Dean Sas's Weblog

Terrorism Bill

// November 19th, 2005 // General

Here’s a copy of an email I’ve just wrote to my MP regarding the recent Terrorism Bill, which she supported under the justification that “Terrorists use encryption” (words mine)

Dear Ms Engel,

I am writing to you about the recent quotation of you in the Derbyshire

Times regarding the Terrorism Bill and in particular clause 23, in which

you said

“Never before have we had to deal with globalised terror networks which use encrypted and hi-tech computer communications”

I believe that the extension of the period of detention to ninety days would do little to help against the “encrypted and hi-tech computer communications”.

The encryption softwares most commonly used around the world for the purpose of emailing each other all work following the openpgp standard [1]. This uses a key for encrypting content, the longer the key (specified in bits) the harder it is to break. There are 2 to the nth power possibilites for each key, where n is the size (length) of the key.

In 1999 roughly 100,000 computers over the world plus a specially developed “encryption breaking computer” all worked together and it took 22 hours and 15 minutes to crack a 56 bit key. [2]

Assuming that the suspect was using the current standard encryption algorithms and most popular piece of software, with the default key length 80 bits (1024 assymetric bits) and the police force are using top-of-the-range custom built computing equipment. It is still thought impossible to crack this key using current technology. An RSA study in 2003 said that

“Starting with the estimates for 80-bit key search today, a 112-bit key search today on a $10 million machine would take about 30 billion years. A machine with the same cost in the year 2030 ? 18 generations from now, would take over 100,000 years to do a 112-bit key search” [3]

This is assuming that computing power continues to double every 18 months.

A hardware cracker for breaking 80 bit keys (or 1024 bit assymetric keys) is still only a hypothesis [4].

Using the current standard OpenPGP compatabile software when you create a key it also allows you to choose 4096 bit assymetric encryption keys (estimated to be around 130 bit), which is thought to be unbreakable in the forseeable future.

As you can see it would take far longer than 90 days to get a suspects private key with which you could read their data.

There is already legislation (the Regulation Of Investigatory Powers Act(RIP)) which says that it is already a criminal offense to withold any keys to encrypted data when requested to do so by a police officer.

Therefore the police forces would not have to “free a possible terrorist” because they can’t crack his hard drive, as they could charge him/her with not handing over his/her private key. Punishment for being guilty of this is a two year imprisonment. Plenty of time for the police force to investigate other crimes the invididual may have commited.

I hope that this gone some way into persuading you that holding suspects without charge for ninety days on the basis that they hold encrypted information is not neccessary.
Yours sincerely,
Dean Sas
[1] http://www.ietf.org/rfc/rfc2440.txt
[2] http://www.rsasecurity.com/press_release.asp?doc_id=462&id=1034
[3] http://www.rsasecurity.com/rsalabs/node.asp?id=2004
[4] http://www.wisdom.weizmann.ac.il/~tromer/twirl/