After reviewing the thread "Forcing developers of encryption algorithms to give the gov’t a key?" it got me thinking: if the gov’t forced all encryption program makers to hand over the key, is it possible to make a keyless one?
1st let me say that I know very little about encryption (you may be able to tell that from my post). I assume that when something is encrypted the encrypter enters a code that somehow is given to the decrypter. That code tells the encryption program how to get this back into usable form. I also assume that the gov’t is not talking about this user entered code but more like a master key that can be used on all encrypted messages by that software.
If I got it basically right then it would seem that the programmer doesn’t have to even make a master key. If I got it wrong maybe a mod can change the title to "how the heck does encryption work?"
Encryption takes a clear message and converts it into a cyphermessage using a key.
The cyphermessage can then be transmitted over an unsecured channel and the receptor then takes the cyphertext and uses a key to decrypt it and recover the cleartext.
The encoding and decoding keys can be identical, in which case you have a symmetrical system, or they can be different, in which case you have an asymmetrical system.
And the idea of making a system which needs no key makes no sense as it just means anyone can decipher the messages.
I am not sure I understand your question. The keys are not made by the programmers. They are generated later by the user. Does that answer your question?
BTW, I use PGP regularly and would recommend that everybody learn to use it as it is very simple and useful. I have certain files encrypted so that, even if my computer is stolen, the thief cannot get to the information.
I am not aware of any “keyless” encryption algorithm. While I am not a cryptography expert, I do have some in-depth knowledge of cryptography.
In most encryption schemes, there exists a key (usually secret). Others may involve only an algorithm, which is then like a key (google steganography for more info). If you are really interested in learning more, I would suggest that you read the sci.crypt FAQ found here. It would probably take less than an hour, and covers the topic quite extensively.
That’s what I assumed, but is that the key that the gov’t wants? or some other ‘master key’ or backdoor to decrypt all messages from that particular program?
If it’s the latter (if a ‘master key’ even exists) I would assume it would be possible to make it so there is no master key and the only key would be user entered.
It is possible to encrypt data such that more than one private key will be able to decrypt it. The government wants it so that the only encryption software available will encrypt such that it would be readable by a private key that they have knowledge of, in addition to the private key of the intended recipient.
I think the idea was that the govt. wanted programmers to put in a master key or backdoor if one did not already exist.
This is a good reason to use and support open source software, such as the earlier (pre-version 7) PGP. It would be difficult to hide something like this. Not that I personally read the source code, but I’m confident that some people have.
CipherSaber (http://ciphersaber.gurus.com/) is a project to give even neophyte programmers the ability to implement their own strong encryption. It is based around the symmetric-key RC4 cipher, which is very simple and secure.
Keyless encryption is a contradiction in terms: The key is simply the secret information that limits access to the encrypted information.
Knowing the key, the algorithm, and the ciphertext is the equivalent of knowing the plaintext. Remove any of those three and the message is no longer known. Keeping the ciphertext secret defeats the purpose of cryptography, so that is not done. Keeping the algorithm secret is not viable, although some people still try it. Security through obscurity is simply not possible, not least because secure encryption algorithms are hard to develop and harder to test. A seemingly secure algorithm could have weaknesses in it that compromise messages when the ciphertext is subjected to certain tests. It’s far, far better to make the algorithm publicly known so it can be subjected to public scrutiny. Therefore, the key must be kept secret.
First of all, it is difficult to ascertain what key is the one the “government wants”, since no one has specifically referenced the (proposed?) law. As sailor aptly described in the other thread, it is the “decryption” key they want. What form that key takes is a matter of the encryption system employed.
[Generalization]
Most broadly applicable crypto systems are based on asymmetric cryptography, referred to as Public Key systems. Due mainly to processor speed and other practicalities, these systems use long-held public/private key pairs to encrypt symmetric encryption keys. The symmetric encryption is used to actually create the ciphertext. The ciphertext and the (public/private key encrypted) session key are then transmitted together. Other processes for authentication and integrity are also normally employed.
[/Generalization]
If you wish to understand this more, please see the reference material linked in my post above.
IIRC, the government WAS interested in creating a grand key escrow database of private keys. With the systems described above, that would allow the government to decrypt all the session keys used by that individual, and hence, be able to decode all their cipher text. Like many other forays of the government in technical matters, they failed to understand the complexity and impact of such issues. The issue died a few years ago, and really hasn’t been heard from since.
Keyless encryption isn’t strictly an oxymoron - you could still have other, very simple forms of encryption, like substitution, that don’t rely on keys.
The “key” would then be the encryption process itself. Key is whatever you need to decrypt the cyphermessage. In any case, it would be child’s play to decrypt. One of the fundamental axioms of cryptography is that the enemy knows all the details of the full encryption/decryption process and only lacks knowledge of the key, which can be changed regularly. Anything else would not even be considered.
A system is considered robust when the process is public and considered robust by experts and the key needed to decrypt is only known to me. The idea that the key is embedded in the system and can be kept secret is a nonstarter.
Just wanted to make note of a technology (SRK), it is a key-management software that does not transmit keys during secure information transfers or streaming data. SRK does not store or transmit keys, which is the major problem with today’s secure encryption. Eventually that key will be susceptible to a hack (case in point: Sony PS-3).
SRK is 1000x faster than PKI or 11x faster than elliptical curve.
It has a <5% overhead and takes <1% of the bandwidth.
I can provide more information if anyone would like it.
Thanks,
Jay
Unless your name is along the lines of Ron Rivest (the person who created RC4), Vincent Rijmen (one of the AES developers) or Bruce Schneier, writing your own security is usually a really bad idea.
RC4 is not exactly the best tool in the box these days. It’s a streaming cipher, so it may not be so useful for encrypting drives or files, which are usually encrypted with block ciphers. It’s also the core technology in WEP, which has been utterly broken for several years.
You caught me in some clumsy phrasing. I should have said ‘implement your own based on a known algorithm’, but I thought I implied that. Almost nine years ago. Before the snake oil salesman resurrected this. (Specifically, it seems to fall foul of #3 and #7 in this list here.)
Block-vs-stream isn’t relevant to strength, AFAIK, and you aren’t understanding the key trade-off CipherSaber (which ‘corrects’ to ‘Decipherable’ in FF5’s default spellcheck dictionary… troubling) is built around: It’s meant to be simple enough a single person can implement it from memory, yet strong enough to fall afoul of laws against strong cryptography. It’s yet another example of software as political speech, which was a lot more relevant in this country when strong cryptosystems were still classified as ‘munitions’ under ITAR.
The attack used on WEP can be protected against without dropping RC4 entirely; CipherSaber does, in fact, do something to protect against it. That said, it’s probably not very strong at this point.
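The CipherSaber scheme discussed in this thread, as an added example that is not part of any post and is not the CipherSaber project's own code: RC4 keyed with the passphrase followed by a random 10-byte IV that is sent in front of the ciphertext, with the CipherSaber-2 repeated key schedule. The function names, the default of 20 rounds and the sample message are choices made for this example; it shows that the whole algorithm can be public and contain no master key, since the only secret is the passphrase the user types in.

```python
import os

IV_LEN = 10  # CipherSaber sends a 10-byte random IV in front of the ciphertext


def rc4_keystream(key, length, rounds=1):
    """RC4 keystream; rounds > 1 repeats the key-schedule loop (CipherSaber-2)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for _ in range(rounds):  # assumption: j is not reset between rounds
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) % 256
            s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(passphrase, plaintext, rounds=20, iv=None):
    """Return IV || ciphertext. The RC4 key is passphrase || IV."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 10 bytes")
    stream = rc4_keystream(passphrase + iv, len(plaintext), rounds)
    return iv + xor_bytes(plaintext, stream)


def decrypt(passphrase, blob, rounds=20):
    """Split off the IV, rebuild the same keystream, and XOR it back out."""
    if len(blob) < IV_LEN:
        raise ValueError("message shorter than the IV")
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    return xor_bytes(body, rc4_keystream(passphrase + iv, len(body), rounds))


if __name__ == "__main__":
    msg = b"meet at noon"  # constructed sample input
    blob = encrypt(b"correct horse", msg)
    # Right passphrase recovers the message; a wrong one yields unrelated bytes.
    print(decrypt(b"correct horse", blob), decrypt(b"wrong guess", blob))
```

Because a fresh IV is mixed into the key for every message, encrypting the same text twice with the same passphrase produces different ciphertexts.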