This requirement came across my desk recently as part of an RFP from a government agency that will remain nameless.
4.20 Data Decryption
The agency may request the service of decrypting of source materials for which the decryption algorithm and/or decryption keys are unknown. The Offeror must provide a list of decryption protocols for which they can offer this service and any other restrictions their tools or methods create (e.g., AES256 decryption).
To provide some context, this wasn’t part of a military or intelligence effort to snoop on foreign governments, or a white-hat project to validate the security of encryption protocols. No, this was an administrative agency that had collected a bunch of documents from its employees, and possibly from other agencies/companies, and needed to import them into a content management system.
The implicit assumption is that there is an industry standard tool that can decrypt an arbitrary file and do it quickly enough to run it against an arbitrary number of files in a reasonable amount of time at a reasonable cost per document. They just need a company to run that tool as part of an import workflow.
I’m by no means a cryptography expert, but even assuming I had absolutely no knowledge of security or computers beyond the definition of encryption, I think I could detect the major problems with this request.
Translating out the techno-geekery makes the paradox quite apparent.
Translation: We have used technology to secure our files so that no outside person can unlock and read them without our secret key. We are looking for an outside person to unlock and read these files for us without the key.
Mr. Obvious says: If you really believe this capability is readily available and can be done cheaply, why do you bother encrypting files in the first place?
Mr. Paranoid says: Is the RFP a pernicious plot to lure black-hat hackers into the open so they can be escorted to Guantanamo promptly by a guy in an overcoat?
Mr. Sarcastic says: If a black-hat hacker had this technology, wouldn’t he/she be better off using it to hack into the bank and just take the Government’s money rather than bidding on a contract?