undefined | Better HN

0 pointsDoctorOetker7y ago0 comments

impressive calculation for the per phone case!

but as I wrote, its not necessary in Ozzie's scheme: Apple only needs to store the single private key. All the phones contain the same public key corresponding to it. All phones encrypt the user passcode to the same public key. When a user tries to unlock his own phone with his correct passcode, the phone encrypts his passcode and arrives at thee same encrypted key, unlocking the phone. When the government seizes the phone, with a special device they have the phone show the encrypted pass code, dump the encrypted GB's of encrypted phone contents, and burn an irreversible efuse in the processor disabling it. They send the encrypted passcode to Apple, who verifies its the government indeed. Apple uses its single private key to decrypt the user passcode. Apple sends this pass code to the government. The government can decrypt the image.

In the proposal there is no need for a massive database of key material. It's nonsense.

(in practice Apple would use treshold crypography, so that at least k out of n private keys each belonging to specially trained and screened employees are necessary to decrypt)

(in practice each phone has a hardcoded random nonce in efuses and instead of encrypting the user passcode, it encrypts [passcode+nonce], otherwise the government could just bruteforce 10^4 encryptions to the public key)

I am only saying that this can be done efficiently, not saying that I agree with the desirability of key escrow. This idea of key escrow is as old as cryptography.

0 comments

kurthr7y ago

Totally agree that they only _need_ a single secure key and a BUNCH of insecure nonces. However, if I was forced to keep a key in escrow and wanted it to be secure I'd put a uniquely generated (lots of lava lamps?) key for every one on paper and force anyone who wanted to look them up to do it physically, in person, with paper. Out go the digital public keys, in stay the paper private keys in a well observed building full of a zillion boxes of paper. Most insecure part is still the key generator.

If the feds want to audit, they can... but everyone will see it on video, what boxes they opened, and what pages they (could have) looked at.

I'd hire some magicians for pen testing too.

edit: pi*10^7 sec in a year is a useful approximation

DoctorOetkerOP7y ago

1) regarding BUNCH: the nonces are random and hence there will be as many as there are phones drawn from suitably large n-bit space, but Apple does not need a local copy of the nonces, if the government requests a decryption and Apple agrees, it will decrypt and find the user pass code and the irrelevant nonce.

2) "and force anyone who wanted to look them up to do it physically, in person, with paper" I dont understand your proposal? If the government wants to decrypt a phone, they should come to Apple in person with what paper? How do you insure that everyone knows when a phone is audited? (Ozzie's proposal or what we read of it in the article does not adress insuring the populace finds out whenever a phone is decrypted). In your scenario the well observed building is operated by Apple or by the populace?

kurthr7y ago

The idea is that each of the secret keys (not nonces) would be kept on paper in a well observed location, with only the public keys leaving. The building would be operated by whoever is responsible for generating the keys and showing that their keys aren't (hopefully yet) compromised. They could allow the public to observe and perhaps the boxes could be marked with the range of IMEIs/keys contained within. If the cops want to go in and get a key out of a box, they can get a warrant to do it but everyone can know which few hundred thousand phones have been compromised.

It doesn't completely prevent malfeasance... it just makes it a PITA.

1 more reply

j / k navigate · click thread line to collapse

0 pointsDoctorOetker7y ago0 comments

impressive calculation for the per phone case!

In the proposal there is no need for a massive database of key material. It's nonsense.

(in practice Apple would use treshold crypography, so that at least k out of n private keys each belonging to specially trained and screened employees are necessary to decrypt)

I am only saying that this can be done efficiently, not saying that I agree with the desirability of key escrow. This idea of key escrow is as old as cryptography.

0 comments

kurthr7y ago

If the feds want to audit, they can... but everyone will see it on video, what boxes they opened, and what pages they (could have) looked at.

I'd hire some magicians for pen testing too.

edit: pi*10^7 sec in a year is a useful approximation

DoctorOetkerOP7y ago

kurthr7y ago

It doesn't completely prevent malfeasance... it just makes it a PITA.

1 more reply

j / k navigate · click thread line to collapse