Encryption/Decryption Race

The political one I mean, not the technological one.  Recall, for instance, the San Bernardino terrorist attack, the FBI’s capture of one of the terrorists’ encrypted iPhones, Apple’s refusal to decrypt it (they couldn’t, by their design of the iPhone’s OS), then-FBI Director James Comey’s (yes, that Comey) cynically tear-jerking demand for future such personal device encryption back doors to decrypt at Government convenience, and Apple’s refusal to support development of that.

An expert on the subject—a technological expert I mean, not a political one—thinks he’s solved the problem.  His solution is described in a Wired article.  This expert thinks he has a way of providing Government “exceptional access” to a private person’s (or private enterprise’s) encrypted cell phone (for instance).  His solution, Clear, works this way:

The vendor—say it’s Apple in this case, but it could be Google or any other tech company—starts by generating a pair of complementary keys. One, called the vendor’s “public key,” is stored in every iPhone and iPad. The other vendor key is its “private key.” That one is stored with Apple, protected with the same maniacal care that Apple uses to protect the secret keys that certify its operating system updates. These safety measures typically involve a tamperproof machine (known as an HSM or hardware security module) that lives in a vault in a specially protected building under biometric lock and smartcard key.

That public and private key pair can be used to encrypt and decrypt a secret PIN that each user’s device automatically generates upon activation. Think of it as an extra password to unlock the device. This secret PIN is stored on the device, and it’s protected by encrypting it with the vendor’s public key. Once this is done, no one can decode it and use the PIN to unlock the phone except the vendor, using that highly protected private key.

So, say the FBI needs the contents of an iPhone. First the Feds have to actually get the device and the proper court authorization to access the information it contains—Ozzie’s system does not allow the authorities to remotely snatch information. With the phone in its possession, they could then access, through the lock screen, the encrypted PIN and send it to Apple. Armed with that information, Apple would send highly trusted employees into the vault where they could use the private key to unlock the PIN. Apple could then send that no-longer-secret PIN back to the government, who can use it to unlock the device.

Included in the procedure is the requirement to send a judge’s search warrant to Apple along with the encrypted PIN, and Apple would first verify the warrant before sending anyone to the vault.
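
The exchange quoted above, sketched as an added example (not code from this post, the Wired article, or Clear's designer). The names `Device`, `Vendor` and `run_exchange` are hypothetical, the key pair is a constructed toy using unpadded RSA, and the HMAC tag on the warrant is an assumption, since the description does not say how a warrant is verified.

```python
import hashlib
import hmac
import secrets

# Constructed toy vendor key pair: unpadded RSA over two Mersenne primes.
# Illustration only; a real vendor key would be generated and kept inside an HSM.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                           # with E: the "public key" stored on every device
D = pow(E, -1, (P - 1) * (Q - 1))   # the "private key" kept in the vendor's vault

class Device:
    """Generates its PIN at activation and exposes only the encrypted copy."""
    def __init__(self):
        self._pin = secrets.randbits(128)
        self.encrypted_pin = pow(self._pin, E, N)   # readable from the lock screen
    def unlock(self, pin):
        return pin is not None and pin == self._pin

class Vendor:
    """Verifies the warrant, then decrypts the PIN with the private key."""
    def __init__(self, court_key):
        self._court_key = court_key   # assumption: warrants carry an HMAC tag
        self.audit_log = []
    def release_pin(self, encrypted_pin, warrant, tag):
        expected = hmac.new(self._court_key, warrant, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.audit_log.append(("refused", warrant))
            return None
        self.audit_log.append(("released", warrant))
        return pow(encrypted_pin, D, N)

def run_exchange():
    court_key = secrets.token_bytes(32)
    vendor, phone_a, phone_b = Vendor(court_key), Device(), Device()
    warrant = b"constructed warrant text for phone A"
    tag = hmac.new(court_key, warrant, hashlib.sha256).digest()
    refused = vendor.release_pin(phone_a.encrypted_pin, warrant, bytes(32))
    pin_a = vendor.release_pin(phone_a.encrypted_pin, warrant, tag)
    # The warrant check is procedure wrapped around the key, not part of the
    # cryptography: the same D decrypts phone B's PIN with no warrant involved.
    pin_b = pow(phone_b.encrypted_pin, D, N)
    return refused, phone_a.unlock(pin_a), phone_b.unlock(pin_b), vendor.audit_log

if __name__ == "__main__":
    print(run_exchange())
```

The audit log records only requests that went through `release_pin`; the decryption of phone B's PIN leaves no entry, which is why custody of the private key carries the whole scheme.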

Hmm….

In a landmark 2015 paper called Keys Under Doormats, a group of 15 cryptographers and computer security experts argued that, while law enforcement has reasons to argue for access to encrypted data, “a careful scientific analysis of the likely impact of such demands must distinguish what might be desirable from what is technically possible.” Their analysis claimed that there was no foreseeable way to do this. If the government tried to implement exceptional access, they wrote, it would “open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend.”

Exceptional access is not desirable.  All Clear would do is add to the hackers’/criminals’/malicious nation-states’—and malicious network entities’—target lists the men and women running the companies “storing” the back doors, now working in cahoots with Government men through the screen of a Government-issue search warrant.

It’s true enough that

Using that same system to provide exceptional access…introduces no new security weaknesses that vendors don’t already deal with.

The “same system” is the various ways software developers and vendors encrypt keys that then are used, for instance, to verify the veracity of this or that application a user just downloaded or an OS update being offered—or pushed—to a user.  It’s also true that things like Clear add no new security weaknesses (assuming, arguendo, that the software of the Clears of this potential brave new world is well implemented).  But spreading those existing weaknesses around, putting them explicitly in the hands of Government and out of the hands of individuals using the devices solves nothing.  It’s still men and women who are the weak link in this politically-driven solution, however elegant and simple to execute the technological proposal.

No, it’s not so much a matter that exceptional access is a “crime against science,” Wired’s phrasing in its misunderstanding of the proposal.  It’s that exceptional access is a crime against individual liberty.  Even against group liberty.

In another cynical representation, current FBI Director Christopher Wray, noting that his FBI “was locked out of 7,775 devices in 2017,” said

I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it’s utterly beyond reach to protect innocent citizens.

Stipulate that Wray is pure as the driven snow with motives beyond reproach.  He’s a man.  So will be his successors.  So are all of the men and women of government and of industry.  So will be their successors.

Thus, a question for those of you to the left of center and beyond, politically: would you really want a Donald Trump’s FBI via his selection of judges to have exceptional access to your secrets?

And a question for those of you to the right of center and beyond, politically: would you really want a Hillary Clinton’s FBI via her selection of judges to have exceptional access to your secrets?  A Bernie Sanders’?

Who among you are willing to trust a James Comey FBI with any of this?  A J Edgar Hoover FBI?

Or the titans of industry, the evil 1%?  Even Tim Cook, who resisted FBI demands in the San Bernardino case, is accommodating to the demands of the People’s Republic of China government.

What the sort of solution that is Clear does is force us to trust the good offices of the men and women running a manufacturer in addition to the good offices of the men and women of government.

That’s the stuff of a socialist’s wet dream.