UK Government Wants a Backdoor Into Windows

REBloomfield writes "The BBC is reporting that the British Government is working with Microsoft in order to gain backdoor access to hard drives encrypted by the forthcoming Windows Vista file system. Professor Anderson, professor of security engineering at Cambridge University, urged the Government to contact Microsoft over fears that evidence could be lost by suspects claiming to have forgotten their encryption key."

China & PGP

[eldavojohn]

Well, to be fair, a few people do believe that Microsoft has a backdoor built into their OS [cnn.com] that would allow the United States Government to shut down all Chinese Government PCs running Windows.

Oh, and there are a few people who also consider encryption a matter of freedom of speech [wikipedia.org].

Funny the U.S. government targets Phil Zimmermann [philzimmermann.com] for three years but hardly raises so much as an eye when an encryption enabled OS is distributed. From Mr. Zimmermann's homepage:

Philip R. Zimmermann is the creator of Pretty Good Privacy, an email encryption software package. Originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread worldwide.

I think that his "criminal activity" was creating an encryption tool that allowed messages to be encrypted beyond what the United States government was capable of deciphering in a timely manner. Does anyone know if this is still enforced? Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.

Truecrypt

[ivan kk]

Let them try.
We have alternatives.
http://www.truecrypt.org/ [truecrypt.org]

What's the point when you have RIP?

[TheEvilOverlord]

I don't really see why the need this anyway.

The government has the RIP Act [wikipedia.org] (Regulation of Investigatory Powers Act 2000) which allows them to detain you, with a press gagging order if you refuse to hand over the encryption key they need to decrypt your data. If you refuse or claim you have forgotton and they don't believe you, then it's two years in gaol for you sonny jim.

They only really got this into law because most people don't understand it. Oh and don't forget that since this government came to power the amount of time they can hold you, uncharged, under the terrorism act has gone from 7 to 28 days... and the police want 90! Yes ninety days, 3 months, 2160 hours!

"Forgetting" your key is an offense

[Colin Smith]

Not turning over the key (for any reason) is an offense punishable by a couple of years in prison anyway.

 

Re:China & PGP

[Your Anus]

In the mid-to-late 1990's the US Government loosened the rules significantly. They recognized that strong encryption is already available outside the US, so export controls are useless. In fact, there is encryption built into the Linux kernel to handle ipsec among other things. The only requirement now is some sort of notice regarding where the encryption product is stored. I'm not sure about commercial products, but the PGP source is exempt under the same rules.

Where will it end?

[NimbleSquirrel]

Not that I would ever buy Windows Vista, but why would I want Microsoft deciding who gets backdoor keys to my machine?

I recall some years ago, someone found supposedly secret NSA backdoor keys buried in Windows98. I don't recall if it was actually proven, but I would not be surprised if the NSA already has backdoor keys in 98/ME/XP and now Vista. Now the British Government wants their turn. Where will it end? Once MS bows to the British, surely other governments will also demand backdoor keys. Who decides which of those governments get it?

Sooner or later, other organisations (like the RIAA and the MPAA) will also want their keys too (if they don't already have them thanks to their DRM chips). Where will MS draw the line? I highly doubt MS would be very open about how many different governments or other organisations really have backdoor keys.

It is easy for us to say that we'll never use it, or that there are other options out there, but I'm more worried for less computer savvy members of the public who think they are buying a secure system. I know most of those users will never use encryption, but this will set another precident that will further erode all of our rights.

Re:China & PGP

[m50d]

Funny the U.S. government targets Phil Zimmermann for three years but hardly raises so much as an eye when an encryption enabled OS is distributed.

Not anymore, they have at last relaxed their restrictions, but they still did for a while - remember Debian nonus mirrors? The weak SSL in versions of IE4 shipped outside the US? OpenSSH having to be developed in Europe? The fact that you still have to download a separate file to get unlimited strength crypto in Java? And officially speaking you still have to notify the US government you're distributing strong encryption.

I think that his "criminal activity" was creating an encryption tool that allowed messages to be encrypted beyond what the United States government was capable of deciphering in a timely manner.

He was charged with exporting the munition - the problem wasn't so much that he'd created said encryption tool as that he'd put it on an ftp where $NASTY_REGIME could get it.

Does anyone know if this is still enforced?

As I said, officially speaking you have to notify the US government if you are exporting strong crypto from the US, and I think you're not allowed to directly export to anyone on their list of bad guys. In practice I don't think they care any more, crypto is so widely available.

Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.

You weren't allowed to export more than 40, and AFAIK that hasn't changed.

Re: Anybody know of a system that works like that?

[karlandtanya]

Yes.
Marutukku [wikipedia.org], pronounced rubberhose. [wiretapped.net]. (or is it rubberhose, pronounced maru tukku? I forget...)

Any politically active programmers out there want to take a crack at maintaining it?

Re:Why?

[mikerich]

This simply doesn't make sense. What prevents an user, using a different tool without said backdoor?

Nothing, but in the UK it is an offence to refuse to pass encryption keys to the Police if you are requested to do so.

This TCP idea doesn't give users access to the keys, so it falls outside of the Regulation of Investigatory Powers Act - hence the supposed need for a backdoor into the encryption system.

Now we just have to wait for the media companies, that lobbied for TCP in the first place, to demand access to the back door so that they can check machines for illegal movies.

Re:Why?

[arivanov]

They will still need the original computer to decrypt the media files as they will not have the TPM modules and the hardware keys to their disposal.

Even if the password is recoverable they will still have to go through a considerably more complex forensic exercise.

I am saying if, because TPM can allow any OS (be it Vista, be it Linux with TPM) to lock down access to any data (and even booting) based on a combination of machine keys and credentials. I can bet that this will be used massively in corporate rollouts to prevent data theft and unauthorised access.

Many of these features are available even now. What scares the police is not the encryption, it is the fact that it all can be locked up and encrypted without user concent on the average machine of John Smith. Automagically...

Re:Interesting Points

[yo_tuco]

"If I remember right, that was part of the reason encryption on OpenBSD was done in Canada."

Read about it here: http://www.openbsd.org/crypto.html [openbsd.org]

From the link:

"The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden."

"When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting."

And a summary of Canada's export controls on cryptographic software here: http://www.efc.ca/pages/doc/crypto-export.html [www.efc.ca]

I don't trust the MS Encryption anyways

[MBGMorden]

I used to use BestCrypt as a means of keeping encrypted volumes, but I found TrueCrypt a while back and have been very satisfied. It's open source, cross-platform, and generally works very, very well. For something as important as encrypted data I want to be able to look at the code myself (and more importantly, I want a lot of other people looking at it so they can blow the whistle on any inappropriate backdoors and such).

Re:China & PGP

[Ctrl-Z]

Yes. See export of cryptography [wikipedia.org] on Wikipedia.

Re:Private Disk

[Anonymous Coward]

"The point is that they might use some obscure algorithm nobody knows - which has no guaranteed strength; thus one cannot rely on it. They can also implement standard algorithms such as AES or DES - but were they correctly implemented?"

It sounds like you haven't done that much research on Truecrypt. It uses industry standard algorithms like Blowfish, Twofish and AES.

For relying that a piece of software does what it says, you have to rely on Peer review.

I understand what your saying and how for business use you want to have some certified but if you do your homework you may find that your're able to place just as much trust if not more in OSS project than you can with closed source commercial projects.

ANyway that's my 2 cents.

Re:Plausible deniability ... nice! not really!

[Rich0]

If you supplied only the first code the system would see a 100MB partition, not 50MB. It would see the 50MB hidden partition as free space, and would begin overwriting it if data were modified.

The algorithm does in fact provide plausible deniability.

Only irreversible hash of password is stored

[Anonymous Coward]

see subject.

Lotus Notes was 'compromised' thus long ago

[maggard]

Lotus Notes was 'compromised' thus long ago. See http://www.google.com/search?q=Lotus+Notes+Swedish +Parliament [google.com].

Re:China & PGP

[deblau]

Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.

This information can be found from the Bureau of Export Administration's regulations [gpo.gov], in particular, the Commerce Control List (CCL), 15 C.F.R. 774 [gpo.gov]. The alphabetical index lists "encryption software" as deisgnation "5D002", and the numerical index places 5D002 under "Information Security - Software". A hop over to that section [gpo.gov] says the following:

Encryption software is controlled because of its functional capacity, and not because of any informational value of such software; such software is not accorded the same treatment under the EAR as other "software"; and for export licensing purposes, encryption software is treated under the EAR in the same manner as a commodity included in ECCN 5A002.

5A002.a.1 includes equipment
designed or modified to use "cryptography"
employing analog principles when implemented
with digital techniques.

                    a.1.a. A "symmetric algorithm"
employing a key length in excess of 56-bits; or

                    a.1.b. An "asymmetric algorithm" where
the security of the algorithm is based on any of the
following:
                              a.1.b.1. Factorization of integers in
excess of 512 bits (e.g., RSA);

                              a.1.b.2. Computation of discrete
logarithms in a multiplicative group of a finite
field of size greater than 512 bits (e.g., Diffie-
Hellman over Z/pZ); or

                              a.1.b.3. Discrete logarithms in a
group other than mentioned in 5A002.a.1.b.2 in
excess of 112 bits (e.g., Diffie-Hellman over an
elliptic curve);

Re:Private Disk

[Anonymous Coward]

> Can someone really good at hi-tech maths come up with a nifty method that will generate the right output for the specified input AND do some background stuff, without getting caught?

Yes. In closed source software, test vectors are useless. But in open source, test vectors provide results that can be fully trusted.

> I understand the idea, but then, if we follow the same logic - how is open source security real security when it relies on methods chosen by the government?

AES was selected in an open process. Rijndael (the algorithm chosen as the AES) was designed by Europeans. Moreover, TrueCrypt does not use only government-chosen ciphers. It also offers Blowfish, Serpent, and Twofish.

Re:Backdoor code

[sconeu]

"plover" gets you out of the emerald room.
"fee fie foe foo" gets your money back from the troll.

Re:Private Disk

[Kjella]

Well, TrueCrypt is freeware and open-source, but there is also another aspect that has to be taken into account - [snip]

Let's try this one more time, closer to how it actually works:

Lots of people come up with crypto ideas - DES in the US, Rijendael in the EU, GOST in Russia. If this a conspiracy, it's a pretty damn wide one. These are published standards, with reference implementations, test vectors and the works. Crypto analyzers from all over the world are whacking away at them, and if you can find a way to crack them you're doing something what most of the worlds most brilliant theoretical mathematicians can't.

The only software which doesn't use open, well-tested algorithms are what we call "snake-oil". From a reference implementation, You don't need to do more than wrap some simple data passing operations around it - I've made such programs myself. So what could in theory happen?

1. Someone could include a backdoor - this is much more likely to happen on a closed source system
2. You manage to subtly break the algorithm during optimization so it'll pass the test vectors, but possibly spill plaintext data in other cases. The chances of these are slim and none, since changing one bit anywhere in any round should lead to a completely different output - ciphertext is supposed to be pseudorandom. Even in the event you did manage to break it, all you probably did was to produce garbled output that can't be decrypted. Important if you care about availability - not much of a security risk.
3. Your program spills data - for example writes the decryption key to swap or a temp file or some other unsafe practise which lets an attacker do an end-run around the entire brute forcing problem. If you are really paranoid, this may be a reason to get a certified program - but most likely not. I doubt they check that much what you do "outside" the algorithm. You'd be much better of to do your own analysis of the key-passing code - which is pretty much the only one you need to worry about.

Re:Private Disk

[null-loop]

You're right about the commercial software bit, check out his "blog", exclusively made up of links to http://www.dekart.com/ [dekart.com] who make a product that is a direct competitor... someone's been suckling at the MS teat. Hmmmm FUD.