If you are a US company, you are already compromised.

One of the most effective cryptosystem attacks

Silicon Valley folks seem to forget that technology is always limited, especially around cryptography. From Bloomberg:

The companies, burned by disclosures they’ve cooperated with U.S. surveillance programs, are protecting user e-mail and social-media posts with strengthened encryption that the U.S. government says won’t be easily broken until 2030.

That’s all great and all, but there’s a big problem here. It doesn’t matter at all.

Cryptosystems always have the “large-bag-of-money” attack, the “rubber-hose” attack and the “throw-you-into-jail” attack. In the US, the “throw-you-into-jail” attack is particularly easy to use, and it is being used, as shown by Lavabit, comments by Yahoo’s CEO and the Snowden leaks.

You see, cryptography requires trust: the ability to know that the secret keys have not been transmitted to an untrusted third party. In the US, the Lavabit case has shown that a US company can be coerced into giving up the primary private keys for its cryptosystems. What is worse is that it can be forced to do this and forced not to tell anyone.

Put simply, this means that as long as you are an American business, your security must be considered suspect until laws are put into place forbidding the US government from requesting blanket access to such keys.

It doesn’t matter if you have a gold-plated private fiber-optic wire encrypted with the finest 512-bit AES encryption, and guarded at both ends by men with assault rifles and hand grenades. If the US government can demand that it be given the private key, all bets are off.

The only possible way for US cloud services to be considered secure and trustworthy moving forward is for them to either blatantly violate the law (à la Lavabit), force the law to change through heavy lobbying, or move all of their operations offshore and legally ensure that the private keys are out of the reach of the US court system.

If you believe this security theater by Google and other Silicon Valley folks will make a real difference, you are a fool.

One thought on “If you are a US company, you are already compromised.”

  1. Joe says:

    Offshoring isn’t a solution in the long run. The powers that be have proven that they’ll bypass even another nation’s laws to get what they want. Also, governments share information with their partners. The first real attempt at a long-term solution is to have a multipart key with pieces in as many countries as possible. The second is to make it deniable that someone even has ever had the key. These are both within the current state of the art.
