Talking Backdoors: Forcing a round peg into a square hole
In an appeal to the RIPE community Patrik Fältström, Technical Director and Head of Security at Netnod, and Stephen Farrell, Researcher at Trinity College and long time Security Area Director at the IETF, spoke out against the next wave of “not so secure encryption” proposals from the European Union. A recent Council of Ministers’ paper from the Portuguese Presidency underlines once more the need for access to end-to-end encrypted communication.
“It is not over”, both Fältström and Farrell warned in their talks at the RIPE82 meeting on backdoor discussions, which according to Fältström are happening without technical experts.
The sky is not falling
Encryption has become a commodity, driven in recent years by Edward Snowden’s revelations about illegal state mass snooping. “Encryption is our standard feature for kind of everything. It's not really an interesting set of product category any more”. Of course, new crypto algorithms are being developed all the time, and a number of interesting challenges have remained, from fully-homomorphic encryption to secure cloud communications or ideas on how to allow hosts to authenticate when they do not have their own public IP address space (but instead use private IP addresses).
Despite agitated debates over users going dark by using more and more TLS or relying on the various developed DNS privacy mechanisms, so far the sky has not fallen, according to Farrell, “and I don’t think it will”.
Implementing Security and Privacy, BUT...
The European Commission has nevertheless been pushing for legal access to end-to-end encrypted communication. The Portugese Presidency published a paper on 12 May 2021 where it set out its next steps to develop a system for secure but accessible encryption under EU law.
“Serious organised crime and terrorist attacks are planned, executed and concealed online, illegal substances and products are marketed, and criminals are finding subtle ways to launder profits unhindered by physical borders. Fast developing technologies amplify the scale of the problem”, the Presidency paper reads. It asks Member States to support the European Commission’s preparations for a respective legislative proposal in 2022. Member States are asked to help identify options on how to move forwards on encryption.
This belief that encryption that is accessible via backdoors, frontdoors or vulnerabilities will still be secure leaves Fältström at a loss. Two recent technical proposals circulated by the EU presidency clearly illustrate the problem. One wants a hash of every communication sent from a device to a specific server for ‘review’, without the hash being end-to-end-encrypted. Another mechanism presented to Member States is that “everyone must have a secure enclave in the centre that is trusted, and inside the secure enclave you can access the unencrypted data even though it's end-to-end”, Fältström reported, reiterating the general feeling of technical experts, who feel that such concepts defy the sheer laws of mathematics. Either you encrypt securely end-to-end, or you do not.
Fallout of EncroChat break-in
Nurturing the ideas of accessible end-to-end encryption has been the recent Encrochat affair, Fältström added. French and Dutch police used the mobile encryption provider Encochat’s server to send out manipulated updates, thus gaining access to all 60000 Encrochat users’s devices. Was that still a targeted operation or was it a general phishing expedition which is banned by Swedish law at least, Fältström wondered. In Sweden one defendant, who was sentenced based on EncroChat material, has been acquitted. According to the public prosecutor, 200 more cases will result in acquittals as well, because the material was inconclusive. While the prosecution does not want the cases to go up to higher courts for fear of a dismissal of the EncroChat material as mass surveillance, law enforcement still promotes the results in the case for legalizing a generalized chat surveillance.
As the issues around weakening encryption were both a technical and legal problem, a much more multi-stakeholder discussion is urgently needed, Fältström said at RIPE 82. “It is like forcing a round peg in a square hole, and just because that’s what’s happening right now, we must participate in that operation”.
It is worth noting that the EU is not the only party to start considering legislation to address the round-peg-square-hole, some concerning proposals are also on the road in Mauritius, Brazil, Australia and other countries, Olaf Kolkman of the Internet Society warned. For more information see here.