Security Stop Press : Microsoft’s RSA Key Policy Change

Microsoft is making a security-focused policy change that will see RSA keys with lengths shorter than 2048 bits deprecated. RSA keys are algorithms used for secure data encryption and decryption in digital communications, i.e. to encrypt data for secure communications over an enterprise network.

However, with RSA encryption keys becoming vulnerable to advancing cryptographic techniques (driven by advancements in compute power) the decision by Microsoft to depreciate them is being seen as a way to stop organisations from using what is now seen as a weaker method of authentication.

Also, the move by Microsoft will help bring the industry in line with recommendations from the internet standards and regulatory bodies who banned the use of 1024-bit keys in 2013 and recommended that RSA keys should have a key length of 2048 bits or longer.

An Apple Byte : Quantum-Proof iMessage Update

Apple says it’s rolling out an update to its iMessage texting platform that can defend against future encryption-breaking technologies such as decryption by quantum computers.

Apple says its PQ3 “groundbreaking post-quantum cryptographic protocol” offers Level 3 security, i.e. it provides protocol protections that surpass those in all other widely deployed messaging apps. Apple says PQ3 (post-quantum cryptography 3) has the strongest security properties of any at-scale messaging protocol in the world and that it has “rebuilt the iMessage cryptographic protocol from the ground up to advance the state of the art in end-to-end encryption”. 

Although Apple acknowledges that quantum computers with the capability to crack classical public key cryptography algorithms don’t exist yet, it says its PQ3 update offers “the strongest protection against quantum attacks” in the future and is “the only widely available messaging service to reach Level 3 security”.

Featured Article : Temporary Climb-Down By UK Government

In an apparent admission of defeat, the UK government has conceded that requiring scanning of platforms like WhatsApp for messages with harmful content, as required in the Online Safety Bill, is not (currently) feasible.

The ‘Spy Clause’ 

Under what’s been dubbed the ‘spy clause’ (Clause 122) in the UK’s Online Safety Bill, the government had stated Ofcom could issue notices to messaging apps like WhatsApp and Signal (which use end-to-end encryption) that would allow the deployment of scanning software. The reason given was to scan for child sex abuse images on the platforms. However, the messaging apps argued that this would effectively destroy the end-to-end encryption, an important privacy feature valued by customers. This led to both WhatsApp and Signal threatening to pull their services out of the UK if the Bill went through with the clause in it.

Also, some privacy groups, like the Open Rights Group, argued that forcing the scanning of private messages on apps amounted to an expansion of mass surveillance.

Climbdown 

However, in a recent statement to the House of Lords junior arts and heritage minister Lord Stephen Parkinson announced that the government would be backing down on the issue. Lord Parkinson said: “When deciding whether to issue a notice, Ofcom will work closely with the service to help identify reasonable, technically feasible solutions to address child sexual exploitation and abuse risk, including drawing on evidence from a skilled persons report. If appropriate technology which meets these requirements does not exist, Ofcom cannot require its use.” 

In other words, the technology that enables scanning of messages without violating encryption doesn’t currently exist and, therefore, under the amended version of the bill, WhatsApp and Signal will not be required to have their messages scanned (until such technology does exist).

This is a significant climbdown for the government which has been pushing for ‘back doors’ and scanning of encrypted apps for many years, particularly since it was revealed that the London Bridge terror attack appeared to have been planned via WhatsApp.

Victory – Signal & WhatsApp 

Writing on ‘X’ (formerly Twitter), Meredith Whittaker, the president of Signal, said the government’s apparent climbdown was “a victory, not a defeat” for the tech companies. She also admitted, however, that it wasn’t a total victory, saying “we would have loved to see this in the text of the law itself.”

Also posting on ‘X,’ Will Cathcart, head of WhatsApp said that WhatsApp “remains vigilant against threats” to its end-to-end encryption service, adding that “scanning everyone’s messages would destroy privacy as we know it. That was as true last year as it is today.” 

Omnishambles 

Following the news of the government’s ‘spy clause’ climbdown, privacy advocates the Open Rights Group’ (ORG) highlighted the fact that on the one hand, the government had conceded that the technology that would have been needed to scan messages didn’t exist, while on the other hand appeared they to say they hadn’t conceded.  Describing the matter as an “omnishambles,” the ORG highlighted how during an appearance on Times radio, Michelle Donelan MP said that, “We haven’t changed the bill at all” and that “further work to develop the technology was needed.” 

What Does This Mean For Your Business? 

For apps like WhatsApp and Signal, this is not only a victory against government pressure but is also good news for business as, presumably, they will continue to operate in the UK market.

This is also good news for many UK businesses that routinely use WhatsApp as part of their business communications and won’t need to worry (for the time being) about having their commercially (and personally) sensitive messages scanned, thereby posing a risk to privacy and security, and perhaps increasing the risk of hacks and data breaches. It appears that the UK government has been forced to admit the technology does not yet exist that can scan messages on end-to-end encrypted services and maintain the integrity of that end-to-end encryption at the same time. It also appears that it may realistically take quite some time (years) before this technology exists, thereby making the victory all the sweeter for the encrypted apps.

The government’s climbdown on ‘clause 122’ (the ‘spy clause’), is also being celebrated by the many privacy groups that have long argued against it on the grounds of it enabling mass surveillance.

Tech-Trivia : Did You Know? This Week in History …

Consider all the atoms in 10 million galaxies …

At midnight on June 18th, 1997, the DESCHALL Project bore fruit. The challenge had been to use ‘Brute Force’ to discover the meaning of a message which had been encrypted. Going through up to seven billion possibilities per second, the key was cracked after 96 days by thousands of computers running simultaneously. The message was revealed to be “Strong cryptography makes the world a safer place”.

Back then, the specialist software used to brute-force the ‘key’ was designed for use on Pentium 200MHz computers which of course are now very outmoded by chips running faster by orders of magnitude. This forced The National Institute of Standards and Technology to initiate what would morph into the formidable Advanced Encryption Standard (AES). Today, AES 256-bit encryption stands as a standard in the encryption landscape.
One might be forgiven for thinking that this 256-bit encryption is unhackable. After all, the largest number expressed by 256 bits is of the order of magnitude of the number of atoms contained in 10 million galaxies. Give or take a few atoms.

Yet even these mind-boggling large numbers used in current 256-bit encryption standards can’t withstand the onslaught of quantum computing, when it’s fully realised. This means novel methods of post-quantum encryption to secure information must be innovated and this will represent both opportunities and threats for businesses, as is always the case with any kind of disruption.