Schneier on Security

Clive Robinson • February 10, 2012 5:04 PM

Hmm “Bluegrass” I used to sing a bit of that many moons ago in a little pub in South West London.

My “other half” on seeing the words “Squid’s Beard” had the insensitivity to remark that my beard looks as long as a “Red Devils” (humbolt squid) tenticals, and just as nasty…

Which I’m expected to take as “good advice” however if I was to say remark that her “thatch looked like a birds nest of barbed wire” you can guess where I’d be sleeping tonight and for the foreseable future 😉

This “equality” stuff is very one way…

Clive Robinson • February 11, 2012 4:47 AM

@ MarkH,

Though the specific threat is different, the rather severe security practices described in the article certainly overlap some that have been discussed here.

Sadly apart from the “travel naked” advice the rest of it is not sufficient for most mortals due to the “human problem”…

That is there will always be an emergancy of some type that occurs that will cause most humans to break the rules and then bingo “the enemy is within”.

And if you are a target and fail to respond to the “emergancy” in the way they want then you will get pulled for “walking on the cracks in the street” or equivalent, and it will escalate in one way or another, till they get what they want.

For instance there are many nations you cannot go into or travel through even though you stay on “air side” with encrypted data, and you can go to their prison (and most are a lot worse than you will find in the US) for as long as they wish…

And the problem is if they look at your phone or laptop or USB key, even if it is brand new, you can be sure that there will be a file that you either don’t know about or they will claim contains encrypted data, and you can’t prove otherwise (look up “bible codes” to see why).

But the real joke of it is the comment from an FBI droid about how all the US has left is R&D.

But then fails to make the connection that the most valuable information is on academics and engineers electronic devices when they go to conferances, AND that the Bush instigated behaviour of the likes of the TSA stop engineers and academics coming to conferances in the US so conferances are better attended outside of the US causing US academics and engineers to travel abroad for the confrences “that matter”…

It is something that is not lost on some US academic institutions. As some of the commenters to the NYT article you link to are only to aware, and one gave a nice link,

http://www.princeton.edu/itsecurity/services/encryption/travel/

That has one or two other useful links.

But even if you don’t take the data with you to conferences or “meat space” meetings the Chinese amongst others have another way.

If a nation has a natural resource that is desirable to other countries be it cheap labour or dificult to obtain mineral resources. Then as has been seen with China amongst others, they can offer short term short sighted execs a deal whereby the execs issue a “make it so” order and the company then move the entire manufacturing along with all the trade secrets across to China….

One of the reasons we all buy Far East manufactured TV’s is because back in the very early days of colour television the Japanese made the CRT’s far cheaper than could be made in the US or Europe. And the European and US TV manufactures bought them from Japan. The US and European manufactures of CRT’s could not compete and so stopped manufactutring and in many cases even doing research. So ten years down the line not only was there no CRT manufacturing in the US and Europe, they could not manufacture the new style CRT’s even if they wanted to because Japanese companies had patented all the new techniques…

It’s not lost on quite a few people that the same issue is happening with micro chip manufacturing and just about all forms of telecommunications manufacturing. The question is what do the US and Europe do to reverse the trend…

Oh and for those with “imperialistic intentions” just remember why the Indian national flag has a “spining wheel” in it…

Clive Robinson • February 12, 2012 5:21 PM

@ Jon,

Well-encrypted data is (nearly indistinguishable from random

It should be but… sadly the majority of HD-Crypto software written does not produce “Well-encrypted data” even with just a single user.

The reality is that it is not dependent on the crypto algorithm used so much as on the crypto mode you use the algorithm in, and one or two other things. And a most of the best modes are encumbered by patents presently.

But to do HD encryption properly you have to use multilevel encryption based on which ADT container you are working at.

So you need reliable crypto at the lowest HD level, That is the LBA provides the key at this level.

You then need encryption at the partition or crypto container level.

So far this is all relatively straight forward, however at the next layers up it gets awkward, whilst the user can have their own key for the file contents the file meta data has to be shared, but also kept hidden from other users.

That is each user should only be able to see the files that they have permission to see, but more importantly they should not be able to see the meta data for the files they are not supposed to see, and harder idealy they should not even be able to tell how many other files there are belonging to other users.

This is a hard but not insoluble problem and it needs to be done at either the OS kernel level or at the diskdriver level where the knowledge of the file system layout for file and user metadata is known.

The downside of course is the number of relationships between users, that is no user can be assumed to be fully independant of the others, sometimes files need to be shared. One way to do this is to use a seperate key for each relationship.

For just the simple 1 to 1 relationships the number of additional relationship keys would be 0.5(N^2-N) and these additional shared keys need to be securely managed.

But there is a problem the actual number of keys to be managed is the individual user keys plus the shared keys which gives 0.5(N^2+N) keys with only 1 to 1 relationships, it gets a lot worse with groups. And even with only 1 to 1 relationships the number of keys quickly becomes unmanagable. That is for five users you would have 15keys but ten users needs 55keys and a hundred users 5050keys.

Thus you need to go about things in a different way, the simplest way is to have the file stored on the HD under the “owners key” and for the OS to decrypt as required for the other users. However this means that the OS has to have access to all the user keys at all times which is very bad key managment practice.

And as many cryptographers have indicated key managment is a very hard problem, which we have hardly started in upon.

Clive Robinson • February 13, 2012 4:39 AM

@ Daniel,

Math cannot solve all the problems in the universe. It cannot even solve most national security issues. Asking crypto to solve problems that it was never intended to solve is inapposite

Whilst true on the face of it, we “walking talking monkeys” are a mischievous lot, and like the “curious feline” we find that often our curiosity at what is presented as an impossible problem makes it not impossible from a different view point (Arthur C Clark had an apposite comment about old and venerated scientists).

With that in mind let’s look at your first paragraph,

There is an important distinction between the leakage of data and the interpretation of that data.

Yes and as such it’s like gambling on horses. Finding the correct interpretation is the key to placing a bet with a higher than average probability of success (and before betting tax people did used to earn an income from betting on horse).

Mathmatics can help a lot in this regard which is why the NSA, GCHQ et al invest heavily in mathematicians and engineers with certain skills, as it helps lift the signal from the noise. Which brings us nicely to,

If an interrogator is behaving irrationally there is nothing that crypto can do to solve that problem.

Yes and no, to see why take a big step back and ask why the interrogator is behaving irrationaly from your viewpoint and not from their’s?

Basicaly you are trying to tell them that a collection of bytes that could be just random data or encrypted data is “not encrypted data”. What’s your back / cover story for having “random data” as opposed to “encrypted data” on your hard drive?

For the majority of people it’s far from normal to have random data on their memory devices. So to the interrogator it’s a big red battle flag being waved from a hill top for all to see if they chose to look… That is the random data story is like a bucket with no bottom, it does not hold water.

So even with a good back/cover story the balance of probability comes down very very heavily on the side that says you are not telling the interrogator the truth. So their behaviour is far from irrational, whilst yours is.

But the interrogator can go several steps on from that, because the simple truth is encrypted data gives it’s self away. Simply because it is either “too random” or provides “tells”, when compared to the random data created by “natural processes”.

So that big red flag is now accompanied by a Highland Pipe Marching Band giving full vent to a battle anthem.

This happens because all natural processes have bias of one form or another that can be detected. Data that does not have bias is “too random” and thus highly suspect. But the bias of natural processes has certain characteristics which are markedly different from the “tells” of the incorrect use of encryption. These same “tells” often have sufficient characteristics to identify the encryption software used…

So mathmaticaly the interrogator knows with a quite high probability you are lying no matter what your back / cover story is. So do you realy want to ask who is behaving rationaly or not and push the interogator to the next stage?

Which is why in the past it was better to accept the following facts,

1, You can not hide encrypted data.
2, Having encrypted data is a “State Crime” in many parts of the world.
3, In many parts of the world “State Crime” is treated the same as “treason” and effectivly has no limits on investigation or punishment if required.

And not encrypt any data, and thus not carry sensitive data in any form, or have anything that even remotely looked like it might be encrypted data.

Whilst none of those points have changed, other things have and laws now exist for the high level protection of data, and the fun has started with thel likes of HIPPA and Sab-Ox.

So in the past couple of years companies now quite routinely use FDE of various types for compliance reasons, and quite a few major applications will work with encrypted data files.

So when an interrogator asks you, why raise a red flag by trying to pretend it’s “random data” instead of encrypted data?

It’s better to tell the truth and have done with it, and explain it’s company policy for certain depts, and those traveling off premises / abroad to have “loner laptops” setup that way.

However there is a catch, as I said there is a reasonably good chance that the interrogator who has had the chance to examine the device knows which encryption software has been used and thus knows it’s charecteristics. And even truecrypt etc are not up to the stage of alowing you to say “I don’t know the key” in a fully believable way.

As I said further up the post encryption has to be multilevel working from the disk LBA upwards through the various ADT containers. And most importantly for deniability it has to properly manage multiuser capability with file meta data and this is an asspect most applications fail miserably on as well.

But importantly both the HD level encryption and file level encryption need good key managment systems, whereby it is normal operation for a user “not to know or even be aware of encryption keys”. There are several routes to this one of which is secure tokens.

But we have a long way to go on this, however when it gets to the point where all parts of the system are fully multiuser then plausable deniability on keys becomes the norm not the exception.

If it is normal for the system to only show the user “their files” and not the files of others then it would be hard to show that the user could have any knowledge of the files that they cannot see and are thus ordinarily unknown to them.

Think of it this way, when you as an ordinary user log into your company system as User A you don’t see nor do you expect to see the files of other users. This is standard practice for any multiuser system or OS and even most judges would now accept this, unless you were a system administrator.

We have to move this multiuser concept onto the laptop and into the security tokens, and technicaly there is no reason why we cannot do it, and actually it would not be that difficult to do.

So yes if done properly mathmatics can solve the deniability problem, because all you are trying to do is shift the viewpoint from “single user device” to “multiuser system”. And “multiuser system” already has acceptable “deniability” built in as standard.

Finaly we get onto the “$5 wrench” or tourture issue,

‘Rubber hose’ crypto is a legal problem; it’s not a math problem.

Actualy no, it’s not a legal problem either, the reality is that in most places for soldiers and civilians alike tourture is prohibited by international convention which the majority of countries have signed up to.

Tourture is very much a human perception problem, it’s just dressed up to look like a legal problem for the old “I was only following orders” excuse by politicians frightened by the spector of terrorism as drummed up by the various intelligence agencies.

You can see this by the way certain types of person are exempt from the international treaties. Historicaly spies and traitors are not covered by the conventions and treaties which is why you see so much effort in defining “enemy combatants” who don’t wear uniforms into either the “spies” or “traitors” catagories. This is because some people believe tourture works whilst many others don’t believe it works or it is immoral. Thus the believers have to try and hide the reality of their belief from the rest of society.

And so far the scant evidence is that in reality it obtains no more information than simple face to face chat over a cup of tea by a skilled interrogator. And we have known this since before the second world war, because the simplee fact is there are those who give up information and those that don’t and ‘rubber hose’ techniques has little or no effect on this.

Further that the quality of information from tourture is usually considerably worse than that produced by skilled interrogation. This appears to be because tourture is a feed back process, and that the answers given by the victim are as a direct conciquence of the questions they are asked and the pain inflicted and thus have no other correlation in reality.

Basicaly the torturer’s questions give the victim direction but the pain induces the victim to say anything to stop the pain at that point. Thus as even vaguely related gibberish works to stop the pain at that point that is what the victim will trot out, irrespective of the long term consequences.

It does not appear to matter if the pain is physical or mental induced the result is the victim telling the torturer what they think the torture wants to hear irrespective of if it is true or not (which is why we get so many false confessions).

In practice it appears that most tortures by the nature of their questions give away far more information to the victim than the victim gives back. So if the victim is sufficiently intelligent they can actually stay a couple of steps ahead in the process and “lead the enemy astray”, by the time honoured method of talking a lot by saying very little.

Or another way to look at those that believe in tourture is the only tool they can conceive is a hammer, so to them all their problems look like nails to be beaten down out of sight. Oh and their belief in the effectivness of torture is most probably based on their own fears not that of others.

Clive Robinson • February 15, 2012 4:55 PM

OFF Topic:

It would appear that we just can not get it right with random number generators (no surprise to me) and it would appear that there are a number of broken Pub Key certificates that share one or other of their PQ primes because of it.

The easy to read NY Times article,

http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?partner=rss&emc=rss

Or if you are using a mobile,

http://mobile.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.xml

From the researchers paper slightly ammusingly titled “Ron Was Wrong, Whit Is Right,”,

This is a concern because, if these owners find out, they may breach each other’s security. It pales, however, compared to the situation with RSA. Of 6.6 million distinct X.509 certificates and PGP keys (cf. [1]) containing RSA moduli, 0.27 million(4%) share their RSA modulus, often involving unrelated parties. Of 6.4 million distinct RSA moduli, 71052 (1.1%) occur more than once, some of them thousands of times. Duplication of keys is thus more frequent in our collection than in the one from [12]. This leads to the same concern as for ElGamal and DSA, but on a wider scale

You can get the PDF from

http://eprint.iacr.org/2012/064.pdf

Or if your PDF view barfs on it try,

http://webcache.googleusercontent.com/search?q=cache:N2I5m3Kyd9MJ:eprint.iacr.org/2012/064.pdf+%22Ron+Was+Wrong,+Whit+Is+Right,%22&cd=1&hl=en&ct=clnk&gl=uk

Now as “diceware” gets mentioned so often when random number generation is discussed on this blog you can read the diceware authors take on it at,

http://diceware.blogspot.com/2012/02/was-whit-really-right.html

He thinks the research points to a possible signiture to “malware” fritzing the calls to the random number generator.

Now this is far from a new idea Adam Young and Moti Yung proposed this and other ideas to fritz PQ pairs back last century under their ideas for “Cryptovirology”,

http://www.cryptovirology.com/

Whilst I would not rule it out (I’ve done similar things myself as I’ve indicated in the past on this blog) it’s more likely to be poor programing in some code library software engineers are using virtualy sight unseen.