Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
EU Encryption Privacy The Internet Technology

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk) 83

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
This discussion has been archived. No new comments can be posted.

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto

Comments Filter:
  • by Opportunist ( 166417 ) on Thursday October 19, 2017 @10:46AM (#55396891)

    So we have a device of someone that we suspect to be a criminal, now aid us to access it.

    That is something we can actually work with. Provided there is oversight and it's not "we probably have (population count) terrorists in our country, let's find out how to up the surveillance so we can track them all!"

    • Completely agree. This has been the proper course of action from the start, and I'm glad they're finally coming around on it. It's the only path that aligns with the security and privacy interests of businesses and individuals while allowing for law enforcement to conduct lawful investigations.

      There will certainly be additional points to discuss, such as the degree and nature of their collaboration (e.g. Is it—or to what extent is it—okay for them to withhold information regarding vulnerabilitie

  • Do I understand this right that they want brute-force encryption? If so, somebody really should explain complexity analysis to them. These algorithms have been chosen in such a way that brute forcing is computationally hard.

    How exactly... we don't know. Maybe someone has an RSA-cracking supercomputer up their sleeve they're keeping secret. Maybe someone's particularly good with a soldering iron and can read off keys from extracted flash memory chips.

    If any member state has that capability, there is no way

    • by Lennie ( 16154 )

      Remember the FBI Apple iPhone debate in the US and a solution was found how to gain access to the data, my guess would be they could be sharing those kinds of solutions. I would be surprised if they had things even more advanced than that.

    • by Boutzev ( 325568 )

      Please, don't ! Leave them with their brute forcing. In the meantime we can enjoy secure communication.

      I am not sure if this is just an attempt to please the lobbysts of encryption regulation or ignorance.

      • by Megol ( 3135005 )

        It's an example of you not understanding. Brute forcing is (generally) impossible and that's not what this is about.

    • Do I understand this right that they want brute-force encryption? If so, somebody really should explain complexity analysis to them. These algorithms have been chosen in such a way that brute forcing is computationally hard.

      No they want to share methods on how to break devices. No device is 100% secure. Each device probably has an exploit depending on the hardware and OS version. For example, the San Bernandino shooter had an older model iPhone that was bypassed but that took several months before the US government could find someone who could do it. At the very least point the governments in the right direction: "Oh that model Samsung and Android, we used this company to break that phone." It is more so that each government d

    • by Anonymous Coward

      If any member state has that capability, there is no way in hell they'll share it.

      This is simply a request to increase the funding & staffing of EC3 in Europol.
      https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3

      All in all, EU has taken a rational position here.
      Law enforcement cannot simply disregard the issue; they have to do and say SOMETHING.
      A statement "we will NOT be going to ask or push for backdoors & weak crypto" is good enough, especially considering this comes from the LEA / antiterrorism guys, not from DG CONNECT or similar.

    • by gweihir ( 88907 )

      Don't tell them! They are convinced that because they represent nation-states, they are all-powerful. Let them have that illusion!

  • The irony (Score:4, Informative)

    by Rick Schumann ( 4662797 ) on Thursday October 19, 2017 @10:47AM (#55396901) Journal
    The irony here is that even if they put a gun to everyones heads and forced them to ruin encryptions' value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and goverments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?
    • Exactly.... This is really stupid in that it only helps you catch the stupid ones....

      Anybody who thinks about this, won't have an issue communicating securely regardless of if the encryption backdoor.

    • Consider for a moment that while governments may ultimately be varying degrees of evil, that is an emergent property that isn't necessarily present in the humans who make it up.

      Now imagine you're a cop or a politician, and you have criminals and pressure to stop them from getting organized or simply 'getting away with it', and you KNOW there's evidence you could hang them with if you could get your hands on it.

      Of course they're going to try and get official back doors. Now you say those back doors will onl

      • You NEVER trade freedom for security. EVER.
        'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.
        • >You NEVER trade freedom for security. EVER.

          That's a foolish absolute to stand behind, since you do it all the time in your day to day life.

          >'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.

          Another silly stance to take. For general encryption, absolutely... but there's nothing wrong with a proprietary system with a back door in it, as long as it's understood to be less than perfectly secured and that it will eventually be cracked (or t

          • No, you're completely and totally wrong, and are you even a U.S. citizen? Or are you some foreigner who has no stake in this? Or are you a government shill? Or are you just a troll/jackass? Regardless you are to be IGNORED as you are no better than these shitty politicians and so-called 'law enforcement'.
            • by Anonymous Coward

              This a joke post? Article is about the EU and you grizzle about whether someone is a "U.S. citizen". And why do "foreigner"s have no stake? It's global. Etc, and so on.

              Truth is you trade freedom for security every day of your life. Every day. Wake up and look around you.

              I am against backdooring general crypto but I don't claim it means the end of civilisation like you do.

            • by PCM2 ( 4486 )

              Are you being willfully stupid?

              You are NOT free to walk into a bank waving a gun. That freedom is denied you. You ARE free, however, to walk into a bank and withdraw a large amount of money, with the reasonable expectation that nobody else in the bank will shoot you and take it from you.

              See how this works?

          • Your "less than perfectly secured" is awfully optimistic. Most people aren't prepared to jump to a new encryption method when the old back door is compromised. Moreover, the system can't ever be trusted, since the user never knows who might know the back door. It might be of some use to some people, but nobody with any sort of security requirements could rely on the system.

    • criminals and terrorists would not just use non-compromised encryption, they'd use codebooks and other types of obfuscation

      Terrorists have shown how clever they are ; that kind of subtlety is out of their league.

    • The irony here is that even if they put a gun to everyones heads and forced them to ruin encryptions' value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and goverments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?

      Of course it's another power-grab. That's almost a given for almost everything Western governments are trying to implement in the encryption/security field. The mistake here is in assuming they're telling us the truth when they tell us they will use it exclusively against criminals & terrorists instead of mostly as another general domestic surveillance tool for politically/ideologically-driven motives.

      They know as well as we do that real terrorists and criminals will simply use other secure methods. The

    • by Kjella ( 173770 )

      The irony here is that even if they put a gun to everyones heads and forced them to ruin encryptions' value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption)

      Well most suggestions don't involve building an algorithmic backdoor, but about making the manufacturer retain a copy of embedded keys. Like for every iPhone there's a master UID - essentially a 256 bit AES key - fused into the processor during manufacturing. They (supposedly) don't keep a copy, they certainly could and stick in a vault somewhere and in theory they'd only hand individual keys over to law enforcement with a warrant. The "doomsday" scenarios are that a powerful organization robs the vault or

  • Every CPU since 2006 has backdoors built in, they don't need to have backdoors in individual protocols. If they have cyber-backdoor agreements with the nation manufacturing the chips they have a backdoor.
    • Apple designs its own ARM chips, and they've been clear about standing up for user security. I'm not at all convinced that all CPUs have back doors.

      • Apple uses Intel chips, which absolutely have backdoors (they actually beat AMD to it by a couple of years.) They "stand up for" user security because it's bad PR if they don't pretend to.
        • True; I was thinking of the ARM chips on iDevices. Apple in fact got bad PR from the dispute with the FBI relating to the work iPhone 5C that the San Bernardino shooter almost certainly didn't leave evidence on, so I'll give them credit for that. Apple appears to want user security.

          • Apple wants people to believe they have user security. Post-Snowden it would be incredibly ignorant to believe there is any device made by a US company without backdoors.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday October 19, 2017 @11:12AM (#55397107)
    Comment removed based on user account deletion
  • by Anonymous Coward

    Or have they just struck a secret deal somewhere?

    Let's hope the first. Being a big fan of EU (the idea) and sometimes utterly revolted by EU (the implementation), this makes my week.

  • Yes please (Score:5, Interesting)

    by SlashDread ( 38969 ) on Thursday October 19, 2017 @11:16AM (#55397139)

    Do share all your cracking and hacking tricks. Publicly.

    so we can patch the vulns

  • why not publish all those vulnerabilities they're using to decrypt devices (after a suitable period of time given to the manufacturer to fix the defect)? Could it be they don't really care about security in our shared cyberspace? Naw, they could never be so callous.
  • by Anonymous Coward

    Is when the encryption wars began. The war was long and had many casualties. After many years of trying to crack encryption most governments around the world agreed to make encryption used by anyone other than the government illegal.

  • Weakening encryption is bad. Trying to break encryption is expected.

  • Encryption weenies place a lot more faith in it's power than I do. So, are we supposed to trust SSL? I don't. Besides being eat-up with a laundry list of past vulnerabilities, I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy? Why again? Just because they can pay folks to answer the phone or to supposedly check someone's business license? That doesn't mean *squat*. There are so many instances where
    • by AHuxley ( 892839 )
      Encryption is good to stop random other governments, people, ads, ISP's, telcos as a message moves along the pipes.
      At some time that fully and secure message had to be created and later decrypted for the users convenience.
      Key logging is the solution and will get content at source from the users for the security services.
      A one time pad on paper used once and sent would be secure. The privacy of the message is protected by using a one time pad. Anonymity on networks in 2017 is not protected.
      Interestin
    • by Anonymous Coward

      > So, are we supposed to trust SSL? I don't. ... I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy?

      TLS/SSL exists independent of the Certificate Authorities. You (and anyone else) can use SSL/TLS without involving a third party: sign your own damn certs. Viola, you have full-strength data-in-flight crypto capabilities.

      The reason you don't really see this on the web is because without cert pinnin

    • Good encryption means precisely one thing: that it is necessary to know the key to access the information, but otherwise it's safe. When using something like AES-256, the only problem is key management. Nobody who can't find or guess my iPhone unlock code is going to be able to read anything off it, and the Secure Enclave makes it very difficult to guess.

      There's a big difference between levels of security. If they're willing to haul you in and torture you for the information, they're almost certainly

  • "when [a member state] gets a device, how do they get information that might be encrypted on the device."

    You don't. If you could, the encryption would be pointless.

  • EU vs Five Eyes (Score:4, Interesting)

    by Hal_Porter ( 817932 ) on Thursday October 19, 2017 @01:12PM (#55398107)

    For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."

    I think they're worried about the Five Eyes countries sharing information with each other, but not with EU countries

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    One of the interesting contradictions of the UK being a member of the EU was that it always had much better intelligence sharing with the Five Eyes countries than it did with any EU country.

  • First, often asking for something (backdoors) is cover for already having it. Second, pretending to not ask for it is cover for getting it without public scrutiny. Third, knowing of vulnerabilities and keeping them secret and exploiting them is ethically just as bad as having backdoors. You find it, you announce it, or you're hurting security for everyone. You think you're the only one that found it? Unlikely. Russians, Iranians, Pakistanis, and Israelis have found it but the only way to block their use of

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...