Security Experts Oppose Government Access to Encrypted Communication | Coders warn against giving FBI access to encrypted data - Wednesday July 8th, 2015 at 1:20 PM

Coders warn against giving FBI access to encrypted data

The world’s best cryptologists are warning the U.S. government that its desire to have privileged access to encrypted data is potentially damaging to worldwide privacy and security.
Such access would “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy,” argues a report released Tuesday.
The team of coding specialists is timing their new report to fall a day before FBI Director James Comey makes his most high-profile case that locking government investigators out of encrypted communications will allow criminals to operate with impunity.
Comey will deliver his message Wednesday before both the Senate Judiciary and Intelligence Committees. The FBI head has been pressing for Congress to give investigators a legal framework that would give the government “exceptional access,” with a warrant, to encrypted data. Many have pushed back, arguing any such guarantee ruins encryption, creating a vulnerability for nefarious actors to exploit.
Tuesday’s report is the first time many of these elite coders have convened since 1997, when they came together to urge the government not to require companies to install the Clipper chip.
The small hardware chip would have created a permanent access point for the government to unveil any masked communications. But the government backed down at the behest of coders, who argued such a practice was difficult to implement and would make products unsecure.
While the Clipper chip would have been bad, “the damage that could be caused by law enforcement exceptional access requirements would be even greater today,” the report says.
“In the wake of the growing economic and social cost of the fundamental insecurity of today's Internet environment, any proposals that alter the security dynamics online should be approached with caution,” it adds.
Any type of guaranteed access is technologically unfeasible, the cryptographers argue.
Proponents have argued that the government could have exclusive access to a private key that would allow only them to unlock encrypted data.
That contradicts a basic encryption practice, in which keys are deleted immediately after use, the cryptologists said.
“It would be the equivalent of taking already-read, highly sensitive messages, and, rather than putting them through a shredder, leaving them in the file cabinet of an unlocked office,” said Daniel Weitzner, head of the MIT Cybersecurity and Internet Policy Research Initiative, who coordinated the report. “Keeping keys around makes them more susceptible to compromise.”
Guaranteed access would also inherently make systems more complex, creating a high likelihood of introducing accidental security flaws, the report maintains.
“Given that the new mechanisms may have to be used in secret by law enforcement, it would also be difficult, and perhaps illegal, for programmers to even test how these features operate,” said Weitzner, a former deputy chief technology officer at the White House, in a release.
The researchers insist that an exclusive access point would give devices such as smartphones a “single point of failure.” If nefarious actors discovered this one point, they would get access to everything on the device.
Lawmakers on both sides of the aisle have been sympathetic to these arguments in previous hearings on encryption. FBI officials' testimony, in particular, has not been well received.
Wednesday will give Comey his best chance yet to sway opinions on Capitol Hill. Technologists everywhere are hoping lawmakers won’t be convinced.
“At a time when we are struggling to make the Internet more secure, these proposals would take a step backward by building weakness into our infrastructure,” Weitzner said.
“It’s like leaving your house keys under the doormat: Sure, it may be convenient, but it creates the opportunity for anyone to walk in the door.”
· · ·

Security Experts Oppose Government Access to Encrypted Communication

SAN FRANCISCO — An elite group of security technologists has concluded that the American and British governments cannot demand special access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.
A new paper from the group, made up of 14 of the world’s pre-eminent cryptographers and computer scientists, is a formidable salvo in a skirmish between intelligence and law enforcement leaders, and technologists and privacy advocates. After Edward J. Snowden’s revelations — with security breaches and awareness of nation-state surveillance at a record high and data moving online at breakneck speeds — encryption has emerged as a major issue in the debate over privacy rights.
That has put Silicon Valley at the center of a tug of war. Technology companies including Apple, Microsoft and Google have been moving to encrypt more of their corporate and customer data after learning that the National Security Agency and its counterparts were siphoning off digital communications and hacking into corporate data centers.
Yet law enforcement and intelligence agency leaders argue that such efforts thwart their ability to monitor kidnappers, terrorists and other adversaries. In Britain, Prime Minister David Cameron threatened to ban encrypted messages altogether. In the United States, Michael S. Rogers, the director of the N.S.A., proposed that technology companies be required to create a digital key to unlock encrypted data, but to divide the key into pieces and secure it so that no one person or government agency could use it alone.
The encryption debate has left both sides bitterly divided and in fighting mode. The group of cryptographers deliberately issued its report a day before James B. Comey Jr., the director of the Federal Bureau of Investigation, and Sally Quillian Yates, the deputy attorney general at the Justice Department, are scheduled to testify before the Senate Judiciary Committee on the concerns that they and other government agencies have that encryption technologies will prevent them from effectively doing their jobs.
The new paper is the first in-depth technical analysis of government proposals by leading cryptographers and security thinkers, including Whitfield Diffie, a pioneer of public key cryptography, and Ronald L. Rivest, the “R” in the widely used RSA public cryptography algorithm. In the report, the group said any effort to give the government “exceptional access” to encrypted communications was technically unfeasible and would leave confidential data and critical infrastructure like banks and the power grid at risk.
Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm — most recently at the United States Office of Personnel Management, the State Department and the White House — the security specialists said authorities could not be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, China and other governments in foreign markets would be spurred to do the same.
“Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,” the report said. “The costs would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the developed countries’ soft power and to our moral authority would also be considerable.”
A spokesman for the F.B.I. declined to comment ahead of Mr. Comey’s appearance before the Senate Judiciary Committee hearings on Wednesday. Mr. Comey recently told CNN, “Our job is to find needles in a nationwide haystack, needles that are increasingly invisible to us because of end-to-end encryption.”
A Justice Department official, who spoke on the condition of anonymity before the hearing, said that the agency supported strong encryption, but that certain uses of the technology — notably end-to-end encryption that forces law enforcement to go directly to the target rather than to technology companies for passwords and communications — interfered with the government’s wiretap authority and created public safety risks.
Paul Kocher, the president of the Rambus Cryptography Research Division, who did not write the paper, said it shifted the debate over encryption from how much power intelligence agencies should have to the technological underpinnings of gaining special access to encrypted communications.
The paper “details multiple technological reasons why mandatory government back doors are technically unworkable, and how encryption regulations would be disastrous for computer security,” Mr. Kocher said. “This report ought to put to rest any technical questions about ‘Would this work?’ ”
The group behind the report has previously fought proposals for encryption access. In 1997, it analyzed the technical risks and shortcomings of a proposal in the Clinton administration called the Clipper chip. Clipper would have poked a hole in cryptographic systems by requiring technology manufacturers to include a small hardware chip in their products that would have ensured that the government would always be able to unlock scrambled communications.
The government abandoned the effort after an analysis by the group showed it would have been technically unworkable. The final blow was the discovery by Matt Blaze, then a 32-year-old computer scientist at AT&T Bell Laboratories and one of the authors of the new paper, of a flaw in the system that would have allowed anyone with technical expertise to gain access to the key to Clipper-encrypted communications.
Now the group has convened again for the first time since 1997. “The decisions for policy makers are going to shape the future of the global Internet and we want to make sure they get the technology analysis right,” said Daniel J. Weitzner, head of the MIT Cybersecurity and Internet Policy Research Initiative and a former deputy chief technology officer at the White House, who coordinated the latest report.
In the paper, the authors emphasized that the stakes involved in encryption are much higher now than in their 1997 analysis. In the 1990s, the Internet era was just beginning — the 1997 report is littered with references to “electronic mail” and “facsimile communications,” which are now quaint communications methods. Today, the government’s plans could affect the technology used to lock data from financial and medical institutions, and poke a hole in mobile devices and countless other critical systems that are moving rapidly online, including pipelines, nuclear facilities and the power grid.
“The problems now are much worse than they were in 1997,” said Peter G. Neumann, a co-author of both the 1997 report and the new paper, who is a computer security pioneer at SRI International, the Silicon Valley research laboratory. “There are more vulnerabilities than ever, more ways to exploit them than ever, and now the government wants to dumb everything down further.”
Other authors of the new paper include Steven M. Bellovin, a computer science professor at Columbia University; Harold Abelson, a computer science professor at MIT; Josh Benaloh, a leading cryptographer at Microsoft; Susan Landau, a professor of cybersecurity at Worcester Polytechnic Institute and formerly a senior privacy analyst at Google; and Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School and a widely read security author.
“The government’s proposals for exceptional access are wrong in principle and unworkable in practice,” said Ross Anderson, a professor of security engineering at the University of Cambridge and the paper’s sole author in Britain. “That is the message we are going to be hammering home again and again over the next few months as we oppose these proposals in your country and in ours.”