‘Building Side Doors Is Not Going to Help’

SAN FRANCISCO--The men who invented public key cryptography and the cryptosystems that secure the data and devices everyone uses on a daily basis have a simple message for those who want to implement crypto backdoors: don’t.

“I said in about 2000 that this isn’t going to go away and I haven’t changed sides since then. I think the people who put themselves forward as being concerned only with national security have a very narrow world view,” Whitfield Diffie, one of the inventors of public key cryptography, said during the cryptographers’ panel at the RSA Conference here Tuesday.

“We need to do everything we can to secure our systems. If you build a backdoor into them, it makes that task more complex.”

The discussion about building backdoors into cryptosystems is nearly as old as public key cryptography itself, and it has always centered on the desire for law enforcement and intelligence agencies to access encrypted communications and data for investigative and national security purposes. The number of attempts to accomplish this through legislation is too high to count, and while none of them has actually made it through Congress, that hasn’t stopped lawmakers from continuing to try. Most recently, Sen. Lindsey Graham (R-S.C.) introduced a bill called the EARN It Act that would have serious effects on the ability of Internet platform providers to offer end-to-end encrypted services. The bill has been roundly criticized by security experts and Internet law scholars.

“Crypto is really the elephant in the room for the Graham Blumenthal bill, it's a signal for Facebook and Signal to provide this method or be prepared to pay through the nose,” Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, said during a talk at the Enigma conference recently.

Law enforcement agencies in the United States also have been pushing technology companies to redesign their systems and products in a way that would enable access to encrypted communications and data at rest on devices. Some of the larger companies, including Apple and Microsoft, have been quite vocal in their opposition to this idea, and have fought some of these efforts in court.

The rationale that law enforcement agencies use for requiring this kind of access often is terrorism investigations, and while that concern is real and tangible, Diffie said the existence of backdoors in devices or cryptosystems would actually make things more difficult.

“The critical thing to think about, and I think this is very real and thankfully hasn’t happened yet, is the possibility of a cyber Pearl Harbor. We’ve gotten better at securing some systems, but anything the size of an operating system or apps, we’re very poor at it. I don’t believe building side doors into them is going to help,” Diffie said.

While a legislative effort to mandate encryption backdoors so far hasn’t worked, technical solutions have sometimes gotten farther down the road, with the Clipper Chip being the most famous example. Building encryption systems that work is a notoriously difficult task, and building one that works and includes a backdoor is infinitely more difficult, if not impossible.

“Maybe progress in some sense isn’t needed. There is no technical solution that will keep us all safe and at the moment we don’t have any technical solutions that will keep everybody in this debate happy,” said Ron Rivest, one of the designers of the RSA algorithm and an institute professor at MIT.

“The technology, the adversaries, and the math all keep changing.”