Internet firms to be banned from offering unbreakable encryption under new laws

The Telegraph UK ^ | 02 Nov 2015 | By Tom Whitehead, Security Editor

[Swordmaker]

UK -- Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to under the Investigatory Powers Bill

Internet and social media companies will be banned from putting customer communications beyond their own reach under new laws to be unveiled on Wednesday.

Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to, the Daily Telegraph can disclose.

Measures in the Investigatory Powers Bill will place in law a requirement on tech firms and service providers to be able to provide unencrypted communications to the police or spy agencies if requested through a warrant.

The move follows concerns that a growing number of encryption services are now completely inaccessible apart from to the users themselves.

It came as David Cameron, the Prime Minister, pleaded with the public and MPs to back his raft of new surveillance measures.

He said terrorists, paedophiles and criminals must not be allowed a "safe space" online.

[Swordmaker]

Either I'm on crack, or they came up with some new permutation math, or that's supposed to be 223^144. ;)

Brain Fart.

[IncPen]

The government wants to know everything about everybody.

People forget that 'the Government' is nothing more than the guy down the street who works for the IRS or the post office...

'The Government' is your neighbors, people who have no business having any authority over you.

You would not let your neighbor snoop in your business, nor should you let 'The Government'.

[familyop]

The Investigatory Powers Police State Bill

[Swordmaker]

But knowing the UUID, for a person known to have a four-character passcode, couldn't they just brute force the 223^4 possible combinations of that with the UUID, hash, and find the one that matches? 223^4 is 2.47x10^6, so that's still a lot, but not past the death of the universe or anything.

Nope, the key will be 132 characters of which any of the characters can be any of 223 possible characters. . . The four digits can appear any where in the 132 characters. As I understand things, they do not know this UUID. . . or where the four passcode characters were entangled in this UUID or how. . . and the UUID and the entangled passcode are only the basis for creating the key, not the key itself.

There is an algorithm that actually creates the key. All of this occurs inside the A9 processor and is never allowed outside of the processor. HASHes of all of this are kept in the Secure Enclave portion of the Processor which is not accessible from outside the processor.

[familyop]

"People forget that 'the Government' is nothing more than the guy down the street who works for the IRS or the post office...

'The Government' is your neighbors, people who have no business having any authority over you.

You would not let your neighbor snoop in your business, nor should you let 'The Government'."

That's the best description of what's going on.

[Swordmaker]

And indulge me one more question. How does this affect or not effect data stored in the cloud? If you are backing up to the cloud, if they cannot open your phone, cant they essentially get that data from the provider?
Or does the encryption reach that deep?

The same key is used to encrypt what leaves the iOS device and is sent to the iCloud. Apple gets pre-encrypted data. According to the white paper I read on the subject, Apple then takes the pre-encrypted data from the user, splits in four pieces entangles it with four other users according to an algorithm, encrypts it again with another 256 bit AES encryption to which they DO have the key, and then store it on their or leased servers. When the customer wants his data back, the process is reversed, his data is extracted and sent back. If the government requests data with an appropriate search warrant, Apple will provide them with the encrypted files, but will help no further, meeting the letter of the law. In other words, they get a pile of un-decypherable gobble-de-gook, useless without the users' key and ONLY decipherable on the user's device, where the original UUID is available. (Grin). They have to have BOTH pieces PLUS the algorithm that makes the key. Without all three, either piece and even both are useless. Essentially the white paper stated that any decryption had to be done on the device it was created on.

They also stated there's an increasing delay in each attempt at trying to do it. . . slowing down the process if they do attempt passcodes by brute force on the device. . .

[Still Thinking]

Oh OK, so I guess we're talking about encryption for stuff stored on the phone and stuff that can be transmitted already encrypted and not decryptable by anything other than that phone, IOW the key never needs to get transmitted anywhere and is built from a UUID no one else knows.

If that's the case, then it makes sense. If they can get the UUID, then I stand by my previous question. Obviously, having put the entanglement algorithm into the phone, they know what the rules are and can recreate the steps, given the UUID. But if they don't know and can't discover the UUID, then it should be secure.

[Still Thinking]

Essentially the white paper stated that any decryption had to be done on the device it was created on.

That's what I inferred would have to be the case but didn't realize they'd actually implement that (given that you can't decrypt on another Apple device that you own, etc.).

[FourPeas]

There’s a good selection of Android side-load apps for various types of encryption on FDroid

[FourPeas]

He said terrorists, paedophiles and criminals must not be allowed a "safe space" online.

By that same logic, people should be able to be stopped and searched at any moment. Wouldn't want to give terrorists, paedophiles and criminals a "safe space" on the roads, sidewalks, their homes or anywhere else.

[Swordmaker]

There’s a good selection of Android side-load apps for various types of encryption on FDroid

It has been discovered that Android keeps the keys in an unencrypted Text file in a Library outside of any locks and not even hidden. If one knows where to look, even the unlock key is there. They found even Samsung's Knox key in it. . . after they were given the US government's OK for full access secrets. OOPS.

[Tolerance Sucks Rocks]

PING!

[Swordmaker]

Another article on the subject:

Apple can't decrypt your iPhone: Why it matters

[GingisK]

It is time to discuss personal issues only when sitting next to a nice waterfall.

[sergeantdave]

David Cameron has declared himself a fascist NWO pig and sealed his fate. He can either stay in Britain and be hanged as a traitor or try to flee the country and end up brutalized and shot dead on the hood of an SUV like Qaddhafi. The NWO is going down, and it will be very bloody for them and their families.

[ThunderSleeps]

This is an Apple suit, but I'm sure the results will apply to all smart devices. - ANDROID PING!
Android Ping! If you want on or off the Android Ping List, Freepmail me.

[Scrambler Bob]

Carrier pigeons?

That’s why wind farms have been erected.

[the scotsman]

Uh-huh.

[Southack]

http://www.technologyreview.com/news/543511/claimed-breakthrough-slays-classic-computing-problem-encryption-could-be-next/