The Problems of Government Cryptographic Policy
Posted by Aaron Massey on 30 Oct 2010.
Here’s a must-read piece from Steven Bellovin, a Professor of Computer Science at Columbia and an internationally recognized leader in computer security research. I’m not sure how I missed this in both of my previous posts on the recent government push to wiretap the Internet. It beautifully ties together several recent stories and the history of government interests in modifying cryptographic protocols. Here’s a teasing snippet:
The oldest cryptographic protocol in the unclassified literature was published in 1978; a previously-unsuspected flaw was found in 1996 — and this protocol, in modern notation, is only three messages long. More recently, a serious flaw was found in crucial cryptographic components of the World-Wide Web. All of these flaws were blindingly obvious in retrospect, but the flaws had gone unnoticed for years. And all of these were for the simplest case: two parties trying to communicate securely.
The administration’s proposal would add a third party to communications: the government. This demands a much more complicated protocol.
Check this out if you’re looking for a broader explanation of why government involvement in commercial cryptographic protocols is a bad idea.