Wanted: Universal Key to Open Our Front Door

This requirement came across my desk recently as part of an RFP from a government agency that will remain nameless.

4.20 Data Decryption

The agency may request the service of decrypting of source materials for which the decryption algorithm and/or decryption keys are unknown.  The Offeror must provide a list of decryption protocols for which they can offer this service and any other restrictions their tools or methods create (e.g., AES256 decryption).

To provide some context, this wasn’t part of a military or intelligence effort to snoop on foreign governments or a white-hat project to validate the security of encryption protocols. No, this was an administrative agency that had collected a bunch of documents from its employees and possibly from other agencies/companies and needed to import them into a content management system.

The implicit assumption is that there is an industry standard tool that can decrypt an arbitrary file and do it quickly enough to run it against an arbitrary number of files in a reasonable amount of time at a reasonable cost per document. They just need a company to run that tool as part of an import workflow.

I’m by no means a cryptography expert, but even assuming I had absolutely no knowledge of security or computers beyond the definition of encryption, I think I could detect the major problems with this request.

Translating out the techno-geekery makes the paradox quite apparent.

Translation: We have used technology to secure our files so that no outside person can unlock and read them without our secret key. We are looking for an outside person to unlock and read these files for us without the key.

Mr. Obvious says: If you really believe this capability is readily available and can be done cheaply, why do you bother encrypting files in the first place?

Mr. Paranoid says: Is the RFP a pernicious plot to lure black-hat hackers into the open so they can be escorted to Guantanamo promptly by a guy in an overcoat?

Mr. Sarcastic says: If a black-hat hacker had this technology, wouldn’t he/she be better off using it to hack into the bank and just take the Government’s money rather than bidding on a contract?

One Response

  1. This is exactly why, despite working in and around Washington, DC for over a decade, I avoid government contracts like the plague.

    If you speak with someone who’s experienced the “Catch-22” style lunacy of such “security” first-hand, I’m sure you would hear even more ridiculous stories.

    We had one non-government client that had me deliver an unencrypted CD by hand (fortunately a short walk from my apartment), because he didn’t trust that email was secure enough. What was the top-secret cannot-be-compromised data on that CD? Resumes.
