November 2007 - Posts

Because the government is a major consumer of crypto products, government entities create or approve most of the encryption standards used in the industry.  One of the key ingredients of crypto technology is the random number generator.  Getting random numbers from a computer is a very tricky problem, so the U.S. government actually publishes random number algorithms created by computer scientists and government agencies.  This year, the government produced a new standard, which may soon be integrated into crypto software worldwide.  Three of the four algorithms in the standard are based on industry standards, but one comes from the National Security Agency.  The NSA's algorithm is more complex and slower than the others, so many people wondered why the NSA pushed to have it included.

At the recent CRYPTO 2007 conference, some computer scientists discovered that the algorithm has a possible backdoor key, which allows the numbers it generates to be predicted.  While we don't know whether the NSA has the key, we can be sure that either it has the key or it released a dangerously broken standard.  (Now that the vulnerability is known, vendors are unlikely to use it, so the NSA wouldn't have knowingly released a faulty standard unless it had the key.)
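An added illustration of the point above, not code from this blog or from the standard: a constructed toy generator over integers modulo a prime, in which two public constants are secretly related by a key.  All names, constants and the structure itself are assumptions made for the example; it shows why constants of unexplained origin in a generator deserve scrutiny, since whoever chose them can recover the internal state from a single output.

```python
# Toy generator with a hidden relation between its public constants.
# Everything here is constructed for illustration; it is not the
# algorithm from the standard discussed in the post.

P_MOD = 2**61 - 1                 # public prime modulus (constructed)
Q = 3                             # public constant
BACKDOOR = 0x1D2C3B4A59           # designer's secret key (constructed)
P = pow(Q, BACKDOOR, P_MOD)       # public constant; secretly P = Q^BACKDOOR


class ToyGenerator:
    """Outputs Q^state, then advances the state to P^state (mod P_MOD)."""

    def __init__(self, seed):
        self.state = seed

    def next(self):
        out = pow(Q, self.state, P_MOD)
        self.state = pow(P, self.state, P_MOD)
        return out


def recover_state(observed, key):
    """State that follows `observed`, computed from the output alone.

    observed^key = Q^(state*key) = (Q^key)^state = P^state, which is
    exactly the generator's next internal state when key == BACKDOOR.
    """
    return pow(observed, key, P_MOD)


def predict_following(observed, key, count):
    """Replay the generator from the recovered state."""
    clone = ToyGenerator(recover_state(observed, key))
    return [clone.next() for _ in range(count)]


if __name__ == "__main__":
    victim = ToyGenerator(seed=123456789)   # seed unknown to the observer
    first = victim.next()
    predicted = predict_following(first, BACKDOOR, 4)
    actual = [victim.next() for _ in range(4)]
    print("key holder predicts correctly:", predicted == actual)
```

Without the key, going from P and Q to the relation between them means solving a discrete logarithm, which is why the weakness is invisible to ordinary statistical testing of the output.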

A paranoid person might wonder if, having failed to force broken crypto on us at the hardware level, the government has some kind of nefarious plan to sneak one in.  Simply requiring that the standard be used by government contractors might be sufficient to get it adopted by the industry due to its market share.  People take much more care in selecting and testing encryption algorithms than random number generators.

Reassuring answers on this issue are not likely to be forthcoming, so here are some rules of thumb:
  • Real security requires evaluating the whole process, not just a good encryption algorithm.
  • Don't trust a security solution just because it is widely used or government approved.
  • Don't trust a security solution that isn't open to peer review.

 


Welcome to crypto-autonomy.  The purpose of this blog is to discuss the movement commonly known as "crypto-anarchism," including both theoretical and practical considerations.  I would like to make this a collaborative blog, so contributions and comments are welcome.  With that out of the way, let's talk crypto:

The information age is a harbinger of a social paradigm shift

Human civilization is currently in the midst of a paradigm shift, a change in the basic assumptions of the way our society works.  This change will be at least as important as the invention of the printing press and perhaps much more so.  The enabling tool behind the transformation is information technology.  More broadly, it is the automation of intelligence into non-biological automatons.  The true meaning and possibility of the "information age" is only grasped by a few of the most far-reaching of technologists and futurists.  The changes made possible by the electronic age will transform society in fundamental ways, and question the very basic premises of government, commerce, intellectual property, and individual autonomy and identity.

The threat and promise of the information age

Information technology is a tool, and like any tool, it may be used for good or evil.  It brings the possibility of universal connectedness, privacy, and surveillance.  This is both a promise and a threat: we may finally be free of the threat of an omnipotent State, or we may become victims of total surveillance and control.  Once a staple of dystopian novels and films, the threat of ever-present electronic surveillance by the state is no longer just a staple of science fiction - not with the existence of Carnivore, Echelon, and millions of surveillance cameras.  Current surveillance programs are very crude analogs of the intelligent content analysis that will be possible with further evolution of technology.  Just as banking companies use artificial intelligence to discover fraudulent transactions in your credit card record, digital agents will soon be able to sift through audio and video recordings, purchases, bank records, and electronic communications to determine the meaning of conversations, build complete profiles on individuals, and uncover anomalous or suspicious behavior.  Unchecked, such unprecedented control over our lives will turn individuals into cogs in the machinery of the State, and lead to social and economic disaster.

The power of the individual

Despite the risk, there are two substantial advantages enjoyed by individuals over states.  First, free and open societies are inherently more prosperous than interventionist ones, and total control is likely to lead to total social collapse in short order.  (Though that would not be very comforting knowledge to those in the midst of the collapse.)  Second, the same technologies that make ubiquitous surveillance possible also allow ubiquitous secrecy.  Individuals finally have the power to keep their communications private and virtually undecipherable by even the most powerful computers.  As an increasing share of the values being traded by our civilization takes the form of digital information, the possibility of maintaining a private life will exist even when physical freedoms are restricted.  With technologies such as 3D printers and virtual reality, even material values will become information goods.  The potential will exist for large-scale organization and trade of information goods beyond the reach of the state.  These developments will make it both more difficult and more tempting for states to restrict trade and interaction between individuals.  As distant as such a scenario might seem today, present action is necessary to create and distribute the enabling crypto-technologies, so that when the state awakens to its full potential, crypto-technology will be too integrated into the social framework to eradicate.

Substantially legitimate usage is crucial

The key to the success of crypto technology is to make it ubiquitous.  If people only use crypto when they have something to hide, the use of encryption and anonymity will automatically be suspicious.  However, if everyone uses crypto because it is automatic and transparent, then not only will forbidden behavior be easier to hide, but there will be a public outcry at the (inevitable) attempts to ban crypto and end privacy.  This is why it is essential to communicate the threat of the surveillance state and the promise of practical application of crypto.  It is also important that programmers make easy-to-use crypto tools and make it the default (or at least an option) for all electronic communications and transactions.  These considerations are my motivation for writing this.

Why crypto-autonomy?

I prefer the term "crypto-autonomy" to "crypto-anarchism" because it is more accurate.  "Anarchy" refers to the absence of a government, or alternatively to a lack of any authority.  Cipherspace does not require any particular political system, and it is not opposed to (naturally arising) rules and authority.  Existing communities in cyberspace have organizational structures which are both democratic and dictatorial.  The key to the freedom of individuals in cipherspace is, to quote Ludwig von Mises, "that the individual is in a position to choose the way in which he wants to integrate himself into the totality of society."

Further posts to this blog will elaborate on the following concepts and enabling technologies of crypto-autonomy:

Essential concepts of crypto-autonomy

  • Privacy:  privacy is the ability of individuals to control information about them, or created by them. 
  • Anonymity: the ability to conceal information that connects our actions and statements to our material identities.  Complete anonymity is impossible, so anonymity is always relative to the current monitoring technology.
  • Plausible deniability:  the ability to conceal the use of crypto, or its connection to a particular individual.  In situations where even the use of cryptographic technology may be dangerous, steganography allows information to be encoded in commonplace media such as images.  Also, encrypted messages may be hidden inside an encrypted envelope so that the existence of the information can be plausibly denied even if forced to reveal the outer message.
  • Trust: despite the lack of material identities, reputation and accountability are essential to any community.   
  • Cipherspace: a domain in cyberspace where ubiquitous encryption ensures the anonymity of all participants.  For example, Tor.
  • Public key infrastructure: an arrangement that allows users to securely identify each other and send encrypted messages by means of a trusted authority.
  • Digital currency: a representation of value that may be tied to a commodity such as gold, or tradeable for a real-world currency.

Crypto-autonomy and Austrian Economics

The crypto-anarchist movement has been strongly influenced by free-market thinkers.  That's not surprising - the ciphersphere is, in a way, the ultimate market.  It is neither the "perfect competition" model of the neo-classical economists, nor a non-material realm, but a place where all institutions evolve organically, and coercive monopolies are very difficult to maintain.