End-to-end encryption 101

Modern encryption schemes break down into several categories. For the purposes of this discussion we'll consider two: those systems for which the provider holds the key, and the set of systems where the provider doesn't.

We're not terribly interested in the first type of encryption, which includes protocols like SSL/TLS and Google Hangouts, since those only protect data at the link layer, i.e., until it reaches your provider's servers. I think it's fairly well established that if Facebook, Apple, Google or Yahoo can access your data, then the government can access it as well -- simply by subpoenaing or compelling those companies. We've even seen how this can work.

The encryption systems we're interested in all belong to the second class -- protocols where even the provider can't decrypt your information. This includes:

- Apple and Android device encryption (based on user passwords and/or a key that never leaves the device).
- End-to-end messaging applications such as WhatsApp, iMessage and Telegram*.
- Encrypted phone/videochat applications such as Facetime and Signal.
- Encrypted email systems like PGP, or Google/Yahoo's end-to-end.

This seems like a relatively short list, but in practice we're talking about an awful lot of data. The iMessage and WhatsApp systems alone process billions of instant messages every day, and Apple's device encryption is on by default for everyone with a recent(ly updated) iPhone.

How to defeat end-to-end encryption

If you've decided to go after end-to-end encryption through legal means, there are a relatively small number of ways to proceed.

By far the simplest is to ban end-to-end crypto altogether, or to mandate weak encryption. There's some precedent for this: throughout the 1990s, the NSA forced U.S. companies to ship 'export' grade encryption that was billed as being good enough for commercial use, but weak enough for governments to attack. The problem with this strategy is that attacks only get better -- but legacy crypto never dies.

Fortunately for this discussion, we have some parameters to work with. One of these is that Washington seems to genuinely want to avoid dictating technological designs to Silicon Valley. More importantly, President Obama himself has stated that "there’s no scenario in which we don’t want really strong encryption". Taking these statements at face value should mean that we can exclude outright crypto bans, mandated designs, and any modification that has the effect of fundamentally weakening encryption against outside attackers.

If we mix this all together, we're left with only two real options:

- Attacks on key distribution. In systems that depend on centralized, provider-operated key servers, such as WhatsApp, Facetime, Signal and iMessage,** governments can force providers to distribute illegitimate public keys, or register shadow devices to a user's account. This is essentially a man-in-the-middle attack on encrypted communication systems.
- Key escrow. Just about any encryption scheme can be modified to encrypt a copy of a decryption (or session) key such that a 'master keyholder' (e.g., Apple, or the U.S. government) can still decrypt. A major advantage is that this works even for device encryption systems, which have no key servers to suborn.

Each approach requires some modifications to clients, servers or other components of the system.

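To make the key-escrow option above concrete, here is an added example (not from the original post and not any deployed protocol): a hypothetical scheme in which each message's random session key is wrapped twice, once to the recipient's public key and once to a master public key, using X25519 and AES-256-GCM from Go's standard library. The message layout, the SHA-256 key derivation and the function names are assumptions for the example. The one detail worth seeing in code is how small the change is on the sending side and what it buys the master keyholder: the same Open routine, fed the escrow envelope, reads every message ever sent, so that one private key is a single point of failure for all traffic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Wrapped is a session key encrypted to one X25519 public key (ephemeral
// agreement, SHA-256 of the shared secret as AES key); layout is hypothetical.
type Wrapped struct{ Eph, Nonce, CT []byte }

// Message carries the same session key twice, plus the body it encrypts.
type Message struct {
	ForRecipient, ForEscrow Wrapped
	Nonce, Body             []byte
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read is not recoverable
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are 32 bytes by construction; failure is a bug
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// wrapTo encrypts sessionKey so that only the holder of pub's private key can read it.
func wrapTo(pub *ecdh.PublicKey, sessionKey []byte) (Wrapped, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Wrapped{}, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return Wrapped{}, err
	}
	kek := sha256.Sum256(shared)
	aead := gcm(kek[:])
	nonce := mustRandom(aead.NonceSize())
	return Wrapped{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, sessionKey, nil)}, nil
}

// unwrapWith reverses wrapTo; any other private key fails GCM authentication.
func unwrapWith(priv *ecdh.PrivateKey, w Wrapped) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(w.Eph)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(shared)
	return gcm(kek[:]).Open(nil, w.Nonce, w.CT, nil)
}

// Encrypt is ordinary end-to-end encryption plus one extra wrapTo call; that call is the whole sender-side change.
func Encrypt(plaintext []byte, recipient, escrow *ecdh.PublicKey) (Message, error) {
	sessionKey := mustRandom(32)
	forRecipient, err := wrapTo(recipient, sessionKey)
	if err != nil {
		return Message{}, err
	}
	forEscrow, err := wrapTo(escrow, sessionKey)
	if err != nil {
		return Message{}, err
	}
	aead := gcm(sessionKey)
	nonce := mustRandom(aead.NonceSize())
	return Message{forRecipient, forEscrow, nonce, aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts m through one envelope; with m.ForEscrow the master private key opens every message ever sent.
func Open(priv *ecdh.PrivateKey, env Wrapped, m Message) ([]byte, error) {
	sessionKey, err := unwrapWith(priv, env)
	if err != nil {
		return nil, err
	}
	return gcm(sessionKey).Open(nil, m.Nonce, m.Body, nil)
}

func main() {
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)    // recipient
	master, _ := ecdh.X25519().GenerateKey(rand.Reader) // master keyholder
	msg, _ := Encrypt([]byte("meet at noon"), bob.PublicKey(), master.PublicKey())
	a, _ := Open(bob, msg.ForRecipient, msg)
	b, _ := Open(master, msg.ForEscrow, msg)
	fmt.Printf("recipient reads %q; master keyholder reads %q\n", a, b)
}
```

Note what the escrow envelope does not change: the body is still encrypted to a per-message session key and an outsider without either private key still fails to decrypt. The weakening is concentrated entirely in the master key, which is why its storage, access control and logging would carry the whole security argument of such a system.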