[liberationtech] What would you reply to this?

Seth David Schoen schoen at eff.org
Sun Jun 14 21:13:59 CEST 2020 

Yosem Companys writes:

> Alex Nicholson  10:43 AM [...]
> However, I would argue that the conversation is severely
> under-estimating the sophistication of the Chinese govt. The
> US’s NSA can crack any encryption in the world and listen to any
> communications it wants. Why would we think China’s version of
> the NSA is any less sophisticated? Commercial encryption prevents
> interception by hackers and criminals, low-level operations without
> the budgets or resources of state actors. The intelligence services of
> major world powers have the skills and tools to crack any company’s
> best attempt at encryption.

I would reply

(1) What's the evidence that either NSA or another agency "can crack
any encryption in the world"?

(2) When governments have special-purpose hardware to take advantage of
some insight into cracking crypto, for example as described in section 4.2
of the "Imperfect Forward Secrecy" paper, that hardware is not free to
build or operate and doesn't necessarily scale up to attacking all
communications.  So that capability would end up getting used against
a subset of communications and not, for example, for keyword searches or
archives of all plaintext.

(3) Adi Shamir famously said that "cryptography is typically bypassed,
not penetrated"; I have personally not seen any indications that this is
wrong, as a general rule.  Forcing spies to actively attack your devices
or to come into physical proximity to you in order to bypass your
cryptography, instead of performing a passive attack, increases their
costs and risks, including creating possibilities of detecting the
attack, designing new countermeasures, and attributing the attack.  An
attack that requires proximity or software or hardware tampering with
your device has the huge benefit to you (and everyone else who may be
targeted by the same methods or organizations) that there is something you
can potentially notice.  Yes, hardware and software implants can be
extremely stealthy, but the attacker is still conceptually taking a huge
risk by delivering them into your possession.

(4) If the Chinese government had a class break against a primitive like
AES, the U.S. government would probably not keep allowing, or requiring,
its own agencies to use it to protect their own communications.
https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

More information about the LT mailing list