23 February 1998


Date: Tue, 24 Feb 1998 00:14:41 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: ukcrypto@maillist.ox.ac.uk
Subject: the spooks _do_ want your keys


On this debate where Nicholas Bohm seems to be arguing that there is a
distinction between (1) spooks getting your keys, and (2) spooks
tarting up the process of getting your keys by having a cover
organisation do the dirty work for them...

Granted there is that distinction.

However I think the distinction has little practical meaning, which
should not be too surprising as it is a PR tool invented by the US
spooks.

The techniques historically proposed by the US, and UK spooks have
included:

1) for PR purposes spooks claim the cover organisation will only hand
over keys when authorised by a court of law, but in reality spooks will:

  a) keep a master copy of all the keys for "national security purposes", or

  b) authorise leakage of keys by a secret military court which is not
  accountable to anyone, and ensure the cover organisation is not
  allowed to disclose volume of keys authorised for "national security
  purposes", or

  c) covertly obtain copies of key database without cover org's knowledge,
  and presumably:

  d) keep keys after they are requested indefinately regardless of
  supposed claims of limitations on time-period of use

2) spooks "allow" use of feeble encryption (56 bit) if software
vendors leak 24 of those bits to the spooks, and spooks proceed to:

  a) tout this as an industry led solution, and 

  b) offer export perks to such companies.

3) spooks "offer" their own proprietary, dubious algorithms, whilst
doing their best to spin it as a helpful gesture to those they foist
such algorithms on.  Said algorithms are variously classified, and/or
available in hardware only, and/or generally tied in to systems
providing some master backdoor access for the spooks.  (eg red pike,
CASM (or it's PR rename "cloud cover"), clipper, etc).

4) spooks generally bully, deny import and export (yes even import
into UK despite their being no import regulations to my knowledge),
bribe with defense contracts complicitous companies (eg TIS (who John
Leach works for, and which readers may observe as the reason for his
various claims and positions)).  Said process being to bribe companies
into doing the spooks bidding in making keys available for spooks.

5) doing deals with companies to leak key material in hardware
products, or otherwise weaken systems (eg. report of Crypto AG
complicity referenced on this list recently, laughably weak A5 (and
A5X!))

So, in summary, yes the spooks really do want your keys.  The rest is
window dressing.  Yes, you can quote me on the above.

I observe that some have suggested it is extreme to dare to state any
of this.  Foo on that.  The spooks are getting away with covertly
imposing their wire tapping special interests to the detriment of the
economy, privacy, and law and order.  People need to see the whole
picture, else they will be fooled into believing lies and PR spread by
the spooks agents, and delegates, in DTI, and freshly converted Labour
politicians.

It seems well out of order that DTI officials (that means you Nigel
Hickson), supposedly with the task of helping UK companies to compete
are apprently furthering spook special interests instead.  It is all
pretty obvious and transparent where the pressure is coming from.

The reason that you don't see many people talking openly about such
issues to any great extent is that it might be economically difficult
for a businessman.  For example GCHQ might take a dislike to such a
businessman, he might lose government contracts at GCHQ's request, or
might get export requests turned down, etc.  All unofficially of
course.

Adam