It is believed to be infeasible to break secure encryption. More precisely, secure encryption algorithms are math problems that are nearly universally believed by mathematicians to be computationally intractable (even with billions of times more resources that the most powerful organizations). It is not the theoretical basis for encryption that is the weakest link. One way that encryption can be broken is through implementation errors that are not part of the mathematical model (e.g. if your computer gets slightly hotter when it is decrypting a 1 as opposed to a 0 bit you could detect that).

But even such implementation errors are insignificant compared to more oblique attacks like social engineering and trojans. Your encryption is only as safe as your keys and the software running on your computer. The most successful attack against encryption is simply to gain access to the victims computer using a trojan or otherwise. This is well within the realm of feasibility of government. And it becomes trivial if they can "convince" a device or operating system manufacturer to provide backdoors for them. If your computer obeys someone else all is lost. A related example is that, although Skype calls are encrypted, Skype will gladly provide means to decrypt those calls to government agencies.

-- ElidedElided - 29 Oct 2009

If I understand Professor Moglen's main points in "So Much for Savages" correctly, he is suggesting that an entirely encrypted internet would present an impossibly large (and costly) problem for the government to decipher, which would therefore render fruitless government attempts at deciphering private communications. I know very little about cryptography, but this makes sense based on the linear relationship between the number of encrypted signals and the cost required to decipher them all. What I don't understand is why the government (or anyone) would need to break the encryption for the whole internet in order to break the encryption for any given piece of encrypted information. For example, if the government wanted to determine the contents of an encrypted email message between me and my wife, couldn't it do so be just breaking my encryption? If so, then even if all of the interent were encrypted wouldn't the government still be able to "listen in" on a conversation between any individual that was for whatever reason suspicious? On the flip side, would complete encryption of the internet really prevent theft of financial transaction information, or would it be possible for the thieves to simply focus their encryption-breaking efforts completely on communications from banks?

-- SethLindner - 29 Oct 2009

<--/commentPlugin-->