Ride the Lightning

Government Again Calls for “Responsible” (Meaning Breakable) Encryption

October 17, 2017

Naked Security reported on October 12^th that Attorney General Rod Rosenstein had given a couple of speeches in recent weeks focusing on encryption – one at a cybersecurity conference in Boston and another at the Naval Academy – that proclaimed that strong encryption jeopardizes the lives and safety of Americans because it prevents law enforcement from gathering evidence, even when they have a warrant.

Sounds a lot like former FBI Director James Comey, doesn't it?

The FBI took Apple to court last year over its inability to access an iPhone belonging to one of the San Bernardino terrorists. That conflict never got settled – it was dropped after the agency hired a vendor that was able to break the access code.

Rosenstein declared he had no intention to "undermine" encryption, he said that when it is designed with no means of lawful access, it allows terrorists, drug dealers, child molesters, fraudsters, and other criminals to hide incriminating evidence. Mass-market products and services incorporating warrant-proof encryption are standard.

Rosenstein went further than Comey, describing how he thinks, "responsible encryption is achievable." Responsible encryption, he said, "can involve effective, secure encryption that allows access only with judicial authorization. Such encryption already exists. Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop. No one calls any of those functions a "back door." In fact, those capabilities are marketed and sought out by many users."

This is not the first time that the US government has looked at the central management of encryption keys. In the early nineties it introduced the Clipper chip – an encryption and decryption chip for consumer devices that came with a backdoor for law enforcement. It was found to have a number of vulnerabilities, was never widely adopted and was made obsolete by strong encryption not controlled by the government, such as Phil Zimmermann's PGP.

Clipper didn't impress cryptographer Bruce Schneier (now CTO at IBM Resilient), who described the idea of a global key escrow system as "far beyond the experience and current competency of the field." Schneier (who is one of my heroes) isn't impressed this time around either. He said it is absurd to think that Rosenstein's vision of encryption is possible: "…for encryption to work well unless there is a certain piece of paper (a warrant) sitting nearby, in which case it should not work. Mathematically, of course, this is ridiculous. The math either works or it doesn't. You don't get an option where the FBI can break encryption but organized crime can't. It's not available technologically."

Given the government's track record on securing (not) everything from employee data (the Office of Personnel Management breach) and malicious exploits developed by US spy agencies, if it had the technology or the keys to defeat encryption, the threat of it being compromised would be very great.

Even if the government could make the use of unbreakable encryption illegal it would still have to face the fact that criminals don't obey the law. Law abiding citizens would be forced to use weak encryption while criminals would choose the strongest encryption available.

Responsible encryption? As Sherman Potter would say, "horse hockey!"

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson