Encryption, the NSA, and the front door
There are few topics these days that can spark debate in software-development circles as quickly as the US National Security Agency (NSA). Recently, the NSA's director went on the record in public to advocate mandating government access to encrypted software systems. Such mandatory access is an idea that has been floated before, and although this time around the specifics are different, the tech industry has been just as receptive to the potential interference as one would expect. The plan outlined would make it virtually impossible to deploy certain free-software systems without running afoul of regulations and, while it does not seem particularly likely to be written into law any time soon, is has provoked quite a bit of discussion.
NSA Director Michael Rogers made the comments in question during a
speech at Princeton University. The Washington Post published
a write-up of the talk on April 10. The story quotes Rogers as saying
"I don’t want a back door [...] I want a front door. And I want
the front door to have multiple locks. Big locks.
" The
distinction Rogers made was that "back doors" are hidden entry points;
what he promoted are encryption systems with strong crypto—but where law enforcement has a way to access the keys.
The comments come while the White House is studying encryption
policy, the Post story explains. In a February interview
with Re/code, President Obama said "there’s no scenario in which
we don’t want really strong encryption
", but went on to say that
law enforcement has a national-security interest in accessing
encrypted communication. The difficulty, he said, is that encryption
that is too strong makes it impossible for a software company to
comply with a court order requesting specific documents.
All of this, of course, is familiar territory. A service provider (such as an email-hosting service) might be asked to turn over the emails and access logs associated with a particular user account. If all of the encryption keys needed to decrypt the account information are held by the user, the service provider cannot turn over any readable documents. What is different, however, is Rogers's suggestion.
For reference, in the mid-1990s the Clinton administration proposed a mandatory "key escrow" system, in which service providers would be required to create decryption keys independent of any keys held by the user or the service provider. Those keys would be turned over to a "trusted party" that would, in turn, release the appropriate key to the US government when required during criminal investigations. The proposal was an extension of the Clipper chip project, which was a hardware-based encryption system for digital phones. Each chip had a backdoor encryption key burned in during the manufacturing process; the backdoor key was held by the government. The Clipper chip failed in the marketplace, however, and was quickly abandoned.
The Wikipedia entry on key escrow links to a copy [PDF] of the 1996 CIA memo advocating a post-Clipper-chip escrow program. It makes for interesting historical reading, but the program was never implemented. The objections to it (apart from the risk driving software development away from the US) were straightforward: fear of abuse by government agencies or individuals, fear of abuse by the "trusted parties," and the general principle that individuals deserve to keep some of their communication private.
What Rogers proposed this time is a "split key" system. As with key escrow, an encryption key independent of the user's would be generated for each account—but in this system each of those keys would then be split into parts. The government would hold one half, and the service provider the other. Both pieces would have to be brought together to access a user account. That way, no single rogue actor could access a user's private data—regardless of whether the actor was from law enforcement or from the service provider.
The Post story cites critics of the proposal from Yahoo and from George Washington University’s Cyberspace Security Policy and Research Institute. There would be technological and logistical challenges to a mandatory form of such a system—imagine how many split keys would need to be generated and delivered to law enforcement on a daily basis for services as popular as Gmail and Facebook, for instance.
There is also the problem of keeping the split keys separate. Even if they are held by separate entities in the long term, they must be generated together and then distributed. That provides an opportunity for an attacker to copy both keys well before they reach the proper hands (including, of course, the service keeping its own copy of the government key from day one). Similarly, any time both key halves are used together, there would be another opportunity to steal or duplicate them.
In addition, critics of US government security policy may understandably have questions about how the government would exercise its right to meet with the service provider and access a suspicious account. Would such meetings be subject to gag orders or secret National Security Letters? Would the government be able to compel the service to turn over its half of the key, if it decided the stakes were particularly high?
Furthermore, under such a plan it might become illegal in the US to run non-compliant Internet services (possibly even for private use), which would put untold numbers of free-software projects in a bind. They would have to choose between implementing the mandatory split-key escrow service and losing US users. Free-software projects not based in the US would hardly be expected to merge in support for a US-government access program. No doubt some users in the US would continue to run their own services as they see fit, but they would do so at significant legal risk.
The Post story notes that, so far, there is no legislation proposed to implement what Rogers is asking for. It would seem to be a hard sell in the current climate; after the Edward Snowden leaks, cooperating with the NSA is a decidedly unpopular proposition in tech circles, and consumer interest in privacy issues is relatively high.
Nevertheless, privacy advocates are not taking anything for granted. The Electronic Frontier Foundation (EFF) criticized Rogers's comments, casting them in the same light as the Clipper chip and related proposals:
On the plus side, the EFF article is a welcome reminder that past attempts to mandate back (or front) doors in encryption products have failed. Historians will note that the Clipper chip fiasco contributed considerably to the growth of PGP and other software encryption projects, even though at that time encryption was considered "munitions" and was subject to export controls.
Whatever comes of
the NSA's interest in split-key escrow technology, it will no doubt
provoke considerable work from privacy-conscious software
developers—perhaps leading to projects that will have just as
much impact in the long term as PGP.
Index entries for this article | |
---|---|
Security | Encryption/Key escrow |
Security | Privacy |
Encryption, the NSA, and the front door
Posted Apr 23, 2015 7:40 UTC (Thu)
by alonz (subscriber, #815)
[Link]
Another obvious problem with these proposals is that criminals are all too likely to find a way to “escrow” incorrect keys. So the entire system will only be useful for spying on law-abiding citizens.
Posted Apr 23, 2015 7:40 UTC (Thu) by alonz (subscriber, #815) [Link]
Basically, these proposals hinge on the basic premise that the public (and, in particular, the adversaries) are somehow technologically inferior to the government, which is far from the truth.
Encryption, the NSA, and the front door
Posted Apr 23, 2015 9:34 UTC (Thu)
by grmd (guest, #4391)
[Link] (4 responses)
Posted Apr 23, 2015 9:34 UTC (Thu) by grmd (guest, #4391) [Link] (4 responses)
Encryption, the NSA, and the front door
Posted Apr 23, 2015 12:29 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link] (3 responses)
Posted Apr 23, 2015 12:29 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (3 responses)
Encryption, the NSA, and the front door
Posted Apr 23, 2015 15:07 UTC (Thu)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Apr 23, 2015 15:07 UTC (Thu) by nix (subscriber, #2304) [Link] (2 responses)
Encryption, the NSA, and the front door
Posted Apr 26, 2015 8:26 UTC (Sun)
by paulj (subscriber, #341)
[Link] (1 responses)
Posted Apr 26, 2015 8:26 UTC (Sun) by paulj (subscriber, #341) [Link] (1 responses)
I think we should assume the reverse, that these policies are being pushed by people who *are* well-informed. That they're pushing for this tells us they have trouble with encryption in main-stream products a non-trivial amount of the time, and that they believe that with sustained pressure on politicians they can get backdoor laws.
Encryption, the NSA, and the front door
Posted Apr 26, 2015 21:06 UTC (Sun)
by rgb (subscriber, #57129)
[Link]
Posted Apr 26, 2015 21:06 UTC (Sun) by rgb (subscriber, #57129) [Link]
Encryption, the NSA, and the front door
Posted Apr 23, 2015 13:33 UTC (Thu)
by felixfix (subscriber, #242)
[Link] (3 responses)
Posted Apr 23, 2015 13:33 UTC (Thu) by felixfix (subscriber, #242) [Link] (3 responses)
Encryption, the NSA, and the front door
Posted Apr 23, 2015 14:32 UTC (Thu)
by n8willis (subscriber, #43041)
[Link] (2 responses)
Posted Apr 23, 2015 14:32 UTC (Thu) by n8willis (subscriber, #43041) [Link] (2 responses)
I have vague recollections of that happening; perhaps the government bent over backward to persuade AT&T to take the project on -- we may never know. The Crypto Museum does not indicate how many were sold, however.
Nate
Encryption, the NSA, and the front door
Posted Apr 29, 2015 11:51 UTC (Wed)
by ortalo (guest, #4654)
[Link] (1 responses)
Posted Apr 29, 2015 11:51 UTC (Wed) by ortalo (guest, #4654) [Link] (1 responses)
In fact 20 years after, the existence of this cloth is probably the first really useful positive thing I learn about the clipper chip. (At that time, my advisor even recommended me *not* to look at it as a learning casze as it was starting to be considered bad crypto.)
Do you have a picture? (Of the t-shirt of course.)
Encryption, the NSA, and the front door
Posted Apr 29, 2015 13:01 UTC (Wed)
by felixfix (subscriber, #242)
[Link]
Here is the logo, on the front I think; the back is similar to this, but a little different. I found these links on an EFF page which also says the t-shirts are available again, but points to a dead link.
Posted Apr 29, 2015 13:01 UTC (Wed) by felixfix (subscriber, #242) [Link]
Encryption, the NSA, and the front door
Posted Apr 23, 2015 16:54 UTC (Thu)
by micka (subscriber, #38720)
[Link]
Posted Apr 23, 2015 16:54 UTC (Thu) by micka (subscriber, #38720) [Link]
Encryption, the NSA, and the front door
Posted Apr 23, 2015 21:10 UTC (Thu)
by ddevault (subscriber, #99589)
[Link]
Posted Apr 23, 2015 21:10 UTC (Thu) by ddevault (subscriber, #99589) [Link]
Encryption, the NSA, and the front door
Posted Apr 23, 2015 21:46 UTC (Thu)
by fandingo (guest, #67019)
[Link] (12 responses)
Posted Apr 23, 2015 21:46 UTC (Thu) by fandingo (guest, #67019) [Link] (12 responses)
For medium to high profile targets, the government merely possessing half the key, along with their enormous purported decryption, is likely sufficient to decrypt without incurring an impactful amount of resources.
There's no reason why the government needs half the key upfront, unless they want to mount clandestine decryption attacks. Otherwise, requiring providers to maintain a key and establishing seizure procedures of those keys would be sufficient, although still both unnecessary and unbearable in my opinion. They want half of that key for a reason.
Encryption, the NSA, and the front door
Posted Apr 23, 2015 22:05 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (5 responses)
Posted Apr 23, 2015 22:05 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)
In the simplest case, the user's key can be generated as HASH(a+b) where "a" is Google's seed key and "b" is seed NSA's key. Either seed is worthless by itself.
Encryption, the NSA, and the front door
Posted Apr 23, 2015 23:18 UTC (Thu)
by reubenhwk (guest, #75803)
[Link] (2 responses)
Posted Apr 23, 2015 23:18 UTC (Thu) by reubenhwk (guest, #75803) [Link] (2 responses)
Encryption, the NSA, and the front door
Posted Apr 23, 2015 23:40 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Posted Apr 23, 2015 23:40 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)
Besides, modern ciphers are secure against partial key compromise.
Encryption, the NSA, and the front door
Posted Apr 24, 2015 0:14 UTC (Fri)
by fandingo (guest, #67019)
[Link]
Posted Apr 24, 2015 0:14 UTC (Fri) by fandingo (guest, #67019) [Link]
I only had a few minutes to investigate earlier, but I couldn't find anything that analyzed this situation. I would be extremely hesitant to make any statements about the overall security of a key if part were disclosed and some ciphertext had been intercepted.
You're also ignoring the practical implications of using the longest AES key possible. The service provider has to have a good entropy source that doesn't deplete. AES 256 also puts more computational strain when in use. That doesn't matter on your desktop, but it certainly matters on your phone.
Encryption, the NSA, and the front door
Posted Apr 23, 2015 23:54 UTC (Thu)
by fandingo (guest, #67019)
[Link] (1 responses)
Posted Apr 23, 2015 23:54 UTC (Thu) by fandingo (guest, #67019) [Link] (1 responses)
For example the key combination function is: f(a V b) where b=0 and f is the identity function, meaning that every "half-key" that the NSA receives is identical *and* the "half-key" retained by the provider is the final key. Obviously, the government would never allow that.
As you move further away from the example above the government gains an advantage and guess who will be formulating the rules? The government has no incentive to make "b" useless and lots of incentive to the contrary.
I just don't trust any f() where the NSA knows any of the input and has some say on how the inputs are used to not be have some weakness.
Encryption, the NSA, and the front door
Posted Apr 24, 2015 0:40 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Apr 24, 2015 0:40 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]
I'm not advocating for NSA, just explaining that any realistic key sharing solution would have its vulnerabilities somewhere else.
Encryption, the NSA, and the front door
Posted Apr 24, 2015 20:58 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link] (5 responses)
Posted Apr 24, 2015 20:58 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link] (5 responses)
One reason that users might want to have a key splitting system is that it protects them against abuse by the service provider. Many people talk about this as if the government is the only organization that wants their secrets, but there are plenty of businesses and criminals who could profit from them, too. Protection against unscrupulous businesses, and against rogue employees, is of real value.
Of course, if you don't trust either the government or the service provider, you probably ought to be encrypting your data yourself and not giving anyone the key. But if you're somehow required to give up your key, it's probably better to have it split between two parties.
Encryption, the NSA, and the front door
Posted Apr 24, 2015 21:11 UTC (Fri)
by dlang (guest, #313)
[Link] (4 responses)
Posted Apr 24, 2015 21:11 UTC (Fri) by dlang (guest, #313) [Link] (4 responses)
Encryption, the NSA, and the front door
Posted Apr 26, 2015 12:58 UTC (Sun)
by foom (subscriber, #14868)
[Link] (2 responses)
Posted Apr 26, 2015 12:58 UTC (Sun) by foom (subscriber, #14868) [Link] (2 responses)
I believe that's annoyed the govt in the past.
Encryption, the NSA, and the front door
Posted Apr 27, 2015 1:37 UTC (Mon)
by dlang (guest, #313)
[Link] (1 responses)
Posted Apr 27, 2015 1:37 UTC (Mon) by dlang (guest, #313) [Link] (1 responses)
Encryption, the NSA, and the front door
Posted Apr 29, 2015 4:40 UTC (Wed)
by foom (subscriber, #14868)
[Link]
Posted Apr 29, 2015 4:40 UTC (Wed) by foom (subscriber, #14868) [Link]
Encryption, the NSA, and the front door
Posted Apr 26, 2015 13:23 UTC (Sun)
by rgmoore (✭ supporter ✭, #75)
[Link]
Posted Apr 26, 2015 13:23 UTC (Sun) by rgmoore (✭ supporter ✭, #75) [Link]
If the only service they provide is to transmit or store the data, they don't need to be able to decrypt it. A good example of this approach is Firefox's sync. The copy on Mozilla's servers is encrypted with a key that only the user has, so it still works as a synchronization mechanism even though Mozilla can't read the contents. That has some downsides- they can't recover your data for you if you forget your password- but it does protect your privacy.
Encryption, the NSA, and the front door
Posted Apr 23, 2015 22:12 UTC (Thu)
by davidstrauss (guest, #85867)
[Link] (1 responses)
Posted Apr 23, 2015 22:12 UTC (Thu) by davidstrauss (guest, #85867) [Link] (1 responses)
The problem described is not really true, at least not more than for any other hybrid encryption scheme. The big error is assuming that distributing the half keys to the proper parties is hard, which it's not with modern (1980s+) approaches.
For any substantial amount of data or when multiple parties need access, the typical approach is to generate a single-use symmetric key for that data and then encrypt that key using an asymmetric algorithm for each party.
In the case of split escrow, one might divide the single-use key in two, encrypting half for the vendor and half for the government. The customer would have the entire key encrypted with their public key for distribution to them.
The system performing the encryption would briefly have access to the single-use symmetric key, but that's also the same system that had access to the plaintext at the same moment, anyway.
The real loss in security is by moving the encryption up to the vendor's systems, not using a split key escrow scheme.
Encryption, the NSA, and the front door
Posted Apr 29, 2015 12:02 UTC (Wed)
by ortalo (guest, #4654)
[Link]
Posted Apr 29, 2015 12:02 UTC (Wed) by ortalo (guest, #4654) [Link]
By the way, if the NSA wants my keys, I think *I* could probably agree to use enduser software that sends them a copy. No problem. I would request them to operate as a third party notarizing my communications as a reciprocal service (as well as delivering me annually a "good citizen" certificate for the lulz).
YMMV of course. But the NSA guaranteeing my annual payments to LWN.net [1]: that would be a memorable breakthrough in cryptography!
[1] If they pass Jon&Nathan security audit of course.
Encryption, the NSA, and the front door
Posted Apr 23, 2015 22:18 UTC (Thu)
by jmclnx (guest, #72456)
[Link] (2 responses)
Posted Apr 23, 2015 22:18 UTC (Thu) by jmclnx (guest, #72456) [Link] (2 responses)
Encryption, the NSA, and the front door
Posted Apr 25, 2015 2:50 UTC (Sat)
by misc (guest, #73730)
[Link] (1 responses)
Posted Apr 25, 2015 2:50 UTC (Sat) by misc (guest, #73730) [Link] (1 responses)
(and if possible one who will be a bit more complete than sales peoples blaming the leaks to cover some failed deals ?)
AFAIK, Amazon and Google are still strong, others US tech companies are still used, and the rush to outsource services to external providers is still strong.
Encryption, the NSA, and the front door
Posted Apr 30, 2015 0:20 UTC (Thu)
by gdt (subscriber, #6284)
[Link]
Posted Apr 30, 2015 0:20 UTC (Thu) by gdt (subscriber, #6284) [Link]
Encryption, the NSA, and the front door
Posted Apr 28, 2015 12:57 UTC (Tue)
by robbe (guest, #16131)
[Link]
Posted Apr 28, 2015 12:57 UTC (Tue) by robbe (guest, #16131) [Link]
Of course, unless the system is heavily abused, it will also be pretty useless for its stated purpose: careful people (including sensible criminals) will just double-encrypt.
Encryption, the NSA, and the front door
Posted Apr 29, 2015 11:43 UTC (Wed)
by ortalo (guest, #4654)
[Link]
Posted Apr 29, 2015 11:43 UTC (Wed) by ortalo (guest, #4654) [Link]
If find that a pretty unfortunate approximation given the orator position. Maybe one of this counsellor should remember him that misguiding his own country may be the actual reason why his predecessor had to leave.