
The Horror of a 'Secure Golden Key' - jashkenas
https://keybase.io/blog/2014-10-08/the-horror-of-a-secure-golden-key
======
jordanpg
Schneier 5 days ago:

"Ah, but that's the thing: You can't build a "back door" that only the good
guys can walk through. Encryption protects against cybercriminals, industrial
competitors, the Chinese secret police and the FBI. You're either vulnerable
to eavesdropping by any of them, or you're secure from eavesdropping from all
of them.

Back-door access built for the good guys is routinely used by the bad guys. In
2005, some unknown group surreptitiously used the lawful-intercept
capabilities built into the Greek cell phone system. The same thing happened
in Italy in 2006.

In 2010, Chinese hackers subverted an intercept system Google had put into
Gmail to comply with U.S. government surveillance requests. Back doors in our
cell phone system are currently being exploited by the FBI and unknown
others."

[http://www.cnn.com/2014/10/03/opinion/schneier-apple-encrypt...](http://www.cnn.com/2014/10/03/opinion/schneier-apple-encryption-hysteria/)

~~~
bren2013
There is a subfield of cryptography called kleptography, which studies the
"secure golden keys" talked about.

The DUAL_EC_DRBG is a great example of how "golden keys" can be implemented
securely, because the underlying problem is the same one that a lot of
elliptic curve cryptosystems rely on.

 _Only_ the NSA could predict the output of the generator with the same level
of security as ECDH or ECDSA.

~~~
AnthonyMouse
> The DUAL_EC_DRBG is a great example of how "golden keys" can be implemented
> securely, because the underlying problem is the same one that a lot of
> elliptic curve cryptosystems rely on.

I think it was Schneier who described encryption algorithms as being like a
single fence post which is a thousand miles high. The vulnerability is not the
encryption algorithm. The attacker is not going to break the encryption, the
attacker is going to get access to the key.

The ways attackers might do that have very little to do with cryptography.
Espionage, corruption, social engineering, bureaucratic incompetence,
completely unrelated vulnerabilities in government networks, etc.

~~~
bren2013
So what you're saying is, "golden keys" are no less secure than any other form
of encryption.

People are repulsed when you call it a back door or a "golden key," but
"secure golden keys" are simply key escrows. Escrows are one of the first
things you learn to build after asymmetric crypto.

Escrows are well understood, secure, and generally regarded as a good idea.
However, "back doors" are scary, sordid, and insecure?

~~~
AnthonyMouse
> So what you're saying is, "golden keys" are no less secure than any other
> form of encryption.

The encryption is using the usual cryptographic primitives. The problem is
that the encryption is not the problem.

> Escrows are well understood, secure, and generally regarded as a good idea.

They are not. Because they're the same thing as back doors.

Using key escrow as a method of e.g. password recovery _is_ a security
vulnerability. And at least then you're choosing who you trust and the trusted
party doesn't have a nuclear neon target painted on it because the keys in
escrow are only for specific parties rather than everybody everywhere.

That's really the main issue. It is manifestly unwise to create a system
which, if broken, yields the keys to everything. Because it makes the ROI of
breaking it so enormous that the quantity and strength of the attackers you
attract will overwhelm any imperfect system, and all systems are imperfect.

~~~
bren2013
> Using key escrow as a method of e.g. password recovery _is_ a security
> vulnerability.

I have no idea what you mean by "security vulnerability" in this case. Key
escrows are _the primary way_ asymmetric crypto is used in practice. An escrow
recovers the symmetric key a message was encrypted with and you proceed as
normal.

> the trusted party doesn't have a nuclear neon target painted on it

By that logic, government agencies should operate exclusively by typewriter.
They don't because crypto primitives are designed to be secure against
unrealistically strong adversaries. No crypto paper has ever said, "Our
construction is secure in the standard model as long as the ROI is less than
epsilon."

You can go down the path of "what if there's another Snowden, and it's a snow
day in Kentucky...," but you aren't doing cryptography anymore--you're just
developing mild paranoia.

~~~
AnthonyMouse
> I have no idea what you mean by "security vulnerability" in this case. Key
> escrows are the _primary way_ asymmetric crypto is used in practice. An
> escrow recovers the symmetric key a message was encrypted with and you
> proceed as normal.

You're using an unusually broad definition of what "key escrow" means.

[http://en.wikipedia.org/wiki/Key_escrow](http://en.wikipedia.org/wiki/Key_escrow)

And your definition is covering the scenarios that nobody would call a back
door, so I'm not sure what point you're trying to make.

Giving a third party access to your private information is a security
vulnerability unless you can trust the third party, and "you can trust the
government" is a statement contrary to evidence.

> By that logic, government agencies should operate exclusively by typewriter.
> They don't because crypto primitives are designed to be secure against
> unrealistically strong adversaries. No crypto paper has ever said, "Our
> construction is secure in the standard model as long as the ROI is less than
> epsilon."

Once again, the crypto is not the issue. Nobody is expecting the attacker to
solve the discrete logarithm problem. But breaking the cryptosystem is not the
only way to obtain the encryption keys. You have a serious security
vulnerability if the expected value of the attacker obtaining the secret key
is larger than the amount of money required to bribe the relevant government
employee(s). Or if the servers the government keeps the keys on are vulnerable
to heartbleed/shellshock/whatever at any point after attackers learn of the
vulnerability, regardless of the strength of the escrow cryptosystem.

> You can go down the path of "what if there's another Snowden, and it's a
> snow day in Kentucky...," but you aren't doing cryptography anymore--you're
> just developing mild paranoia.

It's not doing cryptography at all. It isn't a cryptographic problem. The
strength of the cryptography makes little difference because the cryptography
is not the weakest link.

~~~
simonh
That's an excellent rebuttal and I agree completely, but there is another
issue with the golden key concept. If the key was only ever going to be kept
in a secure vault buried under Fort Knox forever, it would probably not
constitute a significant vulnerability. That's the picture golden key
proponents paint when they describe such a system.

The problem is that government agencies have demonstrated very clearly that
they will use such a key as often and as liberally as they can get away with.
Every time the key is brought out and used, it becomes vulnerable to
interception or disclosure to the point where pretending that it is sure to be
safe is just completely out of touch with reality.

~~~
freshhawk
> If the key was only ever going to be kept in a secure vault buried under
> Fort Knox forever, it would probably not constitute a significant
> vulnerability

I think that's the main point when people disagree about this kind of thing.
One side says "but theoretically our fort knox vault solution would be secure"
and the other side says "What I just heard you say is 'If I sprinkle magic
pixie dust around this intentional vulnerability and ignore it then it would
be secure' and that's ridiculous, a group of humans would almost certainly
not act securely around that vault because they never have".

Of course the "other side" is right, but people don't think that way naturally
so this kind of proposal/argument keeps coming up.

------
malgorithms
Author of the post here. (Thanks, Jeremy.)

There are many details I avoided in the essay that people will get sidetracked
on. Such as whether Apple is actually doing it right or not. This is discussed
and speculated on elsewhere. And right now I'm far more worried about a world
in which they're legally prevented from trying. When the FBI starts talking
about our kids getting kidnapped, I think bills start getting drafted.

There are tangents I think HN would've cared about, but which would've been a
distraction. For related controversy, Keybase - which I work on - lets users
symmetrically encrypt their asymmetric keys, and store that data on our
servers. We also let you do crypto in JS. Many hate this! Many love it! But I
want to be legally allowed to write this kind of software and release it
without a backdoor.

It's hard enough when we all fight about implementation details and security
vs. convenience. It'll be a real crap show when we know for _certain_ that
security has lost. I'll go program video games or something. Or just play
them.

~~~
panarky
The Powers that Be are conducting a coordinated disinformation campaign to
keep and expand their backdoor access by scaring the bejesus out of the
public.

 _Apple will become the phone of choice for the pedophile._

What happens when they blame strong cryptography for the next gut-wrenching
tragedy involving innocent kids and a bombing / school shooting / kidnapping /
pedophile?

Your arguments will be swept away by a tsunami of grief, hatred and blind
patriotism. Is it possible to make an equally emotional argument in favor of
the freedom to be secure?

Secure information deserves the same prestige and protection as the Four
Freedoms.

[https://en.wikipedia.org/wiki/Four_Freedoms](https://en.wikipedia.org/wiki/Four_Freedoms)

~~~
aqme28
I hate to make this kind of argument but it isn't hard:

If a hacker gets access to this golden key, they can use data gleaned from
your child's phone to stalk or hurt them.

~~~
zoips
The problem is that the general public is going to take "unbreakable
encryption" at face value. So don't worry, unbreakable encryption prevents the
hacker from getting access to the golden key, because without the golden key
even the government can't break into things. The whole thing feeds on itself.

~~~
Arnor
So here's what we do guys: put the golden key in the black box!

------
SixSigma
The Ultimate Godwin reason.

The French people, presumably, trusted the French govt. in 1936 when they
filled in their census data.

Big Data is not a modern phenomenon. It was invented in the 1930s by IBM and
the Hollerith machines. The success of tabulating 40+ million Prussians was
repeated across Europe.

The French census data was bravely protected by prevaricating French
administrative staff who had realised the consequences but delay turned into
eventual capitulation.

[http://www.ibmandtheholocaust.com/](http://www.ibmandtheholocaust.com/)

You cannot trust your _future_ government, it could be anybody, with any
agenda.

~~~
cheepin
I think this is a big point that gets overlooked. The question isn't really
whether or not the current powers are trustworthy with your data. It's really
whether every possible steward of your data is trustworthy over an arbitrarily
long time-span.

~~~
r00fus
Not just governments, but corporations as well.

~~~
Ar-Curunir
At some point the difference ceases to matter.

------
RKoutnik
The rhetoric that a 'Golden Key' will only be used by the 'good guys' is like
thinking we can create a 'Golden Gun' that will only shoot the bad guys.

The two issues I see are:

1) The bad guys might still be able to get the key (as the article discusses)

2) We _don't know who the 'good guys' are_. It's very comforting to think
that there's some mysterious superhero who will only fight for good but this
ignores the large issue: no one can really agree on what "good" is.

~~~
PythonicAlpha
As much as I see today, there are no good guys at all in the world.

There are only some guys, who try to be good, but so many fail.

~~~
spopejoy
Thank You!

It's very depressing to see constant regurgitation of cops-and-robbers
morality.

The FBI has deep historic ties to the Pinkertons, and has historically spent
at least half of its resources (conservatively) on anti-radicalism. The DEA is
so deeply interwound with the CIA that half of the drug dealers in the world
are protected and immune.

Local police forces are the only entity that is serious about "fighting
crime," and their trustworthiness is inconsistent from region to region, to
say the least. When you consider that the largest, most economically damaging
crimes are being committed by banks and hedge funds, we can basically conclude
that society is preyed upon by forces that have no counter.

Instead, we're arguing over a fantasy that somehow we need the police and FBI
to protect us, thereby meaning we have to give up whatever meager protections
we have against them.

I'm no Apple fan. In fact I'm still incredulous that this really means what
they say it does -- that iDevices are secure _by default_. But if it's
actually true, then freaking HOORAY FOR APPLE. Enjoy it while it lasts.

~~~
PythonicAlpha
You are welcome.

> we can basically conclude that society is preyed upon by forces that have no
> counter.

That is, what distresses me also! It is more and more uncovered, that there is
no moral anchor anymore in our societies -- and where reference is made to a
higher being (as on the Dollar bill), situation is even worse. In Germany, we
have a "christian" party with "christian" explicitly in its name -- but that
is also the party, that is most ensnared with lobbyists and corporation
interests and cares the least about people. It is just a tradition, to
brainwash the people.

------
Someone1234
This Golden Key idea is one of those classic "I'm just an idea man, I don't
have to figure out the nitty gritty details!" claims.

Everything is easy if you can leave figuring out the intractable problems to
someone else. When you actually sit and think about this for a few minutes the
problems quickly become apparent.

The closest real world system to this is DRM on games consoles (e.g. XBox
360). They use secret "Golden Keys" to protect authoring but still need to
allow users access to that same information.

However the way DRM worked in that context was a combination of hardware (e.g.
roll-back proof) and tying the whole thing into a mandatory update system
(i.e. no games without updates).

That DRM actually got cracked several times, but because updates were required
they could just ignore it and move on. The problem with the Golden Key
suggestion here is that once your data is compromised it is game over forever.
There are no do-overs as there are with DRM systems.

~~~
drvdevd
> This Golden Key idea is one of those classic "I'm just an idea man, I don't
> have to figure out the nitty gritty details!" claims.

Most definitely. And even the way it was proposed at the end of the original
WaPo editorial was very nonchalant:

> However, with all their wizardry, perhaps Apple and Google could invent a
> kind of secure golden key they would retain and use only when a court has
> approved a search warrant.

Let's all be sure to remind the "non-technical" public that there is no
wizardry involved here. It's logic, mathematics, and science and some things
are possible and some things just are not. Encryption in this sense is very
black and white: either your data can be decrypted by a 3rd party or it can't.
And if it can be decrypted by one 3rd party, you must assume it can be
decrypted by _any_ 3rd party.

------
chiph
I'm surprised that the Clipper Chip wasn't mentioned. That was an attempt to
have the government hold the (a) key for encryption hardware. It failed for
obvious reasons - too big a hole, and no one trusted the NSA (correctly, as it
turns out).

~~~
pdkl95
I remember the Clipper Chip well - it was one of the first issues to introduce
me to the EFF and the (still growing) war against general purpose computing.

Regarding the Clipper Chip, there is an observation that I haven't seen talked
about in these discussions. There is an important difference in the NSA's
tactics with their Clipper Chip proposal and their more recent activities:
while technically and socially flawed, the key-escrow plan at least _attempts_
to respect the constitution.

By keeping the keys at a 3rd party, in theory the NSA was limited to what they
could ask for. Automatic rubber stamped warrants may allow them access to a
lot of data, but it (again, in theory) would have been tiny in comparison to
their current dragnets.

At first I took this as implying a change in the goals or leadership at the
agency; a lot can change in a decade. But then we were introduced to BULLRUN
and how it may have targeted[1] IPSEC. Given that the IPSEC working group was
started in 1995, this suggests the NSA may have been trying to subvert
opportunistic crypto _during_ the Clipper Chip imbroglio.

While it is speculation, this could raise the possibility that the Clipper
Chip was just a distraction, while NSA's eyes were on the larger goal: the
crypto standards themselves. Of course, any proof, if any, of this is buried
deep in the NSA and not likely to see the light of day anytime soon.

[1] [http://www.mail-archive.com/cryptography@metzdowd.com/msg123...](http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html)

~~~
wahern
"this suggests the NSA may have been trying"

Well, we know that an NSA contractor on the IETF removed opportunistic crypto
from the PPP protocol. See
[http://cryptome.org/2014/01/nsa-rep-dirt.htm](http://cryptome.org/2014/01/nsa-rep-dirt.htm)

I think it would be prudent to believe that the NSA was systematically
throwing up road blocks then, and it would be prudent to believe that they're
doing it now. I can't even see how such a claim would be controversial. It is
their job after all, at least given the presumption that foreign bad guys use
and rely on domestic technology. And we know that the NSA makes that
presumption.

------
amosgewirtz
The Post's proposal is so obviously ridiculous it's almost difficult to
discuss fruitfully. The fact is, it just doesn't really matter who has access
to certain individual's security; as long as somebody other than the owner has
access, then privacy is violated. There's no such thing as half measures when
it comes to security and there's no such thing as a semi-permeable security
"membrane", so to speak.

A story: The Belgian census bureau in 1930-31-32-33 conducted a nationwide
survey, noting down, among other things, people's religion. Although this was
done innocently for records' sake, when the Nazis invaded the country, they
had access to a perfect registry of Belgian Jews.

The takeaway is that the "good guys" won't always be in possession of
sensitive information, no matter how good they are. Safety comes in people's
ability to manage their own information, not in their ability to manage
others'.

------
crazygringo
> _If Apple has the key to unlock your data legally, that can also be used
> illegally, without Apple's cooperation. Home Depot and Target? They were
> recently hacked to the tune of 100 million accounts. Despite great financial
> and legal incentive to keep your data safe, they could not._ ... _your data
> is only as strong as the weakest programmer who has access._

That's the main point here, which is excellently put.

Also, the graph by the bottom is great too -- the point that our data is
becoming more and more intimate is really relevant. That's something really
salient, which you rarely hear mentioned these days.

~~~
IgorPartola
To me, that's not the main point. The main problem with a universal backdoor
"so that the good guys could get in" is that the good guys with all their good
intentions have no business pawing through your private stuff. It's not about
having a good reason, or having a mandate. It's about your rights to not be
subjected to warrantless searches, which is exactly what a golden backdoor
would enable.

In other words, even if some genius devised a backdoor that was perfectly
secure (allowed access only to those who were explicitly granted that access),
had it verified by an international group of geniuses 10x smarter than she is
to be sure it's actually secure, and granted access to only the most
trustworthy organizations, which would of course act in the most transparent
way possible with a clear cut mandate and individual accountability, it's
still a violation of your privacy, a violation of your rights, and in the US a
violation of the constitution.

~~~
AnimalMuppet
Maybe the way to present that to laypeople is to say, "If law enforcement can
unlock a child predator's stuff and look through it, then they can also unlock
_your_ stuff and look through it. _All_ of it."

The last sentence is important. A large number of people have some area(s)
that they wouldn't particularly care to have law enforcement looking at
closely, even if they aren't overtly criminal in any way.

~~~
A_COMPUTER
> "they can also unlock your stuff and look through it. All of it."

I have had this conversation. The response is, "I have nothing to hide. My
life is boring." I have gotten this response from people I _know_ have things
to hide. One guy had cheated on his wife and was illegally selling marijuana.
But he said "I'm a small fish. They have more important things to deal with."

For people who warned about NSA spying, they watched as the response went from
"that's impossible" to "that's illegal" to "that's not happening" to "it's
targeted" to "it's everybody overseas only" to "it's everybody but why do you
care." What I learned is, many people are apolitical and they will just use
whatever is the most convenient excuse that justifies continued inaction.

------
abruzzi
It's interesting that there are a lot of arguments against backdoors in the
comments here that sound similar to NRA/gun rights arguments. Whatever I (or
you) may think about guns: I don't think that is a bad thing. It may be a hint
in how arguments for keeping strong crypto strong could be successfully made.
Yes the NRA may go over the top and many think they're evil, but aside from
cultural arguments, most of their arguments boil down to self protection, and
they've been very successful making those arguments part of the US culture.

------
peterkelly
The other worrying thing is the American-centric view of these issues.
"Foreign governments" seems to implicitly imply "governments outside the US".

As one of the 6.7 billion people on the planet that is _not_ a US citizen or
resident, to me, the US is a foreign government.

For American companies to gain trust of markets outside the US, they have to
take this into account. Apple and Google know this very well. Want to sell to
China? Germany? Brazil? If the US government wants to enforce a backdoor on US
products, that's going to do tremendous damage to their companies' ability to
compete in the global market.

~~~
toyg
> _If the US government wants to enforce a backdoor on US products, that's
> going to do tremendous damage to their companies' ability to compete in the
> global market._

Nah, they'll just go "f*ck this" and share the backdoor with other governments
(who will be extremely grateful). And then all these golden keys will
magically show up on Iranian and Pakistani servers, Kim Jong-un will parade
them, etc etc.

------
dmix
This old picture (from SOPA I believe?) sums up the Washington Post's
editorial board
[https://pbs.twimg.com/media/By8I4QGCcAELNPV.jpg](https://pbs.twimg.com/media/By8I4QGCcAELNPV.jpg)

------
hadoukenio
"A well regulated militia being necessary to the security of a free state, the
right of the people to keep and bear arms shall not be infringed."

- Second Amendment to the United States Constitution

As US law classifies cryptography as a munition, isn't it every US citizen's
right to use encryption?

~~~
aric
ARMs.

~~~
hadoukenio
Arms is short for armament.

Armament = Weapon.

The Department of Justice classified cryptography as a munition.

Munition = Weapon.

In law, it's always about the technicalities, down to the definition of words.
Prove me wrong.

~~~
toyg
I'm not disagreeing with you, just pointing out that if crypto is ammunition,
then the actual weapon is _the computer_. So this could be read as the
amendment forbidding the government from _taking away your computers_.

It would be a fabulous interpretation, although I'm somehow skeptical that
we'll ever find a court endorsing it.

~~~
hadoukenio
I think you're getting armament, munition and ammunition confused. The US
Justice Department classifies cryptography as a "munition" (aka a weapon), not
"ammunition" (used by a weapon).

~~~
toyg
"Munition" is originally a word for "fortification", and was then expanded to
mean "weapon" or "ammunition" interchangeably. It's a generic term, so you can
interpret it both ways.

------
drivingmenuts
Do the guys who suggest these things like "Secure Golden Keys" actually talk
to their own IT staff before coming up with something that stupid?

Seems like that could have been curtailed by a five-minute trip to the
computer room and asking the guy with the longest beard.

~~~
pluma
Everybody knows IT people are just lazy and will always tell you it's
impossible.

Everything anybody needs to know about IT people can be learned from watching
Star Trek.

~~~
throwwit
The problem is that a technical solution is probably an order of magnitude
more complex than a bit torrent or bit coin system; and will take a bit of
cross discipline imagination.

------
higherpurpose
The US government is a bunch of hypocrites. They pretend to care about
"cybersecurity", but:

1) don't allow you to _actually_ secure yourself properly, because then you'd
also be secure against _them_, and that seems to be a big NO-NO

2) with each new "cyber-threat" they seem to want to remove even more of our
rights and liberties

So forgive me if the next time the US government yells CYBER PEARL HARBOR
PEDOPHILES TERRORISTS - I'm not in a rush to believe them.

------
sarciszewski
The problem with a 'Secure Golden Key' is that it will, in almost every case,
result in the creation of an illegal number; e.g. 09F9 1102 9D74 E35B D841
56C5 6356 88C0

And, of course, these illegal numbers can be leaked.

~~~
danw3
Can you elaborate further? Specifically - what is an illegal number and why is
it commonly associated with a 'Secure Golden Key'?

~~~
cheald
An illegal number is a number which is ostensibly illegal to know or
distribute under legislation like the DMCA. In this case, the OP is
referencing the cryptographic key used for DVDs, which the MPAA licensed to
DVD player manufacturers. Since knowledge of it enabled the bypassing of
encryption (otherwise known as "decrypting the content with the key"), the
MPAA attempted to invoke the anti-circumvention clause of the DMCA to prevent
people from publishing it.

Any "Secure Golden Key" would be a number which is the encryption backdoor
key. Knowledge of that number would enable you to decrypt any content
encrypted with that key, and if someone who were not a government actor were
to discover that number, it would doubtless be decried as illegal to know,
possess, or publish.

------
haberman
A "golden key" only makes sense to me if it is exchanged for transparency of
when it is used.

Imagine a hardware device that can vend session keys to any device, but will
not do so unless it can push a notification to a public server that publishes
the identity of both the accessor (who must authenticate themselves) and the
identity being backdoored.

If the argument is that law enforcement will only use this when going through
proper channels, let this be enforced by forced transparency.

The hardware device would be designed to never let the underlying key leave
the device. So for the key to fall into the wrong hands, the hardware device
would have to physically fall into the wrong hands.

The hardware would therefore need to be housed in a secure location.

This is what I personally would require before I could ever support a golden
key.

~~~
rqebmm
> A "golden key" only makes sense to me if it is exchanged for transparency of
> when it is used.

This is a very interesting point. Sadly it's just as impossible to guarantee
transparency when using the key as it is to guarantee the security of the key
:(
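
A sketch of the design discussed in this sub-thread, added here as an illustration and not code from any commenter or from Keybase. All names (`EscrowDevice`, `TransparencyLog`, `derive_key`) are hypothetical, and the HMAC-based key derivation is an assumption standing in for whatever the hardware would do. It shows the device refusing to vend a key unless the access is published first, and also why the guarantee depends entirely on the master key never existing outside the device.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" used by the first log entry


def entry_hash(entry):
    """Hash one log entry's fields, including the previous entry's hash."""
    fields = {k: entry[k] for k in ("seq", "accessor", "target", "prev")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class TransparencyLog:
    """Stand-in for the public server: an append-only, hash-chained list."""

    def __init__(self):
        self.entries = []
        self.reachable = True  # set to False to simulate a blocked network

    def publish(self, accessor, target):
        if not self.reachable:
            raise ConnectionError("transparency log unreachable")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "accessor": accessor,
                 "target": target, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries):
    """True if no entry was altered, reordered or removed from the front or
    middle. Truncating the tail is not detectable from the chain alone; that
    needs the latest hash to be published somewhere independent."""
    prev = GENESIS
    for seq, entry in enumerate(entries):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False
        if entry["hash"] != entry_hash(entry):
            return False
        prev = entry["hash"]
    return True


def derive_key(master_key, target):
    """Per-target session key (assumed scheme: HMAC-SHA256 of the target id)."""
    return hmac.new(master_key, target.encode(), hashlib.sha256).digest()


class EscrowDevice:
    """Model of the hardware: the master key is used only inside this object."""

    def __init__(self, master_key, credentials, log):
        self._master_key = master_key
        self._credentials = credentials  # accessor id -> shared secret (bytes)
        self._log = log

    def vend_session_key(self, accessor, credential, target):
        expected = self._credentials.get(accessor)
        if expected is None or not hmac.compare_digest(expected, credential):
            raise PermissionError("accessor failed authentication")
        # Publish first. If this raises, no key is ever returned.
        self._log.publish(accessor, target)
        return derive_key(self._master_key, target)


def demo():
    log = TransparencyLog()
    master = bytes(range(32))  # constructed sample key, not a real secret
    device = EscrowDevice(master, {"agency-a": b"constructed-credential"}, log)

    key = device.vend_session_key("agency-a", b"constructed-credential", "phone-1")
    print("logged accesses:", [(e["accessor"], e["target"]) for e in log.entries])
    print("chain verifies:", verify_chain(log.entries))

    # The limit of the scheme: a copy of the master key held outside the
    # device yields the same session key and writes nothing to the log.
    same = derive_key(master, "phone-1") == key
    print("copy of master key reproduces the key silently:", same)
    return same


if __name__ == "__main__":
    demo()
```
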

------
placebo
The idea of a secure golden key would be wonderful if you could always trust
the keepers of that key to do the right thing. But you can't. The same applies
to the idea of "you have nothing to fear if you have nothing to hide", which
incorrectly assumes that what you perceive today as nothing to hide will
always be perceived the same way by others that can view your communications.

The ironic thing is that eventually, those that the golden key is aimed at
today will probably be the least hurt by it. The bad guys will take
precautions and not trust the security of public services (they'll be using
their own secure channels) while the good guys will continue to lose their
privacy and liberty.

------
j_baker
> How to resolve this? A police “back door” for all smartphones is undesirable
> — a back door can and will be exploited by bad guys, too. However, with all
> their wizardry, perhaps Apple and Google could invent a kind of secure
> golden key they would retain and use only when a court has approved a search
> warrant.

I don't get it. What's the difference between a "backdoor" and a "golden key"
other than that one sounds less threatening than the other? It's seriously
clear that WaPo simply has no idea what they're even talking about. Did they
not have a Software Engineer on hand they could run this past?

------
rqebmm
Based on the thesis "perhaps Apple and Google could invent a kind of secure
golden key” so that the good guys could get to it if necessary."

The bottom line is: Sadly, there's no way to tell who the "good guys" are.

~~~
jerf
That's a weak argument because there's a lot of people who aren't willing to
consider the possibility that an assumed-good guy might actually be a bad guy,
either now or at a date in the future, and may even mock you for suggesting
it. The HN gestalt itself has varied opinions on this matter depending on the
topic.

Much better is just to observe that any such key can't be kept from the bad
guys, whoever they may be, and backdoored encryption over time tends to be no
encryption at all. This is simply the truth. For all we know Snowden carried
out some encryption keys, and if he didn't, for all we know Snowden II will.

Making the former argument puts you in a position of trying to argue uphill
against what may be some very solid presuppositions about the goodness of the
good guys; the second argument is undeniable, and very simple. (Of course some
will manage to deny it anyhow; there's no such thing as a perfectly effective
argument. But it's _much_ stronger.)

~~~
rqebmm
I don't think we disagree. My point is very much in line with "any such key
can't be kept from the bad guys, whoever they may be".

Even if you give it to only the "good guys" and somehow ensure that nobody
else could get it, there's no way to know the "good guys" will always be
"good". It all depends on context. If the NSA is stopping people from harming
innocents, they (rightfully) think they're the good guys. If they are secretly
spying on said innocents without their consent, people (rightfully) think
they're the bad guys.

------
AnimalMuppet
Here's another argument against it: Market share.

Scenario 1: Apple creates a secure system without a backdoor. Everybody uses
it.

Scenario 2: Apple creates a "secure" system with a golden key that lets US law
enforcement in. Nobody with a clue outside the US uses it. Several European
governments ban it. Apple (and US) market share declines around the world.

------
x1798DE
"OK, just spitballing here, but how about instead of leaving a back door open,
we just don't lock one of the windows? Is that a good compromise for
everyone?"

------
ChrisAntaki
This threat tends to be underplayed by our intelligence community.

> Threat #2... Even if you trust the U.S. government to act in your best
> interest (say, by foiling terrorists), do you trust the Russian government?
> Do you trust the Chinese? If a door is open to one organization, it is open
> to all.

~~~
tkinom
China's potential iPhone market is likely to be bigger than the US's. The Chinese gov can
easily say: "Give us the golden key, or your phone is not getting into the
China Cell market."

------
nathan_long
> perhaps Apple and Google could invent a kind of secure golden key they would
> retain and use only when _a court_ has approved a search warrant

Even if the Washington Post has no idea how cryptography works, this is
incredibly naive politically.

"A court", you say? From which country? Google and Apple do business
worldwide. Can China's courts access my data? Iran's? If Apple employees have
the key, they decide. And if they decide, any country with enough monetary
leverage can get the key. "You can't do business in China unless you give us
access."

(Not to mention the head-in-the-sand implication that the US government would
only get data using due process.)

The only way this can work is if the tech firm _cannot_ access the data.

------
roywiggins
Isn't there a 'Secure Golden Key' at the base of DNSSEC? I guess the damage
would be somewhat less if that key was exposed, but still.

~~~
valarauca1
Golden Key security underlies DNSSEC and TLS. Fundamentally you are trusting
1 or very few agencies that they in fact have your security and best interests
in mind.

This is normally when somebody starts talking about using GPG to replace TLS and
DNSSEC systems. But this is normally somebody who doesn't realize how graph
theory or at least path finding works, so they are ignored.

~~~
wahern
It's not the same as a Golden Key because you're not handing over your private
keys to somebody else, nor are you trusting them to store private information.

There's no substantive analogy to be made at all.

Also, there are quite decent alternatives to DNSSEC. In particular, DNSCurve:
[http://dnscurve.org/](http://dnscurve.org/)

PKI is admittedly a mess at the moment. News at 11. But that's irrelevant to
arguments regarding Golden Keys, aka backdoors to your own, private
information.

------
lotsofcows
The good guys? Who are the good guys? The integrity of which government
departments do you trust?

------
swagasaurus-rex
> Your personal pics, videos... will all be leaked, a kind of secure golden
> shower

The humor writes itself

~~~
brianmcc
I pretty much sprayed my monitor with coffee when I read that in the article.
Tremendous :-)

------
sopooneo
I think there are two sides to this, but for the most part neither side will
admit the negative aspects of their stance. Any "golden key" backdoor that is
implemented, no matter how emphatic the promises, _will_ be abused. On the
other hand, having truly inaccessible data, no matter how much it enables
our valid right to privacy, will also make communication between criminals,
including terrorists, easier.

~~~
avn2109
Ben Franklin (allegedly) said, "Those who would give up essential Liberty, to
purchase a little temporary Safety, deserve neither Liberty nor Safety."

The old guy is seeming more and more prescient nowadays. Pretty clear that BF
wouldn't have supported backdoors (especially not with the grim Orwellian
doublespeak name "Golden Key.")

~~~
krapp
Although, it is entirely possible that what Ben Franklin actually _meant_ was
not what many believe[0]...

But who knows? I think it's a bit silly to presume what the Founding Fathers
would have thought about modern concepts like cryptographic backdoors, when
they[1] would have probably been far more appalled by all of the black people
and women running around unattended than at the existence of a standing army
or laws governing interstate commerce or whatever.

[0][http://www.lawfareblog.com/2011/07/what-ben-franklin-
really-...](http://www.lawfareblog.com/2011/07/what-ben-franklin-really-said/)

[1]generally speaking... I'm not implying all of the Founding Fathers
supported slavery, obviously, just that their political and social priorities
would not necessarily be what we might expect.

------
InclinedPlane
It's interesting how often the lessons of history need to be relearned. It
doesn't matter that we can trust the government of today (to the degree we
can, which isn't much, in my opinion), it's never wise to give governments
ultimate power. Because it means that if the government then becomes
untrustworthy the results are much remedy the situation. Moreover, our little
"free" bubble is not the entire world, the governments that most of the people
of the world live under are not merely untrustworthy, in many cases they are
exploitive or oppressive. Not the sorts of organizations you'd want to give
the ability to snoop into everyone's business.

Many folks are blessed with the fortune of living lives without turmoil or
great consequence, and for those folks it may seem perfectly normal to allow
the state into their affairs. But we should not force the state to be in
everyone's affairs, we should not choose to live in a police state out of some
fool notion that there will be less crime or less terrorism there. That's not
how it ever works out.

------
boie0025
I keep having flashbacks to 1994... Clipper Chip saga.. anyhow, here's a good
read.. looks like the debate hasn't changed too much.
[http://www.nytimes.com/1994/06/12/magazine/battle-of-the-
cli...](http://www.nytimes.com/1994/06/12/magazine/battle-of-the-clipper-
chip.html?src=pm&pagewanted=1)

------
7952
I understand the rightful distaste for backdoors. However, it occurs to me
that any encryption system that could get widespread use would need some kind
of mechanism to recover data in the event of loss of
password/hardware/authentication device etc. The more valuable data is the
more important backups are. I think that the general public would be reluctant
to use any complete encryption product that could lead to loss of personal
data such as email in the event of common human error. We need ways to recover
data, and if those methods exist they could always be used by law enforcement.
Encryption has to exist within the world as it is (with compromises), not how
you may want it to be. A secure encrypted backup recovery standard may
actually make users safer, because what we have now is so much more
vulnerable.

~~~
jleight
I think the real point to take out of this is how important it is to have
secure backups of your encryption key. Making sure that the encrypted data is
backed up is common sense. Backing up the encryption key is just as important.

If I were to lose my encryption key, I would absolutely expect to lose my
data. That's how encryption works. That's how encryption _should_ work. If I
can get my data back without the encryption key, someone else can too.

------
lingben
This is a little tangential but I continue to be astonished that Dropbox has
been able to continue operating without client side encryption, especially
after the 2011 debacle

~~~
api
Users don't care about security or privacy. This has been demonstrated again
and again, with Dropbox as a premier case in point.

By "care" I mean "change buying habits" or "plop down money." Talk is cheap.
People will _say_ they care about security or privacy but since they do not
change their spending behavior these are just words. Where people spend money
is the only thing that matters in terms of steering corporate behavior or
product road maps.

What users care about is convenience, overall user experience (UX), and cost,
in roughly that order.

Enterprises and governments do care a bit more about security, but they often
don't understand it and make poor buying decisions in that space.

* Edit: A _few_ tech-savvy or politically concerned users do care about security and privacy, but this is (1) a small category, and (2) generally a group that doesn't want to pay for things and thinks everything should be free. #2 is the most significant factor-- if you don't pay for things you don't exist.

~~~
jamwt
That and the fact that they will inevitably lose their data when they
mishandle or misplace their keys. In the rare case that they are the
sophisticated type of user who will most likely (and even that likelihood
could be debated) safely handle and retain their irrecoverable secrets,
they're already solving their problem by doing client-side encryption on their
own.

Maybe that's what you meant by convenience/user experience. Client side
encryption with a nontrivial, irrecoverable key that must be remembered and
kept secret by the end user is not a very usable system for the vast majority
of people.

------
dpeck
Tom Cross (security researcher, activist, etc) has been talking a lot about
potential abuses of lawful intercept for a while, if you like this article and
are looking for something deeper his 2010 Blackhat paper is worth a read
[https://www.blackhat.com/presentations/bh-
dc-10/Cross_Tom/Bl...](https://www.blackhat.com/presentations/bh-
dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)

------
mangeletti
Keybase absolutely MUST implement a "we haven't received any FISA requests,
etc." type of page on their website, one which can be taken down in the event
of an illegal intrusion by the government via this mechanism, before it's too
late. One cannot add a page stating that they _have_ had such a request, so
the former is the only option.

------
shkkmo
I'm not sure "Threat #4. It Protects You From the future" is quite accurate.
It protects you from the near future where the time taken to break the
encryption is long. However, Moore's law and the discovery of flaws in present
encryption methods mean that eventually, even items for which the only key has
been destroyed will not be private.

~~~
wyager
> Moore's law

There are physical limitations on Moore's law. If you were to design a
mathematically good/perfect n-bit cryptosystem that took 2^n tries to break,
you can make some _very_ strong guarantees. For example, even a perfectly
efficient computer (1 electron flip per attempt) would (on average) take more
energy than the sun will ever emit to break an ideal 256-bit cryptosystem.

> discovery of flaws in present encryption methods

This is the kicker. However, I'm hopeful. We have some really old
cryptosystems that are still going 20-30 years later. As analytical techniques
advance, I bet we'll find some even more rigorous constructions.

~~~
Filligree
You'd better double that bit count; there's a generalised algorithm which lets
you break symmetric encryption of N bits in 2^(N/2) time.

This probably still means that 256 bits is good enough. Of course, then
there's RSA to worry about..

~~~
wahern
Are you thinking about the Birthday Paradox? Because a) that usually applies
to hashes, and b) it applies when you're trying to find collisions between
two variable strings, not one fixed and one variable.

Otherwise, you may want to get on the phone with everybody using AES-128, et
al and let them know. 2^64 would be rather trivial to crack these days.

~~~
taejo
I think Filligree could have been referring to Grover's algorithm (requires
many qubits of quantum computing power, which we don't know how to build, but
we do know the algorithm)

------
franciscop
Yet we have to recognize that _a single, strong password that only you know_
is _not good enough_. Given the processing power evolution, a password that
would be cited to take 100 years to break by a strong computer, in 10 years it
would take 3 and in 20 years it would take 35 days.

I hope by then we're thinking about which secure system to migrate to.

------
Animats
What we need is forced disclosure of interception by the Government. I propose
the following:

- Anything the Government intercepts must be disclosed to the parties
intercepted after some period of time.

- After three years, longer than the length of most criminal investigations,
the Government must disclose intercepts, except that the Government may choose
to withhold information for no more than 25% of intercepts. This allows for
long-running intelligence operations and criminal investigations, while
forcing disclosure of excess interception.

- Every three years thereafter, the Government must disclose all but 25% of
the withheld disclosures. So, over time, more intercepts are disclosed, until
all are.

- Records of all interceptions, listing the parties involved and all other
pertinent data but not the content of the interception, made within the US or
of persons or entities within the US, must be reported within 7 days to the
office of the Attorney General of the United States, the Administrative Office
of the U.S. Courts, and the Librarian of Congress, there to be held
permanently and securely. This puts a copy of the data in the hands of each
branch of government.

~~~
spacehome
> the Government may choose to withhold information for no more than 25% of
> intercepts.

Be careful of unintentional incentivization. The govn't could just intercept 4
times more than it really wants.

------
praptak
I would perhaps consider a system where N independent keepers of keys need to
agree to a privacy override. Balance of power and stuff. It is possible from
the crypto point of view but it doesn't really matter because...

...first we'd have to find at least one worthy keeper and it's a social
problem, not a technical one.

------
jimbobimbo
Good observation on "golden key" == "backdoor". That reminded me of George
Carlin's "Euphemisms":

[https://www.youtube.com/watch?v=vuEQixrBKCc](https://www.youtube.com/watch?v=vuEQixrBKCc)
(May have strong language)

~~~
sanderjd
I don't think it was a euphemism at all! I think that the author of the
article had no sense that "secure golden key" is just an implementation detail
of "back door". Which is the sort of misunderstanding of "how stuff actually
works" that becomes dangerous when influencing and defining policy.

There is a good debate to be had here, but it really shouldn't contain the
word "wizardry" anywhere.

~~~
jimbobimbo
It might be an honest mistake today, but tomorrow it could be picked up as a
word that would let some legislation go through without alerting the general
public. I think, it's important for the security community to make sure that
the "golden key" won't become a euphemism in the future. This article is a
great start.

------
atmosx
Call me crazy but the first time I saw the article I thought I was reading a
NSA press release. I'm very sceptical about the source of this article: did
the author (and the newspaper) come up with the idea alone, or was he driven by
third parties?

------
visarga
The "Secure Golden Key" is as secure for the internet as the "Wonderful
Beating Stick" is "wonderful" for a kid. Just because we put "wonderful" in
the name of a beating stick does not make it so.

------
revelation
The Washington Post is stuck reliving the crypto wars. Just close the tab, we
can always let them back in when they have caught up to the 21st century.

Just a shame they managed to trick Orin Kerr into that mess they call
journalism.

------
golemotron
Has anyone ever tried to pass a law like this for the physical world?
Something like: all safes and houses must have locks with a universal key that
only the police know.

------
towski
"Good guys". Apple. Google? Why? Why do adults have the moral understanding
of a 10 year old?

------
bhhaskin
Who decides who the "good guys" are?

------
tom_buzz
This is just the key escrow debate of the 90s all over again.

~~~
natch
It may be the same debate, but that doesn't mean the war is over, if that's
what you're saying.

------
crististm
the clipper chip is back on the radar

------
mangeletti
Seriously, epic.

I hope this stays at the top for 3 days.

------
garimagupta95
I don't understand why this is being posted here.

------
comrade1
Started reading. Sounded interesting. Saw picture of He-Man. Closed window.

~~~
sarciszewski
That was not very relevant or meaningful.

~~~
comrade1
It's kind of hard to take the article seriously... This topic - government
held keys for encryption services - is an old debate. If I remember, some
countries even implemented key escrow. The He-Man picture lets you filter out
the article pretty quickly.

~~~
sp332
If it's an old debate, why are we still having it?
[http://www.businessweek.com/news/2014-09-30/u-dot-s-dot-
seek...](http://www.businessweek.com/news/2014-09-30/u-dot-s-dot-seeks-to-
reverse-apple-android-data-locking-decision)

~~~
wahern
The debate over Key Escrow was shut down by Clinton through unilateral
executive action.

The political viability and constitutionality of the myriad issues mandatory
escrow systems would give rise to were never tested. Furthermore, by the time
key escrow was dropped the existing CALEA legislation was already a huge win
for the FBI and DoJ. And given that it's 2014 and opportunistic/pervasive
encryption is still more a pipe dream than a reality, the FBI and DoJ didn't
care to expend more political capital pressing their case.

But now that we're potentially on the cusp of more pervasive encryption, we
should all be prepared for some major PR battles going forward.

------
eli
I know this may be a minority opinion, but I'm personally much less likely to
share articles with my colleagues when they have cartoon images in them.

