Encryption used to transmit
data in ultra-secret form
You're only as secure as your least encrypted hop.
2017 US government: We can jail you indefinitely for not decrypting your data http://j.mp/2x9gJZM
2016 Moxie Marlinspike helped create the Edward Snowden (9/1/2020 VINDICATED) approved messaging app Signal, and assisted WhatsApp with 1 billion users, deploy end-to-end encryption in the process.
How I Cracked a Keylogger and Ended Up in Someone's Inbox and the comments
2016 Security Researcher Publishes How-To Guide To Crack Android Full
Disk Encryption
He published a step-by-step guide on how one can break down the encryption protections on Android devices
powered by Qualcomm Snapdragon processors. The source of the exploit is posted on GitHub. Android's disk
encryption on devices with Qualcomm chips is based only on your password. However, Android uses your
password to create a 2048-bit RSA key (KeyMaster) derived from it instead. Qualcomm specifically runs in
the
Snapdragon TrustZone to protect critical functions like encryption and biometric scanning, but Beniamini
discovered that it's possible to exploit a security flaw and retrieve the keys from TrustZone. Qualcomm
runs
a small kernel in TrustZone to offer a Trusted Execution Environment known as Qualcomm Secure Execution
Environment (QSEE), which allows small apps to run inside of QSEE away from the main Android OS. Beniamini
has detailed a way for attackers to exploit an Android kernel security flaw to load their own QSEE app
inside this secure environment, thereby exploiting privilege escalation flaw and hijacking of the complete
QSEE space, including the keys generated for full disk encryption
Jan. 9, 2003: The Justice Department drafts the Domestic Security Enhancement Act of 2003, aka
"Patriot Act II" As Congress debated the USA Patriot Act after the Sept. 11, 2001, terrorist
attacks, supporters of strong encryption worried that lawmakers would use the climate of fear and
anxiety
to slip in a provision targeting encryption. That didn't happen; the Patriot Act didn't address the
subject at all. But nearly two years after it took effect, President George W. Bush's Justice Department
prepared a successor bill, the Domestic Security Enhancement Act of 2003, that did address encryption—in
a
major way.
August 2007: Security researchers expose Dual_EC backdoor in NSA-backed encryption protocol. Edward
Snowden siad the “NSA became the sole editor” of the standard.
May 4, 2012: FBI pushes legislation to ensure a wiretap-friendly Web
June 6, 2013: The second Snowden document exposes a massive Internet surveillance program. Silicon
Valley
exploded with outrage in response to the PRISM revelations, which came from former NSA contractor Edward
Snowden's trove of documents. A few months later, more Snowden files revealed that the NSA had
penetrated
the links between data centers owned by Google and Yahoo around the world.
Sept. 5, 2013: Snowden documents expose NSA campaign to break encryption
September 2014: Apple and Google add full-disk encryption to their mobile operating systems
Oct. 10, 2015: Obama administration says it won't seek encryption backdoor legislation Nov. 17, 2015:
Congress starts looking at encryption
Dec. 17, 2015: Firewall maker reveals likely backdoor in its code Almost two years after NIST told
companies to stop using the Dual_EC random-number generator in their encryption, Juniper Networks
announced the discovery of “unauthorized code” in several versions of its ScreenOS software, which ran
on
its NetScreen firewalls. A few days later, security researchers revealed that the code was based on
Dual_EC, the NIST pseudorandom-number generator that the NSA had secretly sabotaged with a
backdoor.
Dec. 23, 2015: China says it modeled its new encryption policy on U.S. law
Jan. 4, 2016: The Netherlands becomes the first country to formally reject backdoors
Jan. 21, 2016: U.S. state lawmakers propose bans on unbreakable encryption
Feb. 10, 2016: House lawmaker introduces bill to prevent state encryption bans
Feb. 29, 2016: New York judge denies government's request for iPhone unlocking order
March 31, 2016 security engineers—especially those at One Infinite Loop—began processing an unsettling
fact: Someone had given the U.S. government a previously unknown iPhone exploit. According to Reuters,
the
government didn't own the technique—it had only bought the ability to use it—so it couldn't submit the
exploit to the White House-coordinated disclosure review process. Another problem was that the FBI
had classified the tool that it designed with the exploit and used on the phone, limiting the
government's
ability to speak publicly about it.
April 13, 2016: Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) officially introduced
their
bill requiring companies to provide authorities with encrypted user data in an “intelligible” format or
render any assistance necessary to make it readable. Security experts immediately assailed the bill,
dubbed the Compliance with Court Orders Act of 2016. University of Pennsylvania professor Matt
Blaze said it was worse than the Clipper chip, the NSA backdoor device whose
major flaw he famously exposed in the 1990s, leading the Clinton administration to
shutter its plans to mandate the chip's use in consumer technology.
April 20, 2016: U.K. law-enforcement official confirms that new spy bill would let cops force companies
to
decrypt data
“As a result of the Snowden revelations,” Clapper said at a Christian Science Monitor breakfast, “the
onset of commercial encryption has accelerated by seven years.” Clapper attributed the finding to an NSA
analysis. Snowden, a staunch advocate of strong encryption, responded by tweeting, “Of all the things
I've
been accused of, this is the one of which I am most proud.”
End-to-End Encryption and
the Web
W3C TAG Finding 15 July 2015
History
Cant is an example of a cryptolect, a characteristic or secret language used only by members of a group, often used to conceal the meaning from those outside the group. Cryptographic Message Syntax Email
National
Cryptologic Museum in Laurel, Maryland -- Pictures
The National Cryptologic Museum is the National Security Agency's principal gateway to the public. It
shares the Nation's, as well as NSA's, cryptologic legacy and place in world history. Located adjacent
to
NSA Headquarters, Ft. George G. Meade, Maryland.
Bletchley Park Headquarters of British code-breaking during World War II. Invented in 1918 the Enigma cypher "Britain's best kept secret" -- the place where the German Enigma was finally deciphered in an incredible cooperative super-effort.Detailed tutorials for the mathematically inclined explain how the Enigma cipher machine worked and how the Lorenz code was broken by the British-built Colossus machine. A Bletchley Park photo album presents snapshots of an ordinary-looking, extraordinary place.
Cipher Machines - Hagelin Ciphers
1925 Arvid Gerhard Damm of Sweden was the last of the four cipher machine inventors at
the end of WW1 to file for a patent on his rotor based cipher machine. Two investors were K.W. Hagelin
and
Emanuel Nobel (nephew of Alfred, famous for his dynamite and Prize). Hagelin had his son, Boris, join the firm in 1922 in order to protect his investment.
The first cipher machine produced was the B-21, which had two rotors and two pairs of pinwheels to
produce
an irregular stepping action for the two rotors. This mechanism will continue to play a key role in all
the future mechanical cipher machines from Hagelin's firms and also for the later derivative cipher
machine from the Swedish company Transvertex. The B-21 had a light panel like the Enigma
machine.
In 1940, Hagelin took his C-38 to the US and sold his design to the US government. This machine was
manufactured by the L.C. Smith-Corona Typewriter Company under license from Hagelin's firm.
After WW2, Sweden passed laws classifying cipher machines as munitions which could not be exported.
Hagelin moved his company to Zug, Switzerland in 1952. Crypto AG was founded in 1952 by the legendary (Russian born) Swedish
cryptographer
Boris Hagelin. During World War II, Hagelin sold 140,000 of his machine to the US Army.
What the users of these Hagelin machines did not know was the single greatest coup in the
history
of military intelligence. In 1957, William Friedman was called out of retirement by the US NSA to make a secret deal
with Boris Hagelin, giving the US access into all the secret communications using the Hagelin
machines. The US shared this information with England. Later, as the cipher
technology advanced from mechanical devices to electronics, the new Hagelin machines installed a back
door
written by the NSA. Dictators and madmen, such as the Iranian Islamic regime, Saddam Hussein, Moammar
Gadhafi, Ferdinand Marcos, Idi Amin, as well as friendly nations and the Vatican all had their most
secret
communications read instantly by Washington and London. This unfettered access would continue for
decades.
This open book into the world's secrets would start to unravel in 1983.
The ownership of Crypto AG has been to a company in Liechtenstein, and from there
back to a trust company in Munich. Crypto AG has been described as the secret daughter of Siemens but
many
believe that the real owner is the German government. The German secret service, the
Bundesnachrichtendienst (BND), is believed to have established the Siemens' connection.
Several members of Crypto AG's management had worked at Siemens. At one point in time, 99.99 percent of
the Crypto AG shares belonged to Eugen Freiberger, the head of the Crypto AG managing board in 1982.
Josef
Bauer was elected to the managing board in 1970. Bauer, as well as other members of Crypto AG
management,
stated that his mandate had come from the German company Siemens.
1993 Matt Blaze and The clipper chip
Phil Zimmermann and PGP
The clipper chip invented in 1993 is a little-known tale of the battle between US government code makers
and private citizen code breakers which placed the privacy rights of US citizens in the balance. In this
battle of wits, the code-breakers were victorious, keeping Big Brother government from trampling the
privacy rights of all US citizens. The code breakers took advantage of this window of opportunity to
release a public domain encryption program called Pretty Good Privacy or PGP, which was quickly adopted
world wide. In the battle of wits between the code makers and code breakers, this was a major win for
the
code breakers and especially the US public.
The first release of this software on the internet, including source code, was made on June 5, 1991. By
February of 1993, Zimmermann was the target of a federal criminal investigation for exporting
"munitions" without a license. Software encryption was classified as a munition and export
outside of the US carried severe penalties.
Zimmermann was never charged, but came up with a creative solution for future releases of software. He
published the source code in a book which could be purchased for $60, scanned into a computer as text
and
then compiled for use as a program. His reasoning was that export of munitions, including encryption
software, was illegal but export of a book was protected by the First Amendment.
By the late 1990s, laws restricting export of encryption software were liberalized, PGP and
other
encryption hardware and software were no longer classified as munitions.
Cracking Code, Encryption Software used to transmit data in ultra-secret form 1998 - 2011
11/11 Full-disc
encryption is too good at keeping your computer secure. So good, in fact, that it's got
digital
CSI teams tearing their hair out.
Computer security engineers, including a member of the US Computer Emergency Response Team, are
complaining in a
research paper this week that crooked bankers, terrorists and child abusers may be getting away
with
crimes because it is proving impossible for digital investigators to unlock their encrypted hard drives.
As New Scientist related in February, full-disc encryption is a major
consumer
security leap. It scrambles everything on a drive when you turn off your computer, time out or log out.
But the flipside, of course, is consternation for some crime fighters.
7/11/11 When
Asked To Disclose Laptop Password, Woman Invokes 5th Amendment
Robert Siegel talks with Declan McCullagh, chief political correspondent for CNET, about a federal case
in
which Ramona Fricosu, a Colorado woman, is refusing to disclose a laptop
password
to authorities — arguing it would violate her Fifth Amendment right against self-incrimination.
Fricosu is facing several charges related to a mortgage scam. The encrypted laptop was seized from her
bedroom during a police raid. McCullagh tells us more about the case — and what legal implications it
may
have.
Can You Keep A Secret?
3/5/98 Encryption is simple enough. But when millions of people want to ensure privacy on a medium as
public as the Internet, things get complicated. By John J. Fried
If you conduct business over the Internet, use the Web to transmit sensitive documents, or like to chat
on your favorite cybersites without leaving tracks, you are at the center of a furious battle in
Washington.
Maybe not you personally and directly, but your right to have access to encryption software used
to transmit data in ultra-secret form.
This may come as a surprise, because for much of the last decade, the clash has centered on
Washington's efforts to regulate the export of strong, hard-to-break encryption programs.
Now, however, legislators and law enforcement agencies, most notably the Federal Bureau of
Investigation,
are clashing with cyberlibertarians and powerful commercial interests over efforts to extend controls on
so-called strong encryption to domestic uses.
The worry once was that strong encryption would aid America's enemies abroad. More recently, some
members of Congress and the FBI have begun to worry that without domestic fetters on strong encryption,
home-grown criminals, too, will have free rein on the Internet.
Cyberlibertarians, meanwhile, fret that new efforts to control encryption will rob
Americans of privacy. And major business interests warn that anything less than strong encryption will
cripple their efforts to move commerce fully onto the Internet and into the 21st century. Says David
Banisar, a lawyer and senior policy analyst for the Electronic Privacy Information Center, a nonpartisan
Washington research organization focusing on civil liberties issues concerning electronic communication:
``The FBI is determined that nothing passes they won't accept. Industry and the public is not
thrilled
with what the FBI wants. It is a fairly intractable problem."
There is no argument over the basics of encryption.
Secret codes are simple to use when only a small group of people depend on them. Before exchanging
messages, the users simply exchange solutions to the codes. But when millions want to keep secrets on a
medium as public as the Internet, things become more complicated.
What is required then, is an encryption method that guarantees tha only the right person gets the
decoding
key to a message. Moreover, the process by which the secret communication is carried out has to
guarantee
that the last decoding key does not decode the sender's next message. Peter may want Paul to read a
message with a credit-card number - but not the love letter to Mary.
The solution rests in using public-key encryption.
With that method, the encryption code has two component keys.One, called the public key because it is
available to anyone who wants to use it, encrypts the message. For now, such public keys are available
because they are part and parcel of late-model Web browsers such as Netscape and Internet Explorer.
Eventually, every Net user - whether a corporation or a private person - will have an individualized
public key that will be published for all to see. The other, private key, however, remains in the hands
of
the recipient of the message.
It works this way:
Suppose that you have an Internet browser armed with a strong encryption utility. And suppose that you
want to do business on your financial service's Web site, which also has an encryption utility. Once
contact is established, the encryption utilities exchange public keys. With the help of private keys at
each end, your site and your broker's site encode and decode messages as they flow back and
forth. When you log off, all traces of the communication vanish, leaving nothing behind that anyone else
can use.
Public-key cryptology is only part of the answer to computer security.
Encryption codes - written in bits or sequences of zeros and ones, the language of computers -
have relatively short shelf lives. As recently as last year, at least one message written in a 56-bit
key
- which could comprise 70 quadrillion (that's 15 zeros after the 70) secret combinations - was
solved
by computer experts.
As a result, 128-bit encryption - think of the possible combinations as an eight followed by 37 zeros -
is
gaining favor. And 192-bit and 256-bit codes are on the horizon.
The idea that the 128-bit code and its successors may fall into the wrong hands is what has kept a lot
of
people in Washington staring at the ceiling in the middle of the night.
For most of the 1990s, the concern was that strong encryption would be used by terrorists, hostile
governments, and international drug cartels for encoding data. To stop that from happening, Washington
imposed export controls on strong encryption software.
U.S. software developers were allowed to export only if they agreed to give copies of private keys to
third parties. Those key holders would be required to make key copies available to government agencies
if
they obtained judicial permission to have them.
Encryption software vendors grumbled that the key escrow requirements would cut them out of the massive
and growing international market for their software, but most found ways to live with them - some by
applying for and getting exemptions from the controls.
``The number of export licenses granted on this special case, on that special case" slowly mounted
during 1997, so that the export restrictions have come to ``resemble the Massachusetts blue laws that
say
that there is not much you can do on Sunday unless it is on this list of 400 special cases," says
Daniel E. Geer Jr., vice president of Certco LLC, a Cambridge, Mass., company specializing in Net
security.
Some firms have set up manufacturing subsidiaries abroad or joined forces with foreign companies that
develop and sell encryption programs.
But now, as Congress prepares to deal with several encryption bills and a fistful of variations on some
of
them, the struggle over encryption has increased substantially.
According to James X. Dempsey, senior staff counsel at the Center for Democracy and Technology, a
Washington nonprofit public interest organization that defines itself as protector of cyberspace
civil liberties: ``The FBI radically changed the nature of the debate by saying that they not
only oppose changes in the export law, but wanted domestic controls on encryption."
In testimony to Congress, FBI Director Louis Freeh put it starkly: Drug dealers, members of organized
crime, pedophiles, and a host of other criminals stand ready to take full advantage of strong
encryption.
``Unless we have some solution to unbreakable encryption, we will be devastated with respect to our
ability to fight crime and terorrism," Freeh said.
Freeh is not alone in believing that key escrow holds the secret to civil safety.
The Senate Judiciary Committee's subcommittee on terrorism, technology and government
information has received letters from every major law enforcement agency, arguing against strong
encryption.
To many on Capitol Hill, the argument that law enforcement agencies should be able to tap into
computer communications just as they can tap into telephone
conversations makes sense.
If they don't get that right, U.S. Sen. Dianne Feinstein (D., Calif.) said during the
hearings with Freeh, ``it's going to just create enormous problems downstream."
But the notion that law enforcement agencies should have access to encrypted communications appalls
civil
libertarians, who see in key escrow the potential for unbridled intrusion into the lives of
Americans.
The proposal also has rattled the business community.
Leaning heavily on the opinions of many cryptography experts, businesspeople argue that a key-escrow
system would make hash of secure Internet communications. The computers of third parties holding keys in
escrow, they say, would be subject to successful criminal hacking efforts.
More to the point, the opponents say, there is no guarantee that employees of escrow companies
themselves
would not steal crucial keys, sell them to criminals, or give them up in response to blackmail
threats.
Even if hackers were unable to crack key-escrow accounts, the mere possibility that they could do so
would
undermine electronic commerce, critics of the plans say. Buyers and sellers who want to renege on
Internet
transactions could claim that transactions bearing their secret codes were fraudulent, that argument
goes.
Some observers in Washington think that the FBI and its allies would be willing to back off on domestic
encryption controls if a proposal for establishing a national technology center were to pass.
Under the the provisions of one of the encryption bills moving through Congress, such a center would
help
law enforcement officials at the federal, state and local levels deal with decryption and other
electronic
challenges.
``That logic says that we should focus on developing the right tools" to cope with illegal
encryption, rather than force encryption ``technology back into the bottle," says a Washington
privacy expert who did not want to be identified.
Still, some Washington experts think there is a 50-50 chance that Congress will send encryption-control
legislation to President Clinton for his signature this year.
Given that the White House wants to keep a tight grip on the crime issue, which it has wrested from the
Republicans, the chances are good that Clinton would sign a bill that would deny criminals a safe harbor
in encryption, those observers say.
Other observers, meanwhile, think that no matter what tack Congress and the White House take, the courts
are likely to come up with the solution that civil libertarians and businesses are hoping for.
In a suit challenging the validity of the controls on exporting encryption software, a U.S. District
Court
in California has ruled of speech protected by the First Amendment.
That case is before the Federal Court of Appeals for the Ninth Circuit in California.
In hearing arguments, the appeals-court judges asked questions that seemed to indicate that they were
leaning toward accepting the lower court's ruling, said David Banisar, of the Electronic Privacy
Information Center.
A sculpture called Kryptos, created by DC artist James Sanborn, commissioned in 1988, when the CIA was constructing a new building behind its original headquarters is 865 characters of seeming gibberish, part of a sculpture called Kryptos punched out of half-inch-thick copper in a courtyard. 20 years after its dedication, the text has yet to be fully deciphered. With Kryptos Sanborn has made his strongest statement about what we don't see and can't know.
4/16/98 Commerce Chief Calls Encryption System Flawed
Source: New York Times Author: Jeri Clausing Issue: Encryption
http://www.nytimes.com/library/tech/98/04/cyber/articles/16encrypt.html
Yesterday, Secretary of Commerce William M. Daley said in a speech to the high-tech industry that the
Clinton Administration's attempts to control encryption technology has failed and are forcing U.S.
software makers to "concede ground" to foreign competitors. Secretary Daley's comments are
the strongest indication to date that the administration is considering "parting ways" with
the
FBI and other law enforcement and spy agencies over the issue of data scrambling. "We are headed
down
a lose-lose path, and we have to get back to win-win," Sec. Daley said.
Internet security systems can be bypassed
1997 Commerce Chief Calls Encryption System Flawed Internet security systems can be
bypassed
by Paul Andrews
It sounds like a computer user's worst nightmare: Someone gains access to your personal computer via
the Internet and deletes files. Alters money accounts. Destroys information stored on the hard
disk. And it all takes just a minute or two. Fred McLain demonstrated how in San Francisco,
renewing heated debate over a nagging concern of computer users today: Internet
security.
Using a Microsoft technology called ActiveX and Microsoft's Internet Explorer Web browser, McLain
invaded a remote computer on the World Wide Web and moved files, altered a bank account, called up tax
records and wreaked digital havoc on the PC's hard disk using Net-transmitted
programs.
McLain's feat became the talk of JavaOne, the conference where he put on the demonstration and where
about 10,000 developers who use the software language called Java were in attendance.
Other technologies with similar capabilities are on the horizon. The risk comes with the ability
to gain access to a Web user's hard drive from a remote computer. Java, which until now has
protected against disk access, is being altered to provide just that. Java
supporters say they are building in extra security layers to protect against
ActiveX-type
incursions. But security experts say any disk-access technology poses risks. In any case, McLain
said, "I'll be right there to expose" potential risks to computer users "from any
technology." So far, the focus is on fast, compact Internet-transmitted
programs,
called applets, which need access to a computer's hard disk to work. The benefits of
using
applets are considerable, and many observers believe they are the next big phase of advancement for the
Internet. These little applications - hence the term "applets" - can handle
everything from text and numbers to games, animations, finances, health advisories and shopping
aids.
Hard-disk access is also key to the current big wave of new Web technology, called "push."
Advertisers, vendors and company information-systems directors are expected to use push
technology
to automatically "broadcast" a variety of applications and services over the Web to
users who have indicated specific interests and needs. The commercial potential of push is estimated in
the billion-dollar range.
For push to work, however, the door to your computer will have to be left open. And that poses
risks.
Estep sees a culture clash at the heart of the hacker ethic. Broadly speaking, he sees
the people who run computer networks and design their programs as wanting an open environment to enable
free exchange of files, programs and information. Corporate managers, however, worry about theft or
abuse
of proprietary information.
Hackers can be viewed as performing a whistle-blower function for the user public,
their
defenders say. "Security is always more important to corporations and consumers than to
companies selling software," Littman said. "Hackers are doing a service for
the public. The industry may not like it, but ultimately it's to their
advantage."
Netscape co-founder Marc Andreessen acknowledged as much when his company's
market-leading browser was under fire from hackers. "I'm happy hackers are
concentrating
on trying to break our products," he said. "As a result, we get to improve
them."
McLain's demonstration and a similar ActiveX program he posted last fall on the Web called
"Internet Exploder" have gotten him in hot water with a leading security certifier on the Web.
"Exploder" seized control of a remote PC on the Web and shut the computer down after making
sure
no programs or data would be damaged. The effort gave McLain the distinction of being the only person to
have his license revoked by VeriSign, a Silicon Valley company that authenticates the digital identity of a program's
source.
"What Fred's doing is entirely legitimate," said Ben
Thorsteinson, like McLain a veteran Seattle bulletin-board system operator. "Sun, IBM (and)
Microsoft
know Fred, and know that Fred knows what he's talking about."
Title: Daley Calls For Compromise in Encryption Debate 4/16/98
Source: Telecom AM http://www.telecommunications.com/am/
Issue: Encryption Description: Speaking to an Information Technology Policy Council forum, Secretary
William Daley warned that if the sides of encryption debate don't start compromising, the data
security industry will move overseas and US policy and products will become obsolete. Sec Daley called
for
1) online intellectual property legislation from Congress and 2) the industry to start doing a better
job
on self-regulation on privacy. A Commerce Department report says that electronic commerce lowers
purchasing and marketing costs, increases inventory flexibility, and improves customer service. The
report
also find many companies waiting for a resolution of the encryption debate before they expand their
Internet business.