技術權威稱與政府共享加密數據危害巨大
SAN FRANCISCO — An elite group of security technologists has concluded that the American and British governments cannot demand special access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.
舊金山——一個由頂尖安全技術專家組成的團隊得出結論,向美國和英國政府提供獲取加密通訊的特殊手段,勢必會令全球最祕密的數據和至關重要的基礎設施陷入危險境地。A new paper from the group, made up of 14 of the world’s pre-eminent cryptographers and computer scientists, is a formidable salvo in a skirmish between intelligence and law enforcement leaders, and technologists and privacy advocates. After Edward J. Snowden’s revelations — with security breaches and awareness of nation-state surveillance at a record high and data moving online at breakneck speeds — encryption has emerged as a major issue in the debate over privacy rights.
在情報和執法部門領導人與技術和隱私倡導人士的交鋒中,由全球14位知名密碼學和計算機科學家組成的團隊發佈的這篇論文,形成了一次排山倒海的攻勢。在愛德華·J·斯諾登(Edward J. Snowden)披露後,隨着網絡入侵事件頻發、對政府監控的戒備意識空前強烈,以及數據在網絡間的高速傳輸,加密已經成爲隱私權爭論的一個焦點話題。That has put Silicon Valley at the center of a tug of war. Technology companies including Apple, Microsoft and Google have been moving to encrypt more of their corporate and customer data after learning that the National Security Agency and its counterparts were siphoning off digital communications and hacking into corporate data centers.
這就讓硅谷成爲了這場拉鋸戰的中心。得知美國國家安全局(National Security Agency)及他國情報機構在竊聽數碼通訊,並侵入企業數據中心後,包括蘋果、微軟和谷歌在內的科技公司已經開始增加對企業和客戶數據的加密。
Yet law enforcement and intelligence agency leaders argue that such efforts thwart their ability to monitor kidnappers, terrorists and other adversaries. In Britain, Prime Minister David Cameron threatened to ban encrypted messages altogether. In the United States, Michael S. Rogers, the director of the N.S.A., proposed that technology companies be required to create a digital key to unlock encrypted data, but to divide the key into pieces and secure it so that no one person or government agency could use it alone.
然而,執法和情報部門領導人認爲,這樣的措施會影響他們監控綁架犯、恐怖分子及其他敵人的能力。英國首相戴維·卡梅倫(David Cameron)威脅要全面禁止訊息加密。而在美國,國家安全局局長邁克爾·S·羅傑斯(Michael S. Rogers)提議,科技公司應該製作一種用於解除加密數據鎖定的數碼密鑰,但是可以把密鑰分成多份,分別妥善保存,這樣沒有任何個人或單一的政府機構可以獨自加以使用。The encryption debate has left both sides bitterly divided and in fighting mode. The group of cryptographers deliberately issued its report a day before James B. Comey Jr., the director of the Federal Bureau of Investigation, and Sally Quillian Yates, the deputy attorney general at the Justice Department, are scheduled to testify before the Senate Judiciary Committee on the concerns that they and other government agencies have that encryption technologies will prevent them from effectively doing their jobs.
這場關於加密的爭論使雙方產生了巨大分歧並處於對戰狀態。按計劃,聯邦調查局(FBI)局長小詹姆斯·B·科米(James B. Comey Jr.)和司法部副部長莎莉·奎利安·耶茨(Sally Quillian Yates)即將出席參議院司法委員會(Senate Judiciary Committee)的聽證會,就以下議題發言:如果他們和其他政府機構使用這種加密技術,就無法有效地完成工作。這些密碼專家故意選擇在此次聽證會的前一天發佈了自己的報告。The new paper is the first in-depth technical analysis of government proposals by leading cryptographers and security thinkers, including Whitfield Diffie, a pioneer of public key cryptography, and Ronald L. Rivest, the “R” in the widely used RSA public cryptography algorithm. In the report, the group said any effort to give the government “exceptional access” to encrypted communications was technically unfeasible and would leave confidential data and critical infrastructure like banks and the power grid at risk.
這份新報告,是公共密鑰密碼學先驅惠特菲爾德·迪菲(Whitfield Diffie)和羅納德·L·瑞威斯特(Ronald L. Rivest)等著名密碼專家和考慮安全事宜的人士對政府提議的首次深度技術分析。廣泛使用的RSA公共加密算法裏的“R”就取自瑞威斯特姓氏的首字母。這些專家在報告中表示,任何賦予政府獲得加密通訊信息等“特殊權限”的做法,從技術層面而言都不具有可行性,而且會使機密數據及銀行和電網等基礎設施暴露在風險之下。Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm — most recently at the United States Office of Personnel Management, the State Department and the White House — the security specialists said authorities could not be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, China and other governments in foreign markets would be spurred to do the same.
把獲取加密通訊信息的密鑰交給政府,需要非同尋常的信任。鑑於政府機構目前頻頻泄密——最近的泄密事件發生在美國人事管理辦公室(United States Office of Personnel Management)、國務院和白宮——這些安全專家表示,他們無法信任當局能保證這些密鑰不被黑客和罪犯竊取。他們還表示,如果美國和英國強行要求持有通訊信息的後門密鑰,那麼也會刺激海外市場上的中國等國家的政府採取同樣的舉動。“Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,” the report said. “The costs would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the developed countries’ soft power and to our moral authority would also be considerable.”
“這種權限將對犯罪分子和不懷好意的國家敞開大門,使他們能夠攻擊執法部門試圖保護的那些個人,”報告稱。“代價將會很大,創新將受到嚴重打擊,對經濟增長的影響也將難以預料。發達國家的軟實力和我們的道德權威也將受到重大影響。”A spokesman for the F.B.I. declined to comment ahead of Mr. Comey’s appearance before the Senate Judiciary Committee hearings on Wednesday. Mr. Comey recently told CNN, “Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption.”
FBI的一個發言人拒絕在科米週三出席參議院司法委員會的聽證會前發表評論。科米最近告訴CNN,“我們的工作就是在整個國家的這片大海中撈針,因爲端到端的加密,這些針現在越來越難找了。”A Justice Department official, who spoke on the condition of anonymity before the hearing, said that the agency supported strong encryption, but that certain uses of the technology — notably end-to-end encryption that forces law enforcement to go directly to the target rather than to technology companies for passwords and communications — interfered with the government’s wiretap authority and created public safety risks.
司法部的一名官員在聽證會前匿名錶示,司法部支持強有力的加密,但是這種技術的某些使用——尤其是端到端的加密——會影響政府的監聽權限,從而帶來公共安全隱患,因爲它會迫使執法部門直接去找目標,而不是去找技術公司索要密碼和通訊信息。Paul Kocher, the president of the Rambus Cryptography Research Division, who did not write the paper, said it shifted the debate over encryption from how much power intelligence agencies should have to the technological underpinnings of gaining special access to encrypted communications.
蘭巴斯密碼研究公司(Rambus Cryptography Research Division)總裁保羅·科克(Paul Kocher)並沒有參與這篇論文的撰寫。他表示,論文把針對加密的爭論對象,從情報機構究竟應該擁有多大權限,變成了獲取加密通訊信息的特殊權限的技術基礎。The paper “details multiple technological reasons why mandatory government back doors are technically unworkable, and how encryption regulations would be disastrous for computer security,” Mr. Kocher said. “This report ought to put to rest any technical questions about ‘Would this work?’ ”
論文“提供了多個技術原因,詳細解釋了爲何強制性的政府後門在技術上行不通,以及加密法規爲何會給計算機安全帶來災難性的影響,”科克說。“這篇報告應該會終止一切關於‘這樣是否可行’的技術問題。”The group behind the report has previously fought proposals for encryption access. In 1997, it analyzed the technical risks and shortcomings of a proposal in the Clinton administration called the Clipper chip. Clipper would have poked a hole in cryptographic systems by requiring technology manufacturers to include a small hardware chip in their products that would have ensured that the government would always be able to unlock scrambled communications.
撰寫報告的這些人此前也曾反對過關於獲得加密權限的提議。1997年,他們分析了克林頓政府一個被稱作“曲別針芯片”(Clipper Chip)的提議項目的技術風險和缺點。曲別針項目會通過要求科技產品製造商在產品中加入一個小型芯片硬件,在加密系統裏形成一個漏洞,以此保證政府總能解密複雜的通訊信息。The government abandoned the effort after an analysis by the group showed it would have been technically unworkable. The final blow was the discovery by Matt Blaze, then a 32-year-old computer scientist at AT&T Bell Laboratories and one of the authors of the new paper, of a flaw in the system that would have allowed anyone with technical expertise to gain access to the key to Clipper-encrypted communications.
在該團隊的分析表明曲別針項目在技術上行不通後,政府放棄了這一提議。馬特·布拉茲(Matt Blaze)的發現對該提議形成了最後一擊。他當時32歲,是AT&T貝爾實驗室(AT&T Bell Laboratories)的一名計算機科學家,他也是這篇新論文的作者之一。他發現,系統裏存在一個漏洞,任何擁有專業技術技能的人,都能獲得曲別針加密通訊信息的密鑰。Now the group has convened again for the first time since 1997. “The decisions for policy makers are going to shape the future of the global Internet and we want to make sure they get the technology analysis right,” said Daniel J. Weitzner, head of the MIT Cybersecurity and Internet Policy Research Initiative and a former deputy chief technology officer at the White House, who coordinated the latest report.
現在,該團隊召開了自1997年來的第一次會議。“政策制定者的決定將改變全球網絡的未來,我們希望確保他們搞懂了相關技術分析,”麻省理工學院網絡安全與網絡政策研究行動(MIT Cybersecurity and Internet Policy Research Initiative)負責人、前白宮副首席技術官丹尼爾· J ·魏茨納(Daniel J. Weitzner)說。魏茨納負責協調整理了這份最新的報告。“The government’s proposals for exceptional access are wrong in principle and unworkable in practice,” said Ross Anderson, a professor of security engineering at the University of Cambridge and the paper’s sole author in Britain. “That is the message we are going to be hammering home again and again over the next few months as we oppose these proposals in your country and in ours.”
“政府有關特殊權限的提議存在原則性錯誤,而且也不可行,” 劍橋大學(University of Cambridge)安全工程教授、該報告唯一的英國作者羅斯·安德森(Ross Anderson)說。“我們未來幾個月將會反覆傳達這一信息,因爲我們反對在你們和我們的國家實施這些提議。”
