published April 2011.
Yet border agents & customs officers retain the power to Seize such a device, secured no less than with their own Security Policies, this is clearly a case of double standards.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.