Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Security Pros Look at Encryption Backdoors (helpnetsecurity.com)

Posted by msmash on from the what-they-think dept.

An anonymous reader shares a report: The majority of IT security professionals believe encryption backdoors are ineffective and potentially dangerous, with 91 percent saying cybercriminals could take advantage of government-mandated encryption backdoors. 72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists, according to a Venafi survey of 296 IT security pros, conducted at Black Hat USA 2017. Only 19 percent believe the technology industry is doing enough to protect the public from the dangers of encryption backdoors. 81 percent feel governments should not be able to force technology companies to give them access to encrypted user data. 86 percent believe consumers don't understand issues around encryption backdoors.

10 of 52 comments (clear)

  1. On that basis ... by derek_m · · Score: 5, Funny

    I can only conclude that almost 20% of security professionals surveyed are utterly incompetent.

    1. Re:On that basis ... by pr0fessor · · Score: 3, Insightful

      Making something Illegal isn't going to stop a criminal or terrorist. The result is that they will simply use an alternate method without a back door and eventually find the back door placed in the encryption methods by law. This will only make e-commerce less secure.

      What if we hide the back door? It's to late for that and it wouldn't work anyway hackers will find the back door and they will use it, finding and creating back doors is their bread and butter.

    2. Re:On that basis ... by hummassa · · Score: 2

      Yep. Every back door is an open door.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    3. Re:On that basis ... by Joce640k · · Score: 2

      Or use the widely-available backdoored method for convenience but with code words.

      --
      No sig today...
  2. Explain It Like Government Explains It by Anonymous Coward · · Score: 4, Insightful

    86 percent believe consumers don't understand issues around encryption backdoors.

    Maybe we should start explaining it in the same way that governments try to justify access.

    Government claims to need backdoors to keep us safe from terrorists? Maybe we should ask "how is giving terrorists access to our financial information, medical information, power grids, etc, keeping us safe from said terrorists?" Keep it in the public eye that backdoors give terrorists access to our information just as easily as it gives "the good guys" access to it.

    1. Re:Explain It Like Government Explains It by Anonymous Coward · · Score: 3, Interesting

      This debate has been with us since the early 1990s when the Clipper Chip (with its LEAF override fields) was introduced. Every time this comes up, the answer is obvious:

      With how easy it is for information to leak [1], a deliberately placed backdoor would turn into a gold mine for terrorist organizations, criminal organizations, foreign intel, organizations doing industrial espionage. Especially now, when almost anything winds up leaking due to the popularity of those who will sell out their country for a buck, even if the person doing so knows that their co-workers and their families will be tortured and killed.

      Backdoors become security holes. Was true back then; is true now.

      [1]: Yesterday, Assange received a lot of classified documents and other info on Russia, but refused to publish it on WikiLeaks. Wonder why he has no interest in attacking anything but US or European interests... hmmm...

  3. How to describe backdoors by peragrin · · Score: 5, Insightful

    How to describe encryption backdoors to idiots and non technical people.

    Ask them to pull out their house key. Now have them go make 10,000 copies of that key and label each key with their name address and door location. Have them include their normal working hours.

    Now they are to pass out those keys to every police officer, fire department, medical service group in their area just in case the government needs to get in their house in an emergency.

    Now ask them a question how likely would it be that 1 out of 10,000 would get lost or misplaced and end up in the wrong hands?

    100% of the people I have explained it to that way suddenly change their minds. Though it is still a small sample size. Once a generic key has been created and passed around you might as well not have a key

    --
    i thought once I was found, but it was only a dream.
    1. Re:How to describe backdoors by Rick+Schumann · · Score: 3, Interesting

      Now ask them a question how likely would it be that 1 out of 10,000 would get lost or misplaced and end up in the wrong hands?

      Worse: Some 'law enforcement officer' decides that since he/she has the key already, there's no reason for them to not go snooping around, warrant or no warrant. In fact let's go snooping through every house on the block, just in case we find something actionable. You know, for the safety and security of everyone. If people have nothing to hide in their homes, they shouldn't have anything to fear from this, right? And since it's 'law enforcement' on 'official business', they should trust them implicitly, right? If they don't trust them, then they MUST have something to hide, therefore justifying the snooping. Anyone making a big fuss over it for no reason probably is a criminal and needs to be investigated further..

      Excuse me, citizen; PAPERS, PLEASE..

  4. Security through obscurity doesn't work. by Tomahawk · · Score: 4, Informative

    Using obscurity in encryption just doesn't work. It has to be assumed that everything about the encryption method is known. Which is typically why everything about encryption methods is known - the algorithms and source code are always available to anyone.

    What is secret is the key that is used.

    Introducing a backdoor would mean that the method of how this backdoor is implemented would be known to everyone - it has to be, or at least assumed to be. So the only way to implement a backdoor "securely" is by using a key. This means hardcoding a public key into all public/private key encryption schemes and using both it and the users' public keys to encrypt the data, which is typically just encrypting the key for the symmetric encryption method (AES, for example) being used.

    I don't believe there would be a way to incorporate an extra key in a symmetric encryption system. Certainly not without seriously harming how the encryption works. And how would you hide the key? If the key is hard coded, everyone knows what it is, and can thus decrypt with it.

    Then you run into the problem of what happens once these hard coded keys are known to everyone, 'cos you know it's only a matter of time before they are either leaked or found. A global key to unencrypt all internet traffic - ever hacker and cracker, no matter if they are white, grey, black, or any other colour hat, would be searching for that key. And it wouldn't take all that long to find, given enough computing power (read: botnet).

    If a government does force this to happen, you know that they will be the first target for all of these people who find the global key(s).

  5. The problem... by XSportSeeker · · Score: 2

    The problem with governments suggesting backdoors in encryption is the same problem that generates a whole ton of bad decisions, grief, and politics towards the 1% - they live in a bubble.
    Why the heck a whole ton of politicians keep suggesting stuff like that is because they are surrounded by staff that don't have a clue about security.
    It's self evident for even people who read a bit on the subject: as soon as you put backdoors into encryption used by popular chat apps and whatnot, terrorists and criminals will just migrate to another platform that is out of the state's law reach and leave a whole ton of people who don't know better still using the platform, turning them into potential targets as their personal data starts to leak.
    And this is only a single reason why backdoors would never work. Not even mentioning how in principle, encryption with backdoor is already not encryption.
    They don't understand that good encryption has to be open and publicly audited, and that backdoor access would obviously leak, they don't understand how bad security practices are when handled by public sectors, how much data was already leaked by government mishandling, how the entire government would be far more vulnerable to foreign spies and terrorism in general should they weaken encryption, how banks would not be able to function without strong encryption, and a whole bunch of other stuff.

    Here's a good thing about the suggestion though: it's a good sign of politicians you should never vote for. They are legislating and promoting ignorance for votes or fear mongering with little to no technical backing. They are risking to put the public in even more danger because they keep pressing for laws that they don't know the full effect of. They are wasting taxpayer time and money because of their own ignorance. Keep these people away from representative positions.