[Kim_Bruning]

If you weaken encryption so that your government can get access, now other sides can get access too. Including criminals and other governments.

No I would not like to weaken encryption for my bank (obviously), my personal information (if only due to spear fishing), cryptographic authentication like passkeys in general and ssh keys in particular, and absolutely no one gets access to any teenager's phone anywhere. (unless it's their parents maybe,... that one is debatable).

ps the term "NOBUS fallacy" is apparently not a thing yet. (I thought it was!)

[FuriouslyAdrift]

Harkens back to the days when we could only export 40 bit encryption due to ITAR (which still applies to a lot of stuff... just not the 40 bit part)

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

[russianGuy83829]

You don't have to weaken your encryption to your bank though. The author proposes extending the TLS protocol so that the bank declares themselves responsible for the contents of communication and full strength encryption can be used.

[tptacek]

"NOBUS" isn't a fallacy. We can build systems that have access mechanisms that are for all intents and purposes NOBUS.

[tialaramex]

I don't buy it. These systems are always multiparty. In a single party cryptosystem we can have internal integrity. We know we're not the bad guys and we didn't share the private information with the bad guys, therefore the bad guys don't have the data.

Once you're multiparty that goes away, any other party can definitely betray you and then it's game over, your own integrity doesn't matter.

Historically NOBUS was about having a particular technological lead, that's very fragile and didn't work out long term. If anybody has that lead today it's the Chinese, but realistically nobody has such a lead.

[Kim_Bruning]

The other party doesn't even need to betray you, just have their systems compromised. See also, eg. : Salt Typhoon.

* https://en.wikipedia.org/wiki/2024_global_telecommunications... "The hackers were also able to access wiretapping systems used to conduct court-authorized wiretapping."

[tptacek]

The argument about who the trustworthy "us" is is deeply uninteresting to me. I just care that there's precedent that if you stipulate the existence of such an "us", computer science does allow for NOBUS-y access mechanisms.

[Kim_Bruning]

Interesting. My understanding has always been that there wasn't, at least in practice. But you're so insistent, so maybe I've missed something. Do you have some references? I'll go read!

[nemomarx]

At minimum, bad actors inside the government could always use the access mechanism. What's your concept for preventing other bad actors from getting it though?

[tptacek]

"What if 'us' is bad" is a separable question from "is NOBUS possible".

I'm not advocating for it, I'm just saying the computer science of this matters, and a lot of people have objections to the concept of NOBUS that are more ideological than empirical.

[AnthonyMouse]

I don't think it's a computer science claim to begin with. To my knowledge nobody has ever broken 256-bit AES, but that's not the part of the system that fails. There are two things that prevent it from working in practice:

The first is that "us" would be something like "governments in the US"; but then that's too big of an organization to sustain as free from compromise. There are tens of thousands of judges in the US, well over a million police and military. All it takes is one of them to be corrupt or incompetent or lazy and the bad guys get to use the skeleton keys to everything in the world, which can unlock secrets worth billions or get people killed. And that's assuming they only compromise the authorization system; if they actually gets the keys it's practically armageddon.

And the second is that it's not just one government. If the UK makes Apple and Google build a system to unlock anybody's secrets, is Australia not going to want access? Is China? Let's suppose we're not going to give access to Russia; can the fallible humans operating this system fend off every attack once the FSB has been ordered to secure access by any mean necessary?

It's a system that combines many points of compromise with an overwhelming incentive for everyone from state-level attackers to organized crime to break in and severe consequences when they do.

[Nasrudith]

The logistics are non-trivial. If you have to be nation-state intelligence level of scale then no, you cannot maintain NOBUS level of secrecy because you have too many people involved. That sounds pretty damn empirical to me. The objections to NOBUS aren't ideological, they are moral by the way. They are literally choosing to keep vulnerabilities in place for others to discover under arrogant assumptions that they will be the only ones who will know.

[dragonwriter]

> The objections to NOBUS aren't ideological, they are moral

“ideological” and “moral”, as bases for objection, mean exactly the same thing, though people will often use “ideological” to mean “based in principles of right and wrong that I don’t agree with” and “moral” or “ethical” to mean “based in principles of right and wrong that I agree with”.

[nemomarx]

I think any practical implementation needs to have an "us" that's like "with a valid warrant" or secured on the govt end anyway, right? Otherwise you have to deal with "what if someone in the govt leaks the keys" or "what if someone in the govt is a spy". I consider those outcomes the same as foreign governments getting backdoor access basically.

[Kim_Bruning]

If 100 different governments think "nobody but us have access", between 99 to 101 governments are wrong. O:-)

(I will grant number 101 is the hard one to defend.)

[throw0101c]

> "NOBUS" isn't a fallacy. We can build systems that have access mechanisms that are for all intents and purposes NOBUS.

Have any such system been built?

[commandersaki]

China iCloud? Not sure it is actually a NOBUS or just key escrow mechanism with administrative controls.

[tptacek]

Have the private keys for Dual EC ever been disclosed, or is there any evidence of them having leaked?

[AnthonyMouse]

Sort of:

https://blog.cryptographyengineering.com/2015/12/22/on-junip...

But also, Dual EC was suspected of being backdoored from day one, was slower than existing CSPRNGs, and was therefore avoided like the plague. Whereas the premise is that if you put all the world's secrets behind one set of keys, there doesn't exist a level of defense that can withstand the level of attacks that will attract. Which doesn't apply when it isn't widely used.

On top of that, the attackers would be the likes of foreign intelligence agencies, and then them not getting it and the public not hearing about them getting it are two different things.

[tptacek]

That was a Juniper supply-chain backdoor, not a compromise of the Dual EC keys.

[AnthonyMouse]

Exactly. They built a backdoor that "only they" could get into and then somebody else slipped into it anyway.

The backdoor is a vulnerability even if you don't have the keys because it requires the trappings of third party access. If you try to get something in the shape of a backdoor through code review, you should get knocked back. But if something in the shape of a backdoor is required then a change in who has the keys to the lock is much smaller, more subtle and easier to sneak in.

[immibis]

Why are all of your comments consistently just nonconstructively calling other people wrong?

[ls612]

And then Salt Typhoon happens and suddenly it isn't NOBUS anymore and we are hosed.

[bccdee]

NOBUS is only NOBUS until a spy gets their hands on the escrow master key (or until Donald Trump shares it at a dinner party on a lark, for that matter). If RSA's signing keys can be compromised¹, anything can be compromised.

[1]: "The Full Story of the Stunning RSA Hack Can Finally Be Told," https://www.wired.com/story/the-full-story-of-the-stunning-r...

[tptacek]

I don't understand the latter assertion. What's so special about RSA getting compromised?

[bccdee]

They're a world-class security organization. If a nation-state actor can get access to their most important keys the hard way, then a nation-state actor has a decent shot at compromising any private key on the planet, if they're willing to put enough money into it.

[tptacek]

They were just an enterprise software company. People have weird ideas of what RSA was. They bought the name RSA.

[bccdee]

They're a large, trusted enterprise software company specializing in security. I'm very comfortable using them as a heuristic for the most secure that a regularly-used private key can possibly be.