Slashdot Mirror


How Security Pros Look at Encryption Backdoors (helpnetsecurity.com)

An anonymous reader shares a report: The majority of IT security professionals believe encryption backdoors are ineffective and potentially dangerous, with 91 percent saying cybercriminals could take advantage of government-mandated encryption backdoors. 72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists, according to a Venafi survey of 296 IT security pros, conducted at Black Hat USA 2017. Only 19 percent believe the technology industry is doing enough to protect the public from the dangers of encryption backdoors. 81 percent feel governments should not be able to force technology companies to give them access to encrypted user data. 86 percent believe consumers don't understand issues around encryption backdoors.

52 comments

  1. On that basis ... by derek_m · · Score: 5, Funny

    I can only conclude that almost 20% of security professionals surveyed are utterly incompetent.

    1. Re:On that basis ... by pr0fessor · · Score: 3, Insightful

      Making something illegal isn't going to stop a criminal or terrorist. The result is that they will simply use an alternate method without a back door and eventually find the back door placed in the encryption methods by law. This will only make e-commerce less secure.

      What if we hide the back door? It's too late for that, and it wouldn't work anyway: hackers will find the back door and they will use it; finding and creating back doors is their bread and butter.

    2. Re:On that basis ... by hummassa · · Score: 2

      Yep. Every back door is an open door.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    3. Re:On that basis ... by Joce640k · · Score: 2

      Or use the widely-available backdoored method for convenience but with code words.

      --
      No sig today...
    4. Re:On that basis ... by Anonymous Coward · · Score: 1

      Ok, stalin.

    5. Re:On that basis ... by slashrio · · Score: 1

      That's even worse.

      --
      "Trump!!", the new Godwin.
    6. Re: On that basis ... by Thundercat007 · · Score: 1

      I remember in the late 90s many sysadmins for some reason had "backdoors" into their website in case they got locked out. A simple port scan would locate it and down went the website lol

    7. Re: On that basis ... by Anonymous Coward · · Score: 0

      My preferred backdoor is a second copy of sshd hardwired to public key authentication on a fixed account.

    8. Re:On that basis ... by Anonymous Coward · · Score: 0

      I had a GF who felt the same way. She was a good GF.

  2. Mista Puhtaddah Head!! Mista Puhtaddah Head!! by Anonymous Coward · · Score: 0

    Backdoors are NOT SECRETS!!

  3. Explain It Like Government Explains It by Anonymous Coward · · Score: 4, Insightful

    86 percent believe consumers don't understand issues around encryption backdoors.

    Maybe we should start explaining it in the same way that governments try to justify access.

    Government claims to need backdoors to keep us safe from terrorists? Maybe we should ask "how is giving terrorists access to our financial information, medical information, power grids, etc, keeping us safe from said terrorists?" Keep it in the public eye that backdoors give terrorists access to our information just as easily as it gives "the good guys" access to it.

    1. Re:Explain It Like Government Explains It by Anonymous Coward · · Score: 0

      "consumer"

      because security is some kind of "product" that you buy.

      this is fail, on so many levels.

    2. Re:Explain It Like Government Explains It by Anonymous Coward · · Score: 0

      giving terrorists access to our financial information, medical information, power grids, etc

      I'm not aware of that ever having happened. It would seem that the government is actually doing a pretty decent job of securing this information.

    3. Re:Explain It Like Government Explains It by Narcocide · · Score: 0

      You must live in Switzerland.

    4. Re:Explain It Like Government Explains It by Anonymous Coward · · Score: 3, Interesting

      This debate has been with us since the early 1990s when the Clipper Chip (with its LEAF override fields) was introduced. Every time this comes up, the answer is obvious:

      With how easy it is for information to leak [1], a deliberately placed backdoor would turn into a gold mine for terrorist organizations, criminal organizations, foreign intel, organizations doing industrial espionage. Especially now, when almost anything winds up leaking due to the popularity of those who will sell out their country for a buck, even if the person doing so knows that their co-workers and their families will be tortured and killed.

      Backdoors become security holes. Was true back then; is true now.

      [1]: Yesterday, Assange received a lot of classified documents and other info on Russia, but refused to publish it on WikiLeaks. Wonder why he has no interest in attacking anything but US or European interests... hmmm...

  4. I have an idea by Anonymous Coward · · Score: 1

    Let's put a literal backdoor with a master key lock on every secured building in the country.

    Because no criminals are going to get their hands on that master key and make a copy, right?

    1. Re:I have an idea by Narcocide · · Score: 1

      It's dangerous to say stuff like this sarcastically now. Some idiot will think it's a good idea and run with it.

    2. Re:I have an idea by Anonymous Coward · · Score: 0

      Let's put a literal backdoor with a master key lock on every secured building in the country.

      Because no criminals are going to get their hands on that master key and make a copy, right?

      It's also amusing because locks that accept master keys are also less secure than locks that do not accept master keys.

  5. 87.6543% think stats are fake by Anonymous Coward · · Score: 1

    It seems it should be an immutable law that if someone else has a key to your encrypted data, your data is no longer your data.

    1. Re:87.6543% think stats are fake by arth1 · · Score: 1

      It seems it should be an immutable law that if someone else has a key to your encrypted data, your data is no longer your data.

      s/encrypted//

      The problem, as I see it, is that concepts like "personal" are losing their meaning. The millennials have grown up without "expectation of privacy", and many don't even seem to understand the concept, nor the concept of not sharing.

      Whether encrypted or not, I think people should have a right to their data being safe from others, and "not shared with anyone" being the default state which you need to take steps to change.
      It should be up to me who I share with, not the government or private companies, whether it's the logs of my conversations or my genome.
      And it should be up to me what someone who is given data is allowed to do with it. Possession should not transfer ownership.

      Encryption is just a method of making it harder for those who disregard your rights to get access to the data. It's not the goal in itself - it's a necessary evil.

    2. Re:87.6543% think stats are fake by ctilsie242 · · Score: 1

      The zero expectation of data privacy has come at us from many fronts, be it the "free" services where the subscriber is the product, not the customer, the fact that data is valuable, where VCs only will give money to businesses which sling ads and suck analytics.

      With the fact that who knows what people/entities have access to remotely stored data, coupled with the concern about some storage providers actively looking for "pirated" stuff, encryption isn't a luxury to "hide from the cops". It is a necessity for the basic functioning of business. Especially how easy it winds up being for an attacker to compromise accounts.

    3. Re:87.6543% think stats are fake by chuckugly · · Score: 1

      The millennials have grown up without "expectation of privacy", and many don't even seem to understand the concept ...

      Perhaps, but I also notice many of the older generation (mine and older) who have become used to the illusion of data privacy and the fact of relative anonymity. We still have most of the real world privacy we ever really had, but data collection and availability has tended to reduce the real world anonymity some people seem to cherish. People who live in smaller villages have not had anonymity and they get along fine.

  6. How to describe backdoors by peragrin · · Score: 5, Insightful

    How to describe encryption backdoors to idiots and non technical people.

    Ask them to pull out their house key. Now have them go make 10,000 copies of that key and label each key with their name, address and door location. Have them include their normal working hours.

    Now they are to pass out those keys to every police officer, fire department, medical service group in their area just in case the government needs to get in their house in an emergency.

    Now ask them a question: how likely would it be that 1 out of 10,000 would get lost or misplaced and end up in the wrong hands?

    100% of the people I have explained it to that way suddenly change their minds. Though it is still a small sample size. Once a generic key has been created and passed around you might as well not have a key.

    --
    i thought once I was found, but it was only a dream.
    1. Re:How to describe backdoors by infolation · · Score: 1

      That seems like a good analogy for the common person, because it relates to the fears of the individual. But the vulnerabilities introduced by intentionally compromising strong encryption have financially wider reaching side-effects than the value of the contents of individual houses.

      It's not possible to segregate 'consumer' and 'commercial' internet traffic to permit businesses to use unweakened encryption, so the backdoor compromises all financial transactions - offering a criminal prize equivalent to an entire country's electronic GDP.

      Securing compromised encryption against that kind of threat vector sounds fairly unworkable.

    2. Re:How to describe backdoors by Anonymous Coward · · Score: 0

      It's worse than that. Do the same for every house in the city, and make it a *single* shape of key that opens them all. It's a passkey/master key that opens every residence, every business, every car, etc.

      Even if it was embodied in a single, solitary key held in some super secure safe that only the chief of police can open under strict court order, guess what? Some enterprising person will know that if they compare between enough different locks they can derive what that key looks like without ever possessing it from the legitimate source (example: getting the HDCP master key).

      It's a fundamental design flaw if the "electronic locks" are designed to be opened by one "master" third-party key held by the authorities. It will be a huge target for criminals or spies to figure out that key. You don't need someone "on the inside" to accidentally or intentionally disclose it, although obviously that is a risk as well.

    3. Re:How to describe backdoors by peragrin · · Score: 1

      There is no great analogy. Maybe if you used safety deposit box but less people use those now.

      The best analogy is something everyone can relate to. Except the homeless everyone has a house/apartment/home that is their personal space.

      Businesses can do the same.

      You have to assume someone has been compromised and the key is loose in the wild. That is the real reason backdoors to encryption are wrong. That the backdoor itself is compromised.

      --
      i thought once I was found, but it was only a dream.
    4. Re:How to describe backdoors by Rick+Schumann · · Score: 3, Interesting

      Now ask them a question how likely would it be that 1 out of 10,000 would get lost or misplaced and end up in the wrong hands?

      Worse: Some 'law enforcement officer' decides that since he/she has the key already, there's no reason for them to not go snooping around, warrant or no warrant. In fact let's go snooping through every house on the block, just in case we find something actionable. You know, for the safety and security of everyone. If people have nothing to hide in their homes, they shouldn't have anything to fear from this, right? And since it's 'law enforcement' on 'official business', they should trust them implicitly, right? If they don't trust them, then they MUST have something to hide, therefore justifying the snooping. Anyone making a big fuss over it for no reason probably is a criminal and needs to be investigated further..

      Excuse me, citizen; PAPERS, PLEASE..

    5. Re:How to describe backdoors by chuckugly · · Score: 1

      Thanks, I'll use that - good job.

    6. Re:How to describe backdoors by Anonymous Coward · · Score: 0

      First, I like how clean your analogy is. I'm not sure that its weakness as an analogy is a weakness in its rhetorical effectiveness.

      That said, if you change it to every lock accepting two keys -- yours and the "masters of the universe" key -- that is closer to an encryption backdoor. In fact, this idea of an ultimate bypass device has been used in fiction for years. It also illustrates the problem of "why doesn't someone just make a lock that doesn't work with the special key?", the answer being that making such a lock would be a criminal (if not terrorist) offense.

      Naturally, in your analogy failure to make and distribute the 10,000 keys would be a criminal offense.

  7. Security through obscurity doesn't work. by Tomahawk · · Score: 4, Informative

    Using obscurity in encryption just doesn't work. It has to be assumed that everything about the encryption method is known. Which is typically why everything about encryption methods is known - the algorithms and source code are always available to anyone.

    What is secret is the key that is used.

    Introducing a backdoor would mean that the method of how this backdoor is implemented would be known to everyone - it has to be, or at least assumed to be. So the only way to implement a backdoor "securely" is by using a key. This means hardcoding a public key into all public/private key encryption schemes and using both it and the users' public keys to encrypt the data, which is typically just encrypting the key for the symmetric encryption method (AES, for example) being used.

    I don't believe there would be a way to incorporate an extra key in a symmetric encryption system. Certainly not without seriously harming how the encryption works. And how would you hide the key? If the key is hard coded, everyone knows what it is, and can thus decrypt with it.

    Then you run into the problem of what happens once these hard coded keys are known to everyone, 'cos you know it's only a matter of time before they are either leaked or found. A global key to unencrypt all internet traffic - every hacker and cracker, no matter if they are white, grey, black, or any other colour hat, would be searching for that key. And it wouldn't take all that long to find, given enough computing power (read: botnet).

    If a government does force this to happen, you know that they will be the first target for all of these people who find the global key(s).

    1. Re:Security through obscurity doesn't work. by Anonymous Coward · · Score: 0

      Use public key encryption. Each encrypted message also gets its secret key added to the message, but that key is encrypted by the government public key. That way every message can be decrypted by using the government private key to decrypt the message secret key and then the message secret key can decrypt the message.

      Not advocating for it, just giving a simple example of how it could work and be as secure as the government private key. With how valuable that government private key would then be, it would be a very high priority target.

      It's not a technical problem at this point, as you try and make the case for. But it is a problem in a non-technical way, or technical completely different than you describe.
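
The escrow construction described by Tomahawk and in the reply above (a session key wrapped once for the user and once for a government key hardcoded into every client), as an added example that is not part of the original thread. It is a standard-library toy: the 127-bit Diffie-Hellman group, the SHA-256 keystream and all function names are assumptions made for illustration and are not secure for real use.

```python
"""Toy model of the escrow scheme described in the thread (added example).

Every message carries its session key twice: wrapped for the user and
wrapped for one escrow key that is hardcoded into every client.
NOT secure: tiny group, home-made cipher. Illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed toy parameters (assumption): 2**127 - 1 is prime but far too
# small for real Diffie-Hellman.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) for the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def kdf(label: bytes, material: bytes) -> bytes:
    return hashlib.sha256(label + material).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (toy stream cipher)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += kdf(key, counter.to_bytes(8, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_key(session_key: bytes, their_pub: int, my_priv: int) -> bytes:
    """Wrap or unwrap (XOR is symmetric) the session key under a DH secret."""
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    return keystream_xor(kdf(b"wrap", shared), session_key)


def encrypt(plaintext: bytes, user_pub: int, escrow_pub: int) -> dict:
    """Encrypt once, then wrap the session key for the user AND for escrow."""
    session_key = secrets.token_bytes(32)
    eph_priv, eph_pub = keygen()
    body = keystream_xor(kdf(b"enc", session_key), plaintext)
    return {
        "eph_pub": eph_pub,
        "for_user": wrap_key(session_key, user_pub, eph_priv),
        "for_escrow": wrap_key(session_key, escrow_pub, eph_priv),
        "body": body,
        "tag": hmac.new(kdf(b"mac", session_key), body, hashlib.sha256).digest(),
    }


def decrypt(msg: dict, priv: int, slot: str) -> bytes:
    """Open the message through one wrapped-key slot; fail if the key is wrong."""
    session_key = wrap_key(msg[slot], msg["eph_pub"], priv)
    tag = hmac.new(kdf(b"mac", session_key), msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("this private key does not open slot " + slot)
    return keystream_xor(kdf(b"enc", session_key), msg["body"])


def demo() -> dict:
    """Three users, one escrow key: show who can read what."""
    escrow_priv, escrow_pub = keygen()
    users = {name: keygen() for name in ("alice", "bob", "carol")}  # constructed
    traffic = {
        name: encrypt(f"{name}: account statement".encode(), pub, escrow_pub)
        for name, (_, pub) in users.items()
    }
    own = all(
        decrypt(traffic[n], users[n][0], "for_user").startswith(n.encode())
        for n in users
    )
    try:  # one user's key must not open another user's message
        decrypt(traffic["bob"], users["alice"][0], "for_user")
        cross = True
    except ValueError:
        cross = False
    # Whoever holds the single escrow private key opens every message.
    opened = [decrypt(m, escrow_priv, "for_escrow") for m in traffic.values()]
    return {
        "own_key_works": own,
        "other_user_key_works": cross,
        "opened_with_escrow_key": len(opened),
    }


if __name__ == "__main__":
    print(demo())
```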

    2. Re:Security through obscurity doesn't work. by Anonymous Coward · · Score: 0

      Just look at present day routers. They have a default password that is prebaked into the firmware, printed on the bottom of the device, and only the manufacturer knows about. Only a press of the reset button is needed to delete all existing settings.

    3. Re:Security through obscurity doesn't work. by Rick+Schumann · · Score: 1

      Friend, here's the deal: Politicians and 'law enforcement' types probably actually understand all this, because they likely have advisors who are well versed in the technology, but the politicians and cops don't care; they want the power to snoop into anything, anywhere, at any time, without any barriers of any kind preventing them from doing so, they don't care what us peasants have to say about it, and they'll burn the world to the ground to get it. Of course none of them will be subject to this, there'd be 'government-grade encryption' that's not compromised in any way, and that's what all their communications and devices will have. Same goes for the rich; they'll have real encryption, while us filthy peasants get the ersatz; they don't even care if people get their identities stolen right and left, or their bank accounts drained, either. That's what their Perfect World looks like; we, of course, have to stop them, in concert with the politicians who don't believe ruining encryption is a good idea for anyone. But it's going to continue to be an uphill battle the whole way. Power always seeks more power, and real encryption stands in the way of that. All their talk about 'national security' and 'terrorism' is just an excuse they're using as leverage to get what they want.

    4. Re:Security through obscurity doesn't work. by argumentsockpuppet · · Score: 1

      As long as we're talking about concepts we don't advocate, let me add some reason for paranoia.

      First, consider that any software with automatic updating can be compromised by the company providing the updates. If you get updates that you don't personally compile and test, then you can't prevent the entity with control of the updates from pushing something that would give access to your encrypted information.

      Second, consider that almost all at rest data is encrypted with symmetric encryption which means that there is necessarily a key that could be used, without needing your password, for decryption. It may be stored locally in a file someone else has the key to decrypt, or it may be uploaded without your knowledge to a company or government server.

      In almost every discussion about "backdoors" people describe the idea of a single key to unlock encrypted data from multiple targets. That's stupid. (Maybe not too stupid for government to demand.) If there were to be backdoor keys, there would be one unique key per device sold, held by the selling company or uploaded to a government server. The consumer would never even know there was such a key. If it's held by the software or hardware manufacturer, the key would be obtained by the government at request or subpoena.

      You don't have any way with closed source software to know those scenarios haven't already happened. Even with open source software, in many instances it's practically impossible to prove that your encrypted information doesn't already contain a government accessible back door.

      Right now with iOS, Android or Windows, you're probably already getting automatic updates. One of those updates you received may have already included a government mandated unique secret key.

      Your device manufacturer may have included the unique secret key that your phone uses to encrypt your data. Your password is only used to decrypt that key which is then used to encrypt your data.

      Right now, without any law changes, given sufficient leverage, time, and authority; I could gain access to 99.99% of the data that people think is encrypted without a "backdoor." Granted, I don't think that's happened, because I mostly trust the companies and people responsible for the hardware and software I use. However, that trust only goes so far as assuming I don't present a target worthy of attention from someone with scary level leverage to come after me.

      I keep thinking back to the San Bernardino iPhone FBI vs Apple case. The FBI said they could do the decryption by using the auto-update system with a copy of Apple's signing key. They absolutely could have, though they rightly assumed Apple would resist that idea. The question I have is whether the FBI would have gone to court if it weren't for the attempt to set precedent. If a couple engineers from Apple got late night visits from men in black with badges and guns, do you really think the key could have been kept secure? It gets worse. Imagine you're one of the managers who is responsible for keeping the key secure. You go into your office and you have an unexpected meeting with someone who has a badge and letters explaining how you're going to keep quiet about the copying of your signing key that already happened. On the one hand, you could risk your career and all the good parts of your life to invalidate a key that has already been compromised, resulting in a requirement for every iPhone user to come to physically turn in their phone for an upgrade in order to accept new valid keys. On the other hand, you could just keep your mouth shut. Which do you think most people would do? What makes you think that hasn't already happened? What makes you think the same thing didn't happen at Microsoft, Google and your favorite Linux distributors?

    5. Re:Security through obscurity doesn't work. by Anonymous Coward · · Score: 0

      While you make a valid point, you overlook an alternative that the NSA in fact has already done: compromise the reference implementation so that the encryption is weakened sufficiently to be reasonably crackable IFF you have certain secret information. It ends up in the same place as having an embedded public key in terms of other interested parties gaining access but (potentially) avoids public scrutiny.

      When the NSA first got Microsoft to include their public key in Windows (presumably so that NSA-supplied "updates" would validate) in a terrible opsec failure Microsoft actually called it something like nsa.key. At the time most people (sadly, myself included) told those insisting that it was an NSA backdoor to adjust their tinfoil. But you have to understand, the NSA hasn't always attacked the strength of encryption. They got a lot of cred for improving DES, for example.

      Your point about having a target on their back is also the problem with them hoovering all Internet traffic. Every time they put in a new facility to house or manage all of that data do you *really* think the FSB and China (and everyone else that thinks they can play) isn't trying to get a foothold? The US/GB tried it during the cold war on the Soviet embassy in Canada (during its construction) and the Soviets famously planted a listening device in the US embassy in Moscow.

      *Naturally* every interested party is going to try like the dickens to obtain any master key. And it is far easier to attack than defend.

  8. At Black Hat by Anonymous Coward · · Score: 1

    ...conducted at Black Hat USA 2017. Only 19 percent look forward to exploiting these encryption backdoors.

  9. It's not about security by Anonymous Coward · · Score: 0

    Security pros don't like backdoors because they make something unsecure. Government likes backdoors because their objective isn't security. When put at its most charitable these yahoos want to be seen to be doing something to help even if it's actually useless; security theater. Often however, it's about control of nominally honest citizenry rather than any sort of way to deal with 'terrorists'. It's about power, not protection.

    1. Re:It's not about security by ctilsie242 · · Score: 1

      Governments tend to not like backdoors, when they are found and used against their own interests...

    2. Re:It's not about security by MangoCats · · Score: 1

      People also seem to forget how quickly governments lose control of secrets they try to keep. If something is buried in a vault and forgotten, then it stays secret, but if something like a backdoor is accessed on a regular basis by a large number of people (say >10) - no matter how well vetted and trained and threatened with execution for breach - eventually, much sooner than later in most cases, someone will leak the secret.

    3. Re:It's not about security by ctilsie242 · · Score: 1

      The more it is used, the more often it can be leaked. There is also a priority of how useful a backdoor is. Being able to covertly compromise the head of an enemy state or terror organization's phone for high value intel is one thing. Being able to take phones from protestors arrested en masse to slurp off the goodies in mass quantities is another.

      Even the suspicion of a backdoor will get people working on steps to mitigate it, be it having apps that require a passcode before they run and doing the encryption themselves with their own encryption libraries, to people simply turning off their devices when they are not in use and slipping them into a grounded metal box when on trips.

    4. Re:It's not about security by Opyros · · Score: 1

      "Three may keep a secret if two are dead." -Poor Richard's Almanack

  10. That! by s.petry · · Score: 1

    Security professionals look at "Back" doors the same way we do "Front" doors in terms of "They let people in!" We look at back doors as worse, because there is a measurable proportion between how well hidden the door is, and how nefarious the person is using them.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  11. Fourteen Percent by SeattleLawGuy · · Score: 1

    From the summary: 86 percent believe consumers don't understand issues around encryption backdoors.

    So it looks like 14 percent either (1) don't understand encryption backdoors themselves, (2) are trying to get rid of the survey as quickly as possible, or (3) never interact with people and therefore assume all people know everything they know, in a sort of intellectual peek-a-boo or Ravenous Bugblatter Beast of Traal moment.

    --
    Real lawyers write in C++
  12. Encryption backdoors? by Anonymous Coward · · Score: 0

    Someone needs to read the bill of rights. You know, that part about privacy as an inalienable right.

  13. So only 9% got it right? by houghi · · Score: 1

    If 91% said that it COULD be used by hackers, I assume that the other 9% said that it WOULD be used by hackers.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:So only 9% got it right? by q4Fry · · Score: 1

      The other 9% said "Nope, no one could exploit that. Certainly not me. Definitely secure. What's your IP address?"

  14. Keys Under Doormats conclusion hasn't changed by Anonymous Coward · · Score: 0

    http://dspace.mit.edu/handle/1721.1/97690#files-area

    Same conclusion as 22 years ago.

  15. heavily infiltrated by crafoo · · Score: 1

    "72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists..."

    The remaining 28 percent were government plants and NSA corporate infiltrators.

  16. That's the actual problem by aglider · · Score: 1

    I can be ok with the gov to spy on my encrypted coms.
    But would you get those backdoors will remain within the gov alone?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  17. The problem... by XSportSeeker · · Score: 2

    The problem with governments suggesting backdoors in encryption is the same problem that generates a whole ton of bad decisions, grief, and politics towards the 1% - they live in a bubble.
    Why the heck a whole ton of politicians keep suggesting stuff like that is because they are surrounded by staff that don't have a clue about security.
    It's self evident for even people who read a bit on the subject: as soon as you put backdoors into encryption used by popular chat apps and whatnot, terrorists and criminals will just migrate to another platform that is out of the state's law reach and leave a whole ton of people who don't know better still using the platform, turning them into potential targets as their personal data starts to leak.
    And this is only a single reason why backdoors would never work. Not even mentioning how in principle, encryption with backdoor is already not encryption.
    They don't understand that good encryption has to be open and publicly audited, and that backdoor access would obviously leak, they don't understand how bad security practices are when handled by public sectors, how much data was already leaked by government mishandling, how the entire government would be far more vulnerable to foreign spies and terrorism in general should they weaken encryption, how banks would not be able to function without strong encryption, and a whole bunch of other stuff.

    Here's a good thing about the suggestion though: it's a good sign of politicians you should never vote for. They are legislating and promoting ignorance for votes or fear mongering with little to no technical backing. They are risking to put the public in even more danger because they keep pressing for laws that they don't know the full effect of. They are wasting taxpayer time and money because of their own ignorance. Keep these people away from representative positions.

  18. Digital wiretapping could be easy by qzzpjs · · Score: 1

    It may need some work from app vendors, but adding a wiretap option isn't hard. 1) Fed gets a warrant and gives it to the app company they want to tap. 2) App company creates a public/private key and gives the private key to the feds. 3) App then sends a copy of all the user's data to the feds using the unique public key (flag in the user's account or something). 4) After the warrant expires, the feed to the feds stops.

    The keys are unique per warrant so criminals can't find the key. The feed is only transmitted during the period of the warrant so hackers couldn't just hack anyone. Feds only get to tap one user per warrant so no mass surveillance. App company makes the keys so Feds can't just reuse the same key for everyone.

    I'm sure that I'm missing some details here, but it would work a lot better than a forced backdoor in encryption.