REGULATION OF INVESTIGATORY POWERS BILL
BRIEFING FOR STANDING COMMITTEE CONSIDERATION OF PART III (Tuesday 4th April)
This note consists of a series of points relevant to decryption of information for investigative purposes. They are intended to be comprehensible and not misleading, although of necessity fine technical detail has had to be omitted.
1. Authority may easily come by what appears to be encrypted material; there is no way to distinguish properly encrypted material from random material. Additionally, to the untrained eye material that has simply been compressed looks very like encrypted material; if compression were completely successful you would not be able to tell the difference.
2. Encrypted material is usually preceded by an introduction which says that what follows is encrypted. If material starts with such an introduction, then it is extremely likely that it is indeed encrypted. The introduction is usually inserted automatically by software, and expert knowledge is needed to prevent the insertion.
3. If the apparently encrypted material is found stored, then if it is stored on a disc part of which is blank, it is likely that the appearance is correct. If none of the disc is blank, then it is possible that the material is blinding matter for a steganographic file system; alternatively someone may have taken great care to erase previous contents by writing random material over them.
4. Properly encrypted material is not altogether easy to generate, and in many cases in practice it may turn out that investigators can be fairly sure that they have obtained encrypted matter.
5. To decrypt encrypted matter you need a key. This may or may not be the same key as was used to encrypt the matter. The person who sent the matter may or may not be in a position to decrypt it.
6. If the recipient of a message, whether subsequently stored or not, is able to decrypt it, clearly the recipient “knew” the key. The word “knew” is in quotes because only people can know things; machines either store them or they don’t. Machines are quite often recipients. The fact that somebody possesses an encrypted message, or has received it, does not of itself indicate possession or knowledge of the key. The only reasonable thing to do with material you can’t decrypt is to throw it away, but this may well not happen instantly. Regular email users receive a great deal of unsolicited and indeed unwelcome mail.
7. The key that actually decrypts a message, often called a session key, is often transmitted with the message, itself encrypted using what we will call a long-term key. If an investigator has obtained the encrypted matter, the session key is sufficient to decrypt it, and obtaining the session key has little if any logical difference from obtaining the clear text of the encrypted matter after the recipient has decrypted it. In particular it does not give any ability to decrypt past or future messages. Obtaining the session key does, though, reassure the investigator that he has not been given a substitute message of an appropriate length.
8. For the sake of completeness, it is not considered practical to have encrypted matter that decrypts to an innocent message with one key and a different message with another. The encrypted matter has to be a lot longer than either decrypt, attracting instant suspicion. [This perhaps comes close to over-simplification, but is sufficient for present purposes.]
9. To the recipient of messages, the long-term key is often a matter of great importance and sensitivity. In particular it may be very difficult and expensive to change at other than long intervals. This is particularly true of long-term keys of institutions that depend for their functions on receipt of confidential information from many different sources.
10. In such circumstances to be obliged to disclose a long-term key could have very damaging effects on institutions.
11. With current technology it is practical to say to an individual “decrypt this communication and give me the result”; if you say “decrypt all communications from X in the next year and give me the results” that is practical too. If you say “put me in a position to decrypt all communications I intercept to you from X in the next year” this may well only be practical if the investigator is put in a position to decrypt all communications from anyone to the same recipient. This may be reasonable if the message recipient in question has no known function in life other than as a reputed villain; it is less reasonable, for lack of proportionality, if the recipient is Barclays Bank or other large and respectable, or at any rate respected, institution.
12. It would be extremely onerous for institutions to feel they had to maintain per-customer long-term keys in order to avoid the loss of confidence that would ensue if it ever became known that all inbound communication could be monitored by outsiders as a result of the institution being required to facilitate monitoring of communications from one of its clients.
13. In (3) above mention was made of a steganographic file system. Such systems require knowledge of a key to disclose the existence of information on, for example, a hard disk. The user of such a system can disclose the existence of files, and if need be their content, selectively by classes or security levels. The investigator has a problem forcing the user to disclose something for the existence of which the investigator has no evidence. Two observations may be made about this type of technology:
· It is not as yet well-developed but has certainly been shown to be feasible.
· Capacities of commodity disc drives are now such that efficient utilization of them is not as important as it used to be; steganographic filing systems tend to be rather vigorous in disc use.
14. An investigator may destroy the content of a steganographic file system, but presumably he wanted to see it.
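The distinction drawn in points 7 and 11 between disclosing one session key and disclosing the long-term key, as an added example that is not part of the original briefing. It assumes a symmetric long-term key and a toy SHA-256 keystream so that it runs on the Python standard library alone (real systems normally wrap the session key under an asymmetric long-term key); all function names and message texts are constructed for illustration.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(long_term_key: bytes, plaintext: bytes) -> dict:
    """Sender: fresh session key per message, transmitted wrapped under the long-term key."""
    session_key, nonce = os.urandom(32), os.urandom(16)
    body = keystream_xor(session_key, nonce, plaintext)
    return {
        "nonce": nonce,
        "wrapped_key": keystream_xor(long_term_key, nonce, session_key),
        "body": body,
        # The tag binds the session key to this exact ciphertext.
        "tag": hmac.new(session_key, nonce + body, hashlib.sha256).digest(),
    }

def unwrap_session_key(long_term_key: bytes, msg: dict) -> bytes:
    """Recipient: recover the session key of one message."""
    return keystream_xor(long_term_key, msg["nonce"], msg["wrapped_key"])

def open_with_session_key(session_key: bytes, msg: dict):
    """Investigator: decrypt an intercepted message; None if the key does not fit it."""
    expected = hmac.new(session_key, msg["nonce"] + msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None
    return keystream_xor(session_key, msg["nonce"], msg["body"])

def demo() -> dict:
    long_term = os.urandom(32)                      # recipient's long-term key (constructed)
    m1 = seal(long_term, b"message one from X")     # constructed sample messages
    m2 = seal(long_term, b"message two from another sender")
    k1 = unwrap_session_key(long_term, m1)          # the only thing disclosed
    return {
        "m1_with_k1": open_with_session_key(k1, m1),
        "m2_with_k1": open_with_session_key(k1, m2),
        "m2_with_long_term": open_with_session_key(unwrap_session_key(long_term, m2), m2),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Checking the disclosed session key against the intercepted ciphertext, rather than accepting a supplied plaintext, is what gives the reassurance mentioned in point 7; the last entry shows why the long-term key exposes every sender's traffic to the same recipient.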
Now some rather different points.
15. If the initial protection of encrypted material is via a password or pass phrase, then it is often possible for an expert with full access to a system to decrypt material without knowing the password. Thus it may be possible for an expert to decrypt stored data from seized equipment without needing cooperation from anybody.
16. Correctly managing the security of systems is hard. In circumstances where there were very few distinct security environments and very strong motivation to be secure, practical security management failure has been a leading cause of insecurity. It would be interesting to know how high a proportion of investigations of encrypted material could be achieved by the use of experienced hackers together with seizure of equipment, without any resort to enforced key disclosure. Taking this approach together with the point made in (15) it is quite conceivable that this proportion would turn out to be high enough that contentious disclosure powers were in practice unnecessary. The only evidence available on this point is scattered and anecdotal.
Finally
17. None of the above has had anything to do with digital signatures or authentication. It has solely been concerned with confidentiality. The two issues are not quite orthogonal, unfortunately, but trying to discuss both in one note would generate confusion.
Conclusion
There are limits of various sorts on what can be achieved by investigative decryption. Some of them are purely technical, some come from avoiding collateral damage. Nothing seems to have appeared in the public domain to show that the results of forced disclosure exceed those of skilled hacking.