Encryption: Obvious but not Encouraged

Cryptography has been a frequent topic here of late, starting with my very first post of 2015: Your Homework Mission, Should You Decide to Accept It. In that post, I reviewed an excellent online class that covered the foundation and application of modern cryptography.

One month later—after the latest multi-million-user-record security breach—it was Won’t Get Fooled Again. We discussed SSL (TLS is the more accurate term; ‘SSL’ lives on thanks to the acronym stickiness phenomenon) and its important role in securing the connection between your web browser and the front end of web servers. I also spilled ink on the importance of encrypting data at rest.

Another month later, I made the case for Contemporary Email based on the S/MIME standard in Everybody Love a Mime. S/MIME, Not So Much. That piece turned out to be quite a disappointment for all of us; I put a ton of effort into outlining my case and thought it was one of my best pieces. You thought different, as readership was well below average. Perhaps I was too cute with the title and the collective readership has a fear of mimes, an extension of the general fear of clowns. In any case, my grassroots campaign for authenticated encryption in email has yet to take off.

Most recently I documented Apple’s impressive iOS security features in Apple Shoots, Scores in Security. Quietly. That grabbed far better attention, thanks no doubt to NCAA March Madness. No, no, just kidding: anytime I put ‘Apple’ in the title of any post, the readership doubles. Nevertheless, in that piece I described the use of public key cryptography (PKC) and strong encryption in the file system, iMessage and (with a somewhat disappointing implementation) iCloud.

Just How Strong Is Modern Encryption?

I vaguely recall an article on cryptography written 20-some-odd years back that categorized available encryption techniques into four buckets:

  1. Enough to prevent your siblings from snooping on you
  2. Enough to defend against casual hackers
  3. Enough to protect against sophisticated hackers
  4. Enough to tie nation-state actors in knots

I believe the point of said article was that implementation was progressively more difficult as your objective moved down the bulleted list; and the conclusion was that your goal ought to fall somewhere between #2 and #3.

My how things change.

The advanced encryption standard (AES) is as near a universal cryptographic standard as we’ve ever had and, aware of it or not, you are using AES countless times every day. Just to name a few applications where AES is the default encryption:

  • WPA-2 for WiFi
  • TLS (that’s SSL per above) for websites, email and other traffic on the Internet
  • iOS in many applications, per the article cited above

AES was the result of a remarkable five-year process organized by the National Institute of Standards and Technology (NIST) to select a strong encryption successor to DES for the US Government. I say ‘remarkable’ for a lot of reasons, not the least of which being a transparent and open process. To say nothing of the remarkable fact that the ‘winning’ algorithm (Rijndael) was developed by two Belgians. That isn’t a dig against Belgian cryptographers—far from it—it is a commentary on my fellow Americans’ deep-seated NIH tendencies. I wasn’t the only one surprised in 2001 when NIST selected Rijndael from a pool of originally fifteen competitors.

Thanks in no small part to the open and transparent process, coupled with the sheer importance of the task at hand, AES ran an unprecedented gauntlet of scrutiny. Cryptanalysts from all over the world put Rijndael and the other algorithms under the microscope for years. One can never say ‘never’ when it comes to strong cryptography, but there are no known successful attacks against properly implemented 128-bit AES; and 128 bits is the SHORTEST approved key length (192-bit and 256-bit, before you ask).

The paranoid skeptics among you—and good cryptographers are ALWAYS paranoid—may doubt that a successful attack would become ‘known’. If our own NSA cryptanalysts have managed the trick, after all, they would NOT blog about it. Let’s deal with the facts: AES is SO widely used in SO many applications that it has remained under intense scrutiny for 15+ years; and MOST of the cryptanalysts doing the scrutinizing would KILL to make a name for themselves by cracking AES.

Those of you unfamiliar with modern cryptography may wonder how ANYTHING could possibly be the equivalent of an unpickable deadbolt lock. One of the most fascinating wonders of modern cryptography, in short, is that defense holds an EXPONENTIAL advantage over attack. AES-128 is strong enough to withstand brute force attack on the order of 10E18 CPU years; that translates into a billion CPUs working for a billion years … to crack a SINGLE message.

And the good news keeps on coming: one of the selection criteria in the NIST process was computational efficiency for BOTH software and hardware implementations. Compounding the astute and prudent inclusion of efficiency, we’ve turned the Moore’s Law crank 6-ish times since AES was selected in 2001; your PC and smartphone—heck, your friggin’ smartwatch—are plenty powerful to run AES with little or no degradation in the user experience. Geez, you’ve already got proof of that with every ‘https’ website you visit.

Moore’s Law isn’t dead yet—topic for another article, coming real-soon-now—so perhaps the truly paranoid among us want a little extra margin. (Besides, I have never been a huge fan of odd powers of two; therefore, my bias toward even powers of two favors 256-bit keys). 256-bit AES is ASTRONOMICALLY harder to crack than 128-bit AES, on the order of 10E56 CPU years.

This is why we can say with a GREAT deal of confidence that traffic encrypted with properly implemented AES is absolutely secure … or as close to absolute security as anything you will ever come across in the cyber or physical world. Your author and TONS of far more expert security authorities believe that authenticated encryption (AES-128 or greater, SHA-256 or greater) is an essential element in building a far more secure cyber infrastructure.

Please re-read that last sentence once or twice. If I’ve accomplished my objective of explaining all this, you should not only appreciate and understand that sentence … you should think it is OBVIOUS.

Well folks, there are a whole bunch of VERY important and vocal authorities who not only fail to find the above highlighted sentence obvious, they find it horribly WRONG.

The More Things Change …

Governments in many Western countries paint a picture that modern cryptography, specifically strong encryption, is an existential threat to society. This is nothing new; they’ve been beating this drum since the earliest days of the Internet. Rather than attempt to present their case for them, let’s go straight to the sources. Rewind to 1996 and then FBI Director Louis Freeh’s testimony to the US Senate.

Without question, the use of strong cryptography is important if the Global Information Infrastructure (GII) is to fulfill its promise.

Cool, Lou gets it! Not so fast, that was a red herring.

Law enforcement is already beginning to encounter the harmful effects of conventional encryption in some of our most important investigations. In the Aldrich Ames spy case, where Ames was told by his Soviet handlers to encrypt computer file information to them. In a child pornography case, where one of the subjects used encryption in transmitting obscene and pornographic images of children over the Internet. In a major drug-trafficking case, where one of the subjects of one of the court-ordered wiretaps used a telephone encryption device which frustrated the surveillance. Some of the anti-Government Militia groups are now advocating the use of encryption as a means of preventing law enforcement from properly investigating them.

Bam! The four horsemen of the apocalypse: espionage, pornography, drugs and terrorism. All facilitated by unfettered encryption. Unfortunately for Lou & Company, his very first illustrative example leaks as badly as the appalling mole that was Aldrich Ames. Think about this for a minute or three.

Aldrich Ames spied for the Soviet Union from 1985 through 1993, during which time he leaked an unprecedented amount of top-secret information and caused the death of at least ten US agents and many tens of US assets. The CIA correctly determined that they had a mole in 1986, yet Ames was not caught until 1993. Now I am going to go out on a limb here: during the search for the mole, coming across encrypted computer files in the hands of Aldrich Ames would have been one hell of a smoking gun, regardless of having the ability to decrypt said files. On the contrary, from 1985 through 1992 the investigation simply did not come across ANY communication between Ames and his handlers, encrypted or otherwise.

Sorry Lou, you shot yourself in the foot there. Perhaps that registered in his unconscious, and he proceeded to peg the fear-meter just in case someone called him on any of the four horsemen.

Without an ability to promptly decrypt encrypted criminal or terrorist communications and computer files, we in the law enforcement community will not be able to effectively investigate or prosecute society's most dangerous felons or, importantly, save lives in kidnappings and in numerous other life and death cases.

Nice work with the kidnapping card, Lou, definitely has that race-against-the-clock element that reliably creates extreme tension in TV and movies. Though I do not recall EVER reading about kidnappers using encrypted communications; rest assured, you WOULD have read about such an instance as tangible evidence of the dangers of encryption.

Thank goodness Lou and team had a solution to this conundrum back in 1996. Believe it or not, this very same solution continues to be proposed to this very day.

There is now an emerging opinion throughout much of the world that there is only one solution to this national and international public safety threat posed by conventional encryption—that is, key escrow encryption.

Key escrow, in short, requires that EVERY encryption is performed with two keys: the one that we’ve been talking about for the past three months (your private key or the recipient’s public key) PLUS a second key belonging to the government.

  • That S/MIME encrypted email you sent to your attorney? Encrypted with her public key AND a government public key.
  • Ditto the iMessage dialog between you and your doctor.
  • The file system on your iPhone? Encrypted with your private key and a government public key.

In all of the above scenarios—and the countless others using PKC—the government has the ability to perform decryption using their private key. Works something like this: the vault of government private keys is, well, under lock-and-key; a judge issues a search warrant; law enforcement can decrypt the communication specified in said warrant.
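
The two-key scheme described above, sketched as an added example (not code from this post or from any actual escrow proposal): one session key encrypts the message and is then wrapped once for the recipient and once for a single escrow key. The Diffie-Hellman wrap and SHA-256 keystream are toy stand-ins so the sketch runs on the Python standard library alone; every function and field name is an assumption.

```python
import hashlib, hmac, secrets

# Toy primitives, for illustration only. A real system would wrap keys with
# RSA-OAEP or X25519 and encrypt the payload with AES-GCM.
P, G = 2**255 - 19, 2          # prime modulus and base for Diffie-Hellman

def h(label, data):
    return hashlib.sha256(label + data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def wrap(session_key, pub):
    """Encrypt a 32-byte session key to one public key (ElGamal-style)."""
    eph_priv, eph_pub = keygen()
    shared = pow(pub, eph_priv, P).to_bytes(32, "big")
    return eph_pub, xor(session_key, h(b"wrap", shared))

def unwrap(slot, priv):
    eph_pub, blob = slot
    shared = pow(eph_pub, priv, P).to_bytes(32, "big")
    return xor(blob, h(b"wrap", shared))

def keystream(key, n):
    blocks = (h(key, i.to_bytes(8, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def escrow_encrypt(plaintext, recipient_pub, escrow_pub):
    """Encrypt once, then wrap the same session key for BOTH key holders."""
    sk = secrets.token_bytes(32)
    ct = xor(plaintext, keystream(h(b"enc", sk), len(plaintext)))
    tag = hmac.new(h(b"mac", sk), ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag,
            "recipient": wrap(sk, recipient_pub),
            "escrow": wrap(sk, escrow_pub)}

def decrypt(msg, slot, priv):
    sk = unwrap(msg[slot], priv)
    tag = hmac.new(h(b"mac", sk), msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("wrong key or tampered message")
    return xor(msg["ct"], keystream(h(b"enc", sk), len(msg["ct"])))

def demo():
    """Two unrelated recipients; one escrow private key opens both messages."""
    escrow_priv, escrow_pub = keygen()
    opened = []
    for text in (b"note to attorney", b"note to doctor"):   # constructed samples
        r_priv, r_pub = keygen()
        msg = escrow_encrypt(text, r_pub, escrow_pub)
        opened.append((decrypt(msg, "recipient", r_priv),
                       decrypt(msg, "escrow", escrow_priv)))
    return opened
```

Each recipient's private key opens only that recipient's message, while the one escrow private key opens every message ever produced this way.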

Lou finds this WHOLLY black-and-white.

Key escrow encryption is not just the only solution; it is, in fact, a very good solution because it effectively balances fundamental societal concerns involving privacy, information security, electronic commerce, public safety, and national security. On the one hand, it permits very strong, unbreakable encryption algorithms to be used, which is essential for the growth of commerce over the GII and for privacy and information security domestically and internationally. On the other hand, it permits law enforcement and national security agencies to protect the American public from the tyranny of crime and terrorism.

All politics aside—seriously—there is no such thing as “strong, unbreakable encryption” when the ciphertext can be decrypted by a second key in the hands of an unknown third party. This is not a dig on the US government or any other government for that matter, it is common sense: key escrow means there is a “golden key” somewhere, and guess what? Shit happens. Highly secure servers get hacked. Human beings managing computer systems make mistakes. Authorized users access very secure systems remotely in not-at-all-secure manners.

Everyone, especially any government folks reading this, please note that the paragraph above DID NOT include law enforcement officers stretching the rules. And it DEFINITELY did not mention a security apparatus run amok, recording all phone calls and duplicating every email. That is a multi-beer conversation and NOT the topic of this article.

… The More Things Stay the Same

Lest you think I exaggerated when I commented that the encryption-fear-machine is running strong today, nearly 20 years after Louis Freeh’s testimony above …

In a House Appropriations subcommittee hearing this morning on the FBI budget for the upcoming fiscal year, FBI Director James Comey was again critical of new encryption features from Apple that he claims would make it impossible for law enforcement to access the contents of mobile device communications.
27 March 2015

That sounds familiar, no? With an extra 19 years under their belt, certainly Jim and the FBI have evolved their arguments against encryption to be more concrete and convincing.

“We’re drifting toward a place where a whole lot of people are going to be looking at us with tears in their eyes,” Comey argued, “and say ‘What do you mean you can’t? My daughter is missing. You have her phone. What do you mean you can’t tell me who she was texting with before she disappeared?’”

Jim, dude, the kidnapping ploy again? Seriously? And not just an isolated incident, mind you, many kidnappings impacting “a whole lot of people.” Apparently, we are about to be faced with a heretofore unseen WAVE of kidnappings, all focused on children with iPhone 6s given that it is the ONLY phone sold today with an encrypted file system.

Parents of young children, you are faced with a decision: (a) buy your child an Android phone or (b) go with an iPhone 6 and risk the FBI not being able to save your kidnapped child. Now I am nothing if not solution oriented, so in the interest of blunting the imminent abduction epidemic, I suggest the following: (1) make sure you have the password to unlock your child’s cellphone, and (2) upon kidnapping give the password to the FBI.

Damn, my suggestion—to say nothing of James Comey’s entire ludicrous scenario—has a fatal flaw. Every child I see today has a DEATHGRIP on their cellphone at all times; the likelihood of your daughter leaving her cellphone behind is close to nil.

Think these anti-encryption hysterics are limited to the USA? Think again.

Director of Europol Ron Wainwright has warned about the growing use of encryption for online communications. “It's become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism.”
29 March 2015

Wow, THE biggest problem? I wonder what specifically is on Ron’s mind.

Mr. Wainwright is concerned at moves by companies such as Apple to allow customers to encrypt data on their smartphones.

Coincidence? The danger of encrypted cellphone file systems, again, just two days after James Comey’s congressional testimony cited above. At least he fell back on the best-of-breed terrorism approach, rather than kidnapping.

Anything else on the horizon that will threaten the civilized world?

The development of heavily encrypted instant messaging apps is another cause for concern, he said.

Bad news Ron: if you had read my post on iOS security, you would know that this is WAY past the development stage. And those wankers at Apple built heavily encrypted messaging not as the default mode for iMessage, but as THE ONLY MODE.

The Bottom Line

Perhaps someday I will tackle the political side, Fourth Amendment and all. Once again, that is not the motivation behind this post. Earlier this year, I illustrated the REMARKABLE sophistication of contemporary threat actors in back-to-back posts here and here. Granted, the advanced persistent threats (APTs) documented in those posts were the product of nation-states and well-organized criminal operations. But cybershit inexorably flows downhill and ultimately becomes widespread in the hacker community. One of the world’s most respected security authorities, Bruce Schneier, puts it more elegantly.

Today's top-secret programs become tomorrow's PhD theses and the next day's hacker tools.

Strong cryptography in the form of authenticated encryption is THE BEST DEFENSE for our cyber infrastructure. That means PKC, AES and the rest of the toolbox—full-strength, not diluted—absolutely, positively not compromised from the outset by backdoors or key escrow. Pay very, VERY close attention to the anti-encryption crowd; the security of your digital future depends on them NOT succeeding. From Silicon Valley.

Oh man, Bruce Kleinman, I see a painful IRS audit in your future, at the very least... and leave lots of extra time for that TSA interrogation on your next flight! ;-)

So Bruce, here's one for you: Washington Post Article: As Encryption Spreads,… (http://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html). Maybe this can pull you into the Political side of it - there are some sound technical arguments here, as well. Would love your thoughts :). BTW, I like your Blog. It's a refreshing view with more wit than the usual Crypto Blog. Keep it up!
