Cryptography

AES may have been broken. Serpent, too. Or maybe not. In either case, there's no need to panic. Yet. But there might be soon. Maybe.

Some of the confusion stems from different definitions of "attack." To a cryptographer, an attack is anything that breaks the algorithm faster than brute force, even if it is completely impractical. To an engineer, an attack is something that is practical, or at least might be practical in a few years. An attack that breaks AES to a cryptographer might not to an engineer. The rest of the confusion stems from not being sure the attack actually works.

AES is the standard encryption algorithm that was chosen by a recent standards process to replace DES, which has been in use for years in both government and commercial environments. If it's seriously broken, it's bad news, since it has been included in the design of most commercial products making use of encryption.

Freedom and security are two essentials that citizens look to the government to provide. Whatever balance is struck, someone will be unhappy. But negative attitudes to the state simply distort the debate.

How to strike the right balance between our privacy and our expectation that the state will protect us and facilitate our freedom is one of the most difficult challenges facing us all. I don't say this lightly. The recent argument about how we regulate official access to communications data was politically embarrassing for the government, serving as a lightning rod for broader public concern about protecting individual privacy, particularly in the light of the enormous growth in mobile phone and internet usage in recent years.

So, the UK view on freedom is "A gift from the government"? "negative attitudes to the state simply distort the debate"? They are subjects, not citizens, and I guess they realize it.

A little more than one month after the Sept. 11 terrorist attacks, public enemy No. 1, Osama bin Laden, predicted that "freedom and human rights in America are doomed. The U.S. government will lead the American people - and the West in general - into an unbearable hell and a choking life."

How right he was. Neither he nor any other terrorist around the world has had to lift a finger against the emerging totalitarian empire state known as the United States.

And, no, this does not refer to the United States of America, although it is the people of the many states that feel the repercussions.

Cheating on income taxes or neglecting to pay sales taxes on online shopping could get you five extra years in prison if the government succeeds in restricting data-scrambling technology, encryption-rights advocates fear. Such a measure, they worry, might also discourage human rights workers in, say, Sri Lanka from encrypting the names and addresses of their confidants, in case they fall into the wrong hands.

Here is one example of the far-reaching harmful effects of these bills. Both bills would flatly ban the possession, sale, or use of technologies that "conceal from a communication service provider ... the existence or place of origin or destination of any communication". Your ISP is a communication service provider, so anything that concealed the origin or destination of any communication from your ISP would be illegal -- with no exceptions.

This is a link to the Texas version of the bill (not yet law).

As this article is being written, more and more people are becoming aware of the intricate surveillance capabilities possessed and used by government agencies and the private sector to monitor the daily communication of law-abiding American Citizens. Whether it be the ease of wiretapping and email capture that was granted under the 'Patriot Act' or the data collection brought about by the Carnivore program, few people can argue the link between personal privacy and personal freedom.

The longest-running court case against the government's encryption 
regulations has come to an end, for now.

The regulations were challenged by Daniel J. Bernstein, a professor of
mathematics, statistics, and computer science at the University of
Illinois at Chicago. Bernstein filed his lawsuit in February 1995 and
won four court decisions against the constitutionality of the
government's previous regulations.

In an October 2002 court hearing on the current encryption regulations,
Department of Justice attorney Tony Coppolino told the court that the
government would not enforce several portions of the regulations.

``I can assure you that the regulatory authority does not want
[researchers who are collaborating at conferences] sending us an e-mail
every time they change something in an algorithm,'' Coppolino told the
court. Coppolino also said that commmercial book publishers and
assembly-language publishers did not need to obtain licenses.

As observers predicted after the hearing, Chief Judge Marilyn Hall Patel
of the United States District Court for the Northern District of
California relied on the government's promises and dismissed Bernstein's
case without deciding the constitutionality of the current regulations.

``If and when there is a concrete threat of enforcement against
Bernstein for a specific activity, Bernstein may return for judicial
resolution of that dispute,'' Patel wrote, after citing Coppolino's
``repeated assurances that Bernstein is not prohibited from engaging in
his activities.''

``I hope the government sticks to its promises and leaves me alone,''
Bernstein said in a statement today acknowledging Patel's decision.
``But if they change their mind and start harassing Internet-security
researchers, I'll be back.''

Ari David Levie, who was convicted of taking illegal photographs of a nude 9-year-old girl, argued on appeal that the PGP encryption utility on his computer was irrelevant and should not have been admitted as evidence during his trial. PGP stands for Pretty Good Privacy and is sold by PGP Inc. of Palo Alto, Calif.

  But the Minnesota appeals court ruled 3-0 that the trial judge was correct to let that information be used when handing down a guilty verdict.

"We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3.

The court didn't say that police had unearthed any encrypted files or how it would view the use of standard software like OS X's FileVault. Rather, Levie's conviction was based on the in-person testimony of the girl who said she was paid to pose nude, coupled with the history of searches for "Lolitas" in Levie's Web browser.

I don't have any sympathy for the defendent, who appears to have been rightfully charged and convicted through real evidence.  But I am concerned by the claim that the presence of PGP software was relevant to this case.  The prosecution apparantly did not allege that PGP was actually used to hide evidence, just that it was present.  It's easy for encryption software to be present, and used for entirely legitimate purposes.  Mere presence does not imply criminal activity.

If there's any doubt about this, consider the case of a web browser.  All modern PC-based web browsers support encryption.  Is that evidence of criminal activity?  Many modern email clients support encryption.  What about that? 

The fact is, encryption technology is just software.  It can hide evidence, but it can also hide things that are perfectly legitimate.  The 5th Amendment tells us we aren't obligated to self-incriminate -- and that means that we shouldn't have to hand over encryption keys upon a police demand.  (I make no promises that a court would agree, of course).  What encryption software can't do is actually hurt anyone.   It doesn't commit crimes.  It's just information about information.

If the mere presence of encryption software is allowed to create a presumption of guilt, or even be included in a trial as "evidence" of criminal intent, then everyone who uses a computer "has criminal intent". 

Even in this case, we don't need silly gyrations around encryption software to catch, charge, and convict.