Given the ongoing demonisation of cryptography we have translated an article for you, written by Erich Möchel, an ORF journalist. The use of encryption stays an important component for information security, regardless which version of the Crypto Wars is currently running. While most of the voices in news articles get the threat model wrong, there are still some sane discussions about the beneficial use of technology. The following article was published on the FM4 web site on 25 January 2015. Have a look and decide for yourself if the Crypto Wars have begun again (provided they came to an end at some point in the past). Maybe you work in this field and like to submit a presentation covering the current state of affairs. Let us know.
EU Economy needs secure Encryption
The fuss about the call of the EU Council of Ministers for backdoors in encryption software will revive on Tuesday, when Gilles de Kerchove, the EU counter-terrorism coordinator, will elaborate on this highly controversial plans in front of the European Parliament. Explanations are necessary, because until now there were no concrete proposals, only diffusely formulated desires heard from the Council.
Meanwhile the presentation of the Committee for Technology Assessment at the European Parliament (STOA) on mass surveillance remained largely unnoticed. The STOA Committee strongly recommends safe “end-to-end” encryption – the very opposite of the demands of the Council of Ministers. The Austrian MEP and STOA Chairman Paul Rübig (EPP) explained to ORF.at why safe “end-to-end” encryption is a top priority for EU economy and why the promotion of “open source” software comes a close second.
Foul Play against the Euro
“First and foremost we have to protect our trade secrets”, explains Rübig. The EU decision makers have become aware of this as early as the Euro crisis in 2008/2009, when “hedge funds and other speculators have bet on a massive destabilization of the Euro”. “The EU has been at least ripped off twice”, says Rübig. On several occasions it turned out that speculators knew about planned EU countermeasures in advance and were able to thwart them even before they came into force.
“Our guess was that current information from the state chancelleries has been passed on from intelligence to these groups,” says Rübig. For him that’s the main explosive fact about the news reports concerning NSA attacks on the mobile phone of German Chancellor Angela Merkel.
STOA recommends EFF, GPG, TOR
The two-part STOA study is fairly voluminous. It is therefore advisable to start with this four-page briefing. The whole study includes a total of several hundred pages with attachments and recommends no less than the active support of free encryption projects and independent platforms by the EU. This includes support of “security test programs of independent institutions such as the Electronic Frontier Foundation” and the possible creation of EU-own test programs for product safety.
In addition, the funding and support of important “open source” projects like “OpenSSL, TrueCrypt, GPG, or TOR” is recommended as well as the creation of an European “bounty hunter”-project to maintain such essential encryption tools properly and keep them flawless. So, the Committee for the Assessment of Science and Technology of the European Parliament calls for a bonus system for the detection of backdoors in encryption programs, while the Council of Ministers just discusses the targeted integration of these backdoors.
The Position of the Ministry of the Interior
What the national interior and justice ministers actually have in mind yet remains a mystery; especially as telecom and Internet providers are obliged to allow access to encrypted data if presented with a search warrant since the 1990s. But of course these obligations only apply to providers own cryptographic applications – they have no access to the “end-to-end” encryption of their customers (such as VPN corporate networks for example).
Right now there are also no concrete demands on the part of the interior ministry, said ministry spokesman Karl-Heinz Grundböck on request of ORF.at. Grundböck emphazises that the Interior Ministry by no means demands to make the deposit of second keys a general duty . “We do not want to pre-empt the discussion at EU level and therefore currently can not go further into detail.”, Grundböck said. The questions to him were sent via GPG / PGP-encrypted mail, especially because the Interior Ministry maintains a PGP infrastructure for e-mail communication with citizens.
The so-called “Crypto Wars” of the 90s
The stir about a possible obligation to key escrow – which in fact is a kind of encryption ban – refers to the “Crypto Wars” of the 90s, when strong encryption programs like PGP weren’t allowed to be exported. Web browsers such as Netscape or Internet Explorer were only allowed to be distributed with 40-, and then 56-bit encryption keys, a size which already at that time was ridiculously small.
Instead NSA and GCHQ tirelessly propagated state “key escrow” databases containing duplicate keys, alternately arguing to fight against child molesters, terrorists, or hooligans – justifications common to then current news articles. Because the permitted weak encryption of browsers made the planned roll-out of Іnternet banking and e-commerce impossible, the pressure of the banks, the rising Internet industry, and a ,in comparison tiny but vociferous, handful of civil liberty activists increased.
Around the turn of the millennium this unusual alliance managed to sweep away such insecurity measures, despite the fierce opposition of the secret services. First cryptography applications were released in France, Germany, Austria, and then all over the EU. Not quite surprisingly Great Britain was the last to follow suit.
PGP-mail Contacts of the BMI
The degree of restraint of the Interior Ministry (BMI) to speak about backdoors in encryption programs is understandable – obviously the Ministry has the necessary know-how and may not wish to speak against their better judgment. The only reason why the web interface of the database with the public keys of various departments of the BMI failed to get top marks in the [Qualys] SSL test, was because it accepts RC4 algorithms, which are said to be compromised. Usually RC4 algorithms are permitted to not exclude WindowsXP users with Internet Explorer 6.0.
This service is being offered for years, said ministry spokesman Karl-Heinz Grundböck on request of ORF.at. There’s no record of the number of encrypted emails received but in any case it is not an high amount. Maybe because there’s no easy option for users, like a safe upload form (HTTPS), and public keys are only available via email request. To accelerate this process, so that in an emergency, no valuable time is lost the ministry points out a shortcut:
Encrypted contact with the BMI is possible through this contact page: http://www.bmi.gv.at/cms/bmi_impressum/kontakt
You send a blank email and receive the address of the website securemail.bmi.gv.at.
There, you select “Key / Certificates Search” and type “firstname.lastname@example.org” into the form field.
The Study of ENISA
The comprehensive study of the STOA committee is not the only recent study in this field. At the beginning of the year the EU agency for network and information security (ENISA) published a study entitled “Privacy and Data Protection by Design”, containing very similar and respectively complementary conclusions to the STOA report. ENISA also recommends secure encryption programs, which should be mandatory and already considered in the floor plans of system architecture, so that vulnerabilities can be prevented in the first place.
However if vulnerabilities are intentionally set, this is called a backdoor and the plans of the Council point in this direction. On Thursday, EU interior and justice ministers in Riga will informally meet to discuss measures against terrorism. But given the nebulous formulated section on encryption in the meetings documents, it’s not likely to expect further information on what is actually planned.
More “Cloudy Information” from the Council of Ministers
They want to explore rules to oblige telcos and Internet service providers, “to give relevant national authorities access to communications, for example through the transfer of keys,” it says in the documents of the meeting of Ministers. That doesn’t clarify, because in end-to-end encryption by the client, the provider does not have the key.
“Crypto Wars” and the State of War
Precisely because current media reports talk of “Crypto Wars 3.0”, it should be noted that this now familiar term for the conflict between civil society and military about encryption in the 90s was not used by neither the participating civil society groups nor by the industry. This term has been coined much later, and it was the involved military intelligence who invented it.
Consequently, NSA and GCHQ named its subsequent programs to undermine cryptographic applications Bullrun and Edgehill – after two battles of the respective national civil wars. Therefore the military secret services, financed by the civil society to protect it, define their relationship with the very same civil society as a kind of “state of war”.