Re: [Hampshire] [OT]Hand over your crypto key or else

Author: john
To: lug, Hampshire LUG Discussion List
Subject: Re: [Hampshire] [OT]Hand over your crypto key or else
On Wednesday 21 November 2007 18:09:09 Vic wrote:
> > There are crypto programs which use 100 random character passwords (each
> > character using 250 characters of the ASCII character set). The
> > passwords are in a file which is encrypted. If the file gets damaged you
> > lose your passwords.
> >
> > There is no way you can remember the password. The programs have been
> > designed this way.
> >
> > Can give a demo of such a crypto program.
>
> You miss the point.
>
> It's not the difficulty of remembering the key that matters.
>
> It's not whether you store the key in your head or in a key-safe programme.
>
> The salient point is that if you do not surrender the key to the
> authorities on demand, or else provide a cleartext version[1] of the
> encrypted lump, they can send you to prison.
>
> The way you generate your keys has little importance in comparison to the
> loss of your liberty *just because some plod thinks something might be an
> encrypted file, even if it's not*. Failure to decrypt something that
> cannot be decrypted (because it is just rubbish - not an encrypted file at
> all) is a criminal offence under RIPA. Don't think they won't use those
> powers...
>
> Vic.
>
>
> [1] Quite how the Police Farce are going to prove that some random text is
> unrelated to the encrypted lump is beyond me; I expect it's down to the
> defendant to prove his innocence again, though.

No I have not missed the point. If the key is unavailable because it has been
deleted and the key is 100 random characters long then the authorities cannot
expect you to produce something that is impossible to give them.

It is up to you to show the judge and a jury how a password was produced. It
is up to you to show a judge and jury that the passwords that your program
uses are impossible to remember. If the password produced demonstrates to a
jury that it is something impossible to remember then you are halfway there.

The law deals with intent. The law is required to show that you deliberately
deleted your password file. If your password file was screwed by a program
hiccup accidentally (this is easily done by pressing the wrong keys and
answering the phone at the same time), then the law must prove that you
deliberately deleted the file. The law's forensic expert must show that the
file was deleted in the time frame when the computer was in the process of
being seized.

The law is designed to deal with passwords or pass phrases that can be
remembered. So a forty character pass phrase can be remembered and the law
can claim you are being untruthful for not remembering it. The law has a
good point.

Passwords that are impossible to remember have to be subject to a different
law. This law is not on the statute books yet. English law deals with the
letter of the law.

The law must prove a criminal offence. Human Rights law comes in here. False
imprisonment is a subject of human rights violations. You are entitled to
have your own computer forensic expert to show that what is present is random
data and not an encrypted file.

Similarly the law has its own expert who has to prove that what you have is an
encrypted file and not a random data file. Intent is again the key.

Needless to say you will need an expensive solicitor to argue the case for you
in court.

Human Rights law would be on your side in this matter. Again another
expensive solicitor.

If you have the computer programs which can demonstrate what you say and your
expert can show this in a manner that a jury can understand then the jury
will find you not guilty of breaking the law. For it is a jury who decide in
these matters.

The law says that it must be beyond reasonable doubt.

The law does not require you to keep all the files you have ever produced.

I cannot afford to ask for a barrister's opinion on this. Is there anyone in
the LUG who is a barrister and can elaborate further on this topic?

Many people's knowledge of crypto programs is quite rudimentary, and they tend
to think along the lines of the programs they know. Bruce Schneier can probably
think of a few programs which the RIPA law will have problems handling.
http://www.schneier.com/crypto-gram.html has an archive of back issues of
CRYPTO-GRAM. Bruce Schneier has also discussed this law's failings in one of
the issues.

John Eayrs
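As an added illustration of the "random data versus encrypted file" point argued above (example code written for this page, not from the mailing-list thread or any program it mentions): the two statistics a forensic examiner would reach for first, byte entropy and a chi-square test against a uniform distribution, give the same answer for properly encrypted data and for bytes from the OS random source. The toy SHA-256 counter-mode stream cipher and the repeated-sentence plaintext are constructed for the demonstration.

```python
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte from the byte-frequency histogram (max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution.
    With 255 degrees of freedom, uniform data scores around 255."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher for the demo: XOR with a SHA-256 counter-mode keystream.
    Illustrative only; use a real AEAD (e.g. AES-GCM) for actual data."""
    out = bytearray()
    for block, i in enumerate(range(0, len(plaintext), 32)):
        keystream = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[i:i + 32], keystream))
    return bytes(out)


def compare(size: int = 65536) -> dict:
    """Return (entropy, chi-square) for constructed plaintext, its ciphertext,
    and an equal-sized sample of OS random bytes."""
    sentence = b"Hand over your crypto key or else. "   # constructed sample text
    plaintext = (sentence * (size // len(sentence) + 1))[:size]
    ciphertext = stream_encrypt(os.urandom(32), os.urandom(16), plaintext)
    random_bytes = os.urandom(size)
    return {
        "plaintext": (shannon_entropy(plaintext), chi_square(plaintext)),
        "ciphertext": (shannon_entropy(ciphertext), chi_square(ciphertext)),
        "random": (shannon_entropy(random_bytes), chi_square(random_bytes)),
    }


if __name__ == "__main__":
    for name, (ent, chi) in compare().items():
        print(f"{name:10s} entropy={ent:.3f} bits/byte  chi-square={chi:.1f}")
```

Plaintext scores far below 8 bits per byte with a huge chi-square, while the ciphertext and the random sample both sit near 8.0 and near 255, which is why these tests alone cannot establish that a blob is encrypted rather than merely random.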