Saturday, January 2, 2016

Giving good guys access to encrypted messages may give it to bad guys - January 1, 2016

Following the recent attacks in Paris and San Bernardino, California, some politicians are again trumpeting the need to give law enforcement access to all encrypted messages.

The theory is, if we could read the texts and email terrorists send and receive, we would know their plans.

A law would require makers of encryption products to build a backdoor into their software that law enforcement would access.

FBI Director James B. Comey has long advocated law enforcement be given this tool. The New York Times reported recently it appeared Comey had lost an internal struggle within the administration to force Apple, Google and others to decode messages for law enforcement.

It is unclear how, or even if, security software made in other countries could be compelled to provide backdoors to U.S. law enforcement.

The easiest way to understand how this might work is to look at a physical system. The Transportation Safety Administration requires the ability to unlock suitcases for security inspections. There are luggage locks that give you a unique key to your lock, but also allow a TSA master key to open the lock.

This is the best of both worlds, theoretically. Only you and the TSA can open your luggage.

At first glance, giving this same kind of protection to digital suitcases (i.e., messages) seems like a no-brainer: let law enforcement read messages, but keep others out.

There is another side we need to consider.

Security experts tell us that if you open a less-secure backdoor for law enforcement, others might use it too.

We have to look again at the TSA-approved locks to see how this might transpire.

A photograph of the keys ran in the Washington Post. Turns out that’s all you need to duplicate them.

Google “TSA Luggage Keys” and you’ll find people selling the keys and even files you can download so your 3D printer can make them.

If there is a backdoor for law enforcement in encryption products, experts fear it too might be discovered by the bad guys. Just as luggage keys leaked, backdoor technology may leak, or simply be discovered by hackers.
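The master-key design described above can be modelled in a few lines to show why one leaked key exposes everyone, while a leaked user key exposes only that user. This is an added example, not code from the column or from any real product; the cipher is a toy SHAKE-256 keystream with no authentication, and the names `seal`, `open_with` and `demo` and the sample messages are hypothetical.

```python
import hashlib
import secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream from SHAKE-256; stands in for a real cipher (illustration only).
    return hashlib.shake_256(key + nonce).digest(n)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(message: bytes, user_key: bytes, escrow_key: bytes) -> dict:
    """Encrypt once with a fresh message key, then wrap that key twice:
    once for the owner and once for the escrow (master) key holder."""
    msg_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    return {
        "nonce": nonce,
        "body": _xor(message, _stream(msg_key, nonce, len(message))),
        "wrap_user": _xor(msg_key, _stream(user_key, nonce + b"u", 32)),
        "wrap_escrow": _xor(msg_key, _stream(escrow_key, nonce + b"e", 32)),
    }

def open_with(envelope: dict, key: bytes, slot: str) -> bytes:
    """Unwrap the message key from the 'user' or 'escrow' slot, then decrypt."""
    tag = b"u" if slot == "user" else b"e"
    wrapped = envelope["wrap_" + slot]
    msg_key = _xor(wrapped, _stream(key, envelope["nonce"] + tag, 32))
    body = envelope["body"]
    return _xor(body, _stream(msg_key, envelope["nonce"], len(body)))

def demo() -> dict:
    escrow_key = secrets.token_bytes(32)  # the single master key behind every envelope
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    a = seal(b"alice: card number 0000 (constructed)", alice_key, escrow_key)
    b = seal(b"bob: bank login (constructed)", bob_key, escrow_key)
    return {
        "alice_opens_own": open_with(a, alice_key, "user"),
        "alice_key_on_bob": open_with(b, alice_key, "user"),  # wrong key: garbage
        "escrow_opens_alice": open_with(a, escrow_key, "escrow"),
        "escrow_opens_bob": open_with(b, escrow_key, "escrow"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
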

Recently Juniper, maker of firewalls that are designed to keep digital data safe from hackers, discovered someone had inserted a backdoor into their product. Juniper firewalls are used to protect commercial and governmental data, so there was a real potential that bad guys had gotten data we did not want them to have.

Now Wired Magazine reports a German security expert, Ralf-Philipp Weinmann, believes “Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes.”

The NSA is one of several suspects in the spying on traffic through Juniper devices. The Wired article is cited in this week’s Link post at

Too many in the public do not know they themselves depend on encryption. Certainly you do not have an encryption app on your phone or PC, nor do you have to encrypt or decrypt your email before you send it.

Our phones and computers encrypt and decrypt data for us on the fly, invisible to us.

When you shop at Amazon, HTTPS encrypts your credit card information while it is in transit. Someone “listening” in on Internet traffic between your PC and Amazon would not be able to read your credit card number. Look at the address bar in your web browser. If the address begins with HTTPS, then you are in an encrypted conversation.

The same happens when you log into your bank. More and more sites are using HTTPS security by default. Even this column is encrypted before Google Docs saves it to its server.

We could not do business, banking or review our medical information securely without encryption. It is a mainstay of online commerce.

And the fact is terrorists would simply communicate using other secure means if encryption became insecure. They learned to not use cell phones, and Osama Bin Laden’s home was the only one in the neighborhood without Internet.

Emails could be sent encrypted with one-time pads, manual encryption codes that defy decryption and are said to be unbreakable if used properly. That would require more effort from those using them, but it would leave only those of us who need encryption for good things using insecure encryption.

To subscribe to the print edition of Prince William Today, visit their website.
