1996-10-14 - binding cryptography

Header Data

From: um@c2.net (Ulf Moeller)
To: everheul@mail.rijnhaave.nl
Message Hash: edc4f4b94c7dc08708b87e68440121706228df93825074234c219ef8f3daff8d
Message ID: <9610141953.AA27896@public.uni-hamburg.de>
Reply To: N/A
UTC Datetime: 1996-10-14 19:53:39 UTC
Raw Date: Mon, 14 Oct 1996 12:53:39 -0700 (PDT)

Raw message

From: um@c2.net (Ulf Moeller)
Date: Mon, 14 Oct 1996 12:53:39 -0700 (PDT)
To: everheul@mail.rijnhaave.nl
Subject: binding cryptography
Message-ID: <9610141953.AA27896@public.uni-hamburg.de>
MIME-Version: 1.0
Content-Type: text/plain


   liberal (Japan) to non-liberal (France). We believe that "binding
   cryptography" is flexible enough to achieve this: a liberal crypto
   policy might use no Trusted Retrieval Parties at all, while a very
   non-liberal country might want one (government controlled) TRP, a
   compliance check on all network traffic and a ban on other crypto.

I doubt that even French internet providers would want their routers
to perform six modolo exponetiations and four modolo divisions
whenever someone opens a secure socket...

   We offered a solution for the *first* task not for the *second*; the
   point is that criminals(!) do not gain any real advantage from using
   the system in that way as they - among other things - still face the
   key-management problem. The above dicussions are only relevant in
   countries where the use of crypto outside the structure would be
   prohibited.

Of course, criminals do get real advantage from this system. They can
use strong encryption for their messages and super-encrypt them using
"binding" cryptography. So their illegal messages look perfectly
inconnous as long as their government trusts in the "binding" property
of this scheme. Only when the GAK key holder tries to decrypt a
message, they notice that they cannot read it.

Can you imagine that anyone would ever create a program that tries to
look like a conforming implementation, but generates invalid "binding"
data -- when it is so much easier to simply use PGP, and (if
necessary) disguise that fact using the government-approved encryption
software?  I don't, so in my opinion the verification process is
abolutely useless. One might say, binding cryptography, like several
other cryptographic protocols, is a nice 'solution', but one with no
corresponding 'problem' in the real world. :)  It doesn't help in
legitimate law enforcement, but it causes trouble to network operators
and it deprives law-abiding citizens of their privacy.

And criminals don't face "the key-management problem". In any GAK
scheme, the official keys can be used to certify other un-escrowed
encryption keys. Binding cryptography makes it just a little easier,
because there is no need to create any "illegal" key pairs. Everyone
can encrypt messages using the government-certified ElGamal keys,
and then repeat that process, this time including the data required
for goverment access.

   that use of other systems will always be possible. Also, the above
   discussions already showed that if such a system is voluntary, then
   there are lots of way to go around it.

Criminals will always find ways around these systems -- even if they are
mandatory. Just those who actually "have nothing to fear", will not
go in the risk to use illegal encryption. So governments can wiretap
law-abiding citizens, but not criminals. What useful is a system like
that?

-- 
one ring to rule them all, one ring to find them
one ring to bring them all and in the darkness bind them
in the land of mordor where the shadows lie.





Thread