Here in the US, and indeed in the press around the world, there are new calls to curtail the use of encryption. I suppose it is natural for politicians to seek boogeymen. Encryption is a good one as it just sounds like something only governments and bad guys would want to use. Never mind that virtually all internet users use encryption for safe communication with secure web sites.
While various forms of encryption have been around for millennia, the value of the intelligence gained from breaking Enigma and PURPLE in World War II made it clear to everyone that a) cryptography was a valuable tool, and b) the ability to break that encryption was a valuable tool. In fact, those lessons led encryption to be regulated by the US International Traffic in Arms Regulations (ITAR) and other laws as “Auxiliary Military Equipment.” That was substantially eased at the end of the 20th century.
Both good guys and bad guys have been using encrypted communication recently. The freely-available tools such as WhatsApp, Signal, Telegram and others make sending encrypted messages very simple. While some may do it as a novelty, and some may do it for genuine business or personal confidentiality, others may be doing it for illegal purposes. The existence of that latter group has led politicians to call for regulating such apps. That’s probably not possible to do in any practical and meaningful sense.
First, the toothpaste is out of the tube. The software is available for PC, MAC, iOS, Android, Linux and other platforms as open source. That means anyone can re-create the apps. If new apps had some kind of back door, people would continue to use the old ones or use the source to “fork” new versions. The encryption used by these apps is often of a quality approved for Top Secret information – it is probably pretty strong stuff!
Another feature of many or all of these popular applications is something called “perfect forward secrecy”. I’ll talk more about that in a future post, but basically it means that if the key for one message is somehow discovered, it can’t be used to decrypt previous or subsequent messages. This, combined with deniability (the lack of a way to prove that a particular party sent a particular message), means that even if a message were somehow “cracked” neither its origin nor content could be authenticated, nor could it be used to help decode other messages.
The idea of restricting access by bad guys to encryption sounds good – if the good guys could read everything the bad guys sent, they’d be easier to catch. That hasn’t proven to be true in the past and it isn’t likely to be true now. And both good guys and bad guys can use other methods including steganography and coded phrases (such as “I will bring the food” meaning “I will bring the money”). Instead of relying on bad guys to use encryption with back doors or escrowed keys, we need to rely on developing other, more reliable techniques of catching them.
What do you think? Let us know your thoughts about encryption apps in the comments below.
To your safe computing,