FBI Signals Imminent New Push to Fatally Compromise Encryption
Posted on November 26, 2017
According to a new article from Ars Technica, Deputy Attorney General Rod Rosenstein has reaffirmed his support for the Department of Justice’s renewed push to compel tech companies to weaken the encryption they deploy in their commercially available devices, services, and other products, a call which comes only a month after he similarly advocated for so-called “responsible encryption.” However, as cryptography and security experts uniformly agree that encryption can only be considered properly deployed when access to an encrypted communication is reserved solely for the sender and intended recipient, it appears that “responsible encryption” is merely the latest euphemism for compromised encryption.
What distinguishes Rosenstein’s appeal from previous campaigns to weaken encryption is the sophistication of the arguments he supplied, but when examined in depth, they fail to offer any firmer basis for disarming encryption than their predecessors. In his statement from last month, he cites “the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop” as instances of the sort of “responsible encryption” the Justice Department would endorse, but while these techniques are embraced in some segments of the tech sector, they are fundamentally not viable for the purposes or scale which Rosenstein envisions.
With the exception of multi-recipient messages, all of these proposals constitute some form of what is called “key escrow.” Under a key escrow model of encryption, which is not reserved for governments but is relatively common in the tech industry, at least one party which is not directly sending or receiving the encrypted data retains a copy of the encryption keys used. If the Justice Department were to appropriate this setup for law enforcement purposes, which would be a more unusual use of key escrow, it would simply mean permitting the federal government, as a third party, to retain a copy of keys to users’ encrypted data. To understand precisely how the Justice Department intends to bend key escrow toward its law enforcement objectives, it helps to consider each of the implementations Rosenstein presents as prototypes.
Some operating system update models do indeed employ key escrow in which the OS developer, such as Microsoft, holds a copy of users’ hard drive keys so that the drive can be decrypted for update installation. Although hard drives must be decrypted for OS updates to be properly installed, the operating system is automatically unlocked–by the user upon booting it up–when running normally, meaning the developer wouldn’t require a key if an update were initiated in this state. The only reason a developer would need a key for updates is if the update is configured to execute while the system is in some non-default state, such as during boot-up or shutdown. Apple does not keep copies of keys for its Mac computers, nor do Linux distribution developers, and their updates are handled completely satisfactorily.
Email content scanning is also a form of key escrow, but with webmail providers like Google and Yahoo as keyholders instead of OS vendors. By reserving a copy of the key for the transmission between the mail server and the user’s browser, these companies are party to the full text of messages so they can sell personal details of interest to advertisers. As with full-disk encryption, though, this arrangement is not intrinsically necessary for mail delivery to function–for those who run their own mail server or use a privacy-conscious webmail provider, no extraneous keys are retained and no content is mined.
In order to facilitate encrypted messaging in conversations involving more than two people, each participant must have a respective key for every other participant, and when a message is sent, it is sent in as many copies as there are participants, each encrypted with the corresponding participant’s key. Unlike the foregoing use cases, this is required by design, but the model breaks down in the case of granting the federal government access to data because, again, it is not an intended participant in the message thread but a passive third-party observer. Thus, to deliver the Justice Department’s intended functionality would really just result in key escrow.
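The fan-out described above, as an added example that is not part of the original article: each message is sealed once per recipient, and an escrow holder is modelled as one more copy attached to every message. The cipher is an illustrative HMAC-SHA256 construction rather than a production one, and the names `KEYRING`, `ESCROW_KEY`, `send` and `readable_with` are assumptions made for this sketch.

```python
import hashlib, hmac, secrets

def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Illustrative encrypt-then-MAC built from HMAC-SHA256; not a production cipher."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("copy was not encrypted to this key")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

def send(message, recipients, keyring, escrow_key=None):
    """Fan out one encrypted copy per recipient; escrow is just one more copy."""
    copies = {name: seal(keyring[name], message) for name in recipients}
    if escrow_key is not None:
        copies["escrow"] = seal(escrow_key, message)
    return copies

def readable_with(key, threads):
    """Return every plaintext a holder of `key` can recover from the stored copies."""
    found = []
    for copies in threads:
        for blob in copies.values():
            try:
                found.append(unseal(key, blob))
                break
            except ValueError:
                continue
    return found

# Constructed sample data: three users and two unrelated threads.
KEYRING = {n: secrets.token_bytes(32) for n in ("alice", "bob", "carol")}
ESCROW_KEY = secrets.token_bytes(32)

def demo(escrow):
    k = ESCROW_KEY if escrow else None
    threads = [send(b"lunch at noon", ["alice", "bob"], KEYRING, k),
               send(b"draft attached", ["carol"], KEYRING, k)]
    return {"bob": readable_with(KEYRING["bob"], threads),
            "escrow": readable_with(ESCROW_KEY, threads)}
```

Calling `demo(True)` shows Bob still limited to his own thread while the single escrow key recovers both threads; with `demo(False)` the same key recovers nothing.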
Finally, key recovery options for lost disk decryption passwords are, once again, key escrow on the part of the OS vendor. Normally, when no extra keys are generated and stored separately, a lost full-disk encryption key renders data irrecoverable by the user. As a way to offer users recourse, some OS vendors keep a copy of the key which users can request if they forget the password for the one on the system. Besides constituting another form of key escrow, this is also a poor security model: the point of encryption is that no one not authorized by the user should have any means of accessing their data. But if OS vendors keep a spare, this leaves the door open for bad actors to impersonate the user and convince the vendor to hand them the user’s key. Malicious hackers use the same tactic with email or bank account providers all the time, so there is no reason to believe backup keys will be spared the same fate.
So what makes key escrow so dangerous? First, even if you fully trust the holder of the key copy to use it only in the most judicious circumstances, there is always the risk they will lose it. Both Wikileaks’ publication of CIA hacking tools and the Shadow Brokers’ theft of NSA’s digital arsenal reveal that the federal government can’t even keep its most prized secrets from leaking out, so how can citizens expect it to keep their encryption keys safe? Second, experience shows that the federal government is not so high-minded regarding whose data it chooses to go after. Just this year, the Justice Department issued search orders for the records on millions of visitors to a peaceful anti-Trump protest site and the Facebook accounts of the organizers (both developments CCDBR covered in the past). If the Justice Department was so eager to pursue such an invasive search of data held by third parties, one can only imagine how much more brazen such searches would be if they held the keys to this data in their own database.
With this in mind, it becomes clear that the encryption Rosenstein favors would require more responsibility from the government than they’re capable of demonstrating, and more than citizens could reasonably expect. More importantly, such a scheme would fundamentally compromise the encryption which forms the core of modern technology.
You can read the full piece from Ars Technica here.
Jonathan Terrasi has been a Research Assistant with the Chicago Committee to Defend the Bill of Rights since January 2017. His interests include computer security, encryption, history, and philosophy. In his writing, he regularly covers topics on current affairs and political developments, as well as technical analyses and guides on security issues, published on his blog, Cymatic Scanning, and Linux Insider.