Thales Blog

Backdoors for Encryption … Another Bad Idea

May 26, 2015

Andy Kicklighter Andy Kicklighter | Director of Product Marketing More About This Author >

Encryption KeysThe debate underway now on encryption and backdoors is nothing new.

It’s been a while since the laws in the 1990’s banned shipment of any encryption software with more than 64bit encryption from the U.S. At the time, 128 bit encryption was deemed “hard enough” to crack that its broad usage by adversaries represented a “Threat to National Security”.

ClickToTweet: Backdoors for Encryption - Another Bad Idea @akicklighter

The director of the FBI even specifically identified it at a congressional hearing in 1998. He also identified that the FBI was increasingly unable to complete court-authorized electronic surveillance efforts as a result of these technologies. He and other law enforcement leaders urged a “balanced policy on public encryption”.

Let’s suppose for a minute that what U.K. and U.S. Government officials (and even local police departments) are now discussing becomes law and all data-at-rest, data-in-motion and secure communications offered through IT Security vendors were formulated with a “back door” for government access.

First – Be aware that the most dangerous bad guys will be safe anyway. There are endless code repositories of open source encryption software to be found across the world. All kinds of encryption algorithms are available AES, DES, Elliptical curve, and much more.   Anyone seriously worried about being compromised by the backdoor has only to get hold of a moderately talented programmer (Can you say “Elance”?), create their own, secure encryption tools and then use them. Result – the ones who are serious about eluding detection will continue to do so.

Would putting in back doors catch some bad guys? Yes … the less intelligent and less thoughtful ones. It would probably be most useful for local law enforcement, and much less so when looking to prevent the next September 11th style attack.

But local, or any broad use, of a backdoor comes with a big risk … Exposure of that back door.

So let’s look at that as our second point – What about compromises of that back door? If the best use is to catch the accountant hiding fraudulent data on his phone or PC, to prevent child abuse or to help with gangland enforcement, how can that back door be safe given all of the people in the law enforcement community who’d need access? Even with a couple of tech geniuses working on procedures to protect each vendor’s back door, I have think that widespread usage will mean that it is only a matter of time before it is compromised.

Then where are we? Well – basically every piece of information protected by the commercial solution whose back door is compromised is wide open. It could make the data breaches we’re seeing now seem like minor problems.

OK ... So to be even handed we could try and put in individual backdoors for individual instances, keep data banks with the backdoor sets, and do other things to make this more difficult.  But that's all it would be - more difficult.

Third – What will it mean for any organization providing secure communications, networking, applications and data solutions? Well, their business will be severely affected. International sales will disappear, and local vendors will fill the vacuum in those areas. U.S. and U.K.-based firms will lose the business and even potentially their technological lead.   And if their backdoor is compromised, even their domestic business could potentially evaporate.

Past these three points, what else might happen once we take the first step? Extensions to the law that might ban even creating and using your own encryption software without a back door? Blacklisting of programmers who have dabbled in encryption? A new Great Firewall of America to block access to all encryption software sites internationally?

Seriously, the fact is that “the cat is out of the bag”, textbooks on modern encryption algorithms and methods abound and the open source software libraries are available to “build your own” secure encryption at need.  Look at these consequences of creating and turning over backdoors to government – and then consider how many people are being affected today by organizations failure to properly encrypt sensitive information.

In fact given those failures, organizations actually have very good reasons for expanding their usage of encryption. In this incredibly risky cybersecurity environment, it’s one of the smartest moves they can make. As we know by now, breaches and theft of data can cause major legal, financial and reputational harm – or even ruin – for both human beings and businesses.

Weigh the options yourself – in my opinion – backdoors are a bad idea.