Security gurus deliver coup de grace to US govt's encryption backdoor demands

Diffie, Rivest, Schneier, and Anderson school FBI

With congressional hearings due on Wednesday to discuss US government plans to force tech companies to install backdoors in their encryption systems, some of the leading minds in the security world have published a paper on how, and if, such a system would work.

The authors of the 34-page paper [PDF] read like a who's who of computer security: they are Whitfield Diffie (who along with Martin Hellman invented public key encryption); crypto guru Bruce Schneier; Ronald Rivest (the R in RSA); Matt Blaze, the killer of the Clipper Chip; Professor Ross Anderson from Cambridge University; and 11 other senior figures in the field.

The writers examine attempts in the early 1990s to allow the Feds access to encrypted communications, referring back to the infamous Clipper chip proposed by Bill Clinton's administration. Clipper, developed by the NSA, would have allowed the government to unlock encrypted messages, but was shown to be both easily broken and counterproductive.

Back then the internet was in its infancy and encryption was used sparingly. Nowadays the entire e-commerce system relies on encryption, as does much of the mobile telephony industry and corporate systems. Introducing flaws would cause more harm than good, they argue, and would cripple US businesses, since who wants to buy technology with a back door?

The paper also points out that there are massive technical challenges in instituting an encryption key escrow service, such as the one suggested by the director of the FBI, James Comey. Such a system would lock the industry into a specific crypto system and poses a major question – who holds the master decryption key?

Any body, public or private, holding such keys would be an instant target for hacking attacks, the authors point out. As we've seen with cases like the Office of Personnel hack, the White House hack, and various successful hacks against US military targets, there are no government servers where such powerful tools would be safe and yet speedily accessible to law enforcement.

Private companies would be equally vulnerable. Hackers have already cracked RSA's servers to steal its keys, and Apple and Google would be similarly targeted if they held the encryption keys to iOS or Android mobile phones.

Even if such a system could be implemented safely, this wouldn’t stop criminal actors, who could simply buy their technology overseas or from non-compliant companies and countries. The only alternative is to insist on such a system globally, which would mean repressive regimes would need to have their own demands met for master encryption keys.

Another central concern raised in the paper is who would oversee all of this and make sure it was not abused, either by governments or corrupt employees, and how the technology would be checked. The most common mechanism for checking encryption systems is public disclosure so that they can be picked apart, but even that has flaws.

Damaging America's reputation abroad

They cite the Needham Schroeder public-key protocol, first published in 1978. It wasn't until 1995 that an enterprising security researcher named Gavin Lowe discovered that a flaw in the protocol would allow a man-in-the-middle attack to take place.

Finally, the team points out that even if the technology, engineering, and security problems behind such a scheme could be overcome, the resulting system would cripple the image of America in the eyes of the rest of the world, and drastically reduce the nation's soft power – its influence as a bastion of freedom and democracy.

This reputation is already under threat from, among other things, the ongoing revelations from Edward Snowden and others about the shenanigans that the NSA has been committing at home and abroad. America's reputation needs to be repaired, and this system is only going to make the job harder, they argue.

"This report's analysis of law enforcement demands for exceptional access to private communications and data shows that such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend," the authors conclude.

"The costs would be substantial, the damage to innovation severe, and the consequences to economic growth difficult to predict. The costs to developed countries' soft power and to our moral authority would also be considerable. Policy-makers need to be clear-eyed in evaluating the likely costs and benefits."

The paper is worth reading in its entirety, and it's to be hoped that some of the proponents of the government-mandated encryption scheme read and inwardly digest the case – in particular the FBI director James Comey.

On Monday Comey, who will be testifying at Wednesday's hearings in Congress, wrote a blog post once again touting his plan for encryption that's breakable by law enforcement. In it he states that such a plan is essential because "bad people" use encryption, and says it's up to Silicon Valley to come up with a workable system to help law enforcement catch them.

"I really am not a maniac (or at least my family says so)," he wrote. "But my job is to try to keep people safe. In universal strong encryption, I see something that is with us already and growing every day that will inexorably affect my ability to do that job." ®
