New UK crypto law and an idea on how to defeat it
Sean Rima
Sean Rima <thecivvie@penguinpowered.com>
Wed, 1 Dec 1999 16:55:28 +0000
--x+6KMIRAuhnl3hBn
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Hi Adam!
You ignore a couple of major points of British law, in that the police chief
would need reasonable grounds to believe that Bob was involved somehow in a
crime. He would not be able to demand Bob's key if he believed that Bob was
having an affair with his wife. Don't forget that the police chief is also
answerable to British law. But I also understand that you were using it as
an example.
The second mistake you make is that if Bob used such a program, he would
have to hand over both sets of keys. He would not be able to say that there
was only one. Should the police chief find that the file was locked also
with a second key then Bob would be automatically guilty of failing to hand
over the keys.
Bob would not be able to claim that the files were encrypted using random
keys without his knowledge as he would have had to start the process.
My personal view is that such a bill may not happen. But if it does, it will
be mainly used for Organised Crime and Pedophile and not against the
average person on the street.
Sean
On Wed, 01 Dec 1999, Adam Lock wrote:
> I understand that it will (or might) soon be necessary in the UK to hand
> over crypto keys to the police if they so demand them. The penalty for
> not doing so is a term in prison.
>=20
> So here's an idea on how to defeat it.
>=20
> Imagine Bob is having an affair with the police chief's wife and has all
> their encrypted love letters in his possession. The police chief
> suspects the affair and is prepared to abuse his powers to obtain the
> letters for a divorce proceeding in his favour. He knows he can force
> Bob to give him the decryption key by threatening him with prison term
> for not doing so. Bob doesn't want to go to prison so he "reluctantly"
> hands over the key. The chief gleefully decrypts the message hoping at
> last for evidence of his wife's infidelity but all he sees is a cooking
> recipe! Curse that Bob!
>=20
> How is this done?
>=20
> Simple. Write a tool that encrypts two or more plaintexts each with a
> separate key and concatenates them into a single ciphertext.
>=20
> But there's a problem. The police chief finds out that there are
> multiple plaintexts in the ciphertext. He goes back to Bob and demands
> the proper key or he'll definitely go to prison. How can Bob claim that
> he has "truthfully" given up the correct key the first time and has no
> idea what the other key is?
>=20
> Again simple. Make the tool capable of encrypting one or more plaintexts
> and zero or more *random* plaintexts (with random keys) into a single
> ciphertext.
>=20
> Bob can't be sent to jail because he can validly claim that the other
> plaintexts in the cipher were randomly generated and so he couldn't
> possibly know what the other key was let alone hand it over. The police
> chief might *suspect* Bob was lying, but there's no way he could prove
> it short of Bob's admission. Effectively, Bob has defeated the
> requirement to hand over his key, but has still kept his secrets secret.
>=20
> Does this sound like a feasible idea?
>=20
> --
> Adam Lock
>=20
>=20
>=20
Sean
--=20
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...
--x+6KMIRAuhnl3hBn
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: See Headers for details about obtaining my key
iEYEARECAAYFAjhFUwAACgkQGdiK9pK50M8FPgCfWzbM42sqMVV87oas52QiU/bC
ikkAnjUiky8GjwugouWKrFalSFUg27id
=Zuw9
-----END PGP SIGNATURE-----
--x+6KMIRAuhnl3hBn--