Hi all,
i found this very interesting paper on China Encryption Import/Export/Domestic Regulations done by Baker&Mckenzie in the US.
It’s strongly business and regulatory oriented giving a very well done view on how china regulations works and how it may behave in future.
Read here Decrypting China Encryption’s Regulations (form Bakernet website) .
In the ’90, closed source and proprietary cryptography was ruling the world.
That’s before open source and scientifically approved encrypted technologies went out as a best practice to do crypto stuff.
I would like to remind when, in 1992, USA along with Israel was, together with switzerland, providing backdoored (proprietary and secret) technologies to Iranian government to tap their communications, cheating them to think that the used solution was secure, making also some consideration on this today in 2010.
That’s called The Crypto AG case, an historical fact involving the United States National Security Agency along with Signal Intelligence Division of Israel Ministry of Defense that are strongly suspected to had made an agreement with the Swiss cryptography producer company Crypto AG.
Basically those entities placed a backdoor in the secure crypto equipment that they provided to Iran to intercept Iranian communications.
Their crypto was based on secret and proprietary encryption algorithms developed by Crypto AG and eventually customized for Iranian government.
You can read some other facts about Crypto AG backdoor related issues:
The demise of global telecommunication security
Breaking codes: an impossible task? By BBC
Der Spiegel Crypto AG (german) article
Now, in 2010, we all know and understand that secret and proprietary crypto does not work.
Just some reference by top worldwide cryptographic experts below:
Secrecy, Security, Obscurity by Bruce Schneier
Just say No to Proprietary cryptographic Algorithms by Network Computing (Mike Fratto)
Security Through Obscurity by Ceria Purdue University
Unlocking the Secrets of Crypto: Cryptography, Encryption and Cryptology explained by Symantec
Time change the way things are approached.
I like very much the famous Philip Zimmermann assertion:
“Cryptography used to be an obscure science, of little relevance to everyday life. Historically, it always had a special role in military and diplomatic communications. But in the Information Age, cryptography is about political power, and in particular, about the power relationship between a government and its people. It is about the right to privacy, freedom of speech, freedom of political association, freedom of the press, freedom from unreasonable search and seizure, freedom to be left alone.”
Any scientist today accept and approve the Kerckhoffs’ Principle that in 1883 in the Cryptographie Militaire paper stated:
The security of a cryptosystem should not depend on keeping the algorithm secret, but only on keeping the numeric key secret.
It’s absolutely clear that the best practice for doing cryptography today obbly any serious person to do open cryptography, subject to public review and that follow the Kerckhoff principle.
So, what we should think about closed source, proprietary cryptography that’s based on security trough obscurity concepts?
I was EXTREMELY astonished when TODAY, in 2010, in the age of information society i read some paper on Crypto AG website.
I invite all to read the Crypto AG security paper called Sophisticated Security Architecture designed by Crypto AG of which you can get a significant excerpt below:
The design of this architecture allows Crypto AG to provide a secret proprietary algorithm that can be specified for each customer to assure the perfect degree of cryptographic security and optimum support for the customer’s security policy. In turn, the Security Architecture gives you the influence you need to be fully independent in respect of your encryption solution. You can determine all areas that are covered by cryptography and verify how the algorithm works.The original secret proprietary algorithm of Crypto AG is the foundation of the Security Architecture.
I have to say that their architecture is absolutely good from TLC point of view. Also they have done a very good job in making the design of the overall architecture in order to make a tamper-proof resistant crypto system by using dedicated crypto processor.
However there is still something missing:
The overall cryptographic concept is misleading, based on wrong encryption concepts.
You may think that i am a troll telling this, but given the history of Crypto AG and given the fact that all the scientific and security community does not approve security trough obscurity concepts, it would legitimate to ask ourself:
Hey, i think that they have very depth knowledge on telecommunication and security, but given that the science tell us not to follow the secrecy of algorithms, i really have serious doubt on why they are still providing proprietary encryption and does not move to standard solutions (eventually with some kind of custom enhancement).
The cyber conflicts are really reaching a point where war and cyberwar merge together.
NATO countries have the right to use the force against attacks on computer networks.
You should know that Israel is a country where if a company need to develop encryption product they must be authorized by the government.
The government don’t want that companies doing cryptography can do anything bad to them and what they can do of good for the government, so they have to first be authorized.
Companies providing interception and encryption must apply to a license because Israel law on this is so restrictive to be similar to china law.
That’s because those kind of technologies are considered fundamental for the intelligence and espionage capabilities of Israel country.
To give some example of “Licensed by Israel Ministry of Defense” companies:
GSM encryption products “Licensed by Israel Ministry of Defense” - Gold-lock
Interception of communication products “Licensed by Israel Ministry of Defense” - Verint
HF encrypted Radio “Licensed by Israel Ministry of Defense” - Kavit
Surveillance services and equipment “Licensed by Israel Ministry of Defense” - Multi Tier Solutions
For example how to apply for a “License by Israel Ministry of Defense” if you do encryption technologies in Israel?
Be sure to be an israeli company, click here and fill the forms.
Someone will contact you from encryption-control@mod.gov.il and will discuss with you whether to give you or not the license to sell.
What does the department of defense will require from an israeli company in order to provide them the authorization to make and sell interception and encryption products?
Well, what they want and what they really ask nobody knows.
It’s a secret dealing of Israel Ministry of Defense with each “licensed” company.
What we know for sure is that Verint, a “Licensed by Israel Ministry of Defense”, placed a backdoor to intercept companies and governments in the US and Netherland into the interception systems they was selling.
CIA officier reported that Israel Ministry of Defense was known to pay Verint a reimbursement of 50% of their costs in order to have from Verint espionage services trough their commercial activity on selling “backdoored” interception equipment to spy foreign users.
It can be a legitimate doubt that the cooperation within the Israeli Ministry of Defense may be problematic for an Israeli company that want to sell interception and encryption product abroad.
Those companies may be forced to make the interests of Israel Ministry of Defense and not the interests of the customers (like Verint scandal is a real-world example).
So, how would a “Licensed by Israel Ministry of Defense” be a good things to promote?
It represent the risk that the “Israel Ministry of Defense”, like is publicly known that it has already have done with Verint, will interfere with what the company do.
It represent the risk that the “Israel Ministry of Defense” may reasonably provide “reimbursement” of costs paying the company and get what they would likely would like to get.
So, what does really “Israel Ministry of Defense” want from Israel companies doing encryption and interception technologies?
Should we ask ourself whether Israeli companies doing encryption and interception businesses are more interested to do business or to do “outsourced espionage services” for their always paying customer, the “Israel Ministry of Defense”.
For sure, in the age of financial crisis, the Israel Ministry of Defense is a paying customer that does not have budget problem…
Strict control, strict rules, strong government strategic and military cooperation.
Be careful.
If you want to read more about this matters, about how technologies from certain countries is usually polluted with their governments military and secret services strategies stay tuned as i am preparing a post about this .
You will much better understand about that subjects on the “Licensed by Israel Ministry of Defense”.
This post is to talk about the “unfair” marketing approach of Gold-Lock, an israeli company doing mobile voice encryption authorized by Israeli Ministry of Defence .
Following an announcement seen on Linkedin “Information Security Community” group:
GoldLock is offering US$ 100.000 and a job for an unencryption
GoldLock, an israeli encryption and security company is offering US$ 100.000 and a job to anyone capable to decrypt a cellular conversation contained in a file provided in their site ( https://www.gold-lock.com/app/en/?wicket:interface=:8 ::::).
The transcription must be sent back to GoldLock until February 1st, 2010.
The contest is open to all and any tools or technology may be used.
Good luck to all!!!
I commented:
Not having a public protocol specification is not even scientifically serious to make a marketing tricks like this.
I would say to gold-lock, let’s release the source code and let anyone compile the cryptographic engine if you trust not to to have something nasty inside… ;)
Toni Koivunen from F-secure said:
So… They will pay $100k if you get through the AES and the hassle with keys.
If someone would pull it off they would certainly make a truckload more money elsewhere. Plus they would retain the rights to the code/technology that they created, which isn’t the case if they go for the $100k since the License pretty clearly says that:
# An assignment letter to Gold Line, in a form satisfactory to Gold Line of your technology and the Work Plan (the “Technology”). Such assignment form shall enable Gold Line to transfer the rights on the Technology to Gold Line, including the right to register patents and all other rights.
# A release and waiver form, in a form satisfactory to Gold Line, duly executed by you and any other participant of any rights to the Technology.
Plus of course Gold Line retains the right to change the rules of the game with prior notice. Or needing to notify afterwards either.
Sounds fair :)
Michel Scovetta from Computer Associates said:
It sounds like the purpose of this is to get some cheap testing out of it, and to be able to say something like, “The best crypto experts in the world tried to break it, and were unable to.”
According to some of the docs on Gold Lock’s website, they use ECC-256 and a “modified DH key exchange” (which tingles my spidey senses), SHA-256, and then XOR for the actual data encryption. They use practically blasphemous language like, “Each component of the Gold Lock Enterprise solution is tested and proven secure against any conceivable attack.”
*Proven* secure? *Any conceivable* attack? Yikes!
In another doc on their site, they talk about their first layer relying on 1024-bit RSA. GoDaddy doesn’t even allow 1024-bit keys to be used anymore when generating $20 SSL certificates. They quote 300 billion MIPS-years to break, but if my math is correct, that comes down to about 52 days on the top supercomputer right now. Not trivial, but this is an offline attack, so time is on the side of the attacker.
The description then talks about the device generating 16k keys when you register the device. If the protocol is “secure”, then it should be “secure” with only a single key. If it’s not secure with a single key, then generating 16k keys could only make it 16k times more secure, which is far off from a proof of security.
I agree with Fabio - a fair contest would be to include source code and the cryptographic specification. Also, as other contests have proven (e.g. SecureWebMail), the weakest point isn’t usually the cryptography. It’s all of the other stuff, and it doesn’t look like any of it is being disclosed for the contest.
http://xkcd.com/538/Mike
I would say that all those considerations from security experts from well known and established security companies bring us to consider that:
Voice security is a sensible matters and lacks of transparency and governmental relationship for cryptographic choices usually does not provide anything good…
Think about it…
In 2005 and 2007 in Brazil million of people was targetted by a blackout.
Initially it appeared like an accident.
Now it’s known that was caused by a cyber attack against electricity control systems.
That was just a preview of what a cyber attack in a cyberwar means.
In near future we’ll probably see something like ‘virtual custom offices’ at internet borders, defining what get in and what get out like several “not so democratic” countries are doing.
Does the cyberwar will affect digital rights? Probably yes, even i hope not.
Russia is a very beautiful place for any committed cybercrime business owner.
FBI and Mcafee are trying to do something, do they will ever succeed?
I don’t think so, it’s a political issue as russia is not going to extradite any cybercriminal and is not going to provide strong international cooperations.
Always remember that in Russia Business Network has been strongly suspected to had done cooperations with Russian government that leveraged in different occasion their power and skills.
Are russian politicians more interested to protect their cyber-warriors skills and activities or to provide international cooperation?
Quite easy to answer…
Hi all,
in the past few years i saw an incredible increase in the amount of “public” news about espionage against different western countries and usually coming from far-east, typically china.
China want to be the largest economic power within 2020 and it’s following a grow rate of 8% per year. Their “controlled” capitalism without the inefficiency of the democracy it’s something that’s beating the western countries, less efficient because democratic.
China, in order to quickly grow it’s R&D capacity make an extensive use of espionage, it’s estimated that Chinese government have more than 1.000.000 intelligence agents worldwide.
And they know how to do espionage, their “spy” does not cost that much like western countries’ spy, less guarantee, less payments.
Also they are using cyber espionage as an important source of information and competitiveness against western countries companies and government R&D results. China is so un-cooperative that now also western countries spying each other, or even Russian, use chinese internet space as the “start base” for their internet based espionage activities.
I knew of a USA phisher that used to build it’s own trojan with a chinese version of Windows Xp with a chinese version of the Microsoft Visual Studio development suite. Why? For information deception, in order to tweak the forensics effort of the FBI analyst and have them think that it’s own attacks was coming from China!
Any investigators that see an attack coming from china typically think “oh shit, it comes from china, we’re lost”, and now even cybercrime use China like a far-west, untouchable base for cyber attacks.
Back tracing attacks coming from china it’s like trying to find out what’s inside a black hole, it’s a one-way trip and no information comes back.
To give better an idea of what i am speaking about just get the following list of reference:
Germany accuses China of industrial espionage
Chinese trainee goes on trial as French industry fears espionage
U.S. Vulnerable to Chinese Cyber Espionage
Massive Chinese Espionage Network
Cyber Spy Network Also Targetting Finland
How do the western countries defend themself?
That’s a nice points to speak about because there’s no simple way to defend against espionage other than considering it like a serious and concrete threat.
Governments should be able to get more understanding that their approach to informations systems and information security policy must not only exists on paper but also be applied everywhere in order to be effective. Governments are complex organizations and only a few are enough smart to be able to quickly and efficiently make security policies really be implemented organization-wide. But they are trying to, especially the most competitive ones like USA, UK and Germany .
Companies instead should acquire awareness of the problem that is present, available, concrete as concrete is the chance that someone enter into the offices to steal good (not for espionage). For that reason companies place alarm systems, access control with badge, camera monitoring systems.
But espionage does not mean fighting and protecting against poor thieves but instead against more sophisticated, either technically and socially, attacker that can use old school intelligence techniques always effective. Getting employed and stealing information while working. Simulate to be customers to establish a link trust with a salesman and then find a reason to let him execute some malicious software “hey, but my modellization software demostrate that your model used to measure the performance of your product it’s not the one you advertised. Check it out, see your self with the software we used!”. What do you think the salesman will do in order to catch the prospect customer?
Only awareness, knowledge about the issues can make such risk to be considered seriously.
Governments should provide financing to industrial associations, chamber of commerces and similar agencies in order to make such awareness national wide and let entrepreneurs became conscious and became prepared to recognize, identify and stop espionage activities.
The law perspective
Governments should strenghten their laws in order to be able have the required rights tools to enforce the protection from espionage.
Look at the analysis made by my smart cousin Angelo Pietrosanti on espionage “Is the European R&D Equally protected from espionage as in the US R&D?”
| Country | Civil Sanction against trade secret threat | Criminal Sanction against trade secret threat | Year of last modificationg |
|---|---|---|---|
| USA | 5 mln $ | up to 10(for domenistic) or 15 (for foreigners) Years of Jail | 1996 (Economic Espionage Act) |
| Germany | YES | up to 3 Years of Jail | 1986 |
| France | 0.03 mln $ | up to 2 Years of Jail | 1992 |
| UK | YES | NO | 1984 |
| Italy | YES | up to 2 Years of Jail | 1942 |
| Switzerland | YES | up to 3 Years of Jail | 1986 |
| Finland | YES | up to 3 Years of Jail | 1990 |
| Sweden | YES | up to 6 Years of Jail | 1990 |
| The Netherlands | YES | up to 4 Years of Jail | 1992 |
What this table show?
Maybe some european policy on this could help.
In conclusion
We are in an economic war where the winner is not the one having more forces, but the one being more technologically advanced, and economically clever.
Chinese are demonstrating to be enough aggressive and clever, will the western countries be able to react both on the defense and the attack in this war?
The intelligence strength is increasing everywhere… also in Switzerland that had a well known privacy protection approach!
Read the WikiLeaks Article
Nice attempt to place backdoors inside Blackberry devices.
It seems that UAE government wanted to do something nasty placing backdoors trough software upgrades in Etilsat (local mobile operator) blackberry devices, obviously with the cooperation of the mobile operator itself.
Fortunately, the power of the security community discovered and unveiled the facts. Check it out.
Etisat patch designed for surveillance
Wired magazine: Blackberry spies
Security exists only with transparency.
It’s amazing.
A chinese guy has been engaged within an espionage activity for the People’s Republic of China buying and exporting cryptographic equipments, radio and other secure hardware on eBay.
It’s unbelivable, read there, Chi Tong Kuok found on eBay:
It’s important to underline that good crypto should not require “secret methods” as the security methods should be secure even if revealed, like any cryptographic technology.
But chinese probably understood that this is not the approach of NSA that prefer using custom, self-made, self-analyzed cryptographic technologies that are probably a lot weaker than nowadays cryptographic standards.
So, why not buy some export restricted military secure technology on ebay?
I will make some in depth articles about how voice encryption really works in government environments.
The open standards and open source still have to reach the military and government environments for what’s related to secure speech.
To give you an idea of the complexity and kind of particular issues that exists, look at the USA 3G Wireless Security: A Government Perspective and the A Waveform Architecture to Support Security and Interoperability in Multi-National Wireless Networks for Tactical Communication .
They are using so-custom protocols like Secure Communications Interoperability Protocol that require the use of patented MELPe ultra-narrowband codec that there’s not a real market of application and equipment using this. Only a small elite of government controlled companies from few countries manage this de-facto lobby.
Should we change this bringing open standards also to government sectors?
It seems that in UK the management became illuminated, they discovered that the most efficient way to fight a cyber war is to hire soldier that play in the battlefield everyday, only for passion.
 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |