23 February 1998
Date: Tue, 24 Feb 1998 00:14:41 GMT From: Adam Back <aba@dcs.ex.ac.uk> To: ukcrypto@maillist.ox.ac.uk Subject: the spooks _do_ want your keys On this debate where Nicholas Bohm seems to be arguing that there is a distinction between (1) spooks getting your keys, and (2) spooks tarting up the process of getting your keys by having a cover organisation do the dirty work for them... Granted there is that distinction. However I think the distinction has little practical meaning, which should not be too surprising as it is a PR tool invented by the US spooks. The techniques historically proposed by the US, and UK spooks have included: 1) for PR purposes spooks claim the cover organisation will only hand over keys when authorised by a court of law, but in reality spooks will: a) keep a master copy of all the keys for "national security purposes", or b) authorise leakage of keys by a secret military court which is not accountable to anyone, and ensure the cover organisation is not allowed to disclose volume of keys authorised for "national security purposes", or c) covertly obtain copies of key database without cover org's knowledge, and presumably: d) keep keys after they are requested indefinately regardless of supposed claims of limitations on time-period of use 2) spooks "allow" use of feeble encryption (56 bit) if software vendors leak 24 of those bits to the spooks, and spooks proceed to: a) tout this as an industry led solution, and b) offer export perks to such companies. 3) spooks "offer" their own proprietary, dubious algorithms, whilst doing their best to spin it as a helpful gesture to those they foist such algorithms on. Said algorithms are variously classified, and/or available in hardware only, and/or generally tied in to systems providing some master backdoor access for the spooks. (eg red pike, CASM (or it's PR rename "cloud cover"), clipper, etc). 4) spooks generally bully, deny import and export (yes even import into UK despite their being no import regulations to my knowledge), bribe with defense contracts complicitous companies (eg TIS (who John Leach works for, and which readers may observe as the reason for his various claims and positions)). Said process being to bribe companies into doing the spooks bidding in making keys available for spooks. 5) doing deals with companies to leak key material in hardware products, or otherwise weaken systems (eg. report of Crypto AG complicity referenced on this list recently, laughably weak A5 (and A5X!)) So, in summary, yes the spooks really do want your keys. The rest is window dressing. Yes, you can quote me on the above. I observe that some have suggested it is extreme to dare to state any of this. Foo on that. The spooks are getting away with covertly imposing their wire tapping special interests to the detriment of the economy, privacy, and law and order. People need to see the whole picture, else they will be fooled into believing lies and PR spread by the spooks agents, and delegates, in DTI, and freshly converted Labour politicians. It seems well out of order that DTI officials (that means you Nigel Hickson), supposedly with the task of helping UK companies to compete are apprently furthering spook special interests instead. It is all pretty obvious and transparent where the pressure is coming from. The reason that you don't see many people talking openly about such issues to any great extent is that it might be economically difficult for a businessman. For example GCHQ might take a dislike to such a businessman, he might lose government contracts at GCHQ's request, or might get export requests turned down, etc. All unofficially of course. Adam