Thursday, 24 January 2008

Decryption Key Decision

The US Federal Government decision to appeal the Vermont “Decryption Key Decision” of Judge Niedermeier (January 16, 2008) really hinges on two issues, the key and the passphrase. PGP drive encryption is protected using a private key and a passphrase protects the key. These are both issues that are analogous to existing case law.

The issues come from the courts prior decision that by unlocking the combination lock of a suitcase a defendant consented to a search [United States v. Cox, 762 F. Supp. 145 (E.D. Tex. 1991)]. In the initial search, the Canadian man handed investigators the system unlocked. This in effect mitigated his US 4th Amendment protections. Further, the Supreme Court explicitly stated that their opinion does not apply to private papers, leaving open the question of whether a person could be bound to turn over a journal or diary if there were mere evidence of a crime [425 U.S. 391 (1976) at 414.] and this could be extended to the PC.

At this point the need to do forensic captures on live systems and use memory forensics to find previously entered passphrases is amply demonstrated.

The issue in dispute comes from Doe v. United States [487 U.S. 201 (1988)]. The court determined the issue of a comparison between being compelled to surrender a key to a strongbox containing incriminating documents and being compelled to reveal the combination to a wall safe. It was decided that forcing the combination to the wall safe would be a testimonial act, surrendering the key to a strongbox would not be a testimonial act. As such, the US government can force the surrender of a key, but not the surrender of a combination.

To align this with the current case we can see the private PGP key as being functionally equivalent to the strongbox and the PGP passphrase to be analogous to the wall safe combination. What this in effect means is that the US government investigators have the right to the PGP Private Key but no to the passphrase that protects the key. If the PGP Passphrase is strong, it will resist efforts to crack it. If it is a simple password, the key MAY be enough.

It was stated in Doe v. United States that “A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed.” [487 U.S. 201 (1988) at 210 n.9].

The problems in the case have come from the interchanging use of password and key by the attorneys. The US Government has the right to the private key without the password (or passphrase) but has no right to force the passphrase to the key. A further key point highlighted by this case is the need to train lawyers in the correct use of technical terms.

No comments: