Neither private nor tegrity
January 9, 2016 10:04 AM

David Chaum has a solution to end the crypto wars.

Many people have pointed out its flaws. Chaum rejected the idea that the servers could be compromised.



David Cham previously
posted by Lycaste (37 comments total) 2 users marked this as a favorite
 
... So these 9 server administrators are going to be forcibly drafted? No one who should have the job could possibly want to be the target of attempted coercion by every government and criminal organization in the world.
posted by PMdixon at 10:12 AM on January 9, 2016 [4 favorites]


Nine separate backdoor key holders is totally unnecessary. You could cut it down to five and just station your servers in the US, UK, Australia, New Zealand and Canada — five upstanding democracies with strong human rights records. Distributed! Responsible!
posted by indubitable at 10:13 AM on January 9, 2016 [22 favorites]


You know one of those bad action movies where the team has to break through nine separate vaults, each controlled by a separate security system, in order to get to the loot? You ever notice how they always manage to get through all nine? Chaum has apparently never seen one of those movies.

Then we have the fact that, depending on who you ask, "generally recognized as evil" can mean anything from insulting the king to drawing a particular deity to organizing a protest to unleashing Sarin on the subway to taking over a stockpile of nuclear missiles. The UN can't even agree on a system by which its diplomats should try to park legally, but we're going to have worldwide agreement on this?
posted by zachlipton at 10:14 AM on January 9, 2016 [13 favorites]


> Nine separate backdoor key holders is totally unnecessary. You could cut it down to five and just station your servers in the US, UK, Australia, New Zealand and Canada — five upstanding democracies with strong human rights records. Distributed! Responsible!

Aye Aye
posted by fullerine at 10:23 AM on January 9, 2016 [1 favorite]


How about we all work to get quantum entanglement working on global enterprise computing scales already :-)
posted by Annika Cicada at 10:24 AM on January 9, 2016


quantum cryptography is pretty much worthless/inapplicable for what people are using cryptography for right now.
posted by rr at 10:25 AM on January 9, 2016


> Aye Aye

I think you meant Aye Aye Aye Aye Aye.
posted by PMdixon at 10:29 AM on January 9, 2016 [9 favorites]


You need these nine servers, then seven more for the dwarves and three for the elves.
posted by stevis23 at 10:33 AM on January 9, 2016 [82 favorites]


Well, for as long as there has to be a trust model, encryption remains vulnerable, correct? Seems to me that ECC ciphers are good enough for the near term, so long as the nation states serving as the ultimate trusted key holders are not "bad", right? Which, that's just laughable to think any nation-state could be trusted at all.

I'm just failing to understand exactly how PrivaTegrity solves the problem of needing to encrypt my client to server traffic from the internet beyond faithfully hoping that a nation-state has not stood up an MITM attack against their citizens.
posted by Annika Cicada at 10:34 AM on January 9, 2016


So the critiques look to be as follows:

1. This is a 'gift' to the FBI, showing that backdoors in crypto are possible.
2. How do you prevent all 9 servers from being compromised.
3. This solution will be unacceptable to the intelligence community.

...
My thoughts on these.

1. Well, this isn't the first backdoored crypto solution proposed (see clipper chip, others), so the FBI already knows that compromised crypto is possible. This is more novel in that it has better safeguards than other systems. While I understand the distaste for this proposal, I don't think crypto researchers should stop lines of inquiry merely because the intelligence community might like the work that they are doing.

2. This is a fair point, IMHO. APTs are advanced, persistent, and threatening. If you have one codebase and open source the server software, this makes the job much easier. If you have closed source then you are attempting security through obscurity. If you have 9 codebases then your surface area is greater, and you have less scrutiny by the research community on any given codebase. If you deploy this system, you can be assured that intelligence folks will be working hard on cracking it.

3. This is a pretty good point as well. 5 keyholders would be acceptable, as indubitable points out, if they were the 5 eyes. Having 9 keyholders, including ones that aren't in the pocket of the NSA (Iceland? Switzerland? maybe so); the NSA/FBI/CIA won't like this at all. Presumably when you wanted to de-anonymize a person, you'd have to show some evidence to 9 countries - any one of which could be compromised (and could tip off the 'bad guy'). So all 9 countries need to be having someone with security clearance, and then this entire system is run by spooks (albeit competing spooks, perhaps). This gets pretty messy and I can't imagine the US intelligence community being happy with it.

...

Chum seems to wave away the details on how the key exposure would work as implementation details. It's fair given he's constructing a technical solution, but the implementation issues are pretty key to how this would actually work. Law enforcement isn't going to share any details of an investigation unless they can trust everyone they are sharing data with. Would this look like 9 court orders from each jurisdiction, with the keyholders not being given any evidence? Would the process take too long to move quickly in cases of actual emergencies? The details Chum is hand waving away are pretty important, and need to be explained before anyone can give any real analysis to the potential problems.

Chum also doesn't seem forthright about if this will be a commercial system or not, or if the code will be open source. If it's not open source, that seems to be a non-starter. "Trust me" is something that doesn't work with crypto.

If the US (and UK and other) intelligence agencies find this 'solution' unacceptable (and it's hard to imagine they'd like this plan), then what kind of compromise is it? How would it end the crypto wars if the various intelligence agencies hated the solution?
posted by el io at 10:34 AM on January 9, 2016 [1 favorite]


I built a system in the 1990s based on Shamir's key-splitting system to perform key recovery inside a government agency's email system. We used 3-of-5 key split, and let me tell you, the number of issues that this creates may actually be 1000x more than just burning the whole data center to the ground.

The issues you have to deal with are so numerous and create so many new attack vectors that it's staggeringly complicated to get right. We tried.

Finally, the key splitting algorithms have not been examined with enough intensity yet to really say much about their trustability. How much additional information leaks between key components? Each component you have reduces the search space enormously. One alone may be enough to reconstruct the key within an acceptable time period.
posted by petrilli at 10:41 AM on January 9, 2016 [23 favorites]


> I think you meant Aye Aye Aye Aye Aye.

D'awwww you colonial chaps are so cute.
posted by fullerine at 10:48 AM on January 9, 2016 [1 favorite]


Assuming it's technically possible to build a secure system this way, I might be in favor of it provided that there was a technically enforceable contract that any backdoored data would be instantly and globally public. Something like Ethereum (https://www.ethereum.org/) with its software contracts, for example.
posted by alpheus at 11:05 AM on January 9, 2016


> Distributed! Responsible!

I'm torn between quoting Dr. Bronner here (Dilute! Dilute!) or this old Bloom County strip.
posted by Mr. Bad Example at 11:14 AM on January 9, 2016 [6 favorites]


Novel strategy for ending the crypto wars: unconditional surrender.

If only we'd thought of it before. We could have prevented so much inconvenience.
posted by eotvos at 11:19 AM on January 9, 2016 [8 favorites]


The other thing missing here is that, even if you did put this system in place, AND you somehow forced everyone to use it, how do you keep criminals from adding PGP or another simple but strong form of encryption on top of it? This is an idea that will make everyone less safe and secure, but will not actually help catch any remotely crypto-savvy terrorist or drug dealer.
posted by Aizkolari at 11:30 AM on January 9, 2016 [6 favorites]


Chaum. Not Cham, not Chum. David Chaum. He's quite smart and famous as a designer of practical cryptosystems. Backdoored encryption is nothing new; you might very well be using one without even knowing! The main reason this particular proposal gets any attention is Chaum's name on it.
posted by Nelson at 11:38 AM on January 9, 2016


> depending on who you ask, "generally recognized as evil" can mean anything

I hear there's an already-deployed system at the North Pole we might be able to use.
posted by RobotVoodooPower at 12:13 PM on January 9, 2016 [1 favorite]


For those that haven't been following the proceeds from Snowden's data dumps closely, I want to explicitly point out the Five Eyes and related treaties, which conduct the mass surveillance we live under, over a majority of the world.
posted by fragmede at 12:41 PM on January 9, 2016 [2 favorites]


Reminds me of something I saw on Halfbakery over a decade ago:
Split up your key with a "threshold secret-sharing" scheme that creates, say, 5000 shares where any 500 of them can be put together to reconstruct the key. Send one share to each of 5000 randomly selected people on the 'net... The point of all this is that while anyone can recover a key, no one can do it *secretly*. Law enforcement could also get keys to decrypt suspected criminals' files, but only in a way that's open to public scrutiny.
posted by baf at 12:50 PM on January 9, 2016


> Each component you have reduces the search space enormously

My understanding is that this is not correct. If you have k-1 shares, each possible value for the kth leads to a different value for the initial secret, and the distribution function for each share is flat.
posted by Horselover Fat at 1:14 PM on January 9, 2016 [1 favorite]


Off the top questions that pop to mind:

Who watches the watchers?
What happens when one of the keys is compromised?
Is there an undefeatable mechanism that guarantees that when any key is compromised, that fact WILL AUTOMATICALLY be broadcast worldwide?
What undefeatable mechanism will automatically replace a compromised key and/or server with one which cannot be compromised in the same way?
posted by Twang at 2:34 PM on January 9, 2016




"₦I₦€ ☪ЯY☧✢Ø Ҟ€Y$ ቸØЯ ᙢ€₦, ჩЯIჩ€ᗬ ØЯ ᗬØØᙢ€ᗬ.
Ø₦€ ቸØЯ ✢H€ ₦$Δ I₦ ✢H€IЯ ᗬΔЯҞ ☪HΔMB€Я€ᗬ ЯØØᙢ.
I₦ TH€ LΔ₦ᗬ Øቸ ᙢᗬ., ⋈H€Я€ $€☪R€✢$ ᗬI€."

posted by markkraft at 3:43 PM on January 9, 2016 [4 favorites]


"We don’t have to allow terrorists and drug dealers to use it. We can have a civil society electronically without the possibility of covert mass surveillance."

What this seems to suggest is essentially making everything a darknet... and darknet users don't advertise much.

The difficulty for states being: how do you actually find the terrorists and the drug dealers without sifting through the haystack to find the needles? I can't see states being happy about this, unless some acceptable way of doing this was implemented... which would make a whole lot of other people unhappy.
posted by markkraft at 3:48 PM on January 9, 2016


> Each component you have reduces the search space enormously

My understanding is that this is not correct. If you have k-1 shares, each possible value for the kth leads to a different value for the initial secret, and the distribution function for each share is flat.


This is true of the underlying math. It may or may not be true of any particular implementation of that math into working code.
posted by PMdixon at 4:11 PM on January 9, 2016


> This is true of the underlying math.

To correct myself --- not a crypto expert, so I'll rephrase that as "This is true of the underlying math behind key splitting systems that are in a conceptual sense equivalent to repeatedly XORing the entire plaintext with some version of each of the keys."
posted by PMdixon at 4:20 PM on January 9, 2016 [1 favorite]


> key splitting systems that are in a conceptual sense equivalent to repeatedly XORing the entire plaintext

Splitting a secret key (rather than a plaintext) into nine parts that can be XOR'd all together to recreate the key is not difficult. So yeah in that case one is certain that nothing leaks out from just one of the values and you need all 9 to know anything at all about the entire key. There are similar methods where you'd need only 5 of 9 or whatever, not so much more complicated. It's well-known how to split up secrets like that.

It's not what Chaum is proposing, though. How his system might work I have no idea, having just now heard of it, but I suppose it probably needs some more complicated features involving the proving of who knows what about whom, and so on. If the client were just generating its own keys, splitting them into nine parts and giving one to each server, it could just as easily give them all garbage unrelated to the real key and they wouldn't know it until all 9 cooperated to discover it.
posted by sfenders at 5:02 PM on January 9, 2016
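The two splitting schemes the thread keeps coming back to, as an added illustration and not code from Chaum, PrivaTegrity or any commenter: the n-of-n XOR split sfenders describes, and a Shamir-style k-of-n threshold split (the 5-of-9 and the Halfbakery 500-of-5000 are both instances). `share_consistent_with` demonstrates Horselover Fat's point directly: holding k-1 shares, every candidate secret has a matching kth share, so the shares in hand narrow nothing. The prime modulus P is a constructed choice for the example.

```python
import secrets

# Added illustration of the secret sharing the thread discusses; not code from
# Chaum or PrivaTegrity. P is a constructed field modulus (a Mersenne prime).
P = 2**127 - 1

def interpolate(points, x, p=P):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    len(points)-1 passing through the given (x_i, y_i) points, mod p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def shamir_split(secret, n, k, p=P):
    """Split secret into n shares; any k of them recover it (Shamir threshold scheme)."""
    assert 0 <= secret < p and 1 <= k <= n < p
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    def poly(x):
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % p
        return acc
    return [(x, poly(x)) for x in range(1, n + 1)]

def shamir_recover(shares, p=P):
    """Recover the secret (the polynomial's constant term) from exactly k shares."""
    return interpolate(shares, 0, p)

def share_consistent_with(partial, candidate, x_new, p=P):
    """Given only k-1 shares, the kth share value at x_new that would make the
    secret equal `candidate`. One exists for every candidate, so k-1 shares pin
    down nothing about the real secret."""
    return (x_new, interpolate([(0, candidate)] + list(partial), x_new, p))

def xor_split(secret, n):
    """n-of-n split: n-1 uniformly random pads, last share = secret XOR all pads."""
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in pads:
        last = bytes(a ^ b for a, b in zip(last, pad))
    return pads + [last]

def xor_join(shares):
    """XOR all n shares back together to recover the secret."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out
```

The flat distribution holds for the math; as PMdixon says, an implementation can still leak through a biased random source, a reused polynomial, or shares that are logged or backed up outside the scheme.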


> Splitting a secret key (rather than a plaintext) into nine parts that can be XOR'd all together to recreate the key is not difficult

True fact but people fuck up the implementation of things that are not difficult all the time, is the point I was trying to make.
posted by PMdixon at 5:29 PM on January 9, 2016 [1 favorite]


Oh man, I had totally forgotten how mix networks operate. It's been a while. Perhaps slightly more possible to fuck up than an XOR function, but doesn't look too bad in that respect.

cMix: Anonymization by High-Performance Scalable Mixing

If it ever did somehow get up and running, and everyone started using it, a more unofficial version would quickly emerge, illegal or not, consisting of a larger number of mix nodes that promise never to reveal their secrets to anyone. There'd be an app to simply point your instant messaging app at the alternative.
posted by sfenders at 6:18 PM on January 9, 2016 [2 favorites]


Any crypto that can be compromised by n parties in any way is automatically a crypto which can be compromised by party n+1.

This is almost a dictum/law of computer science. You can not say otherwise without showing we can dismiss you from the argument automatically.

-security through obscurity is not secure.
-if one party can break it, another can, too.
-it WILL be hacked. It's just a matter of time.

These are facts. Things you will just have to live with and can't handwave away. And it follows from these facts that

-the most secure data is that which is not stored in the first place
-the most secure crypto is that which no one (not even one party) can hack (yet!)
-your data and crypto must be designed with the assumption that one day it will be hacked

Any other stance is ... uninformed? ... stupid? ... a plain statement that 'you just don't fucking get it and should be ignored whilst the grown-ups who do know about this shit talk?'.
posted by MacD at 6:38 PM on January 9, 2016 [1 favorite]


> You need these nine servers, then seven more for the dwarves and three for the elves.

And one more, unbeknownst to the others, for Dick Cheney?
posted by wierdo at 6:51 PM on January 9, 2016 [2 favorites]


stevis23: "You need these nine servers, then seven more for the dwarves and three for the elves."

Forget the elves. They're nothing but uppity immigrants...
posted by Samizdata at 7:54 PM on January 9, 2016


Either this will be capable of being exploited by the NSA and friends (say, if the servers were all under the control of colluding governments)...

Or this will be unacceptable to the U.S. government.

So if this does what it claims, it will never be implemented. If it is implemented, you can be sure it is not doing what it was claimed to do.
posted by edheil at 8:32 PM on January 9, 2016 [1 favorite]


I'll read that cMix paper, maybe something interesting, despite his talk's lack of content. I'm dubious that Chaum bothered with real security proofs, a la Sphinx, but maybe his coauthors handled that. In any case, folks dislike imposing wrap resistance, and universal composability sucks to use directly, so not likely he'll do any better than Sphinx.

At first blush, his pre-compute phase reminds me of HORNET, which uses Sphinx to lay symmetric-only routes. HORNET fails utterly by dropping replay protection, but otherwise it's pretty good. Afaik nobody knows when circuits, like Tor and I2P, work best and when stateless except for replay protection, like HORNET if fixed, work best. All depends on traffic patterns.

Appears they say the users do not participate in pre-computation, so it's basically a cascade build from a mixnet. It'll almost surely fail the mixnet security model, but probably claim some different adversary. There are cool arguments you can make better with cascades, like the differential privacy analysis in Vuvuzela, but mostly they sound like intersection attack traps to me.
posted by jeffburdges at 11:41 PM on January 9, 2016 [1 favorite]


“a carefully controlled backdoor” … hahaha no.
posted by scruss at 10:00 AM on January 10, 2016


Actually, it's quite carefully controlled: a bad state actor like the NSA can never be exposed, nor even any sufficiently powerful company or individual, just pay off one of the nine ring holders. Yet anyone actually trying to make the world a better place, like activists or journalists, can easily be targeted by bad state actors simply by compromising the nine ring holders.
posted by jeffburdges at 3:36 AM on January 11, 2016

