So in today's tweet storm, let's discuss Barr's call for crypto backdoors, where he claims citizens don't need as strong crypto as the military: "After all, we are not talking about protecting the Nation’s nuclear launch codes". This is a fallacy, which I'll show with math.
People instinctively treat crypto strength as LINEAR. You see that in TV shows when a stymied hacker is able to "bypass the encryptions" by simply typing twice as hard on the keyboard. This isn't how it works.
Crypto is instead EXPONENTIAL in difficulty. What that means is that encryption is either breakable by EVERYBODY or breakable by NOBODY, without much difference in between.
In the past 20 years, we've gone from 40-bit encryption keys being the standard to 128-bit keys. 40-bit keys can be cracked by everyone almost instantly, whereas 128-bit keys can be cracked by nobody, not even the NSA using all the world's computing power.
In the following graph I show the time it takes to crack keys by length, using three devices, a $35 Raspberry Pi, a $1000 desktop computer, and the NSA buying a million desktops for a billion dollars.
This cracking is brute-force, trying all combinations of a key until you find the one that decrypts a message. The thing to learn about this is that an 80-bit key is not twice as difficult to crack as a 40-bit key, but a trillion times more difficult.
Said another way, the thing that's twice as difficult to crack as a 40-bit key is a 41-bit key: each additional bit doubles the number of combinations you have to try. This exponential growth is why the graph goes quickly from near zero to a straight line going up so fast.
So your neighbor's teenager can crack anything less than 50 bits with a computer they bought with their babysitting money, and yet, the NSA with a billion dollars will still struggle cracking 70-bit keys.
It's the same fallacy as being a little bit pregnant. It's virtually impossible to create crypto that works a little bit. We know how to create 128-bit crypto that works for everyone, but not some weaker crypto sufficient for consumers that's less than military-grade.
This is the "military grade" fallacy. You hear that phrase a lot from people pimping security products, but it's not a thing. In fact, the crypto protecting the military is less than what protects consumers.
Your iPhone has all the latest advances in crypto. It gets updated monthly. Nuclear silos still use floppy disks. Consumer grade crypto is therefore way better than what's protecting our launch codes, simply because it's newer.
Barr is calling for crypto that "achieve(s) a 99 percent assurance against cyber threats to consumers". We don't know how to build that. As the graphs above show, we only know how to build either 100% or 0%.
This is why the crypto community reacts so viscerally to Barr's call for partly pregnant crypto. Barr starts from a reasonable* legal theory about how the 4th Amendment balances the right-to-privacy* and police ability to invade that right given a warrant/probable-cause.
But such balance doesn't exist for crypto. We only know of 0% or 100% secure. We know of no "balance" that delivers 99% security. Everything we know about crypto tells us that such a thing is impossible.
Of course, Barr isn't asking for 1% crackable keys. However, all the other things he is asking for reduce down to this problem, that there isn't a 1% hole that he can open in the back that doesn't become a 100% hole.
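The brute-force arithmetic behind the graph described earlier, as an added example that is not part of the original thread: it computes expected crack time per key length for the three budgets and the longest key each can break in a year. The keys-per-second rates are assumed round numbers; only the million-to-one ratio between one desktop and the billion-dollar budget comes from the thread.

```python
import math

# Keys tried per second. ASSUMED round numbers for illustration (not from the
# thread); only the ratios matter. The third entry is a million desktops.
RATES = {
    "Raspberry Pi ($35)": 1e7,
    "desktop ($1000)": 1e9,
    "million desktops ($1B)": 1e9 * 1e6,
}
YEAR = 365 * 24 * 3600  # seconds


def seconds_to_crack(bits, rate):
    """Expected brute-force time: on average half the 2**bits keys are tried."""
    return 2 ** (bits - 1) / rate


def max_bits_within(rate, budget_seconds=YEAR):
    """Longest key whose expected crack time still fits in the time budget."""
    return math.floor(math.log2(rate * budget_seconds)) + 1


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def table(key_lengths=(40, 50, 60, 70, 80, 128)):
    """One row per key length: (bits, {device: readable crack time})."""
    return [(b, {d: human(seconds_to_crack(b, r)) for d, r in RATES.items()})
            for b in key_lengths]


if __name__ == "__main__":
    for bits, row in table():
        print(f"{bits:>3}-bit  " + "  ".join(f"{d}: {t}" for d, t in row.items()))
    for device, rate in RATES.items():
        print(f"{device}: up to {max_bits_within(rate)}-bit keys in one year")
```

Under these assumed rates, multiplying the budget a million-fold moves the one-year limit from 55-bit to 75-bit keys, about 20 bits, while a 128-bit key stays out of reach of every row.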
Subscribe to Rob Graham, will be at DEFCON/BSidesLV, hit me up