Every so often, usually after a national security event, prominent political voices in many countries will emerge to decry the availability of encryption software and its uses for nefarious means. They reason that, because such software could be used to hide the movements of those wishing to commit crimes, cryptography to which law enforcement does not have ready access should be banned, forcing all users onto insecure platforms with backdoor access built in.
On many levels, this is a reasonable assertion; ignoring the sizeable challenge it represents to the concept of privacy in digital communications, the idea is not completely ridiculous on its face. Law enforcement has been able to intercept communications for centuries, from letters to telephone calls, after all. However, today’s network communications have a significant difference.
In the past, cryptography – and other methods of hiding the intended content of a message from all but the intended recipient – was almost exclusively the domain of the military and other secret services. The principles of cryptography were not widely known, not taught, and kept hidden from the outside world for as long as possible.
This began to change around the middle of the 20th century, as interest in cryptography grew and civilian research on the subject increased. Happening in concert with the availability of home computers, this brought about many knowledgeable civilian researchers and practitioners of cryptography where none had existed before.
Today, devices used for sending and receiving private, public, even military and government communications use a cryptographic cipher – the complex system which encodes and decodes a plain text message – designed by a civilian research team. The Rijndael cipher was chosen in 2001 as the basis for the Advanced Encryption Standard (AES), used in many military and government networks across the world.
This and other ciphers are freely available for others to implement today, without requiring the blessing of or any information from a military or government organisation. What’s more, very few (if any) organisations are known to be able to break the ciphers recommended for use today, given an appropriate-length key, in anything approaching a reasonable amount of time, meaning under many hundreds of years.
So, with the widespread public availability of very competent cryptography, both public and private key (so messages can be protected whether or not the intended recipient has a shared private key), the situation today is very different from the past. Now, novices with no knowledge of cryptography whatsoever can utilise easily-accessible encryption software and send messages that for almost all intents and purposes are unreadable except by their intended recipient.
If legislation were enacted banning the use of these programs, the following things would then occur:
1. The legislation would have to specify a replacement cipher to be used, as cryptography has been a necessary part of enabling the widespread use of network communications for sensitive information such as financial transactions.
2. This replacement cipher would then need to be breakable by a government organisation, either by an intentional backdoor in the cipher or via mandatory usage of a short encryption key.
3. Anyone, such as criminals, who was sufficiently interested in retaining their secure encrypted communications could still use software implementing the more secure ciphers, as the mathematics, design and code required to do so are widely available already.
With these points in mind, we can see that the only people disadvantaged by such legislation would be everyday legal users, who now have their security compromised by the use of a weaker cipher. If the history of designing complex systems (as cryptographic systems certainly are) has taught us one thing, it is that if a vulnerability (such as an intentional backdoor) is present in a system, more than the intended party will eventually find it.
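To make point 2 concrete, here is an added example (not part of the original article) showing that a key short enough for a government to search is short enough for anyone to search. The toy stream cipher, the 16-bit mandated key size, the sample message and all function names are constructed for illustration.

```python
import hashlib, hmac, time

def keystream(key: bytes, n: int) -> bytes:
    # Toy stream cipher (constructed): HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def restricted_key(secret: int, bits: int) -> bytes:
    # A "mandated short key": only `bits` bits vary, the rest is fixed padding.
    return (secret % (1 << bits)).to_bytes(16, "big")

def exhaustive_search(ciphertext: bytes, known_prefix: bytes, bits: int):
    # The search needs no secret knowledge, only a guess at how messages begin.
    head = ciphertext[:len(known_prefix)]
    for k in range(1 << bits):
        if crypt(restricted_key(k, bits), head) == known_prefix:
            return k
    return None

def years_to_search(bits: int, keys_per_second: float) -> float:
    # Worst-case time to try every key of the given length.
    return (2 ** bits) / keys_per_second / (365.25 * 24 * 3600)

def demo(bits: int = 16):
    secret = 0xBEEF                                   # constructed key
    msg = b"TRANSFER 100 GBP to account 12345678"     # constructed message
    ct = crypt(restricted_key(secret, bits), msg)
    start = time.perf_counter()
    found = exhaustive_search(ct, b"TRANSFER", bits)
    rate = (found + 1) / (time.perf_counter() - start)
    return found, crypt(restricted_key(found, bits), ct), rate

if __name__ == "__main__":
    found, recovered, rate = demo()
    print(f"recovered key {found:#x}: {recovered!r} at {rate:,.0f} keys/s")
    for bits in (16, 40, 56, 128):
        print(f"{bits:>3}-bit key: {years_to_search(bits, rate):.3g} years")
```

The same measured search rate that recovers the short key in well under a second puts a 128-bit key far beyond reach, which is the gap the mandated weakening removes for every user at once.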
This is why cryptographers are continually at odds with government organisations on the subject of back doors: to provide one user with unfettered access, as is so often requested, the door is opened to anyone interested enough to find it. And with cryptographic schemes which could be mandated for the majority of network communications in a country, there is no shortage of interest.
So, what can realistically be done about the problems law enforcement faces with secure cryptographic communications? While the mathematics and system design of cryptographic ciphers are thoroughly vetted for many years by the academic, private and public communities of cryptographers, one area is typically not: the application implementing these systems and ciphers.
Indeed, there is a thriving underground market for known exploits of these applications which would allow unintended users to gain access, and the developers and operators of these applications are also under continuous pressure from government organisations to open access to their data in transit and at rest.
The most likely method of success for government organisations to gain access to data of interest is to covertly contact these developers and operators, compelling them directly to provide access to data in a way that does not alert the users of the service.
Although this method is arguably more legwork than simply providing a cryptographic backdoor and outlawing strong encryption, it is far more realistic. There is no real way to ban the use of strong encryption on today’s internet, and attempting to do so only further disadvantages honest users while giving a leg-up to those with criminal intent.
The next time you read an article with a lawmaker and a cryptographer arguing over the issue of outlawing encryption, think about what both sides are saying. Lawmakers (mostly) don’t want to leave the public without any method of protecting their private information, and cryptographers (mostly) don’t want to completely lock out law enforcement agencies from accessing information to protect people either.
In this situation, the problem is one of understanding: cryptographers cannot wave a magic wand and add a police-only backdoor to all the mathematics underpinning the design of a modern cipher without it being discoverable by anyone. The sooner this is more widely understood, the sooner we can get to discussing real solutions to this problem.