US government calls for “responsible” – as in breakable – encryption

Created: 12 October 2017

It may seem unlikely – or even impossible – but there is agreement between the former Obama administration and the Trump administration on at least one thing: Neither likes unbreakable encryption.

Deputy Attorney General Rod Rosenstein gave a couple of speeches in recent weeks focusing on encryption – one at a cybersecurity conference in Boston and another at the Naval Academy – that sounded almost like they could have come from former FBI director James Comey. Ironically enough, it was Rosenstein who signed off on President Trump’s decision to fire Comey last April.

But their philosophical arguments on this are essentially the same – strong encryption jeopardizes the lives and safety of Americans because it prevents law enforcement from gathering evidence, even when they have a warrant in hand.

The FBI famously took Apple to court last year over its inability to access an iPhone belonging to one of the San Bernardino terrorists. That conflict never got settled – it was dropped after the agency hired a vendor that was able to break the access code.

But this past March, at a conference in Boston, Comey argued that strong encryption was allowing major swaths of the criminal and terrorist underworld to “go dark.”

There has always been a corner of the room that was dark – that was where sophisticated actors like nation states operated… (but now) more and more of the room is dark. It’s not just sophisticated actors. Now it’s drug dealers, pedophiles and other bad actors. That shadow is spreading.

He argued that he “loves privacy” and supports encryption. But he said the current level of it, with no way for government to break it, breaks the “bargain” that government is allowed to invade privacy with probable cause and a warrant.

That was the argument from Rosenstein as well. While he declared he had no intention to “undermine” encryption, he said that when it is designed with no means of lawful access…

… it allows terrorists, drug dealers, child molesters, fraudsters, and other criminals to hide incriminating evidence. Mass-market products and services incorporating warrant-proof encryption are now the norm.

Where he went further than Comey was in describing how he thinks “responsible encryption is achievable.”

Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop. No one calls any of those functions a “back door.” In fact, those capabilities are marketed and sought out by many users.

It’s not the first time that the US government has looked at the central management of encryption keys. In the early nineties it tried to introduce the Clipper chip – an encryption and decryption chip for consumer devices that came with a backdoor for law enforcement.

It was found to harbour a number of vulnerabilities, was never widely adopted and was quickly made obsolete by strong encryption that wasn’t controlled by the government, such as Phil Zimmermann’s PGP.

Clipper didn’t impress cryptographer Bruce Schneier (now CTO at IBM Resilient), who described the idea of a global key escrow system as “far beyond the experience and current competency of the field”.

He isn’t impressed this time around either. Speaking in a podcast this week with Paul Roberts of the Security Ledger, he said it is absurd to think that Rosenstein’s vision of encryption is possible:

…for encryption to work well unless there is a certain piece of paper (a warrant) sitting nearby, in which case it should not work.

Mathematically, of course, this is ridiculous. The math either works or it doesn’t. You don’t get an option where the FBI can break encryption but organized crime can’t. It’s not available technologically.

Indeed, the government’s track record on securing everything from employee data (the Office of Personnel Management breach) to malicious exploits developed by US spy agencies suggests that if it held the technology or the keys to defeat encryption, the threat of those being compromised would be very real.

The National Security Agency (NSA) failed to secure an exploit it had developed called EternalBlue. It was leaked by the hacker group Shadow Brokers on April 14 and used as part of the worldwide WannaCry ransomware attack in May, the NotPetya cyberattack in June and, reportedly, the Retefe banking Trojan since early September.

Those and other instances of lax government security, privacy advocates say, mean that weakening encryption for the government would be much more of a threat to public safety than criminals’ ability to “go dark.”

Even if the government could make the use of unbreakable encryption illegal, it would still have to contend with the most basic of realities: criminals don’t obey the law. Law-abiding citizens would be forced to use hobbled encryption while criminals continued to choose the strongest encryption available.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, who debated Comey about a year ago at a conference hosted by the American Bar Association, argued that the Fifth Amendment does indeed give American citizens an absolute right to privacy.

To Comey’s assertion that the FBI had custody of 650 phones it could not decrypt (Rosenstein said that number is now about 7,500 “mobile devices”), Rotenberg noted that in 2013 alone, more than 3.1 million cell phones were stolen. Without strong encryption on those phones, “crime would be much higher in the United States,” he said.

And Shahid Buttar, director of grassroots advocacy at the Electronic Frontier Foundation (EFF), said encryption is often the only thing protecting journalists in repressive countries, whistleblowers even in the US, and religious minorities such as Christians in Muslim countries.

At the root of this is a misapprehension of what security means. To them (law enforcement) it’s a matter of the power of their agencies. To the rest of us, it’s who has access to our private communications.

The debate – obviously – will continue.

Rosenstein said that if companies are allowed to create “law-free zones” for their customers, the consequences would be that “crime cannot be solved. Criminals cannot be stopped and punished.”

But Schneier said the math works the other way. In an era when hostile nation states are trying to tap classified communications, “it’s hard to have a system that is made deliberately weak for law enforcement that doesn’t make it weak for other governments.”

But he added that he doubts there will be any serious moves in Congress to mandate that government can defeat encryption. “It’s all rhetoric,” he said. “And for now it’s too controversial.”

Source: Naked Security
