Encryption Backdoors Will Always Turn Around And Bite You In The Ass

(Mis)Uses of Technology

from the golden-keys dept

Wed, Mar 4th 2015 10:50am — Mike Masnick

As you may have heard, the law enforcement and intelligence communities have been pushing strongly for backdoors in encryption. They talk about ridiculous things like "golden keys," pretending that it's somehow possible to create something that only the good guys can use. Many in the security community have been pointing out that this is flat-out impossible. The second you introduce a backdoor, there is no way to say that only "the good guys" can use it.

As if to prove that, an old "golden key" from the 90s came back to bite a whole bunch of the internet this week... including the NSA. Some researchers discovered a problem which is being called FREAK for "Factoring RSA Export Keys." The background story is fairly involved and complex, but here's a short version (that leaves out a lot of details): back during the first "cryptowars" when Netscape was creating SSL (mainly to protect the early e-commerce market), the US still considered exporting strong crypto to be a crime. To deal with this, RSA offered "export grade encryption" that was deliberately weak (very, very weak) that could be used abroad. As security researcher Matthew Green explains, in order to deal with the fact that SSL-enabled websites had to deal with both strong crypto and weak "export grade" crypto, -- the "golden key" -- there was a system that would try to determine which type of encryption to use on each connection. If you were in the US, it should go to strong encryption. Outside the US? Downgrade to "export grade."

In theory, this became obsolete at the end of the first cryptowars when the US government backed down for the most part, and stronger crypto spread around the world. But, as Green notes, the system that did that old "negotiation" as to which crypto to use, known as "EXPORT ciphersuites" stuck around. Like zombies. We'll skip over a bunch of details to get to the point: the newly discovered hack involves abusing this fact to force many, many clients to accept "export grade" encryption, even if they didn't ask for it. And it appears that more than a third of websites out there (many coming from Akamai's content delivery network -- which many large organizations use) are vulnerable.

And that includes the NSA's own website. Seriously. Now, hacking the NSA's website isn't the same as hacking the NSA itself, but it still seems notable just for the irony of it all (obligatory xkcd):

But the lesson of the story: backdoors, golden keys, magic surveillance leprechauns, whatever you want to call it create vulnerabilities that will be exploited and not just by the good guys. As Green summarizes:

There’s a much more important moral to this story.

The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today.

This might be academic if it was just a history lesson — but for the past several months, U.S. and European politicians have been publicly mooting the notion of a new set of cryptographic backdoors in systems we use today. This would involve deliberately weakening technology so that governments can intercept and read our conversations. While officials are carefully avoiding the term “back door” — or any suggestion of weakening our encryption systems — this is wishful thinking. Our systems are already so complex that even normal issues stress them to the breaking point. There's no room for new backdoors.

To be blunt about it, the moral of this story is pretty simple:
Encryption backdoors will always turn around and bite you in the ass. They are never worth it.

Let's repeat that last line, because it still seems that the powers that be don't get it:

Encryption backdoors will always turn around and bite you in the ass. They are never worth it.

Whether it's creating vulnerabilities that come back to undermine security on the internet decades later, or merely giving cover to foreign nations to undermine strong encryption, backdoors are a terrible idea which should be relegated to the dustbin of history.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, encryption, export encryption, export keys, freak, nsa, openssl, ssl, tls, vulnerability

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Sheogorath (profile), 4 Mar 2015 @ 11:05am

What's the betting...
...that someone deliberately exploited this vulnerability on the NSA's website in order to force the US government to stop being so blind about the problems with security backdoors?
[ link to this | view in chronology ]
Just Another Anonymous Troll, 4 Mar 2015 @ 11:06am

Give the coders a break
It's hard enough to create a secure cryptographic standard and keep it that way.
It's even harder* to create a secure cryptographic standard, keep it that way, and maintain a backdoor for intelligence agencies. In fact, having a backdoor in your crypto is the very antithesis of a secure system.
*read: impossible
[ link to this | view in chronology ]
- That One Guy (profile), 4 Mar 2015 @ 11:16am
  
  Re: Give the coders a break
  Oh people aren't blaming the coders for this, they're blaming the idiots in the government who forced them to build intentionally weak encryption.
  [ link to this | view in chronology ]
Miles Barnett (profile), 4 Mar 2015 @ 11:22am

Encryption Backdoors Will Always Turn Around And Bite You In The Ass
Then maybe we should all purchase some Ass Armour(TM).
[ link to this | view in chronology ]
Mike Acker (profile), 4 Mar 2015 @ 11:37am

re: "the don't get it"
="Let's repeat that last line, because it still seems that the powers that be don't get it: "

IMHO the understand it perfectly. and, as the song says "as soon as one door closes another door will open"

and so the game of whack a mole continues ad nauseum. another "sophisticated" (my ass) attack . another CVE. and then another patch, and another door is opened.

the business model of the internet is surveillance. i think this was noted by Bruce Schneier recently, if memory serves. and this is exploited by commercial interests, government, and crooks alike. Truly "a fool's paradise".

Open source should help. I hope. I use it, anyway.
[ link to this | view in chronology ]
Anonymous Coward, 4 Mar 2015 @ 11:43am

"Golden key"
It's interesting to note that this SSL "export crypto" was really an attempt at a "golden key", that is, something only "good guys" could break.

It worked by deliberately weakening the encryption. It did the equivalent of taking a long key (for instance, a 128-bit symmetric key) and revealing most of it, so only a small part of the key was kept secret (usually 40 bits for symmetric keys).

"Good guys" like the government would have access to large amounts of computer power, and therefore be able to try all the 1099511627776 possible combinations until finding one that matched. "Bad guys" like a neighborhood hacker would have access only to a small amount of computer power, and so would need years to find the matching combination. With advances on computer power, the size of the secret part was increased, so one would would have to check 72057594037927936 possible combinations.

Of course, the premise that only "good guys" would have access to large amounts of computer power didn't hold for long (the EFF DES cracker was an early demonstration of its failure). And that's before going into the definition of "good guys".
[ link to this | view in chronology ]
- Anonymous Coward, 4 Mar 2015 @ 11:54am
  
  Re: "Golden key"
  (continuing)
  
  One could make a monetary argument: even for the weakened keys, the cost of trying all the combinations would be more than the value of the obtained information, so your credit card numbers were safe. That ignores three important considerations.
  
  First, that not all value is monetary. A hacker could be willing to spend more than the monetary value of the information, if he had other reasons to be interested in breaking the encryption.
  
  Second, that marginal cost matters. Once the hacker has already spent the hundreds of thousands of dollars to buy the fast computers he would need, the incremental key of breaking another key is small (mostly power and wear on the fans). The more keys the hacker breaks with his initial investment, the cheaper it becomes in the end.
  
  Third, that hackers hack (it's what they do). What prevents a hacker from using other people's money to break the keys? A hacker could for instance invade a company and "borrow" their computers for a while.
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Mar 2015 @ 12:09pm
    
    Re: Re: "Golden key"
    (continuing)
    
    However, SSL export crypto was "fair for its day". Back then, everything was plaintext. Nothing was encrypted. Even with its bizarre limitations, export crypto was a "foot in the door": people got used to it, and wanted more.
    
    The world has also changed. Gone are the days where nation-states had the privilege of being the only ones with the capability to develop strong cryptography. The notion that export restrictions would prevent strong cryptography from becoming available to everyone became more and more of an anachronism. With the knowledge of cryptography becoming more common, the knowledge of its weaknesses also became more public. Weak algorithms became less acceptable. And with that, "deliberately reducing the key length" is no longer a valid attempt at a "golden key".
    [ link to this | view in chronology ]
  - Anonymous Coward, 4 Mar 2015 @ 12:12pm
    
    Re: Re: "Golden key"
    the cost of trying all the combinations would be more than the value of the obtained information,
    
    Botnets do not cost the cracker, and can provide more computing power that most data-centers. In may ways the bad guys have the advantage over the good guys when it comes to access to computing power, embarrassingly parallel problems , as they steal computer cycles, rather than paying for them.
    [ link to this | view in chronology ]
    - Jack, 5 Mar 2015 @ 8:00am
      
      Re: Re: Re: "Golden key"
      Botnets don't cost the OPERATOR of the botnet. They do cost the end user, who is typically told a specific number of IOPS/s by the hour. The more of the botnet they utilize, the more it costs.
      
      Its essentially the same pricing structure as amazon EC2.
      [ link to this | view in chronology ]
Matt D (profile), 4 Mar 2015 @ 11:56am

Correction: Encryption backdoors will bite you in the back door.
[ link to this | view in chronology ]
Anonymous Coward, 4 Mar 2015 @ 12:07pm

dont talk rubbish! you just ask the NSA, FBI, CIA, HS. they'll tell you the truth!!
[ link to this | view in chronology ]
- Sheogorath (profile), 4 Mar 2015 @ 5:30pm
  
  Re:
  I did just that, and now I'm on holiday at Camp Echo here in sunny Cuba!
  [ link to this | view in chronology ]
DannyB (profile), 4 Mar 2015 @ 12:10pm

Oxymoron time
Whenever you hear someone say that they want systems to be Secure and have Golden Keys, they are contradicting themselves.

The "Golden Keys" is a euphemism for Back Door, to make it sound nicer.

A Back Door is a security vulnerability that makes a system insecure.

Therefore the person is saying they want a system to be Secure and Insecure. That is a government worthy oxymoron if I have ever heard one.

See here for example:

New Rules in China Upset Western Tech Companies

Oh, look! The Chinese are doing it too! But they don't call it "golden keys", they say they want systems to be "Secure and Controllable".

Controllable means Back Door.
Back Door means vulnerability making system insecure.

Therefore, the Chinese want systems to be "Secure and Insecure". Another oxymoron brought to you by a government.
[ link to this | view in chronology ]
Guardian, 4 Mar 2015 @ 12:31pm

2000
a design implimentation of a virus that can use 5% of the bandwidth of a pc could also easily do same for its cpu powr say 1%, then range out and use a bot net for use of 1 million pcs
that would be like having 100,000 full computers and using process hiders ( they exist right now ) you will never know in fact , with the knolwedge of all the major anti virii providers out there , its easy to "simulate them while eradicating them ...keeping the machine largely safer then it was previously lol....

you all fookin idiots to think this 15 year old tech has not advanced
[ link to this | view in chronology ]
DannyB (profile), 4 Mar 2015 @ 12:34pm

Politicians please remember . . .
Encryption Backdoors WILL NOT bite you in the ass.

They will bite the American Public individuals and companies in the ass. So that makes it okay, right?
[ link to this | view in chronology ]
Anonymous Coward, 4 Mar 2015 @ 1:14pm

Criminal export
back during the first "cryptowars" ... the US still considered exporting strong crypto to be a crime.
And they still do, if you don't fill out the proper paperwork.
[ link to this | view in chronology ]
tracyanne (profile), 4 Mar 2015 @ 2:42pm

Encryption Backdoors Will Always Turn Around And Bite You In The Ass
And the NSA and the other TLAs will be saying, just so long as it's my donkey that gets bit, I'm OK

But seriously, the lesson they are probably going to take away is "We have 15 years grace period on each back door, I think we can manage that."
[ link to this | view in chronology ]
AnonCow, 4 Mar 2015 @ 3:34pm

Keys corrupt, golden keys corrupted absolutely.
[ link to this | view in chronology ]
Anonymous Coward, 4 Mar 2015 @ 4:57pm

Back Doors, Golden Keys ... more like a golden shower while someone has you over a barrel. I thought these people were against that sort of kinky shit.
[ link to this | view in chronology ]
Uriel-238 (profile), 4 Mar 2015 @ 5:32pm

Since they want a golden key, lets make it a golden key.
That is, rather than a backdoor key we provide interested agencies with a golden cryptanalytic algorithm based on the classic brute force attack

In fact, it's identical. Given a targeted data packet, the routine attempts to decode it with a hypothetical key 00000...00001, then 00000...00010, then 00000...00011 and so on until one test produces readable code.

Such an algorithm will, inevitably, crack any crypto (not just SSL) and allow an agency to access the unencrypted text. It's also intrinsically costly, so that only governments with immense computational resources will be able to break SSL. In fact, costly enough to protect end users against dragnet use of the key, so that warrants for specific decryption jobs will serve as a time and labor saving stopgap against Golden Key overuse.

(By costly, I mean it takes a very fast and powerful computer a very long time to derive an SSL key. Indirectly, it may cost a lot of actual money for renting and maintaining the computer and supplying it with power. Also considering the time requirements, upgrades, hiring and training new technicians, museum rights and so on.)
[ link to this | view in chronology ]
- Jack, 5 Mar 2015 @ 8:05am
  
  Re: Since they want a golden key, lets make it a golden key.
  You did read the story didn't you? That is exactly what the exported version of RSA was - it was a short enough key to be brute forced only by governmetns with massive computing power (at the time). Unfortunately for the NSA (but fortunately for us), computational power of computers increased exponentially and instead of a normal PC taking hundreds or thousands of years to brute force the algorithm, it only took hours or minutes...
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 5 Mar 2015 @ 10:35am
    
    I was being facetious
    By not shortening the key, it would take centuries if not millennia, by which time the advancement of quantum computers should make all SSL obsolete anyway.
    [ link to this | view in chronology ]
GEMont (profile), 5 Mar 2015 @ 12:33pm

The ass that get's bitten is not the ass of government.
"...backdoors are a terrible idea which should be relegated to the dustbin of history."

And thus, "backdoors" will indeed become the foremost desired project of governments world wide and will indeed be implemented in most nations.

---
[ link to this | view in chronology ]
- Uriel-238 (profile), 5 Mar 2015 @ 6:25pm
  
  And this is why we need encryption with plausible deniability.
  Heck, an extra-careful enterprise could add the process of writing unused space on all hard drives with random numbers. That way drives that are unencrypted are indistinguishable from drives that are.
  
  I'm pretty sure the military seven-pass data purge ends with random numbers anyway.
  [ link to this | view in chronology ]