On CSPAN there was the Senate Intelligence Committee meeting on encryption. The Director of the FBI was basically complaining that “terrorists” can be tracked during the recruitment phase (on Twitter) but then when one looks “promising” the message will be sent to “move to this app using encryption” on a mobile phone. At that point they go dark. That a communication happens can still be seen, but the contents can not. Due to strong encryption with disposable keys.
The rest of the meeting was largely spent admiring the problem. Mostly focused on how to “compel” companies to let the government get the information, or how to compel the device makers to hand over keys, or how to compel in some way or another access to the communications. There was occasional lip service to the notion that this might harm US industry, technical growth, or citizen privacy; but then it was back on the Jihad Trail against strong encryption. Oh, and they admired that Britain and France had already passed legislation… though did note that while Britain had legislation, they had no idea how to make it work…
The “fix” for the British Problem, as some saw it, was US legislation. If only ALL the technologically advanced western nations had British-like laws, then Britain would not be stuck having a law but no ability to compel a company in California to hand over keys and messages.
I’m here to remind The Committee of the past, explain a bit about the future, and let everyone else know why this is a Brain Dead Idea and doomed to failure.
We’ve been down this road before. We’ve seen the movie. (A few times…). It isn’t a mystery. Oh, and we, the people, already have taken steps that obsoleted this approach. That technology is now global, and NOT controlled by any “company”. There is literally “nobody to compel”. I know because I’m one of those nobodies.
DES – 40 bits and a mule
In The Beginning, the US Govt wanted us all to use a 40 bit encryption standard called DES (Data Encryption Standard). This was a hobbled form of the 56 bit DES that cost a bit too much in compute power and $US for The Govt to regularly crack. There were devices made with DES chips in them (now all on the junk pile or in museums of failed ideas) and the USA rapidly fell behind the ROW (Rest Of the World) in encryption. In short order the ROW was on 56 bit DES or even “Triple DES” or 3DES, where 56 bit was done 3 times in a row.
Moore’s Law has not (yet) hit a wall.
20 years ago it was cranking too.
It says that every 18 months, the amount of computes you can do for a $US will double. Exponentials are amazing things. I first ran into this property in an ancient story. It was that of a king buying services from a saviour who only asked one grain of wheat on the first square of a chess board, then 2 on the second, then 4 on the next, then doubled to 8, then 16, etc. The King agrees. In the end, he loses his entire kingdom as that last square on the chess board needs more grain than would fill a train to the moon and back. The King was bankrupted. This matters.
2^8^8 or 2^64 is a very large number.
(They present it as 2^63 since the first square starts with 2^0 which equals one grain, but there are 64 squares and 64 exponentiations – thus my shorthand above.)
On the entire chessboard there would be 2^64 − 1 = 18,446,744,073,709,551,615 grains of rice, weighing 461,168,602,000 metric tons, which would be a heap of rice larger than Mount Everest. This is around 1,000 times the global production of rice in 2010 (464,000,000 metric tons).
This ties in with something called the “Second Half Of The Chessboard” problem.
In technology strategy, the second half of the chessboard is a phrase, coined by Ray Kurzweil, in reference to the point where an exponentially growing factor begins to have a significant economic impact on an organization’s overall business strategy.
While the number of grains on the first half of the chessboard is large, the amount on the second half is vastly (2^32 > 4 billion times) larger.
Computing with electrical machines really began somewhere between 1936 ( Z1 a German electromechanical device) and about 1943 (the British Colossus). Call it 1940. That’s 75 years to now. Divide by 1.5 and you get 50. Well past the 32 squares that make up “the first half of the chess board”. We are very very far into the second half of the chess board on computing.
Two human accessible examples:
In about 1987 I was managing a $40 Million Cray Supercomputer. We had the astounding speed of 400 Mega FLOPS or million floating point operations per second. It used a 64 bit word in a time of 8 bit micros, and 32 bit mainframes. Storage was 8 mega-words of memory (about 64 megabytes…) and we eventually added a tape robot for 1/2 Terabyte of slow storage. About 5 to 8 years ago I bought an HP Laptop for $400 ish dollars. It came with a 500 GB disk, or that 1/2 Terabyte and had 4 processor cores just like our Cray had 4 cores. The total processing power was greater than the Cray. I/O to that disk was faster than to the tape, too. Oh, and it had a gigabyte of main memory as memory had become quite cheap…
Now, just a few years later, I’m going to buy a Raspberry Pi Model 2. The original Model One had 1 core running at 700 MHz. This one has 4 cores running at 900 MHz. The cost is the same. I will be getting about 5 times the compute power of that older model, bought just a couple of years back, for the same price. The whole kit, power supply, case, and all, costs $70. Add a 2 Terabyte disk for another $60 ( I bought one a few weeks back) and for about the cost of a nice dinner out for the family, you have a compute engine so fast folks don’t know what MFLOPS it will do. “It depends on the problem” is mostly what you get:
This is talking about the 2012 “old” model one named “B”, so multiply everything by at least 5 for the newer one.
by docteur.blanchard » Wed Nov 07, 2012 10:13 pm
I have the model B 512Mo RAM.
I wish to know how to calculate the number of CPU FLOPs and GPU FLOPs given by the different overclocking values offered by raspi-config.
Can you help me work out how to calculate it, and/or does anyone have such information?
Thanks for your help
by jamesh » Thu Nov 08, 2012 5:59 pm
The GPU is difficult to quantify – it has many different processors on it – you could just add up all the values, but since not all the processors can run entirely in parallel, that’s not fair (although seem to be the way some people add them up – for example some A10 based boards are 2x700Mhz cores, so they are advertised at 1400Mhz…).
But the number 24 GFLOPs rings a bell for the GPU. Which is a big number.
Volunteer at the Raspberry Pi Foundation, helper at Picademy September, October, November 2014.
Raspberry Pi Engineer & Forum Moderator
by tk321 » Tue Nov 13, 2012 7:27 pm
I believe the theoretical peak performance of the ARM cpu is only 350Mflops double precision at 700 MHz. I’m not sure but I would guess fused multiply-add is not available on the Raspberry Pi, because its math unit is only vfpv2 and from the ARM doc:
The fused multiply-add instructions are only available on NEON or VFP systems that implement the fused multiply-add extension. The VFP system that implements the fused multiply-add extension is VFPv4.
I timed faddd and fmuld (double prec add and mul) a while ago and I think it was something like
faddd: 8 cycles latency, 2 cycles throughput
fmuld: 9 cycles latency, 2 cycles throughput
So in the best case it still takes 2 cycles for one operation and then 700MHz/2 = 350 Mflops. In the worst case where in your algorithm the result of the current operation is required for the next operation, i.e. pipelining can’t be used, it takes 8 cycles for one operation and we end up with 700MHz/8 = 87.5Mflops.
The GPU is impressively fast, but I’d guess the 24 GFlops are single precision.
The GPU is the Graphics Processing Unit. These are roughly the same structure as the old Cray Vector Processors, but do a heck of a lot more computes a lot faster. They are used for graphics rendering. Our Cray acceptance test was to render an owl flying at night for the trailer of a movie. Took hours for that chunk of movie, and now we do it real time in all our phones… The GPU, with a small bit of programming, can be used for general compute problems.
But look just at the one number: 350 MFLOPS from the CPU. Now multiply by 5 for the Model 2. 1750 MFLOPS. Our Cray did 400 MFLOPS. 1750/400 = 4.375 times the computes. So over 4 times the computes. For $70 for the system, $130 with storage. And we are not yet done with the second half of the chessboard…
Now I’m about to buy a computer that’s more than 4 times the speed of a “Munition” from the early 1990’s where we were forbidden, under severe penalties, to let any foreigner onto the machine without vetting, nor could they be sold to various countries; and I’m doing it through the mail for $70 for the system ( I already have the disk). BTW, it is designed in Britain and built in China, so good luck restricting it.
Back At 40 DES
Now that 40 bit DES “standard” was almost a joke at the time. It became a running laughing stock inside a few years. Now it is ancient history. Folks largely ignored the government demands and used 56 bit DES for cheap things, and did it three times for important things (called “Triple DES”). As Moore’s Law moved on, DES became a joke. Folks now routinely brute force crack DES in minutes. About 1998 folks designed a dedicated hardware DES cracker that, for $250,000, would crack DES in a couple of days. As that is about 10 doublings of Moore’s Law ago, that same machine ought to cost about $250,000 / 2^10 or $244. Then again, IF my guess is off by 1.5 years, it’s only $122. And in a few more years it will be nearly free.
In 1998, the EFF built Deep Crack for less than $250,000. In response to DES Challenge II-2, on July 15, 1998, Deep Crack decrypted a DES-encrypted message after only 56 hours of work, winning $10,000. This was the final blow to DES, against which there were already some published cryptanalytic attacks. The brute force attack showed that cracking DES was actually a very practical proposition. Most governments and large corporations could reasonably build a machine like Deep Crack.
That Raspberry Pi “kids toy” educational board can crack DES, it just takes it a bit longer. Or buy the next year model…
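To put numbers on the DES history above, here is an added example (not code from the original post) that models brute-force cost under Moore’s Law. It is calibrated on the Deep Crack figures quoted above (1998, under $250,000, a 56-bit key in 56 hours) and the post’s 1.5-year doubling period; treating a search as an average-case scan of half the keyspace is an assumption made here.

```python
"""Brute-force cost vs. Moore's Law, calibrated on EFF Deep Crack (1998).
Added example; the half-keyspace average-case assumption and the choice of
key sizes below are ours, the 1.5-year doubling period is the post's."""

import math

DOUBLING_YEARS = 1.5             # Moore's Law period used in the post
CALIB_YEAR = 1998                # Deep Crack, DES Challenge II-2
CALIB_COST_USD = 250_000.0       # "less than $250,000"
CALIB_HOURS = 56.0               # "after only 56 hours of work"
CALIB_KEY_BITS = 56

# Assumption: a brute-force search tries, on average, half the keyspace.
# Normalise Deep Crack to "key trials per dollar-hour" in 1998.
TRIALS_PER_DOLLAR_HOUR_1998 = 2 ** (CALIB_KEY_BITS - 1) / (CALIB_COST_USD * CALIB_HOURS)


def trials_per_dollar_hour(year: float) -> float:
    """Key trials one dollar of hardware buys per hour in `year`,
    doubling every DOUBLING_YEARS from the 1998 calibration point."""
    doublings = (year - CALIB_YEAR) / DOUBLING_YEARS
    return TRIALS_PER_DOLLAR_HOUR_1998 * 2.0 ** doublings


def hours_to_break(key_bits: int, budget_usd: float, year: float) -> float:
    """Expected hours to brute-force a key_bits key with budget_usd of
    hardware bought in `year` (average case, half the keyspace)."""
    return 2 ** (key_bits - 1) / (trials_per_dollar_hour(year) * budget_usd)


def cost_to_break(key_bits: int, max_hours: float, year: float) -> float:
    """Hardware budget (USD) needed in `year` to finish within max_hours.
    This is the post's "$250,000 / 2^10" calculation, generalised."""
    return 2 ** (key_bits - 1) / (trials_per_dollar_hour(year) * max_hours)


def year_when_affordable(key_bits: int, budget_usd: float, max_hours: float) -> float:
    """Year in which budget_usd of hardware brute-forces key_bits within
    max_hours, i.e. solves hours_to_break(key_bits, budget_usd, year) == max_hours."""
    doublings = math.log2(
        2 ** (key_bits - 1) / (max_hours * TRIALS_PER_DOLLAR_HOUR_1998 * budget_usd)
    )
    return CALIB_YEAR + doublings * DOUBLING_YEARS


if __name__ == "__main__":
    # 112 bits is the nominal strength of two-key/three-key 3DES, 128 bits is AES-128.
    for bits in (40, 56, 112, 128):
        year = year_when_affordable(bits, CALIB_COST_USD, CALIB_HOURS)
        print(f"{bits:3d}-bit key: a Deep-Crack-class break "
              f"(${CALIB_COST_USD:,.0f}, {CALIB_HOURS:.0f} h) from about {year:.0f}")
    print(f"2013 price of a 56-hour DES cracker: ${cost_to_break(56, 56, 2013):,.2f}")
```

The model reproduces the post’s “$244” DES cracker for 2013 and shows the other side of the argument too: a 40-bit key was a few seconds of Deep Crack time even in 1998, while 128-bit keys stay out of reach for roughly a century under the same doubling rate.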
So just what would our National Security be now if, back then, we HAD gone ahead and put DES 40, or even DES 56 into phones, computers, network encryption, etc. etc.?
It would be “toast”. Non-existent. A Joke.
And that is why “people like me” said “No”. (Not just “no”, but “Hell No!”).
A bunch of folks went on their own ways and did their own things and told you in the government suits to bugger off. Some work was done overseas. Some in basements and attics. Some paid, some volunteer. My part was minor. Mostly just rooting from the sidelines (rather like now) and buying equipment that worked.
Some folks got themselves arrested, imprisoned, fined, lives messed up. By The Government. Guess what, there was nothing “special” about those folks. When Phil Zimmermann made Pretty Good Privacy, he was not the only one who knew about it. He was just the one willing to do it more publicly.
After a report from RSA Data Security, Inc., who were in a licensing dispute with regard to the use of the RSA algorithm in PGP, the United States Customs Service started a criminal investigation of Zimmermann, for allegedly violating the Arms Export Control Act. The United States Government had long regarded cryptographic software as a munition, and thus subject to arms trafficking export controls. At that time, the boundary between what cryptography was permitted (“low-strength”) and impermissible (“high-strength”) for export from the United States was placed such that PGP fell on the too-strong-to-export side of the boundary. The boundary for legal export has since been raised and now allows PGP to be exported. The investigation lasted three years, but was finally dropped without filing charges.
After the government dropped its case without indictment in early 1996, Zimmermann founded PGP Inc. and released an updated version of PGP and some additional related products. That company was acquired by Network Associates (NAI) in December 1997, and Zimmermann stayed on for three years as a Senior Fellow. NAI decided to drop the product line and in 2002, PGP was acquired from NAI by a new company called PGP Corporation. Zimmermann served as a special advisor and consultant to that firm until Symantec acquired PGP Corporation in 2010. Zimmermann is also a fellow at the Stanford Law School’s Center for Internet and Society. He was a principal designer of the cryptographic key agreement protocol (the “association model”) for the Wireless USB standard.
Now Phil was a very bright guy, and ahead of most of the pack on this. BUT… The Law Of Mutual Superiority says that eventually someone else can improve his stuff, and, had he been shut-up, someone else would have moved the prior art forward.
I was involved with the Arms Export Control Act since our supercomputer site was considered a “munition” under those rules. If I let anyone from our foreign offices log onto the Cray, that was “constructive export” and My Butt could end up in jail. So I was responsible for assuring that didn’t happen.
The net result was that stronger encryption and really good computing started coming out of all sorts of other places outside the USA.
The same thing will happen again.
People do not change. Somewhere there is the “Next Phil”. Kid with an idea and time to put onto it.
The simple fact is that The Law and Congress can’t move at Moore’s Law speeds.
You will never get ahead of it, and in reality can’t even keep up with it.
The notion that you will somehow have a key repository for all the encryption and be able to open the boxes on demand is just insane. What you will find inside is another encrypted box for which you do not have the key. The code is already released “in the wild”. I have a dozen variations on my machine just from personal interest. There are literally millions of computer folks who deal with this technology on a daily basis covering the entire world. It is used in everything from your “HTTPS” secure web pages to your banking to your VPN sessions to… well, everything secure. We will not just forget how to do this and flush all the code to do it on demand.
Furthermore, have you learned nothing from Phil Zimmermann, Edward Snowden, Julian Assange, and the hundreds of un-named in similar situations around the world but for lesser governments and with lesser press? The “Climategate” leaker, for example?
WE are INSIDE and WE have a moral compass. That is WHY you hired us. My job was to keep things secure. I did it very very well. But that means that once you are seen as The Bad Guy, all those instincts demand our obedience to morality. I have watched as recent intrusive snooping has become pervasive. I have not changed, but I’m now more of a “Grey Hat” than a “White Hat”. Not because I have changed, but because my government has moved more toward the Black Hat side. So in their eyes, I’m not “on board” as much as before. The simple fact is that if you squeeze this tomato too much you get covered in tomato juice as things blow up on you. Don’t piss off your own soldiers.
So pass stupid laws, the code and methods will move to other places. The code will not be slowed, stopped, or even channeled. It flows and grows. Folks will work on it in basements and attics again. Darknets are already in existence, they will just become darker. ( I have already laid out the method for a completely dark net with distributed data stores that can not be stopped; and I’m not even very good at it. I’ve not published it as it would do more bad than good. The ones better than me are likely already doing it. ) Do you really think India, Pakistan, China, heck, even South Africa have no good programmers? Think Russian programmers give a damn about you and your laws?
What happens when you weaken security is that the weakness is found and exploited.
That is why I’ve hated so much the ‘backdoors’ and deliberate weaknesses put into various codes by manufacturers at the request of the NSA (via programs such as PRISM). Yes, you can keep a weakness hidden for a little while, but eventually it gets found.
WHEN that happens, and it IS a when, not an if, then all that infrastructure is laid bare for all to pillage.
Microsoft did a broken form of 3DES where one round was null and another round was only 1/2 key length. Essentially a thing you would only do to give the NSA cheap access. That is now known “in the wild”. Anyone who didn’t close that door immediately is hacked. Any traffic that used it, and was recorded, is now hacked. Any system that isn’t patched is hacked. Any system hacked prior to public release was hacked for an unknown length of time.
Want to know WHY China can run through your networks, your PCs, your Microsoft world with impunity? Look in the mirror. The lack of just that “strong encryption” and “strong security”, most likely IMHO at the request of Three Letter Agencies, is why. NSA via PRISM, per Snowden, has made sure they can get into Microsoft products, Cisco products, etc. etc. And, in 2012, Apple Products joined the “team”. (Any wonder that just after that Apple started selling a lot more into major corporations and Big Government, and was discouraged prior to signing up?)
Now scatter security holes all over for the easy access of your TLA Agents, and what happens?
My fantasy is that the Chinese Team was watching packets and data flow (rather like I do… blinky lights are your friend) and noticed “odd things”. Then investigated. They found UDP squibs going to strange places. They found they could crack Microsoft “3DES”. They found the backdoors with weak locks. And proceeded to use those ‘exploits’ for their own.
Why do I say that?
Because it is what I would do.
Something I’ve done for decades is that I have a hub or router with ‘blinky lights’ on it between my computer and the wall. IF the lights start to blink when I’ve not explicitly told the computer to talk to the network, something is “wrong” and I investigate. Simple. Crude. Prone to false alarms. But it always tells you when someone tries to suck your disk down the wire… More than once I’ve punched the “disconnect” button (many hubs had uplink swap sense buttons that could be used to disconnect) and gone searching. Once or twice found someone pushing traffic at me that ought not… I can easily imagine a similar Chinese security guy seeing ‘blinky lights’ and looking at the sniffer recordings and figuring out the backdoor open key…
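The same “lights blinking when I didn’t ask for it” check can be done in software. This is an added example, not code from the original post: flow records are constructed here in an assumed “timestamp direction remote bytes” text format (not any real tool’s output), and the user’s known-active windows stand in for “I told the computer to talk to the network”. Outbound traffic outside those windows is totalled per remote host, largest first, so a disk being pulled down the wire floats to the top.

```python
"""Software 'blinky lights': outbound traffic while the host should be idle.
Added example with constructed records; the record format is an assumption."""

from dataclasses import dataclass
from datetime import datetime


@dataclass
class Flow:
    ts: datetime
    direction: str      # "out" (this host sent) or "in" (this host received)
    remote: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ISO timestamp> <out|in> <remote> <bytes>'."""
    ts, direction, remote, nbytes = line.split()
    if direction not in ("out", "in"):
        raise ValueError(f"bad direction in record: {line!r}")
    return Flow(datetime.fromisoformat(ts), direction, remote, int(nbytes))


def is_active(ts: datetime, windows) -> bool:
    """True if ts falls inside any (start, end) window of explicit user activity."""
    return any(start <= ts <= end for start, end in windows)


def idle_outbound(lines, windows, min_total_bytes=0):
    """Sum outbound bytes per remote host for flows outside the active windows.
    Returns [(remote, total_bytes, flow_count), ...] sorted by total, descending,
    keeping only remotes whose idle-time total reaches min_total_bytes."""
    totals = {}
    for line in lines:
        f = parse_flow(line)
        if f.direction != "out" or is_active(f.ts, windows):
            continue
        total, count = totals.get(f.remote, (0, 0))
        totals[f.remote] = (total + f.nbytes, count + 1)
    ranked = [(r, t, c) for r, (t, c) in totals.items() if t >= min_total_bytes]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Constructed sample: the user browsed from 09:00 to 09:30; the machine was
# supposed to be idle overnight. Addresses are RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    "2015-07-10T09:03:12 out 203.0.113.10 1840",
    "2015-07-10T09:03:12 in  203.0.113.10 512000",
    "2015-07-10T09:21:40 out 203.0.113.10 2210",
    "2015-07-11T02:00:05 out 192.0.2.53 76",          # small periodic check-in
    "2015-07-11T03:14:07 out 198.51.100.7 52428800",  # 50 MB chunks, 3 a.m.
    "2015-07-11T03:15:09 out 198.51.100.7 52428800",
    "2015-07-11T03:16:11 out 198.51.100.7 52428800",
    "2015-07-11T03:16:11 in  198.51.100.7 4096",
]
ACTIVE_WINDOWS = [
    (datetime(2015, 7, 10, 9, 0), datetime(2015, 7, 10, 9, 30)),
]


def investigate(min_total_bytes=1_000_000):
    """The 'lights are blinking and I did not ask for it' report for the sample.
    The 1 MB threshold is an assumed noise floor for tiny periodic check-ins."""
    return idle_outbound(SAMPLE_RECORDS, ACTIVE_WINDOWS, min_total_bytes)


if __name__ == "__main__":
    for remote, total, count in investigate():
        print(f"{remote:>15}  {total:>12,d} bytes out in {count} flows while idle")
```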
They then proceeded to make Kylin as their default operating system. It is exactly what I would do. Well, in reality, very much like what I already have done in the past. The way I kept Apple Engineering secure for 7 1/2 years was via using BSD based Unix boxes, hardened and locked down; and Kylin is BSD based, hardened and locked down. It took me hiring 4 of the best Unix guys I could find to do it. I’m sure China has far more than 4 who are just as good.
So where has that left us?
With a China that has seen our weak places, is blocking them at home and making themselves secure and opaque to us; while exploiting those weak places here.
IMHO Russia has found them too, and is also exploiting them, but with less visible tracks other than loads of credit card charges on stolen numbers…
Now some Idiot Suits want to make things LESS SECURE by design? It’s already too damn insecure by design.
We have nearly monthly Hack Of The Month reports of huge and dramatic intrusions and data thefts. IMHO there’s likely nearer one a day than one a month, but not all are reported and in many cases they are likely not even detected.
Make the encryption less secure, you will have more data loss, more credit card fraud, and more problems.
You will also have fewer “terrorists” caught as they will move to stronger systems further from your reach. At least now you get the “contact trace”. That will go away as they move to things like “photo sharing” sites based in foreign countries. You will see a photo of the family eating ice cream. They will be sharing steganographic messages hidden in the bits. No, you will not be able to block them by dithering the small order bits. There are already ways around that.
The simple fact is that you can be secure with strong privacy,
or you can be exposed and exploited with weak privacy.
There is no other choice.
We already know that.
We who build it, salute you…
though push too much stupidity and it will be the “one finger salute”…
If you go to key escrow, the keys must transit to the escrow. That will need strong encryption. The thing you want to outlaw… Doh!. The escrow needs to be perfect. NO security is ever perfect.
Moore’s Law makes all encryption methods a ‘wasting asset’. Use 100% of your CPU power today to encrypt a message, and in 10 to 15 years that recorded message is read easily. And yes, other folks record messages too, not just the NSA. Passing those encryption keys, used for multiple messages, means that in just a few years all YOUR emails will be read by your counterparties in other nations. Do you really want your Russian, Chinese, and Iranian counter parties to know what you were saying about them 5 or 10 years ago? How about 2?
Make your encryption weaker (say, by reusing that same escrowed key multiple times) and that time window drops to months, weeks, or maybe even days. (Enigma was partly broken thanks to repeated use of settings and repeated use of the closing phrase “Heil Hitler”… a ‘known plaintext’ attack…) ANY design or legal mandate passed into law today will be obsolete and worthless in a decade, and weak in 5 years. Most likely subject to Major Power hacking in 2 to 3 years. Do you really think Congress can keep up that schedule of oversight and new laws and have industry then implement those new approved methods on that schedule?
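Why key reuse collapses the time window, as an added example (not code from the original post): two constructed messages are XORed with one random keystream, so the keystream cancels out of ct1 XOR ct2, and a predictable closing phrase in one message (the role the repeated sign-off played against Enigma) exposes the matching bytes of the other. The recovery step never touches the key; the messages, sign-off and keystream source are all assumptions made here.

```python
"""Keystream reuse: a known closing phrase in one message reads the other.
Added example with constructed messages; nothing here is from the post."""

import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(keystream: bytes, message: bytes) -> bytes:
    """One-time-pad style encryption: ciphertext = keystream XOR message.
    Secure only if this keystream is never used for a second message."""
    if len(keystream) < len(message):
        raise ValueError("keystream too short")
    return xor_bytes(keystream[:len(message)], message)


def recover_with_known_tail(ct1: bytes, ct2: bytes, known_tail_of_msg1: bytes) -> bytes:
    """Given two equal-length ciphertexts and the known last bytes of message 1,
    return the corresponding last bytes of message 2, with no key at all:
        ct1 ^ ct2 = (k ^ m1) ^ (k ^ m2) = m1 ^ m2,  so  m2 = (ct1 ^ ct2) ^ m1."""
    n = len(known_tail_of_msg1)
    diff = xor_bytes(ct1[-n:], ct2[-n:])
    return xor_bytes(diff, known_tail_of_msg1)


# Constructed messages of equal length; the sign-off of MSG1 is the 'known text'.
MSG1 = b"The quarterly figures are attached below. Regards, Ann"
MSG2 = b"Escrow passphrase for the vault is: tangerine-42-delta"
KNOWN_TAIL = b"Regards, Ann"


def demo_key_reuse() -> bytes:
    """Both messages under ONE keystream: the tail of MSG2 leaks."""
    keystream = os.urandom(len(MSG1))
    ct1 = encrypt(keystream, MSG1)
    ct2 = encrypt(keystream, MSG2)
    return recover_with_known_tail(ct1, ct2, KNOWN_TAIL)


def demo_fresh_keys() -> bytes:
    """Each message under its OWN keystream: the same step yields noise."""
    ct1 = encrypt(os.urandom(len(MSG1)), MSG1)
    ct2 = encrypt(os.urandom(len(MSG2)), MSG2)
    return recover_with_known_tail(ct1, ct2, KNOWN_TAIL)


if __name__ == "__main__":
    print("reused keystream ->", demo_key_reuse())
    print("fresh keystreams ->", demo_fresh_keys())
```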
It is simply the case that Congress can never have the needed level of expertise to respond in the right way and with the proper timing to issues of encryption and data security. Heck, even the NSA is a bit behind the power curve right now and they are the best in the world. By the time Congress finds out, we have already moved on to better things. Oh, and the more you legislate, the faster we move on… we’re not dumb either… See the history to date for a refresher on that… Ask Phil if you get stuck on the concepts…
That’s just the simple “top bits”. Think you can solve all of those fine? And do it again and again and again every single year forever? “Good luck with that” comes to mind. Oh, and remember you only need to screw it up once for ALL the secure infrastructure built on that ‘approved system’ to come crashing down. Look at the recent credit card number hacks and the Federal Employees records theft for what you can expect. Those came from being almost but not quite state of the art fully secure. Just a little weak. Now you want things to be even weaker… Think about it. Please.
Congress is in session, so we are all at risk.
The Senate Intel committee and the FBI once again want to be free to rifle through your ‘papers and effects’ at will, constitution be damned; but worse, want to assure nothing is too hard to crack open. Down that path lies ruin. Not to mention it is impossible.
We’ve trod this road before in the 40 DES, 56 DES, and 3DES wars. Unix encryption code moved overseas. (Well, in theory… really lots of folks had it in their basement and elsewhere… ‘just in case’). Phil Zimmermann went public with something good that shifted the dialog for 20 years (despite threats of incarceration). In the end, strong encryption was done by everyone everywhere with a bit of an “up yours” sneer.
Now, a quarter century later, we have even better methods. AES, Blowfish, and more. The Code is free in the wild globally. It can not be erased. It takes no “devices” approved by “agencies” to do the encryption. Apps on cell phones are fine. Make the approved apps ‘buggered’, folks will ‘jail break’ their phones and use unapproved apps. I will publish how to do it. (Not a big deal, as 10,000+ others will have already done so by the time I find out). General purpose compute engines are everywhere now. ANY of them are sufficient to do strong encryption and many already do. While looking to buy a new WiFi router, I found that a large number now can have Linux based software installed, all with strong encryption already built in. $35 is the entry price point and millions of them are made each year. Force their firmware to be pre-hacked, we will just install our own firmware. Directions widely exist on the net. Think you can block firmware updates? That’s been tried for 30+ years and failed.
So block all that? Well, there’s that “roll your own” Raspberry Pi board and the 100 and one cousins of it.
There are already “make your own cell phone” and “make your own tablet” maker scripts out there. I’m in the process of “making my own” web browsing “desktop” out of one just for fun. Cost point is $40 for the board. Software is globally distributed. Boards are fabbed in China. Complexity is about 8th grade skill level to make one. (Banana Pi clonish board is all China. Other knockoffs from other countries. The tech is nearly trivial to do. It’s doing it for $35 instead of $50 that’s hard, but a “terrorist” is not going to be worried about the extra $15 …) All have strong encryption already in them. To think you can stop that tide is to be worse than thinking that Canute can stop the ocean tides…
Sidebar: The Old College Roomie teaches robotics clubs at high school level. These kids are able to build fully functional robots. That’s why I say the ‘roll your own’ workstation or phone is about 8th grade. It is likely the brighter 4th graders can do it. By high school they are working on robots and the next level of artificial life to come… things like transplanting genes to glow in the dark into worms and goldfish… Doing encryption for them would take about one weekend to master. BTW, China, Russia, and India are just as good at it…
I’m sure “this too will pass”, but I’d really rather not relive the late ’80s and early ’90s all over again.
As recent hacks have shown, our present problem is not too much encryption and too hard to crack systems; it is too little security, too little encryption, and systems that are too weak (IMHO at the request of TLAs and with TLA directed designs). Making things weaker is not the right way to go, and will ultimately result in ever more massive data breaches and much higher skills outside the country.
If you really want to crack terrorist cells, do what has always worked. Put agents inside them. Convert folks to double agents. Do your job the old fashioned way. It works, and it does not require exposing the rest of us to a world of very good system crackers. Heck, just have good agents looking a bit wild eyed hang out at the local mosques and wait to be ‘recruited’. Find the folks who browse the ‘terrorist websites’ daily or weekly (ask the NSA, they have a record of all of it…) and do a profile on each of them. That’s your best data, not my encrypted recipe for Mom’s Chocolate Chip Cookies and certainly not my Amex transaction to pay for my next Raspberry Pi from Amazon. Anything “subversive” I’ve got to say is going to be in clear text right here anyway… and that mostly will consist of “Don’t be so God Damned Stupid, please.”