Posted by Taylor Armerding on March 7, 2019
Selective encryption backdoors don’t work; the laws of mathematics don’t know or care who you are. But the concept was still under intense debate at RSA 2019.
The war on, and about, encryption, with law enforcement and intelligence agencies on one side and privacy advocates on the other, is very much alive. A couple of Tuesday morning sessions at the RSA Conference in San Francisco offered plenty of proof of that.
But perhaps the most interesting claim about that war came from FBI Director Christopher Wray, who said in a keynote interview with Lawfare executive editor Susan Hennessey that he has been hearing from some in the private sector that there is a “solution” in the works that could end the war.
That message wasn’t coming from anybody else on the stage that morning, however—at least not publicly.
An earlier keynote called The Cryptographer’s Panel began with a discussion of the Assistance and Access Act, the law passed by Australia’s parliament in December that gives that nation’s intelligence and law enforcement agencies the power to demand access to the end-to-end encrypted digital communications of criminal suspects—unencrypted.
That, in a word, is a backdoor. The government’s argument is that this access will apply only to the communications of individuals for whom a court order has been issued.
As Wired put it after the law passed, “Intelligence and law enforcement seem to want tech companies to be able to silently loop government officials into a suspect’s encrypted communications.
“For example, an iMessage conversation that you think is just between you and your friend might actually be a group chat that includes an investigator who was invisibly added. The messages would all still be end-to-end encrypted, just between the three of you, instead of the two of you.”
But expert cryptographers have been saying for years that it doesn’t work that way—that it is mathematically impossible for a weakness in encryption to be selective. If there is a backdoor created for Suspect A’s communications, it will eventually become accessible to anybody and everybody, including other criminals and terrorists.
And given that the internet is no more governed by national borders than is sunlight, clouds, rain, or air, a backdoor into encrypted communications on Google, Facebook, Apple, Instagram, or any other platform won’t apply just to Australia—it will be global.
Which came under unanimous condemnation from those on the panel. As Whitfield Diffie, a cryptographer and security expert at Cryptomathic, sardonically put it, if government thinks it can protect victims of crime by repealing the laws of mathematics, then it ought to legislate the repeal of the laws of chemistry and physics as well.
“That way they could protect us from nukes and global warming,” he said, adding that while it may be “easy to disrupt use of cryptography by large organizations, it’s not clear that those rules will have the same effect on terrorists.”
“It’s not going to be productive,” he said. “I would like to see issues of personal privacy taken out of the hands of legislators.”
The Australian law was the first ever passed by a Western country to require government access to encrypted data. And given that Australia is a member of the Five Eyes intelligence alliance along with the U.S., American intelligence and law enforcement officials are watching the post-legislative proceedings with great interest.
Wray, during his interview with Hennessey, kept his rhetoric low-key, but repeated the mantra that he, his predecessor James Comey and top law enforcement officials like U.S. Deputy Attorney General Rod Rosenstein have been using for years—that “responsible encryption” has to include a way for government to defeat it with the approval of the courts.
“Technology is a force multiplier for the bad guys as well as the good guys,” he said. “There is not a week goes by that I don’t encounter some insurmountable problem of people hiding with encryption platforms or devices.
“I’m well aware that it’s a contentious issue, and I don’t want to go to war with anybody,” he said. “But I get upset when I’m told we’re trying to weaken encryption and create backdoors. It [unbreakable encryption] is a problem that is getting worse all the time.”
“We’re duty-bound to protect the American people,” he said. “We have to find a way to deal with it. There can’t be unfettered space that is beyond lawful access.”
What to do? Wray said he’d like to see those on both sides of the divide—from the private and public sectors—come together to seek solutions.
And he said he is seeing signs that will happen. “I’m hearing increasingly that there are solutions,” he said, adding that he is “eager to hear more.”
Bruce Schneier, CTO of IBM Resilient Systems and an encryption expert, has said many times that it is absurd to think that encryption can “work well unless there is a certain piece of paper (a warrant) sitting nearby, in which case it should not work.”
“Mathematically, of course, this is ridiculous,” he said. “You don’t get an option where the FBI can break encryption but organized crime can’t. It’s not available technologically.”
And Schneier said that hasn’t changed. Asked this week if he was aware of the “solutions” to the conflict that Wray suggested could be in the works, Schneier said, “No, of course not. He’s imagining things.”
Indeed, if governments do obtain a secret encryption key, the chances it will stay secret are practically nil. The U.S. government’s record of securing its own crucial data is demonstrably spotty. The dumps by WikiLeaks of hacking tools held by the CIA and NSA (and not shared with the private sector) and the catastrophic hack of the federal Office of Personnel Management (OPM) several years ago that exposed the personal information of about 22 million current and former federal employees are evidence of that.
Get the latest AppSec news and trends sent directly to you.