REGULATION OF INVESTIGATORY POWERS BILL

 

What’s it reasonable to expect from investigative decryption?

BRIEFING FOR STANDING COMMITTEE CONSIDERATION OF PART III (Tuesday 4th April)

 

This note consists of a series of points relevant to decryption of information for investigative purposes.  They are intended to be comprehensible and not misleading, although of necessity fine technical detail has had to be omitted. 

1.        Authority may easily come by what appears to be encrypted material; there is no way to distinguish properly encrypted material from random material.  Additionally, to the untrained eye material that has simply been compressed looks very like encrypted material; if compression were completely successful you would not be able to tell the difference.

2.        Encrypted material is usually preceded by an introduction which says that what follows is encrypted.  If material starts with such an introduction, then it is extremely likely that it is indeed encrypted.  The introduction is usually inserted automatically by software, and expert knowledge is needed to prevent the insertion.

3.        If the apparently encrypted material is found stored, then if it is stored on a disc part of which is blank, it is likely that the appearance is correct.  If none of the disc is blank, then it is possible that the material is blinding matter for a steganographic file system; alternatively someone may have taken great care to erase previous contents by writing random material over them.

4.        Properly encrypted material is not altogether easy to generate, and in many cases in practice it may turn out that investigators can be fairly sure that they have obtained encrypted matter.

5.        To decrypt encrypted matter you need a key.  This may or may not be the same key as was used to encrypt the matter.  The person who sent the matter may or may not be in a position to decrypt it.

6.        If the recipient of a message, whether subsequently stored or not, is able to decrypt it, clearly the recipient “knew” the key.  The word “knew” is in quotes because only people can know things; machines either store them or they don’t.  Machines are quite often recipients.  The fact that somebody possesses an encrypted message, or has received it, does not of itself indicate possession or knowledge of the key.  The only reasonable thing to do with material you can’t decrypt is to throw it away, but this may well not happen instantly.  Regular email users receive a great deal of unsolicited and indeed unwelcome mail.

7.        The key that actually decrypts a message, often called a session key, is often transmitted with the message, itself encrypted using what we will call a long-term key.  If an investigator has obtained the encrypted matter, the session key is sufficient to decrypt it, and obtaining the session key has little if any logical difference from obtaining the clear text of the encrypted matter after the recipient has decrypted it.  In particular it does not give any ability to decrypt past or future messages.  Obtaining the session key does though reassure the investigator that he has not been given a substitute message of an appropriate length.

8.        For the sake of completeness, it is not considered practical to have encrypted matter that decrypts to an innocent message with one key and a different message with another.  The encrypted matter has to be a lot longer than either decrypt, attracting instant suspicion.  [This perhaps comes close to over-simplification, but is sufficient for present purposes.]

9.        To the recipient of messages, the long-term key is often a matter of great importance and sensitivity.  In particular it may be very difficult and expensive to change at other than long intervals.  This is particularly true of long-term keys of institutions that depend for their functions on receipt of confidential information from many different sources.

10.     In such circumstances to be obliged to disclose a long-term key could have very damaging effects on institutions.

11.     With current technology it is practical to say to an individual “decrypt this communication and give me the result”; if you say “decrypt all communications from X in the next year and give me the results” that is practical too.  If you say “put me in a position to decrypt all communications I intercept to you from X in the next year” this may well only be practical if the investigator is put in a position to decrypt all communications from anyone to the same recipient.  This may be reasonable if the message recipient in question has no known function in life other than as a reputed villain; it is less reasonable, for lack of proportionality, if the recipient is Barclays Bank or other large and respectable, or at any rate respected, institution.

12.     It would be extremely onerous for institutions to feel they had to maintain per-customer long-term keys in order to avoid the loss of confidence that would ensue if it ever became known that all inbound communication could be monitored by outsiders as a result of the institution being required to facilitate monitoring of communications from one of its clients.

13.     In (3) above mention was made of a steganographic file system.  Such systems require knowledge of a key to disclose the existence of information on, for example, a hard disk.  The user of such a system can disclose the existence of files, and if need be their content, selectively by classes or security levels.  The investigator has a problem forcing the user to disclose something for the existence of which the investigator has no evidence.  Two observations may be made about this type of technology:

·         It is not as yet well-developed, but has certainly been shown to be feasible.

·         Capacities of commodity disc drives are now such that efficient utilization of them is not as important as it used to be; steganographic filing systems tend to be rather vigorous in disc use.

14.     An investigator may destroy the content of a steganographic file system, but presumably he wanted to see it.
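
The distinction drawn in (7) and (11) between disclosing a session key and disclosing a long-term key, as an added example that is not part of the original briefing. The SHA-256 toy stream cipher and the symmetric long-term key are simplifying assumptions (real systems typically wrap the session key under the recipient's public key), and all names and sample messages are constructed.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); XOR is its own inverse.
    Assumed stand-in for a real cipher such as AES, not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def send(long_term_key: bytes, plaintext: bytes) -> dict:
    """Sender: fresh session key per message, wrapped under the long-term key."""
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)  # gives every key wrap its own keystream
    return {"nonce": nonce,
            "wrapped_key": keystream_xor(long_term_key + nonce, session_key),
            "body": keystream_xor(session_key, plaintext)}

def disclose_session_key(long_term_key: bytes, msg: dict) -> bytes:
    """Recipient unwraps the session key of ONE message for disclosure."""
    return keystream_xor(long_term_key + msg["nonce"], msg["wrapped_key"])

def investigator_decrypt(session_key: bytes, msg: dict) -> bytes:
    """Investigator decrypts the intercepted body with a disclosed key."""
    return keystream_xor(session_key, msg["body"])

def matches_intercept(session_key: bytes, msg: dict, claimed: bytes) -> bool:
    """Point 7: the session key lets the investigator check a claimed clear
    text against the intercepted ciphertext, exposing a substitute."""
    return investigator_decrypt(session_key, msg) == claimed

def demo() -> dict:
    ltk = secrets.token_bytes(32)  # recipient's long-term key (constructed)
    m1 = send(ltk, b"Message from X: meet at noon")     # constructed sample
    m2 = send(ltk, b"Message from Y: account details")  # constructed sample
    k1 = disclose_session_key(ltk, m1)  # only message 1's key is disclosed
    return {
        "m1_with_k1": investigator_decrypt(k1, m1),   # readable
        "m2_with_k1": investigator_decrypt(k1, m2),   # stays unreadable
        # Holding the long-term key exposes every sender's traffic (point 11).
        "m2_with_ltk": investigator_decrypt(disclose_session_key(ltk, m2), m2),
        "substitute_rejected":
            not matches_intercept(k1, m1, b"Message from X: happy b'day!"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```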

Now some rather different points.

15.     If the initial protection of encrypted material is via a password or pass phrase, then it is often possible for an expert with full access to a system to decrypt material without knowing the password.  Thus it may be possible for an expert to decrypt stored data from seized equipment without needing cooperation from anybody.

16.     Correctly managing the security of systems is hard.  In circumstances where there were very few distinct security environments and very strong motivation to be secure, practical security management failure has been a leading cause of insecurity.  It would be interesting to know how high a proportion of investigations of encrypted material could be achieved by the use of experienced hackers together with seizure of equipment, without any resort to enforced key disclosure.  Taking this approach together with the point made in (15) it is quite conceivable that this proportion would turn out to be high enough that contentious disclosure powers were in practice unnecessary.  The only evidence available on this point is scattered and anecdotal.

Finally

17.     None of the above has had anything to do with digital signatures or authentication.  It has solely been concerned with confidentiality. The two issues are not quite orthogonal, unfortunately, but trying to discuss both in one note would generate confusion.

Conclusion

There are limits of various sorts on what can be achieved by investigative decryption.  Some of them are purely technical, some come from avoiding collateral damage.  Nothing seems to have appeared in the public domain to show that the results of forced disclosure exceed those of skilled hacking.