Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/9/2015
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

3 Reasons Why Giving Government A Backdoor Is A Bad Idea

Exceptional access of the kind being demanded by the FBI and others is unworkable and impractical, security researchers say

Any attempt by government to weaken encryption technology so as to enable easier law enforcement access to cryptographically protected content would seriously weaken Internet security, a group of noted cryptographers and security researchers warned in a new report this week.

The report, from the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Lab, incorporates the views of more than a dozen top security researchers, including noted cryptologists like Bruce Schneier, Whitfield Diffie, and Ronald Rivest.

It expresses alarm over growing efforts by the FBI and other U.S. law enforcement agencies to get data and communication services companies to engineer backdoors in their systems so law enforcement can have access to encrypted data when needed.

Government officials have claimed they need such access in order to be able to pursue criminals conducting transactions online under the cover of encryption and anonymizing services like Tor. In testimony before Congress only earlier this week, FBI director James Comey warned about the “ongoing” and “significant” impact that such technologies were having on the government’s ability to track, pursue, and prosecute criminals.

But according to the researcher, enabling “exceptional access” to systems of the sort being demanded by the government will have devastating security consequences for the rest of the Internet. “These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

Here, according to the security researchers are three reasons why:

 

Abandoning Best Pratices

The first reason is that providing exceptional access means abandoning many of the best practices that have been deployed or are being deployed to make the Internet safer. As one example, the researchers pointed to technologies like perfect forward secrecy, a practice where decryption keys are destroyed immediately upon use, so as not to compromise the integrity of data that was encrypted earlier or later. “A related technique, authenticated encryption, uses the same temporary key to guarantee confidentiality and to verify that the message has not been forged or tampered with.”

In order to enable the kind of backdoor access the government is seeking, it would require industry to abandon such best practices, the group said.

 

Increased System Complexity

Implementing an exceptional access requirement would also greatly increase system complexity, the report noted. New technology would need to be developed, deployed, and tested with potentially hundreds of thousands of developers around the world. Because the typical use of such technologies would be surreptitious in nature, security testing would become far more difficult and less effective as well.

“This is a far more complex environment than the electronic surveillance now deployed in telecommunications and Internet access services,” the researchers said.

 

Concentrated Targets

Exceptional access would also require platform providers, law enforcement agencies, or some other trusted third party to hold the credentials needed to unlock encrypted data. Because law enforcement would need rapid access to data it would be impractical to split the keys or store them offline as best practices would typically dictate. They pointed to the recent breach at the U.S. Office of Personnel Management as one example of what can happen when a single organization is entrusted with a lot of data.

Enabling exceptional access would create a similar set of concentrated targets for bad actors to go after, the security researchers said.  “If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege.”

Richard Blech, CEO of Secure Channels, said the government finds itself between a rock and a hard place on the encryption issue.

“You cannot have a backdoor that only the 'good guys' can use; it will be exploited by the bad guys,” he said in an email statement. “Unfortunately, sensitive data is vulnerable if the agencies are left a backdoor.” As a result, due process may continue to be the only way forward, he said. “If there are concerns, go to court and get a warrant.”

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/16/2015 | 3:59:38 PM
Re: Morals too
Good point with the webcam. It is more like periscope or meerkat for the end users point of view where users do not know who is actually watching.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/16/2015 | 3:50:33 PM
Re: Morals too
Agree, but when you provide a back door you are actually breaching checks and balances.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/16/2015 | 3:48:59 PM
Re: Morals too
Government would most likely want the backdoor under any circumstance, they just need to be held responsible when somebody finds out that backdoor. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/16/2015 | 3:46:47 PM
Simple and clear
This is just a simple concept backdoor is a backdoor, it does not matter who has access to it, when you have it, that is a vulnerability.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/10/2015 | 10:59:10 AM
Re: Morals too
Who's watching the watchmen? There are no checks and balances with this system. This also represents as you point out a single point of failure. If government does get a backdoor maybe a private entity should be setup as well to backdoor into government. May not be so eager to see this through if that were the case.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
7/10/2015 | 7:41:01 AM
Morals too
Some great points here, especially about the keys being stolen. It will happen and chances are we wouldn't hear about it.

However it's also worth mentioning that it's morally wrong to give the governmment a back door to encryption. As it stands, we're at least in a bit of a face off with intelligence agencies where most people don't want their communications recorded and readable by government agents. If we gave them a backdoor, it would be the same as welcoming them to put cameras in our homes. 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...