[Bradford] U.K. Court, in David Miranda Case, Rules Terrorism Act Violates Fundamental Rights of Free Press

[Robert Burrell Donkin]

On Thu, Jan 21, 2016 at 1:02 PM, Nick Rhodes <nick at ngrhodes.co.uk> wrote:

> One important point I forgot is that my point relates to allowing
> discussion about using open software that can be inspected for back doors,
> have strong encryption with no keys for anyone else, and the methods used
> by authorities and others to infiltrate and work around these, some of
> which Snowden uncovered.
>

The Soviots used weak keys to spy on their own officials. The experience in
the Soviot Union seems to be that weak keys had the disadvantage it's much
more difficult to calculate just how weak key island is than to discover
one in the first place. Often not only the issuing authority was able to
crack them easily but lots of other people they didn't expect too. In my
opinion, going down the weak key route would be a really, really bad idea.
Weak key generation algorithms are the sort of subtle but dangerous back
door that authorities could look to introduce covertly in the near future,
probably first into the signing infrastructure which secures HTTPS.

Though some subtle attackers (for example, timing or entropy pool) are hard
to detect by pure source code analysis, both covert channels and weak keys
algorithms are things that are easy to spot from the source. For example,
in order to work out why my unit tests kept failing, I had to read up on
the covert channel in OpenPGP. (For the conspiracy minded, this channel was
introduced by the NSA.)

I recommend that proprietary key generation software should now be treated
as untrustworthy, and that you take particular care in verifying the source
before generating keys.

Robert
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/bradford/attachments/20160121/0bedf28f/attachment.html>