Compliance Toolkit
Story: Police want power to seize encryption keys
Posted by: Ron B. (Monday 21 August 2006, 5:14 PM)
Arthur B. wrote:
[Quote]
I believe some years ago some Israel scientists proved that PGP can be broken by means of some sort of brute force attack within 8 hours using about a 1000 common PC's or so. Now legally I can't own a botnet of that size (or any size) so I can't point out in public how wrong you are but you might want to rethink how secure any data is if someone with enough resources really wants to break it. Some might think that the police would have enough resources. At least more then most others.
[End Quote]
From Wikipedia:
[Quote]
When used properly, PGP is believed to be capable of very high security. It is widely believed, within the cryptographic community, that — if anyone — only government agencies such as the NSA might be capable of directly breaking properly produced, PGP-protected, messages. However, to the best of publicly available information, there is no known method for any entity to break PGP by cryptographic, computational means regardless of the version being employed. In 1996, cryptographer Bruce Schneier characterized an early version as being "the closest you're likely to get to military-grade encryption" (Applied Cryptography, 2nd ed., p587).
[End Quote]
There is the _possibility_ that NSA has broken PGP. A slim but real chance. If they have broken it, they have not revealed this to any police agency, much less the techniques for doing this. It would not be in NSA's interest to tell anyone that they have broken public key cryptography.
So if PGP has been broken, it is not by any group of "Israel scientists".
I don't know the laws in your jurisdiction, but in the US, there surly is no law against owning a "botnet ... of any size" as long as was not obtained by hacking, trojans or other invasive or illegal method. (You may find this interesting):
Arthur B. also wrote:
[Quote]
As for forensics getting interested in a suspicious computer. I would advise to be far more interested in the communications eminating from that computer then the actual files on that computer. Reason being that there's no way of knowing what kind of tampering could have been done on that computer off-line while the same can't be said from the captured communications eminating from that computer if captured under the right (legal) circumstances.
Furthermore, there are tons of ways to hide data. The worst thing to do is to concentrate on anything that is within the control of the suspect (like the local computer). One needs to concentrate on anything that's (mostly) outside of the control of the suspect.
[End Quote]
All of the above is true, but still misses the point that it is much easier to find hidden data then to decrypt it if properly encrypted. This was my original point.
Full Talkback thread
Story: Police want power to seize encryption keys
-
Encryption keys are _public_ . This won't help th... Ron B. -
Hi Ron,
That's an interesting point, thanks.... Graeme Wearden -
The police want powers seize encryption keys; why... Anonymous
-
The whole question of encryption needs rethinking.... Anonymous
-
Perhaps it is time that civil servants like Simon... Chris Goodman
-
All they have to do is talk to matey boy gates you... pete
-
So we are to believe that terrorists, paedophiles... Arthur B.
-
Why can't there be more people like Arthur B.... Anonymous
-
Arthur B. wrote:
[Quote]
So we are to believe... Ron B.
-
In answer to Arthur B.'s suggestion that... Ron B. -
It seems as though the law and ever... Myles
-
I believe some years ago some Israe... Arthur B.
-
Arthur B. wrote:
[Quote]
I bel... Ron B. -
Nope. The police can't say hidden data is relevant... Arthur B.
