Ray Ozzie's Encryption Backdoor

Last month, Wired published a long article about Ray Ozzie and his supposed new scheme for adding a backdoor in encrypted devices. It’s a weird article. It paints Ozzie’s proposal as something that “attains the impossible” and “satisfies both law enforcement and privacy purists,” when (1) it’s barely a proposal, and (2) it’s essentially the same key escrow scheme we’ve been hearing about for decades.

Basically, each device has a unique public/private key pair and a secure processor. The public key goes into the processor and the device, and is used to encrypt whatever user key encrypts the data. The private key is stored in a secure database, available to law enforcement on demand. The only other trick is that for law enforcement to use that key, they have to put the device in some sort of irreversible recovery mode, which means it can never be used again. That’s basically it.

I have no idea why anyone is talking as if this were anything new. Several cryptographers have already explained why this key escrow scheme is no better than any other key escrow scheme. The short answer is (1) we won’t be able to secure that database of backdoor keys, (2) we don’t know how to build the secure coprocessor the scheme requires, and (3) it solves none of the policy problems around the whole system. This is the typical mistake non-cryptographers make when they approach this problem: they think that the hard part is the cryptography to create the backdoor. That’s actually the easy part. The hard part is ensuring that it’s only used by the good guys, and there’s nothing in Ozzie’s proposal that addresses any of that.

I worry that this kind of thing is damaging in the long run. There should be some rule that any backdoor or key escrow proposal be a fully specified proposal, not just some cryptography and hand-waving notions about how it will be used in practice. And before it is analyzed and debated, it should have to satisfy some sort of basic security analysis. Otherwise, we’ll be swatting pseudo-proposals like this one, while those on the other side of this debate become increasingly convinced that it’s possible to design one of these things securely.

Already people are using the National Academies report on backdoors for law enforcement as evidence that engineers are developing workable and secure backdoors. Writing in Lawfare, Alan Z. Rozenshtein claims that the report—and a related New York Times story—”undermine the argument that secure third-party access systems are so implausible that it’s not even worth trying to develop them.” Susan Landau effectively corrects this misconception, but the damage is done.

Here’s the thing: it’s not hard to design and build a backdoor. What’s hard is building the systems—both technical and procedural—around them. Here’s Rob Graham:

He’s only solving the part we already know how to solve. He’s deliberately ignoring the stuff we don’t know how to solve. We know how to make backdoors, we just don’t know how to secure them.

A bunch of us cryptographers have already explained why we don’t think this sort of thing will work in the foreseeable future. We write:

Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

Finally, Matthew Green:

The reason so few of us are willing to bet on massive-scale key escrow systems is that we’ve thought about it and we don’t think it will work. We’ve looked at the threat model, the usage model, and the quality of hardware and software that exists today. Our informed opinion is that there’s no detection system for key theft, there’s no renewability system, HSMs are terrifically vulnerable (and the companies largely staffed with ex-intelligence employees), and insiders can be suborned. We’re not going to put the data of a few billion people on the line an environment where we believe with high probability that the system will fail.

EDITED TO ADD (5/14): An analysis of the proposal.

Tags: , , , , , ,

Posted on May 7, 2018 at 9:32 AM58 Comments

Comments

Jonathan May 7, 2018 9:56 AM

I completely agree on the big ideas you have here around the scheme: it’s only solving the easy part of the problem and using a solution that’s been proposed many times in the past but with a couple tiny changes.

One technical detail you get wrong, and I’m pointing out only because I’ve seen the same interpretation multiple other places and it seems to conflict with the actual article, is that you maintain each device will have its own key pair and that that will be available to law enforcement when needed. The article talks instead of each manufacturer having a single key pair and the phone just using the public key to encrypt a pin code (that part is unique to the device) which law enforcement could then take to the manufacturer of that device for decryption.

I don’t think that detail affects any of the conclusions you have in this post, but I got the impression from the article that Ozzie thinks that’s one of the innovations being proposed and I think criticisms of the proposal have been better when they address how that offers a different threat surface compared to the kind of scheme you talk about and how that still does not address, in any way, the big problems around the issue.

Sancho_P May 7, 2018 10:38 AM

Isn’t Ray Ozzie’s proposal a bit different from what @Bruce and Mathew Green were commenting on? It doesn’t change much but should not add confusion to the stew:

Matt Green wrote:
”… on the ability of manufacturers to secure massive amounts of extremely valuable key material”
In my understanding it is only one key, their private key, that they’d have to secure.
Not gigabytes of data.
Right, this single key could never be revoked.

Sancho_P May 7, 2018 10:42 AM

Generally it’s a very US centered NOBUS idea. We are the good ones!
However, some observations, from the other side of our canoe:

Positive:

  • To shift all responsibility to private corporations without legal liability is a cheap solution for the unable government. What could go wrong? [1]
  • It is a solution that would provide (hide) additional nat. security “improvements”.
    E.g. the ability to remotely Clear phones could not only silence inconvenient opponents but lock down whole nations (an advantage in cyberwar), and it will boost business in case of a ‘failure’.

Negative:

Code signing is not foolproof security. We should learn from history!

Questionable:

  • Who is the “vendor”? Who is the corporation?

  • For worldwide use, who would sign the request from US authorities to a Chinese manufacturer? The US president? With a scan from his picture ID?

  • Or the other way round, would e.g. Apple have to accept any Russian, Chinese or rogue state request?

  • Would they have to comply when the owner of the phone is a US citizen or US gov.org?

  • How would the know the real “owner” of the phone?

  • How could Apple make sure the PIN in question belongs to (was used by) the alleged entity?

But:

OK, they’d unlock the phone, just to encounter the other stuff on the phone was encrypted by the user.
Then what?

The point is not if it is theoretically possible to have exceptional access to any device.
On the contrary, the first point is if it would be of benefit to our society.

  • Seriously, what is the additional “content” of the phone they’d expect to find in addition to the metadata+ they got already from the provider?

Think about:

I may have a very bad, a really bad idea / picture / … in my head, but I leave it there, telling no one about it. It is mine. Secret.

¿Would you agree to examine my brain, only to see if true and what it is?

[1]
Nothing, we have secure equipment since decades. Business can! (ask Microsoft)

TimH May 7, 2018 10:53 AM

I suspect that should gov try to ram through a law forcing this, it should be possible to get an injunction against on the basis that our experts say the system is insecure. The standing for challenge would be the various other laws that force financial data processing to be secure. Of course, gov would bring in their experts to argue the other way, which will be interesting.

On the basis that IC is not stupid, I also suspect they don’t care about breaches because all the data that citizens care about being available to all who want it, is breachable now anyway.

Herman May 7, 2018 10:54 AM

It is clearly a nonsense proposal, but I’m sure that won’t stop somebody from making a huge amount of money to build it and fail – same as with any other large government IT contract!

Who? May 7, 2018 10:58 AM

Encryption is or is not secure, there are no other ways to see it. I fear people will see these encryption backdoors as something acceptable in the same way they see microprocessor bugs and backdoors as something unavoidable. People is seriously considering performance as something more important than security? People seriously consider privacy has no value either?

If we start considering hardware bugs introduced by poor and unverifiable overengineering designs targeted to achieve raw performance as acceptable, than privacy and security have no value, or than encryption and/or OS-level backdoors are good because “we have nothing to hide” then we have lost the current cryptowar.

I do not think people are criminals, they deserve privacy.

James May 7, 2018 11:09 AM

This proposal is obviously stupid, just like every similar one before it. Most of them are probably cooked up by bureaucrats like the Australian PM that said “the laws of mathematics come second to the law of the land”. There are so many manufacturers out there, and there is also open source. Who said i need to use the manufacturer’s encryption scheme ? How are they going to deal with this internationally ? I am sure the Chinese or the Russians will agree 🙂 The “encryption” cat has been out of the bag for a long time, and there is nothing anyone could do to put it back. Who wants to use encryption has a lot of options to do so. Of course some bad guys use encryption. They also use guns , cars, trucks, knives, axes or what ever, i don’t see any of those being banned. The legislators should come to senses and realize that in our universe the laws of mathematics and physics do come first. Or they should go to another universe and legislate there 🙂

Z.Lozinski May 7, 2018 1:09 PM

A different view on the proposed solution.

You have just created a massive target, which has a huge payoff for a successful attack. You get to see all the communications of anyone you choose to target. Every bad actor will be going after the key escrow database.

Let’s consider some previous high-value targets, and what happened to them:

  • The German FISH codes in WW2. They carried very high-level signals from German Army HQ. (I’m deliberately using this example, not ENIGMA, as that was an operational/tactical system. FISH carried
  • the DVD CSS master keys
  • the communications from the Soviet Navy strategic base in Vladivostok to HQ
  • the Sony Playstation 3 master keys

  • The US Office of Personnel Management database, with details of the national security clearances of 21.5 million US Government employees and contractors.

All of them were compromised. Some required huge effort, but all were compromised.

Why will any key escrow system be different? It is the surrounding processes that will fail.

Hmm May 7, 2018 2:10 PM

So when keys get leaked/cracked/rainbow’ed, the change is all affected devices are bricked forever instead.

#progress

James May 7, 2018 2:17 PM

@Hmm: not bricked, but most users will be left with their pants down. I don’t believe a system like this will ever take off. Technical users will use other encryption schemes, and non-technical ones that sill want real encryption will pay others for a solution. At some point decentralization will be the way to go.

Hmm May 7, 2018 2:22 PM

*assuming hardcoded keys in Internet o’ crap devices. *bricked for the 90% userland group.

But you’re right, I don’t see this happening either.

Eric Andresen May 7, 2018 2:42 PM

As noted, I don’t think the answer is pure escrow, but maybe a derivation. I could see the FBI generating a per device private/public key pair they send to Apple along with a manifest ID. Apple could wrap the manifest ID and some government public key with their own public key and store that encrypted on the device and note in a database what device is protected with what manifest ID.

The idea would be that on a pin change some firmware could store encrypted copies of the credentials in such a way that the government AND Apple have to cooperate to unlock a device. If the government and Apple both build a system such that one party has to provide something to unlock a device – and such that it is cryptographically strong, then no one party can be hacked or convinced to break into a device – it is simply a cooperative effort because all parties agree.

Agreement is a VERY difficult thing to obtain, so when you do obtain it, it was probably a very good use case.

James May 7, 2018 2:55 PM

@Eric Andresen: an encryption scheme where the protected content is available to anyone else except the intended parties is not good encryption… This system WILL be abused at some point. There are already a lot of bugs to worry about, there is no need to introduce new ones. Many manufacturers use features like secure enclave / TEE to store the keys and to give you a false sense of security like “oh, it’s ok to use a 4 digit pin, the hardware will limit the amount of tries”. Well, it does, until it doesn’t. Let’s say they implement such a system, and they force it via legislation. How can you enforce it ? It is simply not possible to enforce it on every manufacturer out there, and besides that you cannot force everyone to use it. As i said before, one can always get alternative solutions. While i do have respect for the LEOs that do their job right, many should start learning how to do good old police work. Mandating backdoors will only push criminals to alternative solutions while leaving a lot of people exposed.

Gerard van Vooren May 7, 2018 4:05 PM

@ Bruce Schneier,

The problem that I have with this answer it the international problem. That problem is nowhere to be found, but it does exist. And it leaves that question behind as if it doesn’t. I am quite aware that “we are all using the same machines”, but that makes the problem only worse! Now, where is that XDCD again about the law and then about the mob.

PeaceHead (updated) May 7, 2018 4:09 PM

Not entirely related,… and yet sorta…

I can see the logic of the criticisms.
So why are web browsers relying upon certificates and certificate “authorities” in the background?

Isn’t this somewhat of the same problem; no way to secure the databases and escrows?
To me, it seems like a similar issue, especially when most of the browser certificate authorities seem to have expired dates! What’s the point?

Can we go back to the early browser formats where there were no certificates being thrown around like readymade man-in-the-middle-attack templates?

Does anybody get me on this?

Meanwhile, current geopolitics are making me rather nervous.
Haspel seems like a real bad choice. And the timing is odd.

–> May Peacefulness Prevail Within All Realms of Existence.

echo May 7, 2018 4:12 PM

I alluded to this in a comment a few days ago and he was one of the kinds of people I was thinking of when I wrote it. Ray Ozzie is one of those dangerous rogue elements which can exist within a bureaucracy. In his mind it’s 1970s all over again. Things are not as bad as they used to be but this kind of battle is identical to the anti-discrimination battle.

The other part of Microsofts research which Raz is ripping off and isn’t talking about is bit level permissions of the network and data systems with a central off switch. This is a good idea if secure and used for good reasons but we know the real world is not like this. There is (or was) a white paper produced by Microsoft Research which Microsoft handed over to the UK government a few years ago when trying to sell the idea to the UK government out of the blue. I have no idea what the ministerial or security services or other views of this may or may not have been. I am not aware of the idea going anywhere.

Somewhere along the way the next government mandated Opendocumentformat for official use which may or may not be directly or indirectly connected.

I think some fo the comments illuminating the technical and social aspects of this issue are spot on. The best defence in many ways is decentralisation and a good society. This places the end point out of reach of authoritarian government and criminal threats.

Hans May 7, 2018 4:16 PM

Ha ha! Ozzie admits his proposal is just an amateur side-show:

“This isn’t The Answer, nor is there one. It’s all risks/tradeoffs.”

https://twitter.com/rozzie/status/989288495356301313

Personally, I think Steven Levy is the worst actor in all this. His gushing piece with little substantive response from cryptographers paints Ozzie as some sort of saint for putting down his tools because he finally has enough millions to work on this “impossible problem”. What drivel. Now Levy’s on twitter with “at least I’ve started a conversation” type responses.

Odd that Levy didn’t include more of Matt Green’s observations or criticisms beyond “security isn’t perfect”. I guess that might have deflated his article a bit. Telling that Ozzie (until now) only presented his idea to friendly audiences or in moderated meetings instead of simply inviting (paying?) a few cryptographers for feedback. Perhaps he feels safe now that he has a patent on “tamper evident” device cryptography. Maybe he can sell it to his old friends over at Intellectual Ventures to “monetize”.

PeaceHead May 7, 2018 4:26 PM

@PeaceHead: The current CA system IS f***ed, defective by design. Any trusted CA can sign a certificate for any domain. You can find a lot of reports about CAs being hacked, going rogue, etc, not to mention that most (all?) government agencies have their own CAs that are trusted by most browsers. There are mitigations, like certificate pinning, but it’s kind of a whack-a-mole. Again, decentralization …

James May 7, 2018 4:39 PM

@Hans: Come on, give Ozzie a break, he is just in need for some attention 🙂 This is not the first time an idea like this came up, and i bet it won’t be the last. Yes, they are all a bit different, but the goal is the same: backdooring encryption, and backdoored encryption, well, is not encryption. I really doubt any of them will take off. Remember clipper chip and what an embarrassing fiasco that turned out to be ?

Jeremy May 7, 2018 6:50 PM

@Eric Andresen: There are ways of splitting up a secret key so that you need all of the pieces in order to decrypt something; search for “secret sharing”.

But even knowing that the escrow key is split into two or three pieces, I wouldn’t feel much safer. Stealing the key from two places is at most twice as expensive as stealing it from one, and probably less. And the government has a huge amount of power to coerce cooperation.

Dave May 7, 2018 7:34 PM

This is the typical mistake non-cryptographers make when they approach
this problem: they think that the hard part is the cryptography to
create the backdoor. That’s actually the easy part. The hard part is
ensuring that it’s only used by the good guys

There’s a physical bank vault analogy I’ve used for this when trying to explain it to nontechnical people: Allowing the police access to banking data in order to catch money laundering is easy at the technical level, you cut a huge hole in the side of the bank’s vault to allow easy access. The problem then is how do you make sure only the police use it to get in and out, and how do you ensure that the access is only for a legitimate, authorised investigation?

(Most people’s eyes glaze over when you try and explain encryption issues to them).

myrf May 7, 2018 9:37 PM

@Eric Andresen

If the government and Apple both build a system such that one party has to provide something to unlock a device – and such that it is cryptographically strong, then no one party can be hacked or convinced to break into a device – it is simply a cooperative effort because all parties agree.

Three problems:

  • “The” government? Apple likely deal with thousands of governments.
  • What does “agreement” have to do with anything? You portray Apple as independent from governments, which isn’t true. Several governments could force them to comply.
  • You said “all parties”, but only mentioned the company and “the government”. What about the elephant in the room, the only parties to whom we ascribe inalienable rights: the humans who wish to communicate in private.

Mark May 7, 2018 9:48 PM

A typically short-sighted American solution that ignores the rest of the world.

James May 8, 2018 12:52 AM

Mark: Who said it’s only an American solution ? Every government wants something similar …

Denton Scratch May 8, 2018 3:02 AM

I don’t think that being the author of Lotus Notes confers enough credibility that people should pay attention to Ozzie’s half-baked and old-hat opinions about security and privacy.

James May 8, 2018 3:36 AM

@Denton Scratch: Of course not. As i’m aware he is not even a cryptographer, as cryptographers (at least the relevant ones) are against this idea in the first place. Hell i think not even the NSA would propose something like this. However, the guy can have opinions and ideas. The problem is who is going to believe him …

Cassandra May 8, 2018 4:53 AM

Perhaps the term ‘responsible encryption’ should be reclaimed to mean encryption that the user controls and can reasonably expect to be free of known flaws; other types, of course, being ‘irresponsible encryption’.

Would you encourage someone to use the Caesar cipher to encrypt all their secrets – of course not, that would be irresponsible.

Would you encourage someone to encrypt all their secrets with a cipher that had a known back-door over which they had no control – of course not, that would be irresponsible.

The point needs to be driven home repeatedly.

C.

RealFakeNews May 8, 2018 5:24 AM

It’s said that if an attacker controls your computer, it’s not your computer anymore.

If a Government has a cryptographic key to unlock your secrets, well, they’re not secret anymore.

Thus endeth the lesson?

In other words, a backdoor into security is not security. Why is this hard to understand?

Also, mandating that all crypto products must have a backdoor/key escrow capability from 2018, is rather pointless when you can just use existing cryptographic suites that don’t have such a backdoor from 2017 or earlier.

I guess that alongside the escrow requirement, would need to be a law that says possession of or using crypto that does not have a Government backdoor is illegal and carries jail time?

At the most basic level, it is completely unworkable.

Ollie Jones May 8, 2018 5:34 AM

Why should Apple cooperate? Even if it were possible to vet each government request well enough to protect their law-abiding customers (it’s not) it would be a massively expensive service to provide. The data vault full of keys is the easy part. Controlling access, not so much.

They would also incur massive risk to their brand and their money.

How could smaller device manufacturers possibly cooperate?

The government could hold the keys, you say. The US government? The government employing a CIA director whose personal AOL email was cracked by a teenager? The government employing farflung contract sysadmins with root access to vast caches of dangerous secrets (Snowden in Hawaii for example)?

All secrets eventually leak. No exceptions. Some law enforcement people and legislators may not know that. But Microsoft executives and famous programmers should.

RonK May 8, 2018 5:54 AM

@Who?

Encryption is or is not secure, there are no other ways to see it.

Someone thinking that security is 0-1 binary shouldn’t be posting comments on this blog. I remember seeing your nick before here, but really: do you even read the posts here?

Alejandro May 8, 2018 6:59 AM

One thing that concerns me about the quest for complete unfettered access is the concerted and united demands by all the westernized governments to make it happen.

We would expect something like that from tin hat dictators and such. But, to see it coming from the Brits, USA, Euros and Aussies is disappointing to say the least.

Also, we know when the technical and political kinks are worked out, data will be horribly abused, cracked and hacked by criminals, governments and corporations leaving us to assigned role as targets and victims.

I hope the resistance wins. But, I have doubts.

Marcus May 8, 2018 8:20 AM

Z.Lozinski’s list of high-value targets omits a particularly on-point example: the TSA master keys, which are similar to a law-enforcement key-escrow system in that both are designed for high-traffic use (the large number of luggage searches and search warrants, respectively, occurring on any given day), as distinguished from examples such as the DVD CSS master keys (which need be accessed only once for each new DVD published or each new DVD player model manufactured) or communications from a single High Command headquarters (I’d say that it was something of a misstep to choose as an example a High Command encryption system rather than a field-level one; the latter is the sort of high-volume usage case which is comparable to a law-enforcement special access system).

parabarbarian May 8, 2018 10:22 AM

In my experience when an expert says something cannot be done, he is usually wrong. When he says he does not know how to do something he is usually right.

I agree that any form of key escrow by government is, generally, a bad idea. It may have some application in a corporate environment such as allowing access to an employee’s laptop after he leaves. Nevertheless, absent a mathematical proof that secure key escrow is impossible, I will not claim it cannot be done. Just because we don’t yet know how to do it does not mean it cannot be done at all.

Clive Robinson May 8, 2018 12:42 PM

@ parabarbarian,

Nevertheless, absent a mathematical proof that secure key escrow is impossible, I will not claim it cannot be done.

You do not need much of a proof certainly not a mathematical one, simple logic and human nature should suffice.

One thing we know about humans is the need for centralized power. That is it appears no matter how a technology or human practice originates, it will become hierarchical with power concentrating at the top.

Such systems positively encorage abuse of power both by those in the hierarchy and those outside it. You only have to look at the number of credit card records stolen one way or another to know that the bigger the stack of data with value the more likely it is to be successfully attacked be it by insiders or outsiders, irrespective of the actual strength of the system. We cam also see it in Certificate Authorities.

Thus it is human to abdicate responsability and alow those seeking power to accumulate it. This has been true for millenium. An early US President even acknowledged the problem with “The price of freedom is eternal vigilance”.

Thus it is a forgon conclusion that such a database will be attacked untill successfully breached.

But it is worse US Presedential observations allso include “The only way three can keep a secret is if the other two are dead”.

A key escrow system will without doubt leak information each and every time it’s used. Thus it’s secrets will bit by bit become known. That is at some point sufficient information will have “escaped” that getting around the security will be come easy. At that point all pretence of security will be like the emporer’s finest new cloths, more illusion than practicality.

Erik Carlseen May 8, 2018 4:19 PM

Let’s just call this nonsense what it is: “Flat-Earth Encryption”

One of the big problems is that encryption is an extremely technical issue steeped in jargon. There’s not been a good “mental hook” to convey to laypersons how technically absurd various global key escrow proposals are, so I coined that expression. There are probably better ones out there, but this one links it with with another movement that has endless, fanatical belief in a notion thoroughly demolished in theory, testing, and actual practice. I’m happy with it, but better ideas are always welcome.

But even beyond the technical problems, this is politically impossible to maintain. Hypothetically, if they get this mess implemented then what’s next? Even if one were to assume the purest of intentions from the Feds (season with salt and tinfoil to your taste) and they’re just doing their jobs, blah, blah, blah… they still view anything that gets in their way as a major inconvenience (as most human beings do). We all know that even if they got everything here their desires would not be anywhere near sated. It’s a very large leap to go from where we are now to a key escrow system where the keys are held by vendors. It’s a very tiny leap to go from there to a key escrow system where the keys are held by the Feds. That’s not much more than physically moving some boxes (yeah, I know there’s more it than that, but it’s still pretty tiny). Better to hold the line at this step, because the next one will probably be an impossible battle – it’s just too small and easy.

echo May 8, 2018 5:01 PM

I can’t do anything but agree with the comments. Everyone is writing what I have been thinking and very well too!

Mike Spooner May 8, 2018 5:59 PM

An observation: in 2015, in the middle of the Apple-FBI court case, Apple stated that in 2014, they were getting an average of more than one request per week from law-enforcement agengies to unlock iPhones that had no PIN set (ie: were already unlocked). Admittedly a smallish fraction of the total, but still!

Thoth May 8, 2018 6:45 PM

@all, Clive Robinson

This topic was brought up by me and another reader in a previous Friday Squid post.

Key escrow and backdoors aren’t so distant and I have been banging at the fact that we are all willing consumers of already existing backdoors and escrows in our system via ARM TZ, Intel SGX/IME and AMD PSP.

I have proposed a workable and fully practical firmware based key escrow called the Firmware Clipper fClipper linked below and to make it work, I project that an agency in any country willing to shell out about USD$5 Million and 6 months to wait to any IT In/Security would have one custom made with full NOBUS access.

The firmware clipper I propose does not require special chips and uses already existing techniques and technologies which allows it to be implemented quickly and in a very practical sense with very low cost other than those cost paid for project execution.

Despite me proposing such a highly practical and low cost firmware based clipper design, my company and myself have made a commitment on record not to support or execute such developments of privacy breaching technologies that can only be used for creating more insecurity to the user and breaching the user’s privacy.

Link: https://www.schneier.com/blog/archives/2018/04/friday_squid_bl_621.html#c6774361

justinacolmena May 8, 2018 8:40 PM

“Ray Ozzie” is as strawman. You know, that very good cook who comes out personally from the kitchen and serves that expensive meal to you on a silver platter with a shiny dome over it. I don’t particularly know or care who he is or whether or not that’s even his real name. So feelings aside, let’s look at the scheme.

… [a] supposed new scheme for adding a backdoor in encrypted devices. It’s a weird article. It paints [the] proposal as something that “attains the impossible” and “satisfies both law enforcement and privacy purists,”

As Bruce has so kindly mentioned, we have heard this sort of proposal time and time again, and this time is no different.

It’s like the apartment manager or eccentric landlord in “that part of town” who insists on retaining a key to your room, and none of the apartment units even have a full kitchen in case you wish to cook for yourself and avoid the silver dome tray service, and heaven forbid you have a family or childen when those idiots continue to impose “schemes” like this to invade the privacy and sanctity of your homes and private lives.

PeaceHead May 9, 2018 5:58 PM

Wow, so many good comments.

@Dave; good metaphor; easy to understand, thanks.
@PeaceHead • May 7, 2018 4:26 PM ;…

Funny that you spoofed my nick, ha ha ha.
Anyways, thanks for the Certificate Authority (CA) infos.
What you said very much makes sense. Are there any really old browsers that don’t use em that can be retrofitted with modern web support?

I guess the question is, when were CA’s first implemented widely?

RockLobster May 9, 2018 9:08 PM

Nice article.
Unfortunately we live in a modern society that favours wealth over intelligence at every level, from education through positions of managenent and authority through elected officials and government so no one should be surprised when self serving morons who think they are intelligent because the college degree that mommy paid for says they are, come up with poorly thought out, knee jerk reactionist agenda that undermines everything their far more intelligent predecessors implemented and built our societies and laws on and then also think they have the answers to all the problems they caused by those actions and the individuals need to encrypt private data in the wake of the assault on it by corporate America and their cronies in government is not the least of it.

de la Boetie May 10, 2018 1:03 PM

“Ozzie is putting his trust in corporations”

Thanks for the laugh.

Rather obviously, as suggested above, this would be US LE and US corporations, yes?

But while this proposal cannot be taken seriously, it indicates some kind of sell-out they’re trying to concoct, the salami-slicing ratchet approach they use to inflict the half-baked on the ill-informed.

Who? May 10, 2018 4:59 PM

@ RonK

Someone thinking that security is 0-1 binary shouldn’t be posting comments on this blog. I remember seeing your nick before here, but really: do you even read the posts here?

You are nobody to decide if I should, or not, be posting comments on this forum; only our host and other respectable members of this forums can decide if I must leave. Have I been clear enough?

In relation to backdoors in either hardware, software or protocols, security is binary. They are acceptable or aren’t. Decision is simple to me, backdoors are a big no-no.

If you trust in the NOBUS-approach (even if only on incredibly well engineered NOBUS proposals) then you are either stupid or a NSA asset. Haven’t you learned anything from Snowden and the Shadow Brokers in the last years? Do you really think the intelligence community is able to protect their own secrets?

On the other side, who should own the key to these unbreakable NOBUS doors? The NSA? Why not the FSB or the chinese MSS? Why is the FSB worse than the NSA? I would not trust on any of these intelligence services to store the keys to my privacy.

Who? May 11, 2018 7:25 AM

@ echo

Sure, Snowden didn’t get the crown jewels but a few thousands documents. I think it was exactly his goal. He did know that getting tools and detailed technical documentation would have pose a risk to the world. I would say he was not surprised when EternalBlue was used as the base to the most devastating attack against Windows computers.

As I see it, Snowden’s goal was showing to the world what he thought was a serious violation of human rights. Shadow Brokers is more destructive and does not really care about the consequence releasing these tools into the wild had.

Nice article about quantum computing. I think data compression will matter on a quantum Internet, why not? Very high transmission speeds do not obliterate the need for compression. Data must be stored, and multiple copies of it should be advisable for both security (i.e. redundancy) and convenience. What I see is quantum computing being able to compute not only acceptable compression dictionaries but the best one, reaching maximum theoretical compression in the same amount of time used to achieve a low compression rate. Compression may become even more powerful than it is right now. And, indeed, qubits will require compression algorithms being redefined to work on multidimensional spaces.

I do not think, however, quantum computing will work as most people expects. It happened before with optical computing—in the ninteties research teams were working on fully-optical computers that look as huge lab experiments and were as powerful as a seventies calculator at most. The fact is that these huge optical computers were never successful, but we have optical drives (CD-ROMs, DVD players, Blu-Ray players, magneto-optical drives…), optical networks (i.e. optical fiber), laser printers and other advances that have become usual on our current computers. Most of these semi-optical devices predate the optical computing era.

We had been using quantum technology on our computers for years (e.g. TRNGs) and quantum networks, like the BBN Technologies quantum network for secure communications. We can expect more from quantum computing than we got from optical computing but in the end we will have a mix of electronics, optics and quantum devices.

…and we had been abusing quantum technology too (“rowhammer”).

Quantum computers will evolve into something comparable to the first Cray supercomputers: powerful computing devices attached to classical computers acting as front-ends to them.

Quantum computing will be exciting, but I do not expect future quantum computers behave like expensive D-Waves, they will be mostly electronic computers with powerful quantum devices attached. Perhaps some day we will see NVIDIA cards replaced by liquid nitrogen cooled quantum processors. So, bye-bye CUDA.

echo May 11, 2018 8:12 AM

@Who?

Once you filter out the office gossip and everything everyone knew already Snowden did provide hard proof of abuses to his credit. I have no idea if the UK could produce a Snowden. The culture and allowed culture are very different.

I have wrangled my appallingly embarassing maths skills with one intriguing compression scheme method. The computations are a bit beyond me due to a few stumbling blocks but I perceive a possibility or two. Your exploration of the opportunities and caveats seems very solid to me. I suspect things will be very much as you say.

I sometimes think the universe is made out of magic clayonly we’re a bit too dim to udnertsand it. Still, books would be very boring if we skipped to the last page.

Who? May 11, 2018 12:30 PM

@ echo

Once you filter out the office gossip and everything everyone knew already Snowden did provide hard proof of abuses to his credit. I have no idea if the UK could produce a Snowden. The culture and allowed culture are very different.

It was funny when I read the first news on Snowden! In some way all these projects were known, even if not using these names. Echelon was a first step on global surveillance, it was just a matter of time moving data collection to digital network intelligence. PRISM? It was known for years big corporations were collaborating with the U.S. Government. Some of these projects went far than I was expecting, others (e.g. backdoors in mainstream operating systems) not.

I have wrangled my appallingly embarassing maths skills with one intriguing compression scheme method. The computations are a bit beyond me due to a few stumbling blocks but I perceive a possibility or two. Your exploration of the opportunities and caveats seems very solid to me. I suspect things will be very much as you say.

Thanks, that exploration was just common sense combined with a decade of research on optical computing. It made no sense manufacturing optical logic gates to build a fully-optical computing when most tasks were easier to do on classical (supposedly well-tested[*]) platforms.

[*] Meltdown and Spectre shown that we were clearly wrong on this belief.

I sometimes think the universe is made out of magic clayonly we’re a bit too dim to udnertsand it. Still, books would be very boring if we skipped to the last page.

No, it is easier to understand. The universe is made of conspiracy theories that are proven to be true and facts that are proven to be false. Human greed is the rest.

A Nonny Bunny May 12, 2018 2:09 PM

@Jeremy

But even knowing that the escrow key is split into two or three pieces, I wouldn’t feel much safer.

What if it was really hard to get the second or third part?
What I’m thinking is, what if you just throw a part of the key away, so that it needs to be cracked by brute force. If you ensure the cost of doing so is sufficiently large, then law enforcement/intelligence services will think twice about trying without a very good reason.

lay-man May 12, 2018 10:38 PM

Correct me if I’m wrong, but why the heck would we want the manufacturer to have the full key in the first place. When generating it and sending to (possibly multiple) DBs, could we not:

1) use arbitrary companies, including well-funded vault-specializing ones to safeguard them, the same way Google/Facebook/Apple/Dropbox etc. do in practice today

2) where no one has full access alone because we could use Secret Sharing schemes for the private key itself and give out, say 3 copies per device key: one manufacturer, one vault-keeper, one for the police (US/Australia/whomever) to have to use all at once?

This is still bad and nobody in their right mind would want a device with this, just buying from companies which didn’t opt-in, but better than the bullshit in the original scheme by forcing several breaches at once to have to occur in relative succession.

Even better, the more signing parties at once governments could enlist for this, the better, as breaching the keys of all of them without anyone noticing gets exponentially harder.

You need more diplomacy and waiting, but at least not everything is screwed by one bad employee :/

Me May 14, 2018 2:42 AM

I think they don’t get it. Theoretical solution is not the problem, but it can’t be done in the real world. Private keys are leaking out all the time and secure processors can be flawed or badly designed. Remember the government is more like an AI. It can’t see through statistics and paper, because statistics and paper are it’s only eyes.

Little joke:

There are two options how to increase solved crime percentage.

First – better police work
Second – force people not to report crimes that are hard to solve

Matthias May 15, 2018 5:22 AM

The people thinking this is a good idea apparently never noticed the “Made in China” label on their device. All of those backdoor keys would be generated and installed by Chinese companies operating on Chinese soil. That should be the end of the discussion.

WhiskersInMenlo May 15, 2018 3:17 PM

Re back doors and massive key escrow systems.

One obvious risk is the massive data breach.

Less obvious is the global reach of such a data base set.
Who is the keeper of the data and who is allowed to have
one or more keys?

There are 195 countries in the world today. This total comprises 193 countries that are member states of the United Nations and 2 countries that are non-member observer states: the Holy See and the State of Palestine. In the US there are numerous TLAs and 50+”state police” agencies any of the 17,985 U.S. police agencies. And yes that includes everything from college campus patrols, to sheriffs, to local police, to federal agents in the US that could ask for keys. Factor this into a global view and the key keeper must be able to validate a request for any of the quarter billion plus agencies that might ask (friend and foe alike).

As for the “basically it” case: “The only other trick is that for law enforcement to use that key, they have to put the device in some sort of irreversible recovery mode, which means it can never be used again. That’s basically it.” There is the implication that property cannot be returned undamaged and if a remote mechanism exists the entire product set behind a data base set can be bricked. Apple might have a billion devices still operational. That is a lot of recycling bricks. For cell phones in general, the number of active mobile devices and human beings crossed over somewhere around the 7.19 billion mark.
Size of the data base… fits on a single USB stick most likely.

Anomin June 17, 2018 7:05 PM

I’m one of those amateur cryptologists. I don’t like Ray Ozzie’s idea simply because it bricks the phone. Apple can and does produce passcodes to law enforcement based on previous iCloud backups. An FBI screwup with the San Bernadino shooter’s iPhone5c rendered a spontaneous iCloud backup impossible because the iphone5c could no longer login to its iCLoud AppleID. Apple claimed it could give the feds what they wanted if a spontaneous wifi connection could possibly be made by the device (but if iCloud backups were disabled on the device, maybe a spontaneous backup is impossible anyway).

My suggestion is to use the Ray Ozzie approach to put per device secret SSIDs into each device, so that when law enforcement needs to get an iCloud backup that they don’t already have access to, Apple can grant them that SSID and iOS can force itself to connect when the device is powered on, even should Airplane Mode on the device be activated.

The limited number of SSIDs could make a brute force attack possible. But law enforcement would still need a legal court order to get Apple to surrender a passcode encrypted in an iCloud backup.

I know the corporate cache of these SSID keys would be vulnerable but per Ray Ozzie this can be no more vulnerable than a company’s Operating System update key pairs that are super cybersafe.

I also know granting a temporary backdoor to law enforcement can’t be easy, so please knock this mole down for me now.

PeaceHead July 9, 2018 6:22 PM

Maybe this is a good time for the USA to invest in recycled computers and cellphones for their precious rare earth metals and build more factories at home to use those materials to build integrated chips and electronics that the NSA and FBI can locally and remotely control.

And to be honest, I had assumed that the NSA already had that capability in partnerships with the nations who produce our electronics and chips en masse.

Hmm, not a good for a “trade war”.
To quote that tune so many people love,
“war, what’s it good for? absolutely nothing!”

And while I’m fantasizing, can we please have computer manufacturers who deliver BIOS updates with checksums? and using hashes that haven’t been compromised?

That would be nice.
Until that happens, the whole computer age is a bunch of glass houses in the courtyard of a sandcastle in the sky guarded by hyporcrits in service of an emperor wearing no clothes who was appointed by the electoral college and not by popular votes.

exit(0)

justinacolmena July 9, 2018 9:20 PM

@PeaceHead

…integrated chips and electronics that the NSA and FBI can locally and remotely control.

They don’t have time for that personal stuff. Those who want that stuff are identity thieves.

FBI is looking for probable cause and proof beyond a reasonable doubt. Can’t get that with what you’re talking about. Gotta go old school for the FBI goods. They couldn’t care less about your personal silicon as a general rule.

NSA is looking for casus belli. That’s an even higher standard. You can’t get too personal with that one, either. Don’t ignore the technology, no, I’m not implying that, but you have to think more old-school, CIA-style on this one, too.

The “back doors” are for the воры в законе.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.