|
|
(26 intermediate revisions by 2 users not shown) |
Line 1: |
Line 1: |
| '''Encryption''' is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but denies the message content to the interceptor. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. | | '''Encryption''' is the process of encoding data in such a way that only authorized parties can read it, encryption does not prevent interception but it stops others from reading what the data contains without the correct key. Encryption algorithms are used to generate unreadable data that can be left at rest in your hard drive or sent over the Internet. Many applications like WhatsApp automatically encrypt and decrypt your messages without any user interaction, the downside is that you must trust the company doing the encryption for you not to violate your privacy, Google is known to scan files<ref>https://www.extremetech.com/internet/330076-googles-child-abuse-detection-tools-can-also-identify-illegal-drawings-of-children</ref> you upload to Google Drive for child porn and cartoons, Microsoft, Apple and many other companies do that too. |
|
| |
|
| The process, as most commonly seen, involves a one-way process, in which movement in one direction is easy (encryption), but movemenr in the other (decryption) is hard.
| | When encryption has been well designed and it contains no backdoor, there is no way to break it, the most commonly used scheme to break encryption is trying to guess the passphrase used, there are programs that can try thousands of password combinations a minute but well designed encryption programs slow these bots down by not allowing more than four or five tries every minute making it unfeasible to guess the password in a reasonable amount of time that does not involve hundreds of years. |
|
| |
|
| For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. | | == How encryption works == |
| | :''For more information, see [http://en.wikipedia.org/wiki/Key_size Key size] and [https://en.wikipedia.org/wiki/Cryptographic_hash_function Cryptographic hash function] |
| | All modern cryptographic systems are based on the factoring of numbers. It is easy to multiply two numbers and come up with a product. To take a number and determine what the numbers were that were multiplied to "create" it (called "factors") is very difficult. Despite serious looking by very bright people, no method or algorithm to solve "finding the factors" —for example, that the factors of 21 are 7 and 3, and those of 551 are 19 and 29 — has been found. Other than the simplest of methods, what could be called "no method at all", trying every conceivable solution (called the "brute force" method). The number of solutions to be tried is incredibly huge, astronomical. To even attempt it the most powerful computers are needed, so as to get results within a usable time frame. If it takes three years to get the missing key (password), probably it's not going to do you much good. The makers of encryption software try to create a number so huge that the number of solutions is just impossible to test. The makers of decryption software try to come up with shortcuts thst reduce the number of numbers that must be tested, or at least prioritize some numbers to test before others. |
|
| |
|
| t is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, large computational resources and skill are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.
| | The more the speed of the hardware increases, the more it is possible to defeat encryption by a brute force attack (which is the only method because it's the only method that covers every possible answer). These are custom-built, single-purpose computers;.a single-purpose computer is always faster than a general-purpose computer. The original use of computers, during World War II, was to calculate coordinates for misiles (what angle up or elevation should they be at, among other things). Now it is to penetrate encryption, or try to. That's where the action is, in computing hardware. |
|
| |
|
| == Purpose of encryption ==
| | This is a great simplification of a complicated area. However, it is the root of the whole system. |
| The purpose of encryption is to ensure that only somebody who is authorized to access data (e.g. a text message or a file), will be able to read it, using the decryption key. Somebody who is not authorized can be excluded, because he or she does not have the required key, without which it is impossible to read the encrypted information..
| |
|
| |
|
| == How encryption works == | | == Degrees of security in encryption == |
| :''For more information, see [[Key length]].''
| | Any encryption must have a key, or in more basic terms a password. This is a string of characters which, in practice, describes the type of encryption used and provides the recipient's software the means to decrypt the message if authorized. The keys are easy to create but hard to undo. |
| All modern cryptographic systems are based on the factoring of numbers. It is easy to multiply two numbers and come up with a product. To take a number and determine what the numbers were that were multiplied to "create" it (called "factors") is very difficult. In Despite serious looking by very bright people, no method or algorithm to solve them has been found. Other than the simplest of methods, what could be called "no method at all", trying every conceivable solution. The number of solutions to be tried is incredibly huge, astronomical. To even attempt it the most powerful computers are needed, so as to get results within a usable time frame. If it takes three years to get the missing key (password), probably it's not going to do you much good. The makers of encryption software try to create a number so huge that the number of solutions is just impossible to test. The makers of decryption software try to come up with shortcuts thst reduce the number of numbers that must be tested, or at least prooritize some numbers to test before others.
| | |
| | The longer the password the more possible passwords have to be tested by the person that wants to break the encryption and view the message without permission. An eight-character password permits only about a billion possible passwords, and free software will break this in seconds on an ordinary desktop computer (2016). There are various standards, but 256 characters is commonly seen (2016). The longer the better. |
|
| |
|
| The more the speed of the hardware increases, the more possibility
| | A significant problem is providing the desired recipient the key (password) so the message can be decrypted. It should not be given over any type of electronic communication. Better give it in person, or on a flash drive sent through the mail. |
|
| |
|
| == PGP == | | == PGP == |
Line 20: |
Line 22: |
| == Boylovers and encryption == | | == Boylovers and encryption == |
|
| |
|
| Many boylovers encrypt files related to boylove to keep themselves safe along with using programs like [[Tor]]. It is often recommended that boylovers use full disk encryption with a program like [https://www.grc.com/misc/truecrypt/truecrypt.htm truecrypt], [https://veracrypt.codeplex.com/ veracrypt], or [https://www.ciphershed.org CiperShed] There is some debate over whether or not truecrypt should still be used as the project has been abandoned by it's authors. However, truecrypt is the only open source encryption tool which has been audited and the audit found: "The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.<ref>http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html</ref> [http://istruecryptauditedyet.com http://istruecryptauditedyet.com] Some believe that the new break offs from truecrypt, such as veracrypt and CiperShed, could contain backdoors. There is no evidence for this and all three programs are open-source. An extensive comparison of all available encryption programs can be found on the wikipedia page [https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software Comparison of disk encryption software] Whichever platform you use, a strong password is the most important thing to remember. See: [https://www.boywiki.org/en/Internet_security_tutorial#Using_secure_passwords Using secure passwords] | | Many boylovers encrypt files related to boylove to keep themselves safe along with using programs like [[Tor]]. 
It is often recommended that boylovers use full disk encryption with a program like [https://veracrypt.fr Veracrypt], a free open source program that has been audited<ref>https://threatpost.com/veracrypt-patches-critical-vulnerabilities-uncovered-in-audit/121342/</ref>, a few vulnerabilities where found during the audit and fixed, although it might sound alarming that vulnerabilities where found, Veracrypt is one of the very few encryption programs that has been publicly audited, with other software you must trust what the vendor says whereas in Veracrypt there is a third independent party that you can trust. An extensive comparison of all available encryption programs can be found on the Wikipedia page [https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software Comparison of disk encryption software] Whichever platform you use, a strong password is the most important thing to remember. See: [https://www.boywiki.org/en/Internet_security_tutorial#Using_secure_passwords Using secure passwords] |
|
| |
|
| One need not only use encryption if they have illegal files; even totally legal files related to boylove can destroy a person's life if brought to light. Sometimes it is difficult to know what even is legal with regard to boylove.[https://en.wikipedia.org/wiki/State_v._Dalton The State v. Dalton]is a legal case in the United States state of Ohio involving the prosecution of a man for recording fictional tales of alleged [[child pornography]] in a diary. He had no images, either drawn or photographed, just writings in a journal and it was deemed to be [[child pornography]]. Altogether the man spent over 10 years in prison for simple writings.<ref>http://www.nytimes.com/2001/07/14/us/child-pornography-writer-gets-10-year-prison-term.html/</ref> This case highlights how important it is to encrypt everything related to boylove. | | One need not only use encryption if they have illegal files; even totally legal files related to boylove can destroy a person's life if brought to light. Sometimes it is difficult to know what even is legal with regard to boylove.[https://en.wikipedia.org/wiki/State_v._Dalton The State v. Dalton]is a legal case in the United States state of Ohio involving the prosecution of a man for recording fictional tales of alleged [[child pornography]] in a diary. He had no images, either drawn or photographed, just writings in a journal and it was deemed to be [[child pornography]]. Altogether the man spent over 10 years in prison for simple writings.<ref>http://www.nytimes.com/2001/07/14/us/child-pornography-writer-gets-10-year-prison-term.html/</ref> This case highlights how important it is to encrypt everything related to boylove. |
|
| |
| Also, in the USA, even totally clothed photographs can be considered [[child pornography]]. See: https://www.boywiki.org/en/Child_porn#Definition This further demonstrates that boylovers should use encryption of anything having to do with children or boylove. What is legal today may not be legal tomorrow.
| |
|
| |
|
| ==Key (password) disclosure laws== | | ==Key (password) disclosure laws== |
Line 37: |
Line 37: |
| == Legislation by nation == | | == Legislation by nation == |
|
| |
|
| === Antigua and Barbuda ===
| | For an updated list of key disclosure laws by nations visit [https://en.wikipedia.org/wiki/Key_disclosure_law WikiPedia Key disclosure law page] |
|
| |
|
| The Computer Misuse Bill, 2006, Article 21(5)(c), if enacted, would allow police with a warrant to demand and use decryption keys. Failure to comply may incur "a fine of fifteen thousand [East Caribbean] dollars" and/or "imprisonment for two years."<ref>[http://www.laws.gov.ag/bills/2006/computer-misuse-bill-2006.pdf Antigua and Barbuda: The Computer Misuse Bill, 2006]</ref>
| | ==See Also== |
|
| |
|
| === Australia ===
| | * [[Steganography]] |
| | | * [[Tor]] |
| The Cybercrime Act 2001 No. 161, Items 12 and 28 grant police with a magistrate's order the wide-ranging power to require "a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to" access computer data that is "evidential
| | * [[Internet security tutorial]] |
| material"; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months imprisonment. Electronic Frontiers Australia calls the provision "alarming" and "contrary to the common law privilege against self-incrimination."<ref>Electronic Frontiers Australia. [http://www.efa.org.au/Issues/Privacy/security.html#ccb01 Privacy Laws in Australia: Security / Cybercrime]. Retrieved 2010 November 8.</ref>
| | * [[Email security]] |
| | | * [[Hard drive]] |
| The Crimes Act 1914, 3LA(5) "A person commits an offence if the person fails to comply with the order. Penalty for contravention of this subsection: Imprisonment for 2 years."<ref>{{Cite web|url=http://www.comlaw.gov.au/Details/C2015C00111/Html/Volume_1#_Toc415554770|title=Crimes Act 1914|last=AG|website=www.comlaw.gov.au|language=en|access-date=2016-04-30}}</ref>
| |
| | |
| === Belgium ===
| |
| | |
| The ''Loi du 28 novembre 2000 relative à la criminalité informatique'' (Law on computer crime of 28 November 2000), Article 9 allows a judge to order both operators of computer systems and telecommunications providers to provide assistance to law enforcement, including mandatory decryption, and to keep their assistance secret; but this action cannot be taken against suspects or their families.<ref>[http://cwisdb.kuleuven.be/pisa/fr/jur/infocrimewet.htm#Art.9 Loi du 28 novembre 2000 relative à la criminalité informatique: Article 9]. 2000 November 28. Retrieved 2010 November 9.</ref><ref>[http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?DETAIL=1808111930%2FF&caller=list&row_id=1&numero=7&rech=9&cn=1808111930&table_name=LOI&nm=1808111901&la=F&dt=CODE+D%27INSTRUCTION+CRIMINELLE&language=fr&fromtab=loi_all&sql=dt+contains++%27CODE%27%26+%27D%27%26+%27INSTRUCTION%27%26+%27CRIMINELLE%27and+actif+%3D+%27Y%27#Art.156 Code d'instruction criminelle. Livre II, titre I, Art. 156.] 1808 November 19. Retrieved 2010 November 9. (''in French'')</ref> Failure to comply is punishable by 6 months to 1 year in jail and/or a fine of 130 to 100,000 Euros.
| |
| | |
| === Canada ===
| |
| | |
| Canada implements key disclosure by broad interpretation of "existing interception, search and seizure and assistance procedures";<ref>[http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00118.html The Digital Economy in Canada: Summary of Canada’s Policy on Cryptography]. Industry Canada. Last modified 2009-02-11. Retrieved 2010 November 19.</ref> in a 1998 statement, Cabinet Minister John Manley explained, "warrants and assistance orders also apply to situations where encryption is encountered — to obtain the decrypted material or decryption keys."<ref>[http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00119.html The Digital Economy in Canada: Speaking Notes for John Manley: Canada's Cryptography Policy]. Presentation to the National Press Club, Ottawa. October 1, 1998. Industry Canada. Last modified 2009-02-11. Retrieved 2010 November 19.</ref>
| |
| | |
| === Finland ===
| |
| | |
| The Coercive Measures Act (Pakkokeinolaki) 2011/806 section 8 paragraph 23<ref>{{Cite web|url=http://www.finlex.fi/fi/laki/ajantasa/2011/20110806#a806-2011|title=Coercive Measures Act (Pakkokeinolaki)|language=fi|access-date=2016-04-30}}</ref> requires the system owner, its administrator, or a specified person to surrender the necessary "passwords and other such information" in order to provide access to information stored on an information system. The suspect and some other persons specified in section 7 paragraph 3 that cannot otherwise be called as witnesses are exempt from this requirement.
| |
| | |
| === France ===
| |
| Law #2001-1062 of 15 November 2001 on Community Safety allows a judge or prosecutor to compel any qualified person to decrypt or surrender keys to make available any information encountered in the course of an investigation. Failure to comply incurs three years of jail time and a fine of €45,000; if the compliance would have prevented or mitigated a crime, the penalty increases to five years of jail time and €75,000.<ref>Articles 30–31, {{cite French law|number or usual name=n<sup>o</sup> 2001-1062|date in French=15 novembre 2001|full name=relative à la sécurité quotidienne|language=French|lower case=yes|URL=http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000222052}}</ref>
| |
| | |
| === India ===
| |
| | |
| Section 69 of the Information Technology Act, as amended by the Information Technology (Amendment) Act, 2008, empowers the central and state governments to compel assistance from any "subscriber or intermediary or any person in charge of the computer resource" in decrypting information.<ref>[http://police.pondicherry.gov.in/Information%20Technology%20Act%202000%20-%202008%20(amendment).pdf Information Technology (Amended) Act, 2008] (PDF); Government of India – Ministry of Law, Justice and Company Affairs (Legislative Department); '''XI''' (69) pp. 27–8.</ref><ref>[http://220.227.161.86/18962sm_finalnew_isca_cp10.pdf Paper – 6 : Information Systems Control and Audit] (PDF) '''10''' pp. 42–3. [http://www.icai.org/post.html?post_id=5777 Study Material - Final (New)] The Institute of Chartered Accountants of India.</ref> Failure to comply is punishable by up to seven years imprisonment and/or a fine.
| |
| | |
| === New Zealand ===
| |
| | |
| New Zealand Customs is seeking Power to compel Key disclosure.<ref>{{Cite web|url=http://www.stuff.co.nz/technology/digital-living/67449940/customs-downplays-password-plan|title=Customs downplays password plan|website=Stuff|access-date=2016-04-30}}</ref>
| |
| | |
| === Poland ===
| |
| | |
| In relatively few known cases in which police or prosecutor requested cryptographic keys from those formally accused and these requests were not fulfilled, no further consequences were imposed on the accused. There's no specific law in this matter, as e.g. in the UK. It is generally assumed that the Polish Criminal Procedure Code (Kodeks Postępowania Karnego Dz.U. 1997 nr 89 poz. 555.) provides means of protecting against self-incrimination, including lack of penalization for refusing to answer any question which would enable law enforcement agencies to obtain access to potential evidence, which could be used against testifying person.<ref>[http://webhosting.pl/W.jaki.sposob.sluzby.moga.uzyskac.dostep.do.zaszyfrowanych.danych Webhosting.pl - W jaki sposób służby mogą uzyskać dostęp do zaszyfrowanych danych]{{Dead link|date=April 2016}}</ref>
| |
| | |
| === South Africa ===
| |
| | |
| Under the RICA Act of 2002, refusal to disclose a cryptographic key in your possession could result in a fine up to ZAR 2 Million or up to 10 years imprisonment. This requires a judge to issue a decryption direction to a person believed to hold the key.{{Citation needed|date=September 2014}}
| |
| | |
| === Sweden ===
| |
| | |
| There are currently no laws that force the disclosure of cryptographic keys. However, there is legislation proposed on the basis that the Council of Europe has already adopted a convention on cyber-crime related to this issue. The proposed legislation would allow police to require an individual to disclose information, such as passwords and cryptographic keys, during searches. The proposal has been introduced to make it easier for police and prosecutors. The proposal has been criticized by The Swedish Data Inspection Board.<ref>{{Cite web|url=http://www.publikt.se/artikel/di-kritiserar-nya-it-regler-46346|title=DI kritiserar nya it-regler|date=2013-09-26|website=Publikt|language=Swedish|access-date=2016-04-30}}</ref><ref name="Swedish Data Inspection Board">{{Cite web|url=http://www.datainspektionen.se/Documents/remissvar/2013-09-25-konvention-it-brottslighet.pdf|title=Remiss av betänkandet Europarådets konvention om it - relaterad brottslighet (SOU 2013:39)|language=Swedish|format=PDF|access-date=}}</ref>
| |
| | |
| === The Netherlands ===
| |
| | |
| Article 125k of the Wetboek van Strafvordering allows investigators with a warrant to access information carriers and networked systems. The same article allows the district attorney and similar officers of the court to order persons who know how to access those systems to share their knowledge in the investigation, including any knowledge of encryption of data on information carriers. However, such an order may not be given to the suspect under investigation.<ref>{{Cite web|url=http://wetten.overheid.nl/BWBR0001903/EersteBoek/TitelIV/Zevendeafdeling/Artikel125k/geldigheidsdatum_12-01-2015|title=wetten.nl - Regeling - Wetboek van Strafvordering - BWBR0001903|website=wetten.overheid.nl|access-date=2016-04-30}}</ref>
| |
| | |
| === United Kingdom ===
| |
| | |
| The Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,<ref>{{cite news|first=Jeremy |last=Kirk |url=http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511.html |title=Contested UK encryption disclosure law takes effect |agency=PC World |publisher=Washington Post |date=October 1, 2007 |accessdate=2009-01-05}}</ref> requires persons to supply decrypted information and/or keys to government representatives with a court order. Failure to disclose carries a maximum penalty of two years in jail. The provision was first used against animal rights activists in November 2007,<ref>{{cite news|last=Ward |first=Mark |url=http://news.bbc.co.uk/1/hi/technology/7102180.stm |title=Campaigners hit by decryption law |work=[[BBC News]] |date=2007-11-20 |accessdate=2009-01-05}}</ref> and at least three people have been prosecuted and convicted for refusing to surrender their encryption keys,<ref>{{Cite news |url=http://www.theregister.co.uk/2010/10/06/jail_password_ripa/ |title=Youth jailed for not handing over encryption password |work=[[The Register]] |date=6 October 2010 |first=John |last=Oates}}</ref> one of whom was sentenced to 13 months' imprisonment.<ref>{{Cite news |url=http://www.theregister.co.uk/2009/11/24/ripa_jfl |title=UK jails schizophrenic for refusal to decrypt files |work=The Register |date=24 November 2009 |first=Christopher |last=Williams}}</ref>
| |
| | |
| === United States ===
| |
| | |
| The right not to be forced to incriminate oneself is guaranteed by the Fifth Amendment to the United States Constitution. At present there is no legal requirement that forces anyone to reveal a password.<ref>http://www.coreyvarma.com/2015/07/encryption-vs-fifth-amendment/ |title=Encryption vs. Fifth Amendment |first1=Corey |last1=Varma |website=www.coreyvarma.com |accessdate=July 28, 2015}}</ref> However, this is an active area of the law. The question of whether one can be forced to reveal a password that would ostensibly only incriminate ''someone else'' being investigated (and whether incriminating evidence ”accidently" revealed concerning the password holder can then be used against them) is unanswered. Various password holders are in jail right now (2016) for Contempt of Court: violating the order of a judge, who says his order is legal. Disobeying a judge is technically not a crime, but you're still in jail.
| |
| | |
| Encryption is an active political topic today (2016) in the United States.
| |
| | |
| However, the federal case ''In re Boucher'' may be influential as case law. In this case, a man's laptop was inspected by customs agents and child pornography was discovered. The device was seized and powered-down, at which point disk encryption technology made the evidence unavailable. The judge held that it was a foregone conclusion that the content exists since it had already been seen by the customs agents, Boucher's encryption password "adds little or nothing to the sum total of the Government's information about the existence and location of files that may contain incriminating information."<ref>{{cite web|url=http://volokh.com/files/BoucherDCT.1.pdf |title=In re Grand Jury Subpoena to Sebastien Boucher, Memorandum of Decision |date=February 19, 2009 |format=PDF |work=The Volokh Conspiracy |accessdate=2009-08-29 |archive-url=https://web.archive.org/web/20140716161430/http://www.volokh.com/files/Boucher.pdf |archive-date=July 16, 2014}}</ref><ref>http://www.cnet.com/news/judge-man-cant-be-forced-to-divulge-encryption-passphrase/ |title=Judge: Man can't be forced to divulge encryption passphrase |first=Declan |last=McCullagh |publisher=CNET |date=December 14, 2007 |accessdate=October 19, 2014}}</ref>
| |
| | |
| In United States v. Fricosu, a district court judge ordered a Colorado woman to decrypt her laptop so prosecutors can use the files against her in a criminal case: "I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Colorado U.S. District Judge Robert Blackburn ruled on January 23, 2012.<ref>{{cite web|url=http://www.wired.com/threatlevel/2012/01/judge-orders-laptop-decryption/ |title=Judge Orders Defendant to Decrypt Laptop |first=David |last=Kravets |publisher=WIRED |date=January 23, 2012}}</ref> In Commonwealth v. Gelfgatt,<ref>{http://scholar.google.com/scholar_case?q=GELFGATT&hl=en&as_sdt=2006&case=13313310379620456644&scilh=0</ref> the court ordered a suspect to decrypt his computer, citing exception to Fifth Amendment can be invoked because "''an act of production does not involve testimonial communication where the facts conveyed already are known to the government...''".<ref>http://arstechnica.com/tech-policy/2014/06/massachusetts-high-court-orders-suspect-to-decrypt-his-computers/ |title=Massachusetts high court orders suspect to decrypt his computers |first=Cyrus |last=Farivar |publisher=Ars Technica |date=June 26, 2014 |accessdate=October 19, 2014}}</ref>
| |
| | |
| However, in United States v. Doe, the United States Court of Appeals for the Eleventh Circuit ruled on 24 February 2012 that forcing the decryption of one's laptop violates the Fifth Amendment.<ref>https://www.eff.org/press/releases/appeals-court-upholds-constitutional-right-against-forced-decryption |title=Appeals Court Upholds Constitutional Right Against Forced Decryption |first1=Marcia |last1=Hofmann |first2=Hanni |last2=Fakhoury |publisher=Electronic Frontier Foundation |date=February 24, 2012 |accessdate=October 19, 2014}}</ref> <ref>http://arstechnica.com/tech-policy/2012/02/appeals-court-fifth-amendment-protections-can-apply-to-encrypted-hard-drives/</ref>
| |
| | |
| The Federal Bureau of Investigation may also issue national security letters that require the disclosure of keys for investigative purposes.<ref>https://nakedsecurity.sophos.com/2014/01/29/lavabit-appeals-contempt-of-court-ruling-surrounding-handover-of-ssl-keys/|title=Lavabit appeals contempt of court ruling surrounding handover of SSL keys|date=2014-01-29|website=Naked Security|access-date=2016-04-30}}</ref> One company, Lavabit, chose to shut down rather than surrender its master private keys.
| |
| | |
| Since the summer of 2015, cases were fought between major tech companies such as Apple over the regulation of encryption with government agencies asking for access to private encrypted information for law enforcement purposes. A technical report was written and published by MIT Computer Science and Artificial Intelligence Laboratory, where Ronald Rivest, an inventor of RSA, and Harold Abelson, a computer science professor at MIT with others, explain the technical difficulties, including security issues that arise from the regulation of encryption or by making a key available to a third party for purposes of decrypting any possible encrypted information. The report lists scenarios and raises questions for policy makers. It also asks for more technical details if the request for regulating encryption is to be pursued further.<ref>https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf |date=6 July 2015 |title=Keys Under Doormats: Mandating insecurity by requiring government access to all data and communication |work=MIT Computer Science and Artificial Intelligence Laboratory }}</ref>
| |
| | |
| Most recently, as noted above, a person may now be indefinitely detained for refusing to unencrypt their drives.
| |
| | |
| "A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order." <ref>http://arstechnica.com/tech-policy/2016/04/child-porn-suspect-jailed-for-7-months-for-refusing-to-decrypt-hard-drives/</ref>
| |
| | |
| ==See Also==
| |
| *[[Steganography]] | |
| *[[Tor]] | |
| *[https://www.boywiki.org/en/Internet_security_tutorial Internet security tutorial] | |
| *[https://www.boywiki.org/en/Email_security Email security] | |
| *[https://www.boywiki.org/en/Hard_drive hard drive] | |
|
| |
|
| ==References== | | ==References== |
Encryption is the process of encoding data in such a way that only authorized parties can read it, encryption does not prevent interception but it stops others from reading what the data contains without the correct key. Encryption algorithms are used to generate unreadable data that can be left at rest in your hard drive or sent over the Internet. Many applications like WhatsApp automatically encrypt and decrypt your messages without any user interaction, the downside is that you must trust the company doing the encryption for you not to violate your privacy, Google is known to scan files[1] you upload to Google Drive for child porn and cartoons, Microsoft, Apple and many other companies do that too.
When encryption has been well designed and it contains no backdoor, there is no way to break it, the most commonly used scheme to break encryption is trying to guess the passphrase used, there are programs that can try thousands of password combinations a minute but well designed encryption programs slow these bots down by not allowing more than four or five tries every minute making it unfeasible to guess the password in a reasonable amount of time that does not involve hundreds of years.
How encryption works
- For more information, see Key size and Cryptographic hash function
All modern cryptographic systems are based on the factoring of numbers. It is easy to multiply two numbers and come up with a product. To take a number and determine which numbers were multiplied to "create" it (called its "factors") is very difficult. Despite serious searching by very bright people, no method or algorithm for "finding the factors" (for example, that the factors of 21 are 7 and 3, and those of 551 are 19 and 29) has been found, other than the simplest of methods, what could be called "no method at all": trying every conceivable solution (called the "brute force" method). The number of solutions to be tried is astronomically large. Even attempting it requires the most powerful computers, so as to get results within a usable time frame. If it takes three years to get the missing key (password), it is probably not going to do you much good. The makers of encryption software try to create a number so huge that the number of solutions is just impossible to test. The makers of decryption software try to come up with shortcuts that reduce the number of numbers that must be tested, or at least prioritize some numbers to test before others.
The more the speed of the hardware increases, the more it is possible to defeat encryption by a brute force attack (which is the only method because it's the only method that covers every possible answer). The computers used for this are custom-built, single-purpose machines; a single-purpose computer is always faster than a general-purpose computer. The original use of computers, during World War II, was to calculate coordinates for missiles (what angle up or elevation should they be at, among other things). Now it is to penetrate encryption, or try to. That's where the action is, in computing hardware.
This is a great simplification of a complicated area. However, it is the root of the whole system.
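The asymmetry described above, as an added example that is not part of the original article: trial division (the "try every candidate" method) recovers the factors of 21 and 551 and counts how many divisions it needs as the product grows. The three larger products are constructed here for illustration.

```python
import math


def smallest_factor(n):
    """Factor n by brute force (trial division).

    Returns (p, q, divisions) where p * q == n, p is the smallest
    factor greater than 1, and divisions is the number of candidate
    divisors that had to be tried before one worked.
    """
    if n < 2:
        raise ValueError("n must be at least 2")
    divisions = 0
    # A composite n always has a factor no larger than sqrt(n),
    # so candidates above that bound never need to be tested.
    for candidate in range(2, math.isqrt(n) + 1):
        divisions += 1
        if n % candidate == 0:
            return candidate, n // candidate, divisions
    return n, 1, divisions  # nothing divided n, so n is prime


def work_table(products):
    """Return one (n, p, q, divisions) row per product."""
    return [(n,) + smallest_factor(n) for n in products]


# 21 and 551 are the article's examples. The other three are
# constructed samples: each is the product of two nearby primes
# (101*103, 1009*1013, 10007*10009).
SAMPLE_PRODUCTS = (21, 551, 10403, 1022117, 100160063)

if __name__ == "__main__":
    print(f"{'product':>12} {'p':>6} {'q':>6} {'divisions tried':>16}")
    for n, p, q, divisions in work_table(SAMPLE_PRODUCTS):
        # Going the other way (p * q) is always a single multiplication.
        assert p * q == n
        print(f"{n:>12} {p:>6} {q:>6} {divisions:>16}")
```

Each time the product gains two digits, the number of divisions grows roughly tenfold, while multiplying the two factors back together stays a single operation.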
Degrees of security in encryption
Any encryption must have a key, or in more basic terms a password. This is a string of characters which, in practice, describes the type of encryption used and provides the recipient's software the means to decrypt the message if authorized. The keys are easy to create but hard to undo.
The longer the password the more possible passwords have to be tested by the person that wants to break the encryption and view the message without permission. An eight-character password permits only about a billion possible passwords, and free software will break this in seconds on an ordinary desktop computer (2016). There are various standards, but 256 characters is commonly seen (2016). The longer the better.
A significant problem is providing the desired recipient the key (password) so the message can be decrypted. It should not be given over any type of electronic communication. Better give it in person, or on a flash drive sent through the mail.
PGP
Boylovers and encryption
Many boylovers encrypt files related to boylove to keep themselves safe along with using programs like Tor. It is often recommended that boylovers use full disk encryption with a program like Veracrypt, a free open source program that has been audited[2]. A few vulnerabilities were found during the audit and fixed. Although it might sound alarming that vulnerabilities were found, Veracrypt is one of the very few encryption programs that has been publicly audited; with other software you must trust what the vendor says, whereas in Veracrypt there is a third independent party that you can trust. An extensive comparison of all available encryption programs can be found on the Wikipedia page Comparison of disk encryption software. Whichever platform you use, a strong password is the most important thing to remember. See: Using secure passwords
One need not only use encryption if they have illegal files; even totally legal files related to boylove can destroy a person's life if brought to light. Sometimes it is difficult to know what even is legal with regard to boylove. The State v. Dalton is a legal case in the United States state of Ohio involving the prosecution of a man for recording fictional tales of alleged child pornography in a diary. He had no images, either drawn or photographed, just writings in a journal and it was deemed to be child pornography. Altogether the man spent over 10 years in prison for simple writings.[3] This case highlights how important it is to encrypt everything related to boylove.
Key (password) disclosure laws
Key disclosure laws, also known as mandatory key disclosure, are laws that require individuals to surrender cryptographic keys (passwords, though actual words are rarely used today) to law enforcement. The purpose is to allow access to material for confiscation or digital forensics purposes and use it either as evidence in a court of law or to enforce national security interests. Similarly, mandatory decryption laws force owners of encrypted data to supply decrypted data to law enforcement.
Nations vary widely in the specifics of how they implement key disclosure laws. Some, such as Australia, give law enforcement wide-ranging power to compel assistance in decrypting data from any party. Some, such as Belgium, concerned with self-incrimination, only allow law enforcement to compel assistance from non-suspects. Some require only specific third parties such as telecommunications carriers, certification providers, or maintainers of encryption services to provide assistance with decryption. In all cases, a warrant is generally required.
In the United Kingdom and Australia, it is a criminal offense not to reveal an encryption key when requested by law enforcement. In the United States there is no such law, nor is there any legal obligation to cooperate with law enforcement unless a warrant has been issued by a judge. The Fifth Amendment to the United States Constitution, on which there is a Wikipedia article, prohibits the government from requiring anyone to testify against himself (self-incrimination). Whether supplying a password constitutes self-incrimination has not been ruled on definitively by the courts. However, a judge, usually at the request of law enforcement, can give a key holder immunity for anything discovered using the key; the material revealed by use of the key cannot be used as evidence against the key holder or to get an indictment of the key holder. That the encrypted material might give law enforcement leads on where to find new evidence that could be used to indict the key holder, or might lead to indictment of someone other than the key holder — typically an ally of some sort — is not relevant to a judge. Judges can and do hold persons in Contempt of Court for failing to follow a judicial mandate. (Search warrants and arrest warrants are judicial mandates.) A judge can order someone the judge finds guilty of Contempt of Court to be incarcerated indefinitely, until the judge's order is complied with.
"A Philadelphia man suspected of possessing child pornography has been in jail for seven months and counting after being found in contempt of a court order demanding that he decrypt two password-protected hard drives. The suspect, a former Philadelphia Police Department sergeant, has not been charged with any child porn crimes. Instead, he remains indefinitely imprisoned in Philadelphia's Federal Detention Center for refusing to unlock two drives encrypted with Apple's FileVault software in a case that once again highlights the extent to which the authorities are going to crack encrypted devices. The man is to remain jailed "until such time that he fully complies" with the decryption order." [4]
Legislation by nation
For an updated list of key disclosure laws by nation, visit the Wikipedia Key disclosure law page.
See Also
References
External links