Backdoors present a problem waiting to happen and a gold mine for hackers
Included in the rising noise of calls from security agencies, law enforcement and the government for encryption backdoors into encrypted devices and chat apps is U.S. Attorney General William Barr. Though to say ‘call’ may be generous, as these have become nigh on demands. The argument is given by Barr and by the rest of these groups always falls to the same line: Bad people are protected by strong encryptions, which allow them to keep doing bad things to everyone. If security agencies/law enforcement could just simply have a little look into users’ conversations every occasional time, then it would be much easier to do their jobs and all would be right with the world.
Whilst allowing law enforcement to access whatever they please, be it secure messaging apps, devices or any sort of private communications, may seem like a fantastic idea at first, but it would also mean that the technology that is used to protect our online communications, shopping and banking would all be critically weakened and at risk. There is no challenge or impossibility in creating a backdoor into software. Where it is impossible is in creating one that does not drastically weaken and compromise the security. Whilst it may be done with the most honourable of intentions, the moment an encryption backdoor is placed, it is ticking clock until someone exploits it. And it is at that point we find our protections have been compromised by the very people it was supposed to protect against.
This is frightening. Trump’s AG Barr is insisting all encryption must have backdoors. As we have seen w massive, highly destructive leaks from NSA, if there is a backdoor the bad guys will most likely get it too. Then, they’ll have access to the entire global financial system. https://t.co/vsVtqBvQ5Q
— James Fawcette (@TheFawcette) July 24, 2019
This is not a question of protecting criminals or interfering with the law, not at all. From Apple’s response to the FBI demands in relation to the San Bernardino shooting to Australia enforcing laws to make companies weaken encryptions or even A.G.Barr’s accusations towards tech companies, there is no one who is part of the technology industry and community who is arguing or trying to defend terrorists or criminals. It is for the rights of every other citizen, who’s privacy is under threat.
Encryption backdoors are not hard to create; the problem is keeping them shut
We are not going to dive into the numerous ideas and “solutions” that law enforcement agencies and governments have proposed and individuals explain why each one is fundamentally flawed from the get-go. Be it ghost protocols, encryption master keys, or secret keys for devices, they all have serious problems. The one thing that all of these proposals have in common is they are all built around one extremely flawed assumption: that the backdoor will never be found and use it to exploit thousands, if not millions with the information. This is it. The problem. Once an encryption backdoor is built in, it is just a waiting game for when, and not if, someone finds a way to exploit it and gain access.
To break in through the backdoor will take two different forms: hackers who try to find weaknesses within the protection on the door or from the inside, someone abusing or selling the backdoor. Supposedly impenetrable defences are broken into by hackers, who spend days and months and even years breaking into these systems.Continous attacks to servers that contain our data, MacOS and Windows under malware attacks and smartphones under threat from rogue apps. Breaking through a “secret backdoor” and exploit will suddenly jump above everything else on their priorities.
Hey Atty. Gen. William Barr: Are you a cryptographer? A mathematician? No? You’re not? Then how the heckin’ heck do you think you can declare something possible in an area of expertise you don’t understand? Where do you get off on saying backdoor encryption is possible?
— Russell John (@binarian10101) July 24, 2019
When it comes to security systems, hackers are extremely successful at bypassing and breaking in. And these can have extremely devastating consequences, such as incidents like with Dejardins and Equifax, impacting millions of people. With some hacks, including the hack on Ashley Madison a few years back, or more recently, such as with Capital One, these are eventually revealed to be inside jobs. The keys to the castle, so to speak, were trusted to someone who then used that access to betray that trust. With the defenses and systems to watch out for attacks, it meant nothing as they still ended up being hacked.
Now throw into this the idea of a secret key. This key has the power to unlock and access any iPhone. Everything contained on the device can be seen. With something this powerful, how long do you think it will be until its discovery? Until someone outside of law enforcement finds out about its existence? A year? Maybe months? It could be down to weeks or days, maybe even hours. And you can be sure that an instrument of that power would be instantly targeted the minute it was known of, by the same people it would supposedly protect us all from.
The master key to iPhones? That is a prize far too valuable for any criminal to let pass. Gaining that key allows them a nigh on endless supply to funds, (stealing money). Think of how much they would be able to access, even if the solution worked 10% of the time. That is far too much for anyone to let pass.
Once these will be exploited and used, trust in online shopping and banking will be quickly eroded thanks to encryption backdoors. People still use online service despite the numerous hacks that happen. This is because the hacks have never broken the very encryption that makes up the foundation of the protection for our data. At SKY ECC, we want our encryption foundation to be as secure as possible, which is why we use a 521 bit ECC as the core
Instead, other systems are broken into, which have not been protected as well. A password was left in plain text by the developer or the decryption key was unprotected on the same server as the encrypted database (imagine it like leaving your keys outside after locking the door from the inside).
William Barr gave a talk today at Fordham, on “going dark” and the need for encryption backdoors. A lot of this is old hat. The surprising thing is that it was the only subject of the talk: it seems like the Trump administration is serious about this. (Thread).
— Matthew Green (@matthew_d_green) July 23, 2019
In the modern online era, no hack has ever successfully cracked any underlying encryption. When a password cracker tries to get in, they do not attempt to break encryption. They simply guess, until they stumble across the right answer. It is a case of matching from an encrypted password list to lists of common passwords and words. They keep attempting this until they get a match.
However, by using a randomly generated password, especially longer passwords, it would not be on the list, so it could not be checked against. If an encryption was to be broken, it would not matter what the password was, it could be decrypted. This is not the case right now.
What may be far more worrying about this situation is that by its own nature, an encryption backdoor’s existence would never be public knowledge. The technology companies who made the backdoor would be made to swear secrecy on the project and the government, alongside law enforcement, would insistently deny its very existence. So, what happens when it is compromised? The public will have no idea whilst the backdoor is exploited and they are now at risk. If they do learn of it, it will be far too late, the horses have left the paddock.
With such a powerful key at their disposal, able to decrypt phones and read any message, do you think it’s owners would admit if someone else managed to gain control of it, never mind admitting if it exists or not?
Of course they wouldn’t tell us.
Instead, we would be presented with the situation of the encryption backdoor being cracked by criminals, who would use the information to find new ways to make sure their own communications are protected again, most likely by making apps designed for the job. At the same time, we would see a rapid increase in seemingly impossible attacks and hacks. Information that was communicated securely would suddenly be publicized. Eventually, the dots will be connected and it will be traced to the existence of the backdoor, as well as how it has been compromised, abused, leaked, and whatever else the hackers have been able to accomplish.
And with that we would be where we began and now with major data breaches and potentially thousands of innocent people at risk.
All for one, but not one for all
What is very interesting in all of this is that law enforcements want to have backdoors into our communications, access to our tools. But they want to keep their own secrets hidden away. The normal rebuttal of this is “we need to protect our secrets…” however, this argument does not really fly when the secrets that governments guard often include horrid atrocities, as bad as the criminals they seek to catch. The citizen oversight committee is not being given a secret key to decrypt the governments information. That would not be secure. What could happen if the keys “fell into the wrong hands”?
It would not be acceptable for that to happen to them. So why should it happen to all of us?
Governments cannot simply turn around to people and demand they sacrifice their freedom of speech, security and privacy, whilst the government is determined to protect its own. Private, secure communications is something everyone needs. Secure shopping, secure banking, secure online access.
It is about the needs of the many, not the few. Or in this case, the one.
All of this can be brought down to one movie quote from a certain Vulcan: “The needs of the many, outweighs the needs of the few.” Bad people can use technology to do bad things. Bank robbers often use cars when trying to escape from the police, but we don’t have campaigns for universal kill switches for cars do we? In this global, interconnected, online age we rely on secure encryption to keep our information and privacy secure. Backdoors compromise all of this and the cost that it presents is far too great in our opinion.
This is why we won’t have a backdoor in SKY ECC. If law enforcement asks and presents all the legal paperwork required, we make sure to comply with the requests presented. But this does not mean we will, or can, decrypt messages for law enforcement. Within SKY ECC servers, information stored is kept to the minimum amount, as it was built to be.
Messages are not stored and neither is Metadata (It is kept encrypted when in transit too). Only ECC IDs, which are made sure to have no personally identifiable information, and who they have within their contact list are kept. Your communications and privacy deserve the best, a tool that can give you the privacy you need. We believe SKY ECC is that tool.
Governments and law enforcements continue to keep their pressure on companies such as Apple, Google, Facebook and ourselves, as they seek a way to see whatever is being said by anyone they deem to be of interest. But no matter the pressure, we will stand tall with our stance. We do not believe that there is anything such as a safe encryption backdoor and most crucially, we believe that secure communication is everyone’s right.
When privacy is at stake, we will not risk it for encryption backdoors. That is our stance.