This might make life interesting

I stand corrected the bill was squashed requiring ALL US companies to include a backdoor. Just zipped around the web looking for it. I remember reading it passed. I just checked and it looks like it was killed pretty early.

Keep on trying to figure out how to word the below

For one major company that provides encryption I know there is a backdoor. Not a fed backdoor; just a backdoor. The one time I did cross paths with them it required a subpoena. This was in 2002. I’m not sure what their status is today.

Even with the above my confidence in a totally encrypted and secure drive is limited. Decrypting on the fly will chew resources. The trade off between usability and security. How secure can it be? Secure to casual thieves? The articles I read didn’t really get into it. If there are some hard facts out there please post a link.

If you collect the other media around the system, you will "probably" get the USB drive that has the bit locker key on it. Then you won't have very many issues.

omagico,
True, but many investigators miss the usb keys. That's why it's now very important to look in the registry as part of the digital walkthrough(preview) to determine what USB devices have been plugged in to that machine before you take the machine down.

All US encryption (or made by US companies) must include a backdoor. All it will take is a subpoena. The courts have also stated that passwords are not protected under the 5th amendment unless the password itself is incriminating. Other countries prob have similar laws. I guess people should create incriminating passwords???

It’s just a bump in the road. Wait until hackers figure out a way to bypass it anyway and then just copy their methods. In a year after its release it will be business as usual. Just one more step added onto a task.

There are requirements for companies to restrict the strength of crypto they export outside the US.

And as a good practice, it is generaly acceptable to place a documented backdoor for system access to a device/system that does encryption so that if keys are lost or if there is some sorta hardware failure the data can still be retrieved.

The typical "backdoor" for that type of access is with a physical connection to a serial port, with a userpass combo.

skip

There are requirements for companies to restrict the strength of crypto they export outside the US.

Not true. These laws were repealed in 1996. There are still certain countries that are defined as 'rouge states' which cryptographic algorithms can not be exported to, but the max 40 bit part has been dropped.

http//en.wikipedia.org/wiki/Export_of_cryptography

And as a good practice, it is generaly acceptable to place a documented backdoor for system access to a device/system that does encryption so that if keys are lost or if there is some sorta hardware failure the data can still be retrieved.

Also not true. The government dabbled with the idea of cryptographic algorithms containing back doors in their skipjack algorithms to be used in the proposed clipper chip and it failed miserably. There was public outcry and the cipher was never widely used.

http//en.wikipedia.org/wiki/Skipjack_%28cipher%29

There are requirements for companies to restrict the strength of crypto they export outside the US.

Not true. These laws were repealed in 1996. There are still certain countries that are defined as 'rouge states' which cryptographic algorithms can not be exported to, but the max 40 bit part has been dropped.

http//en.wikipedia.org/wiki/Export_of_cryptography

And as a good practice, it is generaly acceptable to place a documented backdoor for system access to a device/system that does encryption so that if keys are lost or if there is some sorta hardware failure the data can still be retrieved.

Also not true. The government dabbled with the idea of cryptographic algorithms containing back doors in their skipjack algorithms to be used in the proposed clipper chip and it failed miserably. There was public outcry and the cipher was never widely used.

http//en.wikipedia.org/wiki/Skipjack_%28cipher%29

So you agree, there are restrictions on the strength of crypto you can export…

And you are right, there are not crypto algos with back doors. Its a good thing I didn't say that.
In stead of just copying and pasting what I wrote, so you could read it again, SANS large amounts of alcohol…I'll just write it a little differently.

It IS a good practice to provide a back door to systems that provide crypto functions so that data can be recovered in the event of hardware failure or key loss. This practice is exercised regularly by US government agencies.

Those backdoors are typically implemented through a physical access port, like a serial cable (with user namepassword combos).

Skip

So you agree, there are restrictions on the strength of crypto you can export…

Most crypto we use are imported, therefore there are no limitations for our clients to use them overseas.

It IS a good practice to provide a back door to systems that provide crypto functions so that data can be recovered in the event of hardware failure or key loss. This practice is exercised regularly by US government agencies.

I have worked for several agencies and could not find such examples. Could be just me.

Those backdoors are typically implemented through a physical access port, like a serial cable (with user namepassword combos).

I am still trying to figure out why such practice is good. oops

Those backdoors are typically implemented through a physical access port, like a serial cable (with user namepassword combos).

Many systems do NOT have such a backdoor
E.g. BitLocker is very solid.

Most systems will allow you to escrow the key or save it someplace.
(Recovery password…) or to have a system credential in addition to the user's one.

Also with the proper knowledge on many "backdoor" systems that door can be nailed shut by corrupting the backdoor information.

Maybe the word "backdoor" is confusing people.

How about, "physical administrative control panel".

They only way to use it is to obtain a serial cable, walk into the datacenter or network closet, plug one end into the device and the other end into a laptop, reboot the device then log in with the administrative userpass combo.

Then you can use that access to recover/restore data, recover keys, fix configuration issues, reset root or administrator passwords.

If you can't figure out how this is good then just wait until you have an equipment failure on a device that performs cryptographic functions. Then you will understand the importance of a "physical administrative control panel"

—-

I dont care about the crypto (i suppose you mean encrypted files? or perhaps keys? perhaps you built a device?) you import. I was talking about export (things that EXit the country), export restrictions. You can not develop systems that perform strong encryption and then give/sell/transport or use to communicate with any country you want outside (export = exit) the country. There are things you can't do…or restrictions.