Advertisement
Promo

Compliance Toolkit

Story: Police want power to seize encryption keys

  • Previous comment

Posted by: Arthur B. (Saturday 26 August 2006, 11:01 PM)

  • Reply

Nope. The police can't say hidden data is relevant to their case until they discover and unhide that data first. Until then they can only assume the hidden data is relevant to their case (like assuming that file names have to say something meaningfull about the file content).

Furthermore, the police have stated that they've nothing else on the suspects (they all walk free because). Obviously the police can't crack the data themselves or else we wouldn't have this discussion.

So that means that on nothing else but a police assumption (like file names) people are expected to hand over their private keys (never mind if a virus eaten it or people simply forgot under the stress of getting arrested and such) or face serious jail time instead. Wow, and this in cases where the police has nothing else on the suspects but some suspicious looking file names (or else they could bring other criminal charges against the suspects).

Concerning the ability to crack data. Sure, an intercepted PGP encrypted data transmission is nearly impossible to crack (short of a lucky shot). But things change dramaticly to your favour once you have physical access to the originating machine itself. For one, passphrases are commonly phrases people can remember and therefor not so complex as machine based phrases. As such easier to brute force.
Another thing are flaws in the encryption programs used. Most programs contain flaws that are solved over time. It's not unreasonable to think that machines that have been collecting dust for over a year now have (encrypting) programs installed on them for which various security issues are known by now. In other words, if you can't crack the data then crack the program. Furthermore, not everything is PGP encrypted. Plenty of people out there who rely on non PGP based encryption schemas. Plenty of those are much easier to crack.

Somehow I don't think that the police have managed to confiscate the only machines in the entire UK that are fully up to specs to the highest standards of modern security (even though they've been collecting dust for over a year now). As such I wouldn't be willing to hand over my encryption keys whenever the police feels lost. First the police needs to demonstrate a more then average best effort in doing a best effort themselves. There are plenty of creative ways to crack data BUT I WON'T REVEAL THEM IN PUBLIC no matter how many disagreeing comments I get. For those of you who think otherwise nonetheless, do feel safe in your false sense of security. You have my sympathy.

As for the Israel scientists. I've found the press release in question. It turns out to be RSA specific and only mentions PGP as a side note. My apologies for the confussion about that.

  • Previous comment

  • Reply to this comment
  • Return to story
  • Report this as offensive


Full Talkback thread


Video icon

Video

Cloud Watch Special Report

Five cloud computing myths exploded

Five cloud computing myths exploded

Analysis The cloud is providing a fertile habitat for the marketeers and their exaggerated claims. We examine the hokum and debunk the five most frequently peddled misconceptions about the cloud

More Special Reports

Sentry Posts Blog

Authentication risks all too human

Risks to successful online banking identification and authentication using smartcards involve a mixture of human and technological factors, according to the European Network and Information... More

1 comment

Opera censors Chinese content

Opera has updated the Chinese version of its mobile browser to stop users accessing restricted content. Opera Mini was updated on Friday from an international to a Chinese version,... More

2 comments

Symantec website breached

Security company Symantec has said that one of its websites was successfully breached. Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday. Unu... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters