Crypto backdoors are in the news again, and as bad for privacy as ever

Posted on May 9, 2018 by Glyn Moody

VPNs are an indispensable part of online life, and they protect many aspects of privacy. But there’s a class of threats that VPNs can’t defend against: crypto backdoors, which allow even the strongest encryption to be bypassed. That’s why it’s important for everyone who cares about their privacy and security to be aware of any attempts to introduce backdoors, something Privacy News Online has written about many times. Unfortunately, the idea is still very much alive and of interest to the authorities, as two recent news stories show.

The first concerns a long-running saga at the International Organization for Standardization (ISO). The US National Security Agency (NSA) has been trying to have two encryption techniques, known as “Simon” and “Speck”, adopted as ISO standards for use with the Internet of Things (IoT). Since the number of IoT devices is expected to run to many billions, the choice of encryption method is a crucial matter with far-reaching consequences. Approved techniques will be used in a wide range of new products such as heating control systems, refrigerators, lighting, smart speakers and wearable devices. These would mostly be connected to the Internet, so backdoors in the encryption protocols would allow any of those devices to be monitored and possibly controlled by external agencies – like the NSA.

The importance of the choice for IoT encryption has made international cryptography experts examining the NSA proposals cautious. They are mindful of the fact that the NSA has a long history of trying to insert backdoors into cryptographic protocols, a practice confirmed by files provided by Edward Snowden in 2013. One of them revealed details of a $300 million program with a stated aim to “insert vulnerabilities into commercial encryption systems”. According to a Reuters report from last year about the ISO discussions, “opponents cited the lack of peer-reviewed publication by the creators, the absence of industry adoption or a clear need for the new ciphers, and the partial success of academics in showing their weaknesses.” The NSA tried to allay those concerns by dropping all but the two most powerful versions of the standards, since these were the hardest to break.

However, a post on the WikiTribune site reveals that even these stronger versions have now been rejected by the ISO group of experts at a meeting in Wuhan, China. The problem remains the NSA’s failure to provide adequate technical information about its encryption techniques:

According to WikiTribune’s source, experts in the delegations have clashed over recent weeks and the NSA has not provided the technical detail on the algorithms that is usual for these processes. The U.S. delegation’s refusal to provide a “convincing design rationale is a main concern for many countries,” the source said.

Another WikiTribune article quotes one of the leading opponents of the NSA proposals, Dr. Tomer Ashur of KU Leuven University in Belgium:

“Many crypto experts both within and outside ISO had concerns about the security of the algorithms,” said Ashur. “The NSA tried to remain as obscure as it could about certain design decisions and parameter choices they have made. As this is out of line with what is perceived as best practices of cipher design, this alarmed some of the delegates, including myself.”

Delegates were probably alarmed because obscurity is precisely what the NSA would use to hide the presence of a backdoor in the algorithm. Moreover, in a short thread on Twitter, Ashur said the NSA tried to “bully their way into the standards”, called the NSA’s behavior “outrageously adversarial”, and claimed it had personally attacked some of the experts as “incompetent”. If corroborated, those actions would seem to confirm that the NSA was really keen to have its proposals approved, but unable to achieve that by following the usual rules for defining cryptographic standards.

The programmer and entrepreneur Ray Ozzie, best known for creating Lotus Notes, has also been thinking about backdoors. He claims to have come up with a way of reconciling the desire of law enforcement agencies to have access to encrypted systems like mobile phones, with the need to preserve people’s privacy and security.

Some details can be found in an article in Wired, but the basic idea is that a PIN code able to unlock a protected phone is encrypted using the public key of the manufacturer. If the authorities wish to unlock a phone they are investigating, they obtain a warrant, power up the phone and send a picture of the displayed QR code containing an encrypted PIN to the manufacturer. The latter uses its private encryption key to unlock the information in the QR code and then send the PIN to the authorities to give them full control of the phone. To avoid the risk that the police might then tamper with the contents of the phone, a special chip inside the phone blows itself up, and freezes the current state of the device.

However plausible Ozzie’s “safe” backdoor scheme might sound, other security experts soon weighed in on its deficiencies. Although slightly more complex, the approach is similar to previous “key escrow” ideas: that there is a kind of “golden key“, stored separately, that can unlock encrypted devices. The problem is keeping that golden key safe while still being able to use it all the time. For example, as Robert Graham writes in a long blog post examining the flaws in Ozzie’s idea:

He’s only solving the part we already know how to solve. He’s deliberately ignoring the stuff we don’t know how to solve. We know how to make backdoors, we just don’t know how to secure them.

Yes, Apple has a vault where they’ve successfully protected important keys. No, it doesn’t mean this vault scales. The more people and the more often you have to touch the vault, the less secure it becomes. We are talking thousands of requests per day from 100,000 different law enforcement agencies around the world. We are unlikely to protect this against incompetence and mistakes. We are definitely unable to secure this against deliberate attack.

The same point is made by another security expert, Matthew Green, who points out a further issue. That special self-destructing chip, which forms an important ancillary element of Ozzie’s “solution”, doesn’t exist:

The richest and most sophisticated phone manufacturer in the entire world [Apple] tried to build a processor that achieved goals similar to those Ozzie requires. And as of April 2018, after five years of trying, they have been unable to achieve this goal – a goal that is critical to the security of the Ozzie proposal as I understand it.

The fact that Ozzie’s proposal won’t resolve the tension between a desire to give the authorities lawful access to encrypted phones, and the need to preserve the privacy and security of everyone, should hardly come as a surprise. If there were a solution to this knotty problem, it would probably have been found by now, given the decades of work seeking one, and the high stakes involved.

What is troubling, though, is that Ozzie’s reputation as one of the foremost engineers of recent years will allow some to claim that the backdoor puzzle has now been “solved” – because Ray Ozzie says it has. That’s definitely not the case, as the two critiques mentioned above, and others elsewhere, make plain. But politicians won’t worry about such technical niceties when it comes to calling for laws that mandate these “safe” backdoors in devices. That’s why it’s important that everyone who cares about their privacy and security should be ready to push back against attempts to turn a flawed idea into a flawed reality.

Featured image by Alexas_Fotos.

VPN Service