What Could Possibly Go Wrong With Backdoors?

graffiti-406824_640

What could possibly go wrong with back doors? Pretty much everything imaginable.

You must have seen about the debate between the FBI and Apple over providing a backdoor for the Apple iPhone 5C model.

I strongly agree with Michael Hayden, former head of both the Central Intelligence Agency and the National Security Agency. In an interview with Charlie Rose, Hayden said:

My position is that with the FBI and others demanding that Apple universally enable backdoors in their devices to break otherwise unbreakable encryption, I actually side with Apple. On the grounds of security and safety, I think that’s the best choice. American security and safety, in this current cyber era, is better served with end-to-end unbreakable encryption.

toys-773813_640

The Crypto Wars

Many have described the current argument as an attempted return to the failed “Crypto Wars” of the 1990s. That was when the U.S. Government wanted everyone to use the Clipper Chip, which would provide backdoor access to all encrypted communication and storage.

The Clipper Chip failed, but we did get the nonsense of “export grade” cryptography. It was a system by which, if the U.S. didn’t tell foreigners how to do math, they would never figure it out themselves. Right… Then in 1998, two Belgian cryptographers, Joan Daemen and Vincent Rijmen, submitted their Rijndael cipher to U.S. NIST and it came to be accepted as the U.S. Advanced Encryption Standard (or AES). Oops. Daemen went on to be on the team that developed the Keccack cryptographic suite, part of which was formally accepted as the Secure Hash Algorithm 3 (or SHA-3) in August 2015.

Dangerous Legacy

The 1990s “Crypto Wars” didn’t accomplish anything positive, but we are still at risk from their legacy. The U.S. Government requirement for intentionally weakened “export grade” cryptography meant that protocols like SSL and IPsec had to include support for them. You won’t be very successful with non-compliant implementations, so every SSL implementation included them.

Now with the recent DROWN vulnerability of SSL/TLS we have been hit by the third SSL/TLS vulnerability of the past year caused by 1990s back doors that still haven’t been sealed off! The other two within the past year were the colorfully named FREAK and Logjam attacks.

The FREAK attack, for “Factoring RSA Export Keys,” targets deliberately weak RSA keys.

The Logjam attack targets deliberately weakened Diffie-Hellman key negotiation.

So yes, back doors today can cause trouble for the next fifteen to twenty years. Not just by becoming entrenched in a family of protocols, they can go bad in so many other ways:

  • Politically motivated abuse by (inappropriately) trusted insiders
  • Criminal blackmail and extortion
  • Exposure of the secrets of the government that wanted the backdoors
    in the first place
  • Exposure of the secrets of the government’s surveillance targets
  • Driving users to alternative, possibly less secure, backdoors

Trying to Move Forward

Current best practices include, Perfect Forward Secrecy and authenticated encryption. We explain these in Learning Tree’s System and Network Security Introduction course. Backdoors interfere with both of these crucial security mechanisms, forcing significant steps backward and re-enabling a variety of cyber crimes.

Check out the the paper Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications by an all-star team of authors, many of them leaders in various areas of information security.

And come back next week for a list of some of the embarrassing failures of government-imposed backdoors!

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.