Five Eyes backdoor in Encryption

Now I’m pretty sure the majority of the people who visit this forum are from a nation that is part of the Five Eyes intelligence agreement. These countries are the United States of America, Canada, the United Kingdom and the oceanic nations Australia and New Zealand, who have leverage over the remaining Pacific nations.

For those who don’t know what this entails, here’s a brief rundown.
These nations all agree to the UKUSA agreement. This classifies these nations as FVEY nations and requires them to monitor and share international intelligence in the name of fighting terrorism. On the plus side, in theory, this agreement prohibits these Five Eyes nations from being targets as part of the agreement. This includes being targets of the extended 9 Eyes and 14 Eyes nations.
The 9 Eyes nations add Denmark, France, the Netherlands and Norway. Extending on that, the 14 Eyes nations add Germany, Belgium, Italy, Spain and Sweden.

The Five Eyes nations are unofficially assigned to spy on these regions:
Australia - South and East Asia
Canada - Russia, China and Latin America
New Zealand - Southeast Asia and the western Pacific
United Kingdom - Europe, European Russia, Middle East, Hong Kong
United States - Middle East, China, Russia, Caribbean and Africa.
Sourced from https://web.archive.org/web/20140205220700/http://www.cdfai.org/PDF/Canada%20and%20the%20Five%20Eyes%20Intelligence%20Community.pdf

However, whether you believe Snowden to be a criminal or a hero of the people, we know from the information he leaked that the restriction on spying on Five Eyes nations is ignored: these nations spy on their own people and share that information with each other.

So why am I talking about 2013 news?

Essentially, last week the Five Eyes nations met in Australia, and while not a lot of information has been revealed, it’s apparent that there has been a change in direction for all five nations.

The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don’t.

Ministers from the Five Eyes grouping of New Zealand, Australia, Canada, the United States and the United Kingdom have agreed to new measures to combat global threats, including seeking access to encrypted data and communications.

Among them was agreement that there was an urgent need for law enforcement agencies to gain access to encrypted data and communications, subject to conditions.

“We have agreed to a Statement of Principles on Access to Evidence and Encryption that sets out a framework for discussion with industry on resolving the challenges to lawful access posed by encryption, while respecting human rights and fundamental freedoms,” the communique said.

https://www.homeaffairs.gov.au/about/national-security/five-country-ministerial-2018/access-evidence-encryption

So the Five Eyes nations wish to put a back door into encryption for the sake of fighting terrorism. What’s wrong with that?
The problem is, encryption is a range of mathematical algorithms. The algorithms themselves are relatively simple. Simple enough that anyone with a decent background in math can understand them in an afternoon. Their security comes from the complexity of their result. As soon as you engineer a backdoor into an encryption algorithm, that backdoor is the weak point and compromises the entire system. And this ignores the single obvious issue with their plan.

Encryption algorithms are public. You engineer a new encryption algorithm with a back door to allow access to a user’s raw information? The public will find out. And if they find out, criminals and terrorists won’t use that encryption. As I mentioned earlier, encryption algorithms like RSA, ECC, AES, DSA and others are not mathematically complex. They are not hard to engineer. You can look at a white paper and create your own implementation in a matter of hours.

Criminals and terrorists will use known, secure encryption methods and there is nothing the government can do about it. There are only two routes the governments can go down.
A: let encryption be and tackle terrorism through different methods.
B: restrict encryption use to organizations with a license, leading to user data being encrypted, allowing spy agencies to hunt down unlicensed encrypted traffic.

I believe the Five Eyes nations are moving towards option B. Something that would completely break the privacy and security of the internet and move the world towards a 1984 Orwellian future.

This is something I have seen no discussion of, and only a few articles, hidden away behind articles like “free range eggs not actually free range” and “is this a door or a beach”. Discuss. This is a huge piece of news that broke and no one is talking about it.

14 Likes

two days

I have to agree, the only reason I know of this now is because of this thread.

I do have some questions for option B though. How would so-called encryption licensing work? Is it paid to some “neutral authority” or are keys distributed by a govt?

Wait, wow. Government-issued encryption keys, that’s a frightening thought.

5 Likes

From my experience working with encryption, it would be that with every packet sent over the internet encrypted, a hash of the contents of the packet is included alongside. That hash would have a nonce/key relating to the license for the encryption algorithm, specifically for that organization. It would probably be required that all received data should have their hash checked against a government API. Very simple to do thanks to Bitcoin and the ever-growing demand for hashing power.

Any hashes that fail the check would cause a flag with the organization that supposedly hashed and encrypted the packet and with a government agency. This would stop people from just copying a license from another organization for the sake of encryption. The only flaw being hiding the nonce/key from the user, but that could be mitigated by using asymmetric hashing/encryption. Two keys that allow for the sharing of data without sharing private keys.

Essentially you could use SHA256 to hash the packet, encrypt that with an RSA key where the public key is always available. No one could encrypt that hash themselves without the private key saved by the organization.

It is possible to do. Just the whole backdoor in encryption defeats the purpose of encryption entirely.

1 Like

Just a side note, the last time this was discussed publicly was in June 2017.

Looks like the backlash of last year had little impact. It’s just quietly moving forward from here on out.

That would utterly tank streaming services as the overhead would be massive.

2 Likes

The solution I mentioned is for TCP connections. Encrypted UDP connections would use a single hash for multiple packets or an extension on already current encryption/validation data streams.

I wouldn’t be surprised if ASIC chips were built into systems for the purpose of encryption and hashing to mitigate those issues anyway.

Though I’m not supporting these ideas to begin with. Rather explaining how they could be viable.
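The per-packet tag-and-check scheme described a few posts up (hash each packet under a licence key, verify it against a central lookup, flag mismatches), together with the one-tag-per-run variant for UDP mentioned in the post above, as an added example that is not from the original thread. It uses HMAC-SHA256 from the Python standard library in place of the RSA-encrypted SHA-256 hash the post proposes: both give the property that only the licence key holder can produce a valid tag, but with HMAC the verifier needs the same key, which is exactly the key-hiding problem the post raises and why it suggests asymmetric keys. The registry, organisation ids and packets are constructed sample data, and the "government API" is a dictionary lookup; none of this is a real scheme or API.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes added per tag

# Constructed sample licence registry: org id -> licence key.
# In the post's scheme a government API would hold these; here it is a dict.
LICENCE_REGISTRY = {
    "org-alpha": b"constructed-licence-key-for-org-alpha",
    "org-beta": b"constructed-licence-key-for-org-beta",
}


def tag_packet(licence_key: bytes, packet: bytes) -> bytes:
    """Per-packet tag (the TCP case): HMAC-SHA256 over the packet body,
    keyed with the claimed organisation's licence key."""
    return hmac.new(licence_key, packet, hashlib.sha256).digest()


def tag_batch(licence_key: bytes, packets: list) -> bytes:
    """One tag over a run of packets (the UDP case). Each packet is
    length-prefixed so reordering or re-splitting the run changes the tag."""
    h = hmac.new(licence_key, digestmod=hashlib.sha256)
    for p in packets:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def _lookup_and_verify(org_id: str, expected: bytes, tag: bytes) -> tuple:
    """Shared verdict logic: ("OK" | "FLAG", org_id, reason)."""
    if expected is None:
        return ("FLAG", org_id, "unknown licence")
    # constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(expected, tag):
        return ("FLAG", org_id, "tag does not match licence")
    return ("OK", org_id, "")


def check_packet(org_id: str, packet: bytes, tag: bytes) -> tuple:
    """Stand-in for the central check the post describes, per packet."""
    key = LICENCE_REGISTRY.get(org_id)
    expected = tag_packet(key, packet) if key is not None else None
    return _lookup_and_verify(org_id, expected, tag)


def check_batch(org_id: str, packets: list, tag: bytes) -> tuple:
    """Same check for a run of packets covered by a single tag."""
    key = LICENCE_REGISTRY.get(org_id)
    expected = tag_batch(key, packets) if key is not None else None
    return _lookup_and_verify(org_id, expected, tag)


def overhead_ratio(payload_len: int, packets_per_tag: int) -> float:
    """Tag bytes per packet as a fraction of payload, for per-packet tagging
    (packets_per_tag == 1) versus one tag shared across a run."""
    return (TAG_LEN / packets_per_tag) / payload_len


def run_demo() -> dict:
    """Exercise the scheme on constructed packets and return the verdicts."""
    stream = [b"constructed packet %d" % i for i in range(4)]
    alpha = LICENCE_REGISTRY["org-alpha"]
    beta = LICENCE_REGISTRY["org-beta"]

    genuine = check_packet("org-alpha", stream[0], tag_packet(alpha, stream[0]))
    # org-beta claims org-alpha's licence but can only tag with its own key
    copied = check_packet("org-alpha", stream[0], tag_packet(beta, stream[0]))
    unknown = check_packet("org-nobody", stream[0], tag_packet(alpha, stream[0]))

    batch_tag = tag_batch(alpha, stream)
    batch_ok = check_batch("org-alpha", stream, batch_tag)
    reordered = check_batch("org-alpha", [stream[1], stream[0]] + stream[2:], batch_tag)

    return {
        "genuine": genuine[0],
        "copied_licence": copied[0],
        "unknown_licence": unknown[0],
        "batch": batch_ok[0],
        "batch_reordered": reordered[0],
        "tcp_overhead": overhead_ratio(1200, 1),           # one tag per packet
        "udp_overhead": overhead_ratio(1200, len(stream)),  # one tag per run
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The overhead figures put the streaming objection raised above in numbers: a 32-byte tag on every 1200-byte packet is about 2.7% extra, and sharing one tag across a run of four packets cuts that to about 0.7%, at the cost that a single lost or reordered datagram invalidates the whole run.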

This among other things you have written shows a fairly large bias.

Where did it say they want to put a back door into encryption? What do you mean by this?

Nowhere in the link you provided did it say anything about putting a backdoor into encryption algorithms.

I would propose this question. In the statement of principles you linked to, what specifically do you think is an issue and why?

1 Like

I think more progress can be made if we acknowledge that this has nothing whatsoever to do with “fighting terrorism”. That phrase is simply there to control the narrative, quash dissent, and frame any who would object to the government’s plans as “unpatriotic” or “suspicious”.

The biggest threat to empires in decline is the discontent of their own citizens — and that’s precisely what measures like this are targeting.

4 Likes

Did you read it?

criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution.

So, not just terrorism.

Congratulations on your whistleblower article. Now what the fuck are we supposed to do?

Offline data? More conventions?

Probably.

To me this sounds illegal as fuck.

Also, you know, anyone that touches encryption at all.

You know what, this makes that shit back in 2015 and Ajit’s BS about encryption really not being all that cool and how we should just ditch it make a LOT more sense…

What exactly do you mean by that? Nowhere does it say that, the opposite in fact.

Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

I’d suggest reading it in full…

The USA uses civil asset forfeiture laws — supposedly enacted to combat organised crime — primarily to rob innocent citizens. The UK uses anti-terrorism laws to compromise journalists’ sources. France uses anti-terrorism laws to curb protests about labour laws. Australia uses metadata collection laws — supposedly introduced to combat child pornography — to prevent supermarkets from selling abnormally-sized lamb cutlets.

The point, @Eden, is that governments say that they are taking away your rights and freedoms for Reason X, whereas, in reality, the laws are then primarily used for Reason Y. That strategy works really effectively on citizens that are blinded by nationalism — wave the flag, their brains shut off, then the government can strip their rights and freedoms with no protest.

The different labels are used simply to appeal to/target different segments of the population. To paraphrase an oft-quoted president:

“Either you are with us, or you are with the terrorists.”
“Either you are with us, or you are with the child sex offenders.”
“Either you are with us, or you are with the organised crime groups.”

It’s easy to use words to manipulate common folk into thinking that the issue is black and white and there is no real option but to support the government — regardless of how contrived, fake, absurd, or insane the thing is that is being proposed. Manufacturing consent is a well-documented process. You should look into it some time.

Like I said: More progress will be made if we acknowledge who these measures are really aimed at… and recent history shows us exactly who that is.

9 Likes

Not sure why you think what I wrote was biased, but nonetheless.

Governments and intelligence agencies strive to control and bypass or circumvent cryptographic protection of data and communications. Backdooring encryption algorithms is considered as the best way to enforce cryptographic control.

According to the draft legislation, Australian police would be able to get a warrant from a court and then use that to demand tech companies open up their vaults and allow them to monitor encrypted messages.

Security experts have repeated time and time that what these law enforcement agencies are requesting is impossible. Encryption backdoors aren’t possible, or, more specifically, it’s not possible to give someone like the FBI, for instance, a way to decrypt data without weakening the encryption process for hundreds of millions of users.

For this to be possible with end-to-end encryption between two users, the use of encryption algorithms with a back door is required. Without it, the Australian bill is not possible whatsoever.

From this article

Ministers from the Five Eyes grouping of New Zealand, Australia, Canada, the United States and the United Kingdom have agreed to new measures to combat global threats, including seeking access to encrypted data and communications.

There are only a few ways to do this: create a back door in the encryption algorithm, or remove peer-to-peer encryption anyway. Communications between users on a service would have to be decrypted, logged, then encrypted when sent to the receiver. There is fundamentally no way around this issue.

For governments to have access to encrypted data, either that data must be stored by the organization, the keys used to decrypt that data must be stored with the organization, or a backdoor needs to be designed into the encryption itself.
Either way, this will seriously damage the security of systems and removes proof that communications may remain private. This is less about dick pics and gossip but rather things like SSL having a back door to allow for government decryption of data.

The Five Eye nations want access to encrypted data. That’s a fact. The only way to viably gain complete access is to force the use of encryption algorithms with mathematical back doors. Attempting to force organizations to do this is an approach to push the blame from the governments onto the organizations themselves. If a backdoor is broken/found for example, it’s the organization that’s at fault, not the policy that forces them to implement it.

But ignoring all of this, any terrorist organization that uses encryption to communicate will be able to encrypt their communications using algorithms proven to work, while legal organizations are forced to use methods that offer government spying on data.

Look, I get that the media reports are reporting on this in such a way that doesn’t explicitly back up what I have said, but it’s worth noting: how are these policies these nations wish to introduce going to combat international encrypted traffic? The only reason these policies could hold value is if your target was internal, organizations that you have legal power over. Sure, it might stop some pedos on Facebook and maybe police can use it to gain access to criminals’ Facebook accounts and such. But what are the repercussions?

The power of policies that allow a government to spy on everything in its nation is immense, while offering little actual value in combating international terrorism. With tools like PRISM, XKeyscore, Tempora, MUSCULAR and STATEROOM existing already that would become more usable with the introduction of access to encrypted data, it’s not hard to see the direction that Five Eyes is heading.

2 Likes

Another two articles that back up the notion that Five Eyes nations are pushing to break encryption somehow.

EndGame: “It is hereby an offence to use any cryptographic method not listed in Schedule 3 to encrypt communications. Maximum penalty: 25 years imprisonment.”

Schedule 3, of course, lists a handful of methods, all of which have government backdoors.

I do not believe this problem has a technological solution. Eventually a white-list approach will be legislated and then it’s game over for privacy.

The only solution in such a scenario is the abandonment of widespread and public encryption methods. If you and Party B want to communicate privately, you will have to come up with your own, custom way to do so, and not make the method public.

That is, of course, the way the real “bad guys” already operate… and have operated for centuries… They do not place their trust in systems they do not control or understand. They couldn’t care less about government installing backdoors in widespread/public encryption methods because they don’t use such methods so the laws won’t affect them.

5 Likes

If they gain ground with this, we in the tech industry need to make absolutely sure that there are no devices that are shall we say, exempt? Unaffected?

For instance, the devices used by the… people… who want this put into place?

1 Like

Clearly we need to ban open source and EMP it from orbit. It’s the only way to be sure a terrorist does not have strong encryption code.

If Intel’s disaster of a CPU is not enough to make it clear that shit being secure is important… It is of concern.

I’d like a back door into everyone’s bank, government, military and wives’ undies. But that’s why back doors no longer work. We made encryption and built it well.

As the Western world we will have to devolve to China and control, or stay free and encrypted. I can see the West wanting to claw into people’s everything.

2 Likes

Because your post was talking about putting back-doors into encryption algorithms despite the fact that the publication from the Australian government never says this, and in fact suggests potentially the opposite, yet no one mentioned that at all. In fact, with it being the whole reason this topic exists, it seems no one has read it either.

So how do 9 people have something to say on this when only a couple of them actually clicked the link? Are they jumping to conclusions based on past media and/or media bias on this new information?

What do you think is the reason for the contradiction in information from the most recent publication compared to the previous publication?

It wouldn’t. The new publication suggests they are aware that it wouldn’t work as well.

Governments should recognize that the nature of encryption is such that there will be situations where access to information is not possible, although such situations should be rare.

Encryption is vital to the digital economy and a secure cyberspace, and to the protection of personal, commercial and government information.

Along with the last statement, there’s no suggestion that they would want to implement something like this. Right at the start they say they know encryption is needed to keep people’s information secure, which suggests that they know everyone needs to be able to use encryption.

You can see why I picked at your statement? Your statement changed drastically as soon as it was challenged and you provide no information or evidence to back up your claims.

Everyone here seems to be going for what-ifs, conspiratorial scenarios (regardless of whether true or not), and quoting The Register for some reason. Has anyone actually read the publication and thought about talking about what they’ve actually said?

1 Like