As a result, DUAL EC DRBG has been incorporated into a range of products, including those from security company RSA, in operating systems such as Microsoft Windows,and in a version of OpenSSL (a tool commonly used to facilitate website encryption). The integration of the standard with operating systems was significant because, by changing the default method by which the operating system encrypted communications traffic, an intelligence agency could decrypt data now encrypted using DUAL EC DRBG.
Dual_EC was never the default in Microsoft Windows, and you'd have to put effort into building a version of OpenSSL that used it. The article is overstating its case here.
Dual_EC was famously the default for some versions of RSA BSAFE, and RSA BSAFE seems to have acknowledged accepting money from the USG to set that default. But BSAFE's licensors used it primarily to mollify RSA's patents, which expired over a decade ago. Lots of vendors that license BSAFE don't use it for anything meaningful. OpenSSL is much, much more popular in closed-source enterprise tools than BSAFE is.
I believe it also overstates or miss-represents the way the wireless telecommunications networks operate.
While I'm honestly not familiar with the SGES or all the rules the article is alluding to about decryption,
I think this article also miss-represents the way wireless telecommunications networks work. The encryption used by networks such as UMTS and LTE are international standards specified by the 3GPP, and to my limited knowledge do not draw on DUAL EC DRBG in any way. However, my experience in this portion of the encryption is extremely limited.
Anyways, the encryption used by UMTS and LTE networks as specified by the 3GPP, are international standards, and are used to authenticate users SIM cards, and to protect the air interface for integrity and confidentiality. As such, the telephone communications should be difficult to intercept on the radio interface only, but when it enters the network the need for encryption is no longer needed.
To maybe draw a parallel to a web service, many load balancers offer SSL termination. SSL between the browser and the web server, is important to protect the connection between the client and any intermediate networks. However, once it get's to the load balancer, many services will just pass the traffic internally without encryption. Many systems like connections to a database will may also not be encrypted. Once you're within your own network, you don't keep everything encrypted at every step. The cellular network can be thought of in a similar way, the encryption is used to bring the service into the network in locations where it can be intercepted from outside the network.
Now if you think of something like say Internet traffic, for you to visit hacker news. You phone or tablet, will activate a cellular connection, and will send packets to the cellular network. The radio connection will be encrypted, but it will be decrypted by the network, because Hacker News doesn't know or understand the cellular encryption protocols, there are no end-to-end guarantee's provided. Also, the cellular network will eventually turn into an IP network, and the IP routing headers will be needed for regular Internet routing. When it leaves the cellular network, it will just be IP traffic like any other Internet traffic. What you are protected from, is that someone following you around with a special radio, can't listen in on your conversations, messages, etc.
In the case of Hacker News though, SSL is used, so that regular Internet traffic is also encrypted at a layer above TCP/IP, and the contents will be unknown.
Anyways, I hope that made sense. The article may have a lot of merit about what's going on, but in my experience it miss-represents how the mobile network operates.
To be fair, and what may be relevant, is the 3GPP did cripple cellular encryption technologies at one point, for use in countries with export restrictions if I remember correctly.
Also, at least the older encryption algorithms have known flaws. And there are also documentation of other flaws, such as being able to trick certain phones into using null encryption for example and then intercepting the radio traffic. Or getting the UE to trust a network that it shouldn't be able to.
Now for the mandatory disclaimer, the information provided are my own views, and in no way represent my employer. I do work in the wireless telecommunications sector in Canada, and all the information I provided is available to the public if you know where to look.
This was a great read. As a Canadian, I get the feeling that (most) people get Harper is bad news, but don't quite get all the details. I'll be sharing this one.
This article doesn't mention warrants at all. Are those even a consideration of these laws?
Can a Canadian government agency simply say "Gimme this info" to Canadian businesses with no oversight or accountability?
Also, the C-13 provisions regarding a crime under foreign law reeks of US involvement. However, it's also a restriction on Canadian sovereignty, making the nation beholden to any crazy law anywhere in the world. (or simply broadening the ability for selective enforcement to pull in any reason they can think up)
Speaking of weakening wireless communication, what ever happened to the Gemalto sim card revelations? This was big news 6 months ago then it just disappeared.
As far as I know, no recall ever happened. So we are all still using the compromised sim cards?
> Speaking of weakening wireless communication, what ever happened to the Gemalto sim card revelations? This was big news 6 months ago then it just disappeared.
> As far as I know, no recall ever happened. So we are all still using the compromised sim cards?
A local company was specifically named in leaked documents about the gemalto SIM compromise. When contacted by the news media, they asked Gemalto about it and were told an internal investigation had not revealed any evidence of breach. They proceeded to do nothing, and all those SIM cards are still in circulation.
I can't speak for what other carriers did, but certainly some of them are still out there, and I would hazard a guess that it would be most of them.
If it were the case that the telecom company is providing the government decrypted information, wouldn't they be giving the government an already-encrypted information if I were to use a VPN app like expressVPN on my smartphone?
The Queen of Canada must provide royal assent for legislation to pass.
The Governor General of Canada is her appointed representative who acts on her behalf.
The Queen of Canada also happens to be the Queen of the United Kingdom.
Canada could, if they wanted to, pass a new Succession to the Throne Act which could change who inherits the crown.
If Canadian laws surrounding the order of succession were different to the UK, the monarchs of the two countries could diverge. Canada's Canada Act 1982 prevents the UK parliament legislating for Canada, which since then means if the UK changes succession to the throne laws, Canada has to mirror it in their legislation, or they will potentially have different monarch. Canada had to do this a couple of years back when the UK changed the how the crown was inherited (made the oldest child of the monarch inherit it, regardless of sex ... I think)
Dual_EC was never the default in Microsoft Windows, and you'd have to put effort into building a version of OpenSSL that used it. The article is overstating its case here.
Dual_EC was famously the default for some versions of RSA BSAFE, and RSA BSAFE seems to have acknowledged accepting money from the USG to set that default. But BSAFE's licensors used it primarily to mollify RSA's patents, which expired over a decade ago. Lots of vendors that license BSAFE don't use it for anything meaningful. OpenSSL is much, much more popular in closed-source enterprise tools than BSAFE is.