European Parliament says Echelon exists
July 4, 2001

European Parliament says Echelon exists and is more or less powerless to stop it. All the more reason for government and industry to create encryption standards.
posted by skallas

Encryption standards? Quite the contrary. If you establish standards, there's no protection. It's like everybody using a lock on the doors to their cars and houses which all open using the same skeleton key, and then giving everyone a copy of the key. Or at best, using the same types of encryption just makes it easier for hackers to figure out how to "lockpick the safe." We don't need standards. If you've got something to hide, or need to protect something while making it available on the 'Net, you should have a wealth of opportunities available to you, more than are available now. Not variants on the same theme, but a plethora of opportunities, each at least as difficult to break as the others. Encryption is one place where standards are a detriment.

Europe's unhappy America is peeking through the window? Close your blinds. Don't like it when we pull out the infrared goggles? Counter it with your own technology. Eventually we'll go back to blowing each other up.

Ladies and gentlemen? Welcome to the New Cold War.
posted by ZachsMind at 12:27 AM on July 5, 2001

it may be moot in the coming years should quantum computing become practical. current encryption standards would be obsoleted by the ability of the quantum computer to quickly factor numbers, but there is speculation of (no doubt hyped) "unbreakable" encryption possible through the use of quantum computers. either that, or arthur c. clarke is right: we'll all be using high-atmosphere planes to transfer paper documents from one locale to another as a matter of the highest security.
posted by moz at 12:52 AM on July 5, 2001

(Zach, Kerckhoffs's dictum is that "security lies solely in the key". An encryption standard doesn't imply a common encryption key. "Strong" crypto involves algorithms where even when someone knows the precise crypto algorithm, the only way they can attack it is by brute force. Use a long enough key and the solution takes billions of years.)

Yup, Europe needs encryption to protect itself against the mean awful US government. Then the field will be left open for the virtuous upstanding European governments, who won't be stopped by crypto because they'll put you in jail unless you hand them your crypto key.

It's called "putting out a candle while the house is burning."
posted by Steven Den Beste at 5:38 AM on July 5, 2001

Without a doubt, the first case brought under the RIP Act will be among the first cases brought to appeal under the "right to privacy" guarantee in the Human Rights Act. It'll be an interesting one.
posted by holgate at 6:59 AM on July 5, 2001

"Encryption standards? Quite the contrary. If you establish standards, there's no protection."

Absolutely false.

There's a program called PGP -- "Pretty Good Privacy" -- that, despite the name, offers such insanely good encryption that it can keep you safe even from the NSA's supercomputers, at least for a while. This is despite the fact that PGP works on a very basic idea and fairly simple algorithm, one that's clearly and fully documented and easily re-implemented (as evidenced by the GnuPG project).

To explain how it works, I'm going to extend your lock and key analogy. Imagine that you have some extremely confidential papers that you need to deliver, by hand, from your office in NY to HQ in LA. So you put them in a strong box, cuff it to your arm, and stick the key in your pocket. Not such a good idea, is it?

But what if the box has two locks? Your key only opens half, and the only copy of the second key is at the LA office. Suddenly, it's a whole lot more secure, isn't it? Anyone stealing the box would not only need your key, but the second key which is no doubt being heavily guarded.

Well, that's exactly how the PGP system works. You get two keys, a public and a private. The public key is the one that you pass out to all your friends. The private key should never ever be given to anyone.

They work as a team. It would be a lot faster to email those documents to LA, wouldn't it? But email's not very secure. Well, no problem -- all you need to do is encode those documents using the LA office's public key. Once it's encrypted, it can only be decrypted by LA's private key.

But if anybody can encrypt documents with that public key, how do they know it's really from you? Well, a similar process can be used to "sign" documents. The document gets fed through an algorithm along with your private key. The recipient can then take this signature, the document, and your public key, and determine if it was really you who sent the message. This works because you never give out your private key.

Not only does this system work, but it's been pretty well proven, and in place for some time. Not to mention that it's flexible -- the average Joe can use a small, maybe 512 bit key, which is relatively easy to crack, but that's all he needs. The confidential documents above could be encrypted with a 4096 bit key, and it'll take a loooooong time to crack that one. We're talking years of dedicated work with a cluster of supercomputers.

*ahem* So anyway, that's how good encryption with a public/private key pair works.
posted by CrayDrygu at 9:13 AM on July 5, 2001

"Encryption standards? Quite the contrary. If you establish standards, there's no protection."

Just want to add a little to this, the problem with encryption is that there are more than a few choices and if your buddy isn't using PGP you'll have to download whatever he's using. Think instant messengers.

What's needed is a standard that's at least 128 bit and comes packaged with popular software suites and a policy (be it gov or industry) to force people to use it. Actually you don't have to force anyone, it could be transparent to the user.

You can buy NIC cards that do encryption on the fly without getting your software involved. If these became standard in a couple years the internet would be sniff proof. You also get the benefit of everyone using encryption so you don't get singled out when sending confidential material.

I know Echelon focuses mostly on radio and satellite communications but this would be a great excuse to get people, not just Europeans, interested in protecting their data.

While I'm at it how about mailers that zip attachments on the fly and then encrypt them.
posted by skallas at 2:49 PM on July 5, 2001

