December 3, 2015

Clavis Aurea, or Does the “Golden Key” actually solve encryption issues?


Following recent terrorist attacks, accusations against encrypted means of online communication have once again become louder. However, the proposed solutions could create even more problems.

Governments around the world – from Russia to the US and from China to the UK – seem to preach the same mantra: people’s communications are encrypted so strongly that governments cannot access them when there is a need. This is said to be the main reason why the police cannot efficiently investigate cases involving pedophiles or terrorists, so ‘something has to be done about it.’

The solutions proposed by governments essentially presuppose that existing encryption systems should contain certain vulnerabilities, so that national agencies would have an opportunity to intercept correspondence as they see fit.

In a recent article, the Washington Post coined a rather poetic term for this approach: the Golden Key. The authors cite various cases of kidnapping and other criminal deeds in which the investigators could not progress with their search because the ‘golden key’ system was not deployed. The writers state that all tech companies, including the likes of Google, Apple, Facebook and Telegram, should grant these ‘golden keys’ to governments.

Leaving ethics aside for now (otherwise this discussion would last for ages), in a situation where noble policemen do possess the said key, there is a solid probability of bad guys gaining access to the keys as well.

There are quite a few examples of the ‘golden key’ idea being brought to life. Take the most obvious use case: TSA locks, created by the Transportation Security Administration. The concept is simple: travelers use TSA-approved luggage locks with a keyhole for the authorities to use (so they don’t smash open the padlock if they think the luggage needs to be searched). There are ten master (‘golden’) keys to be used on most types of luggage locks. The idea is based on the assumption that only the TSA has access to the master keys, whereas petty criminals raiding luggage have to use some other means to crack the padlock.

However, pictures of all the TSA keys recently leaked online, followed by their 3D models. Now a number of Chinese marketplaces offer a complete set of the TSA’s golden keys, available to anyone. What could be done to remedy the situation? Alas, nothing in particular: one cannot replace all the luggage locks in the world.

There is another example of such a system: app stores, such as the Apple App Store. The entire security paradigm in their case is based on the principle that only the store’s employees can publish an app: first they check it for malware and then sign it with their digital certificate.

Obviously, Apple has not had its keys compromised, but adversaries found another way to bypass the strict security checks. Some developers were fooled by cyber-criminals and inadvertently used a modified version of the Xcode development framework, which injected masked malicious code into their apps. The issue was not discovered by Apple security engineers in time, so the App Store, a once-unassailable digital fortress, was flooded by dozens of malicious applications, including one particularly popular messenger.

Let’s dive deeper into the history of tech and recall a once widely publicized DVD crypto protection technology. In the late 20th century, DVDs employed crypto protection based on the infamous CSS algorithm. It was designed to restrict access to DVD content for other regions. Well, we all remember the inglorious end of the technology. Digital activists decrypted a number of keys and published them for free use. Now one can watch DVDs anywhere, regardless of the region coded into the CSS.

The decryption code for DVDs was even printed on T-shirts

The moral behind all these stories is simple: a system based on the assumption that good guys have the necessary information and bad guys don’t will fall sooner or later. Once the bad guys get the keys, they can compromise the data of ordinary citizens in all ways imaginable, and their capabilities would totally match those of the police or the government.

It’s a highly undesirable outcome, because it’s equally hard to replace all the luggage padlocks and the firmware on all the smartphones in the world. The damage that a compromise of the ‘golden keys’ would cause easily overshadows the benefits of ‘golden keys’ used by governments.

There is also a chance that this ‘golden key’ idea is not that efficient at all: terrorists and criminals often use uncommon, niche encryption systems, thus successfully hiding from the officials. With that in mind, governments should create other ways to keep an eye on criminals, ones that are more fruitful and less invasive for citizens.