Is it time to ban encryption?
by Flash Wilson, October 4th 2001
Since the events of September 11th in the USA
there have been many discussions and newspaper columns suggesting that
the encryption of internet traffic should be banned or moderated.

For example, this editorial in The Observer says
"We object to proposals to intercept every email, bank transaction and
mobile phone call. Generalised surveillance of this type is typified by
its uselessness as an effective line of defence, but enormously and
unnecessarily increases the power of the state." The author suggests
that encryption should be banned, except for legitimate
users, whose keys should be escrowed.

Security Focus has a good
column against this, and
there are people in many forums making educated arguments;
the basis being that there is no way to police it, and terrorists will
continue to use encryption and generally do as they please. I am unsure
whether other columnists avoid the technical arguments through lack of
understanding or inability to convey them to their readership.

Well OK, let's ride with them and see how their ideas might work.

Firstly, let's look at how this might work - an example of how my
daily life as a system administrator might be,
after legislation against encryption has been brought in.
After that, a look at the practical challenges of implementing and
defending this potential legislation.

I go to work, fire up the PC, and read my email. I work for an Internet
Service Provider. I've got a request to change the mailserver record
for a customer's domain. It will only take a minute to do, so I login to
the DNS server to make the change. To login, I use secure shell (ssh)
because other methods send my login details across the net in plaintext,
and we can't risk a hacker snooping them - they would then have access
to affect all of our customers! The software has been changed to allow
me to access the key used to encrypt the connection. They haven't managed
to change it to use one key per user, so it still generates a new key
every time I login. I get the key and dutifully upload it to the
government database. Finally I connect to the
server and make the change - my quick task has just taken twice as long
as it used to. It's also the 143rd key I've uploaded this week. I wonder
how much disk space the government has to hold its database.

A bit later, a customer wants to register a new domain. I need to email
Nominet, and sign with my PGP private key so that they know the request
came from my company. At least there is only one key for that!

At lunchtime, I decide to buy my mother a book for her birthday. If
I buy online I can get it delivered to her house directly, so I open
my browser and hunt for the book. The website I usually use is down.
They were hacked when they didn't have time to test new, but compliant,
encryption software, so they reverted to insecure methods. Their website
now reads that "s1l4s 0Wn J00". I find another booksite and order
with them, although as I haven't used their site before I have to spend
a while setting up an account, only to find I have to come back when
the key that will encrypt my bank details has been lodged with the
government database. They say to allow an hour for the registration process,
but my lunchtime will be over before then. I give up and go to the bookstore,
observing that the government is murdering e-commerce.

Then it dawns on me. What is to stop me using my old software? How
will the government know? Well, they can monitor all my traffic, and
then try to decrypt traffic with all known keys, and then when they
eventually find traffic that is encrypted with an unknown key, try
to prosecute the company or owner of the originating computer. Could
take months, if it ever happens. They still
haven't managed to catch the thief who took my wallet in a pub, so
the chances of the traffic being noticed are slim. And how can they
pin it on ME? I'm pretty confident that no organisation can have the
means to monitor all internet traffic, and I don't see why I should
be a target for their observations.

Suppose that my machine is at a university. It's used by hundreds of
people. It could have been anyone who connected out to another
server. We can't attach keys to specific machines, they have to
attach to individuals or organisations. Yet I don't know who sat down
and connected out from the machine in those five minutes. Yes,
we have logs, but as new users' passwords are distributed in plaintext
they are not hard to steal. Criminals are not going to put their keys
into escrow. They ARE going to find ways to stay hidden as long as
possible.

Simply, there is no way that the government can police the banning
of encryption or the escrow of keys. Responsible users will remain
responsible, and criminals will remain criminal.

Apart from making my life a whole lot messier, banning encryption isn't
going to catch the real criminals at all.

To prove this, let's try a calculation for a minute. 25% of all IPv4 space
is advertised on the internet. Put simply, this means that 25% of
all possible internet addresses are answered by a computer. This
is about 100,000,000 addresses. A few of these will be answered
by the same machine, for example a commercial server hosting
different websites, each with its own address. However this is
easily outweighed by NAT, where several machines are used internally
but all traffic going out to the internet is seen as coming from
just one IP. For example the Department of Health has about 6000
computers and all that traffic appears to come from just one address.
If you want to know which actual computer it came from, you will
have to rely on the competence of the system administrators at
that company to find out, assuming their software makes it possible
to do so. So as a minimum, 100,000,000 computers are on the internet.
Many of these are in the UK. Traffic from others may be routed through
the UK. Some will be making encrypted connections to a computer in
the UK.

All of these will be sending traffic out. Lots and lots of traffic.
For example a server that I do not use very much at all, and which
has no other users, sent out 37 packets of information in a second
while I watched. There is going to be no way that the government,
or even the combined governments of the world, will be able to monitor
all of that traffic. The traffic will not all be encrypted, but
the government will have to monitor it all to find what it wants.

Even if it manages to log a sample of the traffic, the data sent
must now be examined and an attempt made to decrypt the data with
all known keys. Possibly this could be reduced to "all known keys
registered to be used on the originating computer" - although I might
send encrypted mail from flash@gorge.org from any one of several
machines. At a university or large institution, there
will be a large number of users who may use the machines, so there
are a few thousand possible keys which may have encrypted the
traffic. This may or may not be done for "legitimate" reasons, but
the government will still have to decrypt the data to make checks.

If they cannot decrypt the data, the government will now have to
go to the organisation or owner of the computer. Supposing, as I
mentioned before, there are 6000 users, all of whose traffic appears
to come from the same address. The government now requires the
system administrator to check firewall logs and hopefully identify
the computer from which this encrypted data originated. Maybe a
contractor was in that day and he plugged his laptop in on their
network to send an email. Of course, his key wasn't registered under
that company. And you can't expect the government to test encrypted
data with all known keys, surely? There will be thousands of those,
too.

When the government has found some encrypted data that it cannot
read, what will it do? Send a speeding ticket type fine, with 30
days to appeal and say it wasn't you driving at the time? Send
armed police to surround the originator? (As
I can login to an account on a machine in another country and send my
encrypted email from there, that will be impractical, even if the
police from both countries could agree on how to proceed.)

There are other issues we have not even touched on. How will the
government manage to be able to monitor any/all internet traffic?
It could monitor traffic passing through the London Internet Exchange
(LINX) and potentially catch MUCH of it... How will they handle
traffic that appears to be passing between two machines in different
countries and just routing through the UK to get to its destination?
How will they deal with traffic traversing an encrypted connection
between the UK and one other country? How can they be certain that
when they have the ability to snoop and decrypt traffic, that hackers
will not be able to? Can we even trust the government to keep our keys
- and all information of ours that they have snooped - secure?

Meanwhile, while you have been reading this, a terrorist could have left
a message under a keyboard in a web cafe, and nobody else would have noticed.

Have a nice day.
This page last updated: 01 September 2022
© Flash Wilson 1999-2010. I charge a fee for use of my photos.