Thoughts on the coming Crypto Wars

I'm writing own my thoughts because I'm not sure they are fully formed nor logically correct. However, they have been bouncing around my head for a few months. There have been enough confidants who have heard and opined on my thoughts that the end result of nearly every conversation has been, "I think you should publish." Here we are.

Crypto Wars 1995-2005

I hate things being called wars for the sake of amplifying the fact that there are disagreements between two opposed sides. However, the name has stuck, so I'll begrudgingly use it because it is a popular reference. The Open Rights Group has a good summary of the past crypto war as fought in courts and through policies. It was a political and legal fight over whether ciphers and encryption should be treated as weapons, and therefore be subject to all the controls normally associated with weapons. On the one hand, the cryptographers won. On the other hand, laws like RIPA still exist and are enforced today.

A very brief and selected history of cryptography

Some of the earliest successfully implemented ciphers were from the Roman Empire. The Polybius square provided the Romans with an edge over their compatriots. It was considered unbreakable, and messages encoded with it were expected to stay secret against the test of time. It was reportedly also used by prisoners in Vietnam to communicate securely, a few thousand years after its original use.

Another cipher of Ancient Rome was the Caesar cipher. It is a basic shift cipher and was relied upon by Julius Caesar for important communications.

And our final example is the most recent, the Enigma Cipher from World War 2. It was used by the Germans for sensitive communications. It was broken as part of an Allied effort early in the 1940s.

In all cases, the creators and users of these ciphers believed their encrypted messages would stay secret forever, or at least for multiple lifetimes. In reality, all of them can be broken with the computing power available to 1940s-era technology, and Polybius squares and Caesar ciphers were broken thousands of years ago too: sometimes by gaining access to the secret decoder tools, sometimes by understanding how the cipher worked and doing some basic cryptanalysis on collected messages. Smart people have existed throughout history.

An interesting corollary here is that RSA was independently developed twice: once in 1973 in secret, and then 4 years later in public. RSA with keys of 1024 bits or less is believed to no longer be safe. And therein lies the conundrum.

Strong Encryption Everywhere: Good and Bad

We're at the beginning of an age where the usage of strong encryption is booming. Apple and Google have both announced products using strong encryption. People use encrypted versions of websites (HTTPS) regularly. The general populace has access to strong encryption in many, many products they use every day: products such as bitkeeper, off-the-record encryption for instant messaging/chat, Skype, Pretty Good Privacy (PGP), and even Blackberry. I'm purposely skipping over implementations; I'm not saying any of these products are more or less secure than others, simply that they contain strong encryption.

Law enforcement, for the most part, hasn't kept up. The FBI, GCHQ, and others have been publicly stating that all of this encryption makes their job more difficult. I believe them. Rather than simply accessing a filesystem or grabbing readable content off the wires, they have to figure out the keys, passwords, or vulnerabilities to get access to the data, which may or may not prove the innocence of alleged criminals. The use of encryption requires that law enforcement hire a different class of person than in the past. It takes time and skills to break into an encrypted device.

Faith in the Future

There are a number of concepts and realities of math that make modern-day strong encryption strong. One of them is that, with current computing power, solving certain problems takes time, in some cases a very long time. The key phrase here is current computing power. Just like the generals of past militaries believed their encryption systems were unbreakable, we make the same assumptions. Future generations will likely consider this a quaint notion as they read through all of our messages encrypted with strong encryption. High school students already break messages encoded by virtual Enigma machines for homework.

Quantum computers are quickly becoming a reality. Massively parallel computers are already a reality. Some future computing paradigm may blow apart all strong encryption as a trivial exercise. While I have faith in math, the test of time will likely show that all encryption is strong only for its own era and is broken over longer spans of time.

The Challenge of Data Retention

Data retention is the storage of data in some format, generally for archival reasons. The problem with this is that people will store their data, or have their data stored for them with or without their consent, and often encrypt it. One assumption is that this encrypted data is safe for a very long time, sometimes many lifetimes. Given the advances in computer technology, for how long is this true? RSA-1024 is likely broken in under 40 years. The current computing paradigms suggest that most encryption is still strong and will be so for millennia. I think we've heard this before. Perhaps you feel differently about the NSA, GCHQ, and possibly others storing all of your data forever. If only we could make data requests to get our data back in the event of catastrophes.

The Real Fight

A former NSA lawyer put it most succinctly:

“The crypto wars have about as much to do with the outcome of security as the Soviet-Finnish war of 1939 had to do with the outcome of WW2.”

Governments and large corporations will always have an advantage over the individual with regard to strong encryption. The question is not whether we fight technology with more technology, but how our governments are allowed to use such technology against their own citizens. My belief is that all technology will be usurped over time. Governments outlast technology. Their power and constraints should be carefully considered. The powers and rights of an individual should be weighed with more value than those of government powers.

Do we want our governments simply having a technology arms race against their citizens? Who wins in this scenario? It is unlikely to be the citizens. Citizens have always done best when they check government powers. The fact that any former colony of an empire is now an independent country itself is a testament to the power of the citizenry.

Concession

And yes, much like you, I can think of plenty of examples where revolutions or former colonies failed to make people more free (or even to give them the ability to check government powers). They seem to simply swap one empire for another, or worse, for an abusive dictator drawn from the populace. However, in free countries, checking government powers is a well-trodden path.