Instead of encrypting everything with a single government key, several government agencies need to provide new public keys every day. The private key must be under the control of a court. Each secure encryption channel needs to subscribe to one or more of those agencies. The court must delete those keys after six months.
- No attacker will be able to monitor any channel of communication for a long period of time.
- Generating and sharing new keys can be automated easily.
- A single stolen key will just compromise a small fraction of the whole communication.
- Judges will decide in court which messages can be deciphered during the storage period.
- It’s still possible to decipher all messages of a person if there is a lawful need.
- If a key is lost by accident, the damage is small.
- No one can secretly decode messages.
- The system can be adapted as attackers find ways to game it.
- More complex than a single key or single source for all keys. It will break more often.
- Pretty expensive.
- Judges need to be trained to understand what those keys mean.
- Keys will be in more hands, creating more points of attack.
Always remember that in a democracy, the law isn’t about justice but balancing demands. There are people afraid that embarrassing details of their private communicate will be exposed as well as people trying to cover the tracks of a crime.
Right now, there is no better way to determine which communication needs to be cracked open than a normal court case.
If we used one or a few keys to encrypt everything (just because it’s easier), that would put a huge attraction on this data. Criminals will go to great lengths to steal those. If there are many keys, each one of them becomes less important. The amount of damage each key can cause must be smaller in this case. It would also mean they would have to steal many keys which would raise chances to get caught.
I was wondering if one key per month would be enough but there is really no technical reason to create so few. We have the infrastructure to create one every few seconds but that might be overkill. Once per day or maybe once per hour feels like a sweet spot. Note: When the technical framework has been set up, it should be easy to configure it to a different interval.
If we spread the keys over several organizations, an attack on one of them doesn’t compromise everyone. Also, software developers and users can move around, making it harder for unlawful espionage to track them.
Police officers and secret services should not be left alone with the decision what they can watch. Individuals make mistakes. That’s one reason why you talk to a friend when you make important decisions. Therefore, the keys should be in the hands of the law.
The law isn’t perfect. My thoughts are that we would use the perfect system if it existed. Since we’re using the law, the perfect solution probably doesn’t exist or it doesn’t exist, yet. In either case, using court rulings is the best solution we have right now to balance conflicting demands. The keys could be confiscated when the case is started and destroyed when the case is closed to avoid losing access halfway through the proceedings.
Mistakes will happen. Systems will break, keys will be lost, important messages will become indecipherable, criminals will attack the system, idiots will put keys on public network drives. Is there a way that this can be avoided? I doubt it. Therefore, I try to design a system which shows a certain resilience against problems to contain the damage.
For example, a chat app can request keys from its source. If that fails, it has options:
- Use a previous key
- Log an error in another system which monitors health of the key sources
- Automatically ask a different source
- Tell the user about it and refuse to work
- Let the user chose a different source