Sunday, April 01, 2018

Why the crypto-backdoor side is morally corrupt

Crypto-backdoors for law enforcement is a reasonable position, but the side that argues for it adds things that are either outright lies or morally corrupt. Every year, the amount of digital evidence law enforcement has to solve crimes increases, yet they outrageously lie, claiming they are "going dark", losing access to evidence. A weirder claim is that those who oppose crypto-backdoors are nonetheless ethically required to make them work. This is morally corrupt.

That's the point of this Lawfare post, which claims:
What I am saying is that those arguing that we should reject third-party access out of hand haven’t carried their research burden. ... There are two reasons why I think there hasn’t been enough research to establish the no-third-party access position. First, research in this area is “taboo” among security researchers. ... the second reason why I believe more research needs to be done: the fact that prominent non-government experts are publicly willing to try to build secure third-party-access solutions should make the information-security community question the consensus view. 
This is nonsense. It's like claiming we haven't cured the common cold because researchers haven't spent enough effort at it. When researchers claim they've tried 10,000 ways to make something work, it's like insisting they haven't done enough because they haven't tried 10,001 times.

Certainly, half the community doesn't want to make such things work. Any solution for the "legitimate" law enforcement of the United States means a solution for illegitimate states like China and Russia which would use the feature to oppress their own people. Even if I believe it's a net benefit to the United States, I would never attempt such research because of China and Russia.

But computer scientists notoriously ignore ethics in pursuit of developing technology. That describes the other half of the crypto community who would gladly work on the problem. The reason they haven't come up with solutions is because the problem is hard, really hard.

The second reason the above argument is wrong: it says we should believe a solution is possible because some outsiders are willing to try. But as Yoda says, do or do not, there is no try. Our opinions on the difficulty of the problem don't change simply because people are trying. Our opinions change when people are succeeding. People are always trying the impossible, that's not evidence it's possible.

The paper cherry-picks things, like Intel CPU features, to make it seem like they are making forward progress. No. Intel's SGX extensions are there for other reasons. Sure, it's a new development, and new developments may change our opinion on the feasibility of law enforcement backdoors. But nowhere in talking about this new development have they actually proposed a solution to the backdoor problem. New developments happen all the time, and the pro-backdoor side is going to seize upon each and every one to claim that this, finally, solves the backdoor problem, without showing exactly how it solves the problem.

The Lawfare post does make one good argument, that there is no such thing as "absolute security", and thus the argument is stupid that "crypto-backdoors would be less than absolute security". Too often in the cybersecurity community we reject solutions that don't provide "absolute security" while failing to acknowledge that "absolute security" is impossible.

But that's not really what's going on here. Cryptographers aren't certain we've achieved even "adequate security" with current crypto regimes like SSL/TLS/HTTPS. Every few years we find horrible flaws in the old versions and have to develop new versions. If you steal somebody's iPhone today, it's so secure you can't decrypt anything on it. But then if you hold it for 5 years, somebody will eventually figure out a hole and then you'll be able to decrypt it -- a hole that won't affect Apple's newer phones.

The reason we think we can't get crypto-backdoors correct is simply because we can't get crypto completely correct. It's implausible that we can get the backdoors working securely when we still have so much trouble getting encryption working correctly in the first place.

Thus, we aren't talking about "insignificantly less security", we are talking about going from "barely adequate security" to "inadequate security". Negotiating keys between you and a website is hard enough without simultaneously having to juggle keys with law enforcement organizations.

And finally, even if cryptographers do everything correctly, law enforcement themselves haven't proven themselves reliable. The NSA exposed its exploits (like the infamous ETERNALBLUE), and OPM lost all its security clearance records. If they can't keep those secrets, it's unreasonable to believe they can hold onto backdoor secrets. One of the problems cryptographers are expected to solve is partly this, to make it work in such a way that makes it unlikely law enforcement will lose its secrets.


This argument by the pro-backdoor side, that we in the crypto-community should do more to solve backdoors, is simply wrong. We've spent a lot of effort at this already. Many continue to work on this problem -- the reason you haven't heard much from them is because they haven't had much success. It's like blaming doctors for not doing more to work on interrogation drugs (truth serums). Sure, a lot of doctors won't work on this because it's distasteful, but at the same time, there are many drug companies who would love to profit by them. The reason they don't exist is not because they aren't spending enough money researching them, it's because there is no plausible solution in sight.

Crypto-backdoors designed for law-enforcement will significantly harm your security. This may change in the future, but that's the state of crypto today. You should trust the crypto experts on this, not lawyers.

1 comment:

Paul Gerhardt said...

The core argument as I understand it is "efforts to provide law enforcement with crypto-backdoors will harm your security."

That's simply not true and past experience has taught us on two different occasions that efforts to provide law enforcement with some secret key/mechanism can counter-intuitively improve security.

The clipper chip is cited to the point of cliché but a direct consequence of its failure was loosening of export regulations which meant everyone could implement secure cryptography protocols, not just those inside of the US. A clear case where an effort to provide law enforcement with a backdoor resulted in an improvement.

Less well known is the origin story behind the Diffie-Hellman-Merkle key exchange. Back in 1973 virtually all cryptography was symmetric. Public-Private key systems just weren't a thing yet. Keys needed to be manually exchanged through tedious methods. Hellman sought to create a scheme that let you programmatically create crypto-backdoors in symmetric ciphers. A meta cipher that ensured you could create a secret key (x2) to decipher exchanges encrypted with a secret primary key (x1). A scheme where ciphers set up to use (x1) to encrypt and decrypt messages could secretly be decrypted by law-enforcement using (x2). It wasn't until they built this thing and had it up and running that they realized they could flip this model on its head and recognized a neat side-effect if you didn't keep (x2) secret at all. Instead by publicly exchanging (x2) in the clear one could use it to provide a means for secure private key generation without sending the key over the wire. Again an effort to produce a crypto-backdoor system that resulted in an improvement in security.

They calculated the cost of breaking an existing 50-bit DES key at somewhere between $10,000-$100,000 in 1970's compute power - but with their new scheme they could rotate keys on a regular enough basis to make this attack mitigable and a crucial step along with the development of RSA around the same time.

I don't disagree that the parties advocating for backdoors in earnest aren't morally bankrupt, nor that all efforts here won't have negative consequences, just that two important improvements exist as a contradiction to the central premise of this argument that research or political movements here bear no fruit.