Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

Calls to Ban Effective Encryption Continue Despite Data Breach Crisis


The continued calls for the U.S. Congress to ban effective encryption despite the current computer security crisis in which data breaches are regular news is dangerous, shortsighted, and destined to harm all Americans. The two most effective tools that we have capable of helping prevent data breaches are encryption and reducing the attack surface of computer systems that handle sensitive or private data. Under the proposed legal framework, both will be sacrificed for a false sense of safety.

The latest installment of Congressional hearings was held by the Energy and Commerce Committee on April 19, 2016, and was titled Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives. The calls for Congress to ban effective encryption are repeated with little variance from the past. Some Members of Congress are expressing frustration that the debate is repeating itself without law enforcement suggesting any particular middle ground that would be workable for the tech community. But what is most chilling is that those in law enforcement continue to demand exceptional access despite years of back and forth and the parade of high profile data breaches both within government and the private sector. We’re losing the cybersecurity battle and the government is calling for a ban on one of the most effective tools that computer science has at its disposal.

The video is posted on YouTube and on the Energy and Commerce website (energycommerce.house.gov): the hearing starting at 48 minutes, 35 seconds into the feed.

The law enforcement panel starts at about an hour into the hearing and a tech industry panel at about 2 hours, 56 minutes in.

The law enforcement panelists continue to focus almost exclusively on how encryption is blocking their access to evidence. However, their desire to mandate insecure key management takes a rather naive view on the risks to society of insecure software in deployment. According to at least one of the law enforcement witnesses, good key management is not necessary for encryption as long as one has great firewalls according to the testimony by Indiana State Police Captain Chuck Cohen (hosted on s3.amazonaws.com). This tremendously trivializes the challenge of protecting keys at scale.

In rebuttal to this line of reasoning, Dr. Blaze (@mattblaze on Twitter) in his testimony (docs.house.gov) stated:

…there are two tried-and-true techniques that can, to some extent, ameliorate the inherent vulnerability of software-based systems. One is the use of encryption to protect data stored on or transmitted over insecure media. The other is to design systems to be as simple as possible, with only those features needed to support the application. The aim is to minimize the “attack surface” that any software vulnerabilities would expose.

Neither the use of encryption nor designing systems to be small and simple are perfect solutions to the software security problem. Even carefully designed, single-purpose software that encrypts data whenever possible can still harbor hidden, exploitable vulnerabilities, especially when it is connected to the Internet. For this reason, software systems must be exposed to continual (and resource intensive) scrutiny throughout their lifecycle to discover and fix flaws before attackers find and exploit them. But these approaches, imperfect and fragile as they might be, represent essentially the only proven defenses that we have….

In short, bad application security negates the effectiveness of encryption in real-world software systems and computer science and industry practice does not yet know how to make truly secure software, if that is even possible.

Observations on Twitter include:

One that stood out in particular was one from Just Security to Here’s What the Burr-Feinstein Anti-Crypto Bill Gets Wrong by Riana Pfefferkorn (@Riana_Crypto on Twitter). She goes much more in depth than I did with the leaked draft. She summarizes the key concept that one must understand to truly consider this crypto debate in context as:

In short, the bill prohibits covered entities from designing encryption and other security features so encrypted data is accessible only to the user, not law enforcement nor the entity itself. This is what I would call “effective encryption,” but law enforcement derisively calls “warrant-proof” encryption. If you’ve been following the encryption debate over the past year and a half, you’ll recognize instantly that this bill is not the innocuous public safety measure that its name implies or that its sponsors would have the public think.

Basically, the government would not need a backdoor if they just ban effective encryption in the United States. Sure the encryption would technically be just as strong as it is today, but the key management mandated by law would be significantly weaker, leading to data breaches and other problems. This entire effort is a political power play that once again proves that crypto is bypassed, not penetrated! As stated by Dr. Adi Shamir, co-inventor of RSA encryption and A.M. Turing Award Winner:

Cryptography is usually bypassed. I am not aware of any major world-class security system employing cryptography in which the hackers penetrated the system by actually going through the cryptanalysis […] usually there are much simpler ways of penetrating the security system — Dr. Adi Shamir

If you have not done so, please go and read Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications (schneier.com). It will help you understand the bigger picture of the technical side of exception access that law enforcement is seeking. In short, in the name of security, you shall not be allowed access to security.

There is a legal war on effective encryption and the anti-encryption crowd is out in force.

About Frank Rietta

Frank Rietta's photo

Frank Rietta is a web application security consultant, software developer, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.