[Infowarrior] - FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts

[Richard Forno]

<http://www.wired.com/threatlevel/2010/09/fbi-backdoors/>

FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts

By Ryan Singel 

September 27, 2010 10:47 pm

The FBI now wants to require all encrypted communications systems to have
backdoors for surveillance, according to a New York Times report, and to the
nation’s top crypto experts it sounds like a battle they’ve fought before.

Back in the 1990s, in what’s remembered as the crypto wars, the FBI and NSA
argued that national security would be endangered if they did not have a way
to spy on encrypted e-mails, IMs and phone calls. After a long protracted
battle, the security community prevailed after mustering detailed technical
studies and research that concluded that national security was actually
strengthened by wide use of encryption to secure computers and sensitive
business and government communications.

Now the FBI is proposing a similar requirement that would require online
service providers, perhaps even software makers, to only offer encrypted
communication unless the companies have a way to unlock the communications.

In the New York Times story
<http://www.nytimes.com/2010/09/27/us/27wiretap.html?_r=1>  that unveiled
the drive, the FBI cited a case where a mobster was using encrypted
communication, and the FBI had to sneak into his office to plant a bug. One
of the named problems was RIM, the maker of Blackberrys, which provides
encrypted email communications for companies and governments, and which has
come under pressure from India and the United Arab Emirates to locate its
severs in its countries.

According to the proposal, any company doing business in the States could
not create an encrypted communication system without having a way for the
government to order the company to decrypt it, and those who currently do
offer that service would have to re-tool it. It’s the equivalent of
outlawing whispering in real life.

Cryptographers have long argued that backdoors aren’t a feature — they are
just a security hole that will inevitably be abused by hackers or
adversarial governments.

The proposal also contradicts a congressionally-ordered 1996 National
Research Council report <http://www.nap.edu/openbook.php?record_id=5131>
that found that requiring backdoors was not a sensible policy for the
government.

“While the use of encryption technologies is not a panacea for all
information security problems, we believe that adoption of our
recommendations would lead to enhanced protection and privacy for
individuals and businesses in many areas, ranging from cellular and other
wireless phone conversations to electronic transmission of sensitive
business or financial documents,” said committee chair Kenneth W. Dam,
professor of American and foreign law at the University of Chicago. “It is
true that the spread of encryption technologies will add to the burden of
those in government who are charged with carrying out certain law
enforcement and intelligence activities. But the many benefits to society of
widespread commercial and private use of cryptography outweigh the
disadvantages.” 

Moreover, cases of encryption tripping up law enforcement are extremely
rare, according the government’s own records. In 2009, for instance, the
government got court approval for 2,376 wiretaps and encountered encryption
only once — and was able to get the contents of the communication.
Statistics for other years show no problems whatsoever for the government.

Jim Dempsey, the West Coast director of the Center for Democracy and
Technology, told Wired.com that the FBI is now saying that the numbers are
mistaken — and they’ll issue new ones in the spring.

Despite that, the FBI is saying that its spying capabilities could be
degraded unless the Congress requires companies using encryption to re-make
their current systems so that the companies have some way to spy on the
communications.

The FBI did not return a call seeking comment, but the FBI’s general counsel
Valerie Caproni told the New York Times that companies “can promise strong
encryption. They just need to figure out how they can provide us plain
text.”

While the scope of the proposal isn’t clear, it would seem to target
Hushmail, Skype, RIM and PGP, each of which use encryption to make it
possible for users to communicate without fear of being eavesdropped on by
the company making the service, hackers, criminals, business competitors,
and governments (authoritarian or otherwise).

There’s also a number of open source software packages that might also get
swept up by the proposal, including OpenPGP (an open protocol for sending
encrypted e-mails), TOR (a system for disguising the origin of web traffic),
and OTR (a system for encrypting instant messages).

University of Pennsylvania computer science professor Matt Blaze, a
cryptography exert co-authored a paper in 1998 about the technical
limitations of requiring back doors in crypto, says he’s confused by the
return of the dream of perfect surveillance capabilities.

“This seems like a far more baffling battle in a lot of ways,” Blaze said.
“In the 1990s, the government was trying to prevent something necessary,
good and inevitable.”

“In this case they are trying to roll back something that already happened
and that people are relying on,” Blaze said.

Few net users realize that they rely on cryptography every day. For
instance, online shopping relies on browsers and servers communicating using
SSL. Government employees, NGOs and businesses use RIM and PGP’s e-mail
encryption systems to safely protect diplomatic secrets, confidential
business documents and human rights communications. It’s not clear how those
services could continue since they work by having each user create special
decryption keys on their own devices, so that no one, including PGP or RIM,
could decrypt the communication if they wanted to. In PGP’s case, the
company doesn’t even run a mail server.

Skype routes calls through peer-to-peer connections in order to be able to
offer free internet calls, uses encryption to prevent the computers in the
middle from being able to listen in. Under the FBI’s proposed rules, that
architecture would be illegal. Targeted calls would have to be routed
through Skype.

“It would make Skype illegal,” said Peter Neumann, a scientist who testified
to Congress in the 1990s on the earlier proposal.

“The arguments haven’t changed,” Neumann said. “9/11 was something long
predicted and it hasn’t changed the fact hat if you are going to do massive
surveillance using the ability to decrypt — even with warrants, it would
have to be done with enormously careful oversight. Given we don’t have comp
systems that are secure, the idea we will have adequate oversight is
unattainable.”   

“Encryption has life critical consequences,” Neumann added.

The CDT’s Dempsey, who spent years working on the Hill on digital policy
issues, says the issue won’t get to Congress until next year, and depending
on the election, could face Republican backlash, especially given that the
Tea Party movement is driven in part by a distrust of big government.

Most importantly, for encryption advocates is getting the government to
describe in detail what their problems are and what they propose as a
solution.

In the 1990s, the NSA created the Clipper chip
<http://en.wikipedia.org/wiki/Clipper_chip>  intended for telecoms to use to
encrypt phone calls. The NSA initially refused to let outsiders see the
chip, which had a backdoor for the government.

“We, meaning Matt Blaze, Peter Neumann and [Columbia University professor]
Steven Bellovin, got them to show us details,” Dempsey said. “Then Matt
broke the Clipper chip.”

That put an end to that proposal.

“No disrespect to Matt, but there are 10,000 people who can do what he did,
and my worry is half of them work for Moldovian criminal hacker groups,”
Dempsey said.

Another concern is that wiretapping requirements in software have a tendency
to be used not just by governments bound to the rule of law. For instance,
Nokia and Siemens were lambasted last year for selling telecom equipment to
Iran that included the ability to wiretap mobile phones at will. Lost in
that uproar was the fact that sophisticated wiretapping capabilities became
standard issue for technology thanks to the U.S. government’s CALEA rules
that require all phone systems, and now broadband systems, to include these
capabilities.   

Blaze says he’s just confused by the proposal.

“If the point is to discourage the use of encryption broadly, that
contradicts the policy position of this administration and the two before
it,” Blaze said. “We need to protect the country’s information
infrastructure. I was at meeting of the White House and the very same
officials backing this were talking about the rollout of DNSSEC [a
technology that protects the internet's lookup system from hackers].

“So how do you reconcile that with the policy of discouraging encyrption
broadly?,” Blaze asked.