|
|
Subscribe / Log in / New account

Encryption, the NSA, and the front door

By Nathan Willis
April 22, 2015

There are few topics these days that can spark debate in software-development circles as quickly as the US National Security Agency (NSA). Recently, the NSA's director went on the record in public to advocate mandating government access to encrypted software systems. Such mandatory access is an idea that has been floated before, and although this time around the specifics are different, the tech industry has been just as receptive to the potential interference as one would expect. The plan outlined would make it virtually impossible to deploy certain free-software systems without running afoul of regulations and, while it does not seem particularly likely to be written into law any time soon, is has provoked quite a bit of discussion.

NSA Director Michael Rogers made the comments in question during a speech at Princeton University. The Washington Post published a write-up of the talk on April 10. The story quotes Rogers as saying "I don’t want a back door [...] I want a front door. And I want the front door to have multiple locks. Big locks." The distinction Rogers made was that "back doors" are hidden entry points; what he promoted are encryption systems with strong crypto—but where law enforcement has a way to access the keys.

The comments come while the White House is studying encryption policy, the Post story explains. In a February interview with Re/code, President Obama said "there’s no scenario in which we don’t want really strong encryption", but went on to say that law enforcement has a national-security interest in accessing encrypted communication. The difficulty, he said, is that encryption that is too strong makes it impossible for a software company to comply with a court order requesting specific documents.

All of this, of course, is familiar territory. A service provider (such as an email-hosting service) might be asked to turn over the emails and access logs associated with a particular user account. If all of the encryption keys needed to decrypt the account information are held by the user, the service provider cannot turn over any readable documents. What is different, however, is Rogers's suggestion.

For reference, in the mid-1990s the Clinton administration proposed a mandatory "key escrow" system, in which service providers would be required to create decryption keys independent of any keys held by the user or the service provider. Those keys would be turned over to a "trusted party" that would, in turn, release the appropriate key to the US government when required during criminal investigations. The proposal was an extension of the Clipper chip project, which was a hardware-based encryption system for digital phones. Each chip had a backdoor encryption key burned in during the manufacturing process; the backdoor key was held by the government. The Clipper chip failed in the marketplace, however, and was quickly abandoned.

The Wikipedia entry on key escrow links to a copy [PDF] of the 1996 CIA memo advocating a post-Clipper-chip escrow program. It makes for interesting historical reading, but the program was never implemented. The objections to it (apart from the risk driving software development away from the US) were straightforward: fear of abuse by government agencies or individuals, fear of abuse by the "trusted parties," and the general principle that individuals deserve to keep some of their communication private.

What Rogers proposed this time is a "split key" system. As with key escrow, an encryption key independent of the user's would be generated for each account—but in this system each of those keys would then be split into parts. The government would hold one half, and the service provider the other. Both pieces would have to be brought together to access a user account. That way, no single rogue actor could access a user's private data—regardless of whether the actor was from law enforcement or from the service provider.

The Post story cites critics of the proposal from Yahoo and from George Washington University’s Cyberspace Security Policy and Research Institute. There would be technological and logistical challenges to a mandatory form of such a system—imagine how many split keys would need to be generated and delivered to law enforcement on a daily basis for services as popular as Gmail and Facebook, for instance.

There is also the problem of keeping the split keys separate. Even if they are held by separate entities in the long term, they must be generated together and then distributed. That provides an opportunity for an attacker to copy both keys well before they reach the proper hands (including, of course, the service keeping its own copy of the government key from day one). Similarly, any time both key halves are used together, there would be another opportunity to steal or duplicate them.

In addition, critics of US government security policy may understandably have questions about how the government would exercise its right to meet with the service provider and access a suspicious account. Would such meetings be subject to gag orders or secret National Security Letters? Would the government be able to compel the service to turn over its half of the key, if it decided the stakes were particularly high?

Furthermore, under such a plan it might become illegal in the US to run non-compliant Internet services (possibly even for private use), which would put untold numbers of free-software projects in a bind. They would have to choose between implementing the mandatory split-key escrow service and losing US users. Free-software projects not based in the US would hardly be expected to merge in support for a US-government access program. No doubt some users in the US would continue to run their own services as they see fit, but they would do so at significant legal risk.

The Post story notes that, so far, there is no legislation proposed to implement what Rogers is asking for. It would seem to be a hard sell in the current climate; after the Edward Snowden leaks, cooperating with the NSA is a decidedly unpopular proposition in tech circles, and consumer interest in privacy issues is relatively high.

Nevertheless, privacy advocates are not taking anything for granted. The Electronic Frontier Foundation (EFF) criticized Rogers's comments, casting them in the same light as the Clipper chip and related proposals:

Key escrow was a bad idea in 1993. It was a bad idea when the National Security Agency began attempting to covertly insert backdoors into cryptographic standards from 2000 on. It was a bad idea when the Obama administration indicated a desire to legislate key escrow in 2010. And it's a bad idea now [...]

On the plus side, the EFF article is a welcome reminder that past attempts to mandate back (or front) doors in encryption products have failed. Historians will note that the Clipper chip fiasco contributed considerably to the growth of PGP and other software encryption projects, even though at that time encryption was considered "munitions" and was subject to export controls.

Whatever comes of the NSA's interest in split-key escrow technology, it will no doubt provoke considerable work from privacy-conscious software developers—perhaps leading to projects that will have just as much impact in the long term as PGP.

Index entries for this article
SecurityEncryption/Key escrow
SecurityPrivacy


to post comments

Encryption, the NSA, and the front door

Posted Apr 23, 2015 7:40 UTC (Thu) by alonz (subscriber, #815) [Link]

Another obvious problem with these proposals is that criminals are all too likely to find a way to “escrow” incorrect keys. So the entire system will only be useful for spying on law-abiding citizens.

Basically, these proposals hinge on the basic premise that the public (and, in particular, the adversaries) are somehow technologically inferior to the government, which is far from the truth.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 9:34 UTC (Thu) by grmd (guest, #4391) [Link] (4 responses)

There seems to a certain amount of parochial thinking ... does the NSA expect to have front doors into encrypted systems developed in every country in the world? ... will people in the USA be restricted to only using encrypted systems developed in the USA?

Encryption, the NSA, and the front door

Posted Apr 23, 2015 12:29 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (3 responses)

Same problem on the other side of the pond where British politicians want the same thing.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 15:07 UTC (Thu) by nix (subscriber, #2304) [Link] (2 responses)

Actually as far as I can tell the crowd of tech-phobic UK career politicians (and the tech-ultraphobic Civil Service people that they are mouthpieces for) want *no encryption at all*, and are so out of touch that they don't yet grasp that the time for that passed a generation ago.

Encryption, the NSA, and the front door

Posted Apr 26, 2015 8:26 UTC (Sun) by paulj (subscriber, #341) [Link] (1 responses)

While the politicians who get on TV and act as the PR mouthpieces might not be terribly well-informed, I think it is wrong to assume that therefore the civil servants behind the scenes who are pushing for this are not well-informed either.

I think we should assume the reverse, that these policies are being pushed by people who *are* well-informed. That they're pushing for this tells us they have trouble with encryption in main-stream products a non-trivial amount of the time, and that they believe that with sustained pressure on politicians they can get backdoor laws.

Encryption, the NSA, and the front door

Posted Apr 26, 2015 21:06 UTC (Sun) by rgb (subscriber, #57129) [Link]

Or they are pushing for this to make us think what you thought.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 13:33 UTC (Thu) by felixfix (subscriber, #242) [Link] (3 responses)

I remember mainly how much ridicule the Clipper Chip got; I still have the "1984 -- We're behind schedule" t-shirts. The wikipedia entry doesn't say how many chipsets were actually sold, but I was surprised by the comment here that "The Clipper chip failed in the marketplace"; were *any* sold, did it ever get past the prototype stage?

Encryption, the NSA, and the front door

Posted Apr 23, 2015 14:32 UTC (Thu) by n8willis (subscriber, #43041) [Link] (2 responses)

The Crypto Museum indicates that AT&T produced a Clipper-chip device: http://www.cryptomuseum.com/crypto/usa/clipper.htm

I have vague recollections of that happening; perhaps the government bent over backward to persuade AT&T to take the project on -- we may never know. The Crypto Museum does not indicate how many were sold, however.

Nate

Encryption, the NSA, and the front door

Posted Apr 29, 2015 11:51 UTC (Wed) by ortalo (guest, #4654) [Link] (1 responses)

I did not know there was that t-shirt!
In fact 20 years after, the existence of this cloth is probably the first really useful positive thing I learn about the clipper chip. (At that time, my advisor even recommended me *not* to look at it as a learning casze as it was starting to be considered bad crypto.)
Do you have a picture? (Of the t-shirt of course.)

Encryption, the NSA, and the front door

Posted Apr 29, 2015 13:01 UTC (Wed) by felixfix (subscriber, #242) [Link]

Here is the logo, on the front I think; the back is similar to this, but a little different. I found these links on an EFF page which also says the t-shirts are available again, but points to a dead link.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 16:54 UTC (Thu) by micka (subscriber, #38720) [Link]

Escrow would be pronounced the same way as the french word "escroc", which mean "crook". How would you find a trusted one?

Encryption, the NSA, and the front door

Posted Apr 23, 2015 21:10 UTC (Thu) by ddevault (subscriber, #99589) [Link]

This is clearly designed to spy on the public. Strong encryption exists and criminals are sure to use it instead of the backdoored version. I won't personally change my habits or reduce the security of any software I write if this law makes it through - even if that makes me a criminal.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 21:46 UTC (Thu) by fandingo (guest, #67019) [Link] (12 responses)

I find the most troubling aspect the change in feasibility of an attack when half the key is known. I'm not aware of much cryptanalysis that focuses on the effect of partial key disclosure, but I imagine the results are catastrophic.

For medium to high profile targets, the government merely possessing half the key, along with their enormous purported decryption, is likely sufficient to decrypt without incurring an impactful amount of resources.

There's no reason why the government needs half the key upfront, unless they want to mount clandestine decryption attacks. Otherwise, requiring providers to maintain a key and establishing seizure procedures of those keys would be sufficient, although still both unnecessary and unbearable in my opinion. They want half of that key for a reason.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 22:05 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

Not really. "Half a key" is a simplification, in reality a secure algorithm for secret sharing would be used: http://en.wikipedia.org/wiki/Secret_sharing

In the simplest case, the user's key can be generated as HASH(a+b) where "a" is Google's seed key and "b" is seed NSA's key. Either seed is worthless by itself.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 23:18 UTC (Thu) by reubenhwk (guest, #75803) [Link] (2 responses)

Somehow I doubt the government would be happy with that solution. No, they're going to want 64-bits of your 128-bit key. Otherwise what good would it do the government?

Encryption, the NSA, and the front door

Posted Apr 23, 2015 23:40 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

So use 256-bit keys (AES-256). Brute-forcing the other part of the key is infeasible.

Besides, modern ciphers are secure against partial key compromise.

Encryption, the NSA, and the front door

Posted Apr 24, 2015 0:14 UTC (Fri) by fandingo (guest, #67019) [Link]

> Besides, modern ciphers are secure against partial key compromise.

I only had a few minutes to investigate earlier, but I couldn't find anything that analyzed this situation. I would be extremely hesitant to make any statements about the overall security of a key if part were disclosed and some ciphertext had been intercepted.

You're also ignoring the practical implications of using the longest AES key possible. The service provider has to have a good entropy source that doesn't deplete. AES 256 also puts more computational strain when in use. That doesn't matter on your desktop, but it certainly matters on your phone.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 23:54 UTC (Thu) by fandingo (guest, #67019) [Link] (1 responses)

The devil is very much in the details then, but I still think that the government desires to define things in such a way that it gives them a material advantage. There would be all sorts of nonsense (from the government's perspective) that would occur if HASH(a+b) (or whatever method is chosen) is unspecified.

For example the key combination function is: f(a V b) where b=0 and f is the identity function, meaning that every "half-key" that the NSA receives is identical *and* the "half-key" retained by the provider is the final key. Obviously, the government would never allow that.

As you move further away from the example above the government gains an advantage and guess who will be formulating the rules? The government has no incentive to make "b" useless and lots of incentive to the contrary.

I just don't trust any f() where the NSA knows any of the input and has some say on how the inputs are used to not be have some weakness.

Encryption, the NSA, and the front door

Posted Apr 24, 2015 0:40 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

That's fine. Even if NSA's key is the same as my luggage's password ('123456') then it'll still be useless without Google's key.

I'm not advocating for NSA, just explaining that any realistic key sharing solution would have its vulnerabilities somewhere else.

Encryption, the NSA, and the front door

Posted Apr 24, 2015 20:58 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link] (5 responses)

One reason that users might want to have a key splitting system is that it protects them against abuse by the service provider. Many people talk about this as if the government is the only organization that wants their secrets, but there are plenty of businesses and criminals who could profit from them, too. Protection against unscrupulous businesses, and against rogue employees, is of real value.

Of course, if you don't trust either the government or the service provider, you probably ought to be encrypting your data yourself and not giving anyone the key. But if you're somehow required to give up your key, it's probably better to have it split between two parties.

Encryption, the NSA, and the front door

Posted Apr 24, 2015 21:11 UTC (Fri) by dlang (guest, #313) [Link] (4 responses)

umm, if your service provider can't get at the data without the government being involved, how are they going to provide you with the service?

Encryption, the NSA, and the front door

Posted Apr 26, 2015 12:58 UTC (Sun) by foom (subscriber, #14868) [Link] (2 responses)

Well I think Apple says they don't have encryption keys for some stuff, they're only stored in the phone itself.

I believe that's annoyed the govt in the past.

Encryption, the NSA, and the front door

Posted Apr 27, 2015 1:37 UTC (Mon) by dlang (guest, #313) [Link] (1 responses)

at that point it's not the company that's going to be dealing with the escrow issues, it will be the person who knows the key (i.e. the device owner)

Encryption, the NSA, and the front door

Posted Apr 29, 2015 4:40 UTC (Wed) by foom (subscriber, #14868) [Link]

Why do you say that? The *person* never knows or sees the key either. Apple's OS on Apple's hardware generated it and stored it and could (and maybe would be required to) send the escrowed key parts off-device to some servers in the clouds.

Encryption, the NSA, and the front door

Posted Apr 26, 2015 13:23 UTC (Sun) by rgmoore (✭ supporter ✭, #75) [Link]

If the only service they provide is to transmit or store the data, they don't need to be able to decrypt it. A good example of this approach is Firefox's sync. The copy on Mozilla's servers is encrypted with a key that only the user has, so it still works as a synchronization mechanism even though Mozilla can't read the contents. That has some downsides- they can't recover your data for you if you forget your password- but it does protect your privacy.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 22:12 UTC (Thu) by davidstrauss (guest, #85867) [Link] (1 responses)

> There is also the problem of keeping the split keys separate. Even if they are held by separate entities in the long term, they must be generated together and then distributed. That provides an opportunity for an attacker to copy both keys well before they reach the proper hands (including, of course, the service keeping its own copy of the government key from day one). Similarly, any time both key halves are used together, there would be another opportunity to steal or duplicate them.

The problem described is not really true, at least not more than for any other hybrid encryption scheme. The big error is assuming that distributing the half keys to the proper parties is hard, which it's not with modern (1980s+) approaches.

For any substantial amount of data or when multiple parties need access, the typical approach is to generate a single-use symmetric key for that data and then encrypt that key using an asymmetric algorithm for each party.

In the case of split escrow, one might divide the single-use key in two, encrypting half for the vendor and half for the government. The customer would have the entire key encrypted with their public key for distribution to them.

The system performing the encryption would briefly have access to the single-use symmetric key, but that's also the same system that had access to the plaintext at the same moment, anyway.

The real loss in security is by moving the encryption up to the vendor's systems, not using a split key escrow scheme.

Encryption, the NSA, and the front door

Posted Apr 29, 2015 12:02 UTC (Wed) by ortalo (guest, #4654) [Link]

Yep. Seconded. Unforgiveable error from their side. We all know now from experience that young students or bearded professors software is so much better than vendor-produced expensive crap.
By the way, if the NSA wants my keys, I think *I* could probably agree to use enduser software that sends them a copy. No problem. I would request them to operate as a third party notarizing my communications as a reciprocal service (as well as delivering me annually a "good citizen" certificate for the lulz).
YMMV of course. But the NSA guaranteeing my annual payments to LWN.net [1]: that would be a memorable breakthrough in cryptography!

[1] If they pass Jon&Nathan security audit of course.

Encryption, the NSA, and the front door

Posted Apr 23, 2015 22:18 UTC (Thu) by jmclnx (guest, #72456) [Link] (2 responses)

Such a thing would destroy the US software industry. Just hints of what Snowden took was enough to impact the industry, never mind creating an actual policy. Also, what happens when (not if) the keys in 'escrow' are leaked ?

Encryption, the NSA, and the front door

Posted Apr 25, 2015 2:50 UTC (Sat) by misc (guest, #73730) [Link] (1 responses)

We are soon at 2 years after the leaks. Do we have a report of the impact ?
(and if possible one who will be a bit more complete than sales peoples blaming the leaks to cover some failed deals ?)

AFAIK, Amazon and Google are still strong, others US tech companies are still used, and the rush to outsource services to external providers is still strong.

Encryption, the NSA, and the front door

Posted Apr 30, 2015 0:20 UTC (Thu) by gdt (subscriber, #6284) [Link]

The EU investigation into Apple and Google's taxes has been kicked along by Snowden removing the "do no evil" gloss off US technology companies, They are now seen much the same way as any US multinational.

Encryption, the NSA, and the front door

Posted Apr 28, 2015 12:57 UTC (Tue) by robbe (guest, #16131) [Link]

Taken at face value, this system is still better than plaintext which enables blanket surveilance. While the system will probably be abused a lot (including, but not limited to: forcing providers to decrypt, stealing provider keys, gag orders), plaintext is currently abused all the time and in much higher numbers than can be kept quiet in the above system.

Of course, unless the system is heavily abused, it will also be pretty useless for its stated purpose: careful people (including sensible criminals) will just double-encrypt.

Encryption, the NSA, and the front door

Posted Apr 29, 2015 11:43 UTC (Wed) by ortalo (guest, #4654) [Link]

With respect to the physical door analogy, I guess he does not really want multiple locks, but multiple keys.

If find that a pretty unfortunate approximation given the orator position. Maybe one of this counsellor should remember him that misguiding his own country may be the actual reason why his predecessor had to leave.


Copyright © 2015, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy