Scapegoating Encryption
Written by Nikos Vaggalis   
Monday, 08 May 2017


So, yes to the intelligence services, yes to apprehending the criminals, just not through weakening encryption or planting backdoors, but in other ways, ways detailed in Orin S. Kerr and Bruce Schneier's "Encryption Workarounds" report:

"The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target’s data that has been concealed by encryption. This essay provides an overview of encryption workarounds."

According to it, there are six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. The first three are strategies to obtain an existing key to unlock encrypted data. The latter three are ways of accessing the data in plaintext form without obtaining the key. In each case the authors consider the practical, technological, and legal hurdles that need to be overcome.

A. Find the Key

"The first way for the government to decrypt the data is to find an existing copy of the key. Perhaps it was written down on a particular page in a particular notebook in the suspect’s library, or was entered into a file of passwords stored on the target’s computer or phone, which would require investigators to perform forensic analysis on the computers to locate them. This strategy of finding the key often requires the legal authority to search for and seize it."

B. Guess the Key

"A second encryption workaround is to guess the key. In the simplest case, agents may guess the key successfully by making educated guesses about what passwords the owner is likely to have used. Passwords generally need to be remembered by their users, which means they are often memorable numbers or phrases."

 


As the Washington Post revealed in its DNA article, guessing the key was a valuable technique already in use in the early years of the millennium. Back then the US Secret Service had already linked 4,000 of its employees' computers into the "Distributed Networking Attack" program, configured to try different password combinations against a series of encryption keys. Many encryption programs provide up to 128- or 256-bit keys, and in trying to break a 256-bit key there's a greater probability that the sun will burn out before all the computers in the world could factor in all of the information needed to decrypt it using today's conventional dictionary and brute force decryption methods.

"DNA scours a suspect's hard drive for words and phrases located in plaintext and fetches words from Internet sites listed in the computer's Web browser logs. DNA technicians then load the suspect's encrypted data into the system, while Shadowfax (the machine that tells each segment of the network what to work on) tells the Blackhorse (machines that assign jobs to DNA computers in Secret Service-field offices around the country) computers how to distribute the workload of testing the keys against the word lists and execute any subsequent brute-force attacks against the targeted encryption keys.

It's estimated that between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks. If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms"

In this case computing power is highly desired because it makes cracking the password much quicker. If the agency had already been "looking to partner with companies in the private sector that may have computer-processing power to spare", imagine what it is capable of pulling off now, or what it could possibly pull off when quantum computing arrives:

"The quantum computers’ ability to process and analyze enormous sets of data; security goes away the moment there is a quantum computer that can break the encryption in place to protect it."

A dream come true for any intelligence agency, since only they and a few select partners will have the power to break any kind of encryption.
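To make the word-list idea concrete from the defender's side, here is an added example (not from the article, the report or the DNA program) that audits whether a passphrase can be derived from text associated with its owner, and compares the resulting guess count with a 256-bit key space. The sample text, the suffix list, the three casings and the guess rate are constructed assumptions.

```python
import re

# Constructed sample: text of the kind found in a user's bookmarks or plaintext files.
CONTEXT = """Ducati Monster owners forum. Best torque settings for the
Panigale exhaust. Sturgis rally 2016 photos and touring routes."""

# Decorations people commonly append to a memorable word (assumed list).
SUFFIXES = ["", "1", "123", "!", "2016", "2017"]

def context_words(text, min_len=4):
    """Unique lowercase words of at least min_len letters found in text."""
    return sorted({w.lower() for w in re.findall(r"[A-Za-z]+", text)
                   if len(w) >= min_len})

def word_forms(words):
    """Each word in three casings: lower, Capitalized, UPPER."""
    return {f for w in words for f in (w, w.capitalize(), w.upper())}

def candidate_space(words):
    """Upper bound on guesses: one or two word forms followed by one suffix."""
    singles = len(words) * 3
    return (singles + singles * singles) * len(SUFFIXES)

def derivable(password, words):
    """True if password is one or two context word forms plus a listed suffix."""
    forms = word_forms(words)
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if not password.endswith(suf):
            continue
        core = password[:len(password) - len(suf)]
        if core in forms:
            return True
        if any(core[:i] in forms and core[i:] in forms
               for i in range(1, len(core))):
            return True
    return False

def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every key of the given length at a fixed rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    words = context_words(CONTEXT)
    for pw in ("Ducati2016", "monsterPanigale!", "c9#Lq2vT!xR7"):
        print(pw, "derivable from context:", derivable(pw, words))
    print("context guesses:", candidate_space(words))
    print("years for 2^256 at 1e12 guesses/s: %.2e" % years_to_exhaust(256, 1e12))
```

A passphrase that passes this check is not thereby strong; the check only shows that it lies outside this particular context-derived dictionary.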

C. Compel the Key

"A third approach is for the government to compel the key from someone who has or knows it. The government effectively “finds” the key by identifying someone who has or knows it and then compelling them to disclose or use it.

In an authoritarian regime, or among criminals, the idea of coercion could include threats, bribery, seduction, and torture. In this essay, we restrict ourselves to legal compulsion techniques.

Of course, if investigators ask for the key and such a person provides it voluntarily, officers may use the key that is provided so long as the Fourth Amendment is otherwise satisfied. The more significant case is where the person refuses to disclose the key voluntarily. This will raise the legal question of how much pressure the government can exert to encourage disclosure."

It turns out that in the UK not disclosing your password is already an act punishable with many years in prison under Section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA). This allows law enforcement to demand that a suspect hand over the password to, or provide unencrypted copies of, the material that agencies are after. If a suspect refuses to do this, it is considered an offence which carries the possibility of up to two years imprisonment, and up to five years if the case is one of national security.

The problem herein lies in:

"if the evidence on the device is particularly damning, a rational suspect may decide to suffer the punishment for noncompliance rather than suffer the greater punishment of the underlying crime."

The encryption workarounds discussed so far involve means of obtaining and then using a key to decrypt encrypted data. Now let's examine the workarounds that do not require a key but get access in other ways.

D. Exploit A Flaw in the Encryption Scheme

"Access is gained without requiring the key by exploiting a weakness in the system designed to keep people out. All software contains bugs, and commercial software can contain thousands of them. Some of these bugs result in security vulnerabilities, and some of those vulnerabilities can be exploited to defeat the encryption scheme. Hackers, criminals, foreign governments, and others all take advantage of these flaws in encryption systems.

A lesson is that the degree of third-party assistance that can be legally compelled is likely to be a continuing theme of the law of encryption workarounds. Encryption technology runs on software created outside the government and runs on hardware manufactured by private companies. Expertise relevant to workarounds will be found outside the government. As the recent dispute over the San Bernardino iPhone revealed, how much authority the government has to compel the assistance of third parties is a fundamental question of encryption workarounds."

As John McAfee argues in this interview, things get sour when, as in the San Bernardino case:

"if you only get access to an individual phone, you get a court order, Apple should help. But the FBI didn’t ask for that. It asked for a universal key that will allow it to get into any iPhone. It’s a different thing and it’s the first time the FBI has asked for that. That’s one thing. Sure, you have a court order, you have a phone you want to break in - we’ll help you break into this phone; but the FBI specifically said “We want a Master Key”. That’s what they asked for."

E. Access Plaintext When the Device Is In Use

"Because intended users cannot read ciphertext, encrypted data must be decrypted to be read by them. This necessarily creates a security vulnerability. The government can work around encryption by gaining access to information when it is in decrypted form.

An investigator could insert a keylogger into a computer to collect keystrokes or install a hidden camera in the room where the computer is that can record both what the suspect is typing and what he is reading."

The report then goes through the famous Playpen case, where the FBI successfully penetrated the Tor network by the use of malware:

"Because Tor masked the true IP addresses of its visitors, however, the government could not trace back visitors in the usual way: Visits only logged the IP addresses of Tor nodes, which could not be traced back to the IP addresses visitors themselves used to establish an Internet connection and visit Playpen.

To reveal the true IP addresses of users, the government obtained a warrant authorizing the installation of a “network investigative technique” -in other words, malware—on the computers of Playpen visitors."

In this case there's always the danger of these kinds of tools ending up in the wrong hands, as The Shadow Brokers showcased by dumping a trove of such tools. Some say they got hold of it by directly hacking the Equation Group, others that they stole it from a server hosting the malware used in a live operation. In any case, once the tools are found it's a matter of reverse engineering to get to the secrets hiding underneath.

F. Locate a Plaintext Copy

"The sixth and final type of encryption workaround is to obtain a separate and unencrypted copy of the information. The target may have multiple copies of the sought-after records, and the government may be able to access an unencrypted version. Instead of bypassing encryption, it avoids encryption entirely."

I will leave you with a paragraph from this essay which carries the most significant lesson, the one that authorities must opt for: 

"How much encryption is a game-changer for criminal investigations depends on the success of encryption workarounds. When targets use encryption, the police do not simply give up. Rather, investigators turn to encryption workarounds that try to erase the barrier that encryption can create. Just as for every action, there is an equal and opposite reaction, for every use of encryption to conceal communications there is a set of workarounds that could be employed to try to reveal them."

Instead, authorities should work on strengthening encryption rather than weakening it, as well as helping to patch vulnerabilities rather than developing them.

According to John McAfee:

"Here’s the truth of hacking and security. No matter how secure you want to make your system, someone will always find a way to break in. It’s been that way with safes, it’s been that way with door locks, it’s been that way with bank vaults. There will always be a way. Nothing can be perfectly secure in life. This is just the way the world works, the least of all, software. It has to be a continual affair. You make something, you think it’s perfect, someone finds a way to break in, you see how they break in, you fix that and make it stronger. And in the end, we end up with stronger products and more perfect security."

Apple CEO Tim Cook condemned the request for the order in the San Bernardino case as dangerous and said that:

"it would make Apple “hack [its] own users and undermine decades of security advancements that protect our customers—including tens of millions of American citizens—from sophisticated hackers and cybercriminals.

The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.”"

Agencies could actively work in that direction by sponsoring bug bounties (see HackerOne, for example), employing specialized personnel who can hack anything, and helping to educate the world, especially the youth, in adopting a security-focused mindset by promoting CTF contests such as the recent Carnegie Mellon PicoCTF 2017, addressed to middle and high school students.

Otherwise, what are they waiting for? For even the space missions to get hacked?

"Jeanette Hanna-Ruiz, chief information officer for IT security at Nasa, has claimed it's only a 'matter of time' before cyberattackers and nation-state government adversaries successfully hack into the space exploration technology used by the world-famous federal agency.

One major concern is that hackers – very likely working for a rival government – is that communications sent between spacecraft and its bases would be intercepted. Hanna-Ruiz said the agency's cybersecurity teams are actively searching for bugs and vulnerabilities."

Authorities might have a strong case against encryption but the problem is that this argument is used as a way to scapegoat and diminish its role in this endless pursuit of assuming super powers, when there are other, ample, ways to defeat the bad guys.

International policy director for the Computer and Communications Industry Association Christian Borggreen told Ars Technica:

“It is certainly understandable that some would respond to recent tragedies with backdoors and more government access. But weakened security ultimately leaves online systems more vulnerable to all types of attacks from terrorists to hackers. This should be a time to increase security – not weaken it.”

Instead of directing all the resources to that extent, here we are de-constructing the only thing that protects us from the bad guys, whoever they are. Just imagine a world without encryption, how would that be?

 


 

 

More Information

Orin S. Kerr and Bruce Schneier's "Encryption Workarounds"

ENISA position paper and opinion on encryption

Gemalto-GDPR (General Data Protection Regulation)

Anne Jellema Encryption we must say no to back doors

WWW's inventor Tim Berners opposes encryption backdoors

Cisco vulnerability default ssh key

BENIGNCERTAIN exploit

A journalist in exile awaits Turkeys momentous referendum

Turkey is sliding into dictatorship

OPM hack

Washingtonpost DNA

Quantum computing

How refusing to hand over your passwords can land you in jail

McAfee: If FBI gets backdoor to people's phones, US society will collapse

The Shadow Brokers trove

Space missions to get hacked?

Related Articles

Public Key Encryption 

Modifiable Encryption

Computational Complexity 

Carnegie Mellon's PicoCTF 2017

 Public Key Cryptography Set To Fail In Five Years 

Ever Increasing Need For Secure Programming

Let's Encrypt Now In Public Beta

Crypto 101 - A Free Ebook

Secrets and Lies, Digital Security in a Networked World, 15th Anniversary Edition (book review) 

Introduction to Cryptography with Open-Source Software (book review)


Last Updated ( Monday, 08 May 2017 )