Éibhear/Gibiris

A proposed "Resolution on Encryption" is under consideration by the EU Council.

The proposal encourages the EU to work with technology companies to develop mechanisms to allow security services to read messages that would otherwise be encrypted beyond their access.

Some technical proposals have been published over the last few years that seek to address the challenges and concerns with this approach to criminal investigations. Some of these are well-considered proposals; others … less so. However, they all suffer from 3 flaws, and I would like to outline them here.

Existing encryption systems that are, for all practical purposes, impossible to break are categorised as "strong encryption". Simplistically, strong encryption applies a published and well-understood mathematical process to the message together with an additional piece of information known as a key. In the public-key systems used for messaging, the sender encrypts the message with the receiver's "public" key, and the receiver decrypts it with their "private" key, which is mathematically related to the public key but cannot feasibly be derived from it. As the designations suggest, anyone may use the public key, but only the receiver holds the private key. That way, anyone can send the receiver an encrypted message, but only the receiver can decrypt it.

The first flaw arises from the demand that security services be permitted to "get access to" any encrypted message, in order to conduct an investigation or to gather evidence. Many (or most) of the encryption systems proposed to facilitate this allow for a third key – a "master key" – that can be used to decrypt all the messages. Some of these schemes require this master key to be retained by the messaging provider, while other schemes allow for the key to be held in escrow, or to be in the control of a government organisation such as the police or an intelligence service. For all these proposals, there is an unavoidable risk: the key will leak and will be made available to bad actors, such as organised crime gangs or hostile governments.

This isn't speculation; it is fact.

Between the middle of October 2020 and November 2020, Ireland's "paper of record" published 2 articles regarding the prosecution of members of An Garda Síochána, and another 2 regarding the prosecution of others in positions of trust following accusations of corrupt practices. The value to hostile governments and wealthy crime gangs of this master decryption key is difficult to exaggerate, as any and all messages encrypted within the system covered by this master key would be accessible to whoever holds a copy of the key[1]. Given that value, the lengths to which these actors would go to access the master key would also be difficult to measure; all that is needed for this key to fall outside the control of those entrusted with it is for one well-placed person to accept the terms offered to them.

The second flaw is related to the first. There is, of course, a mechanism to invalidate such a leaked master key and to replace it with a new one. Invalidating the leaked key will ensure that future messages can't be decrypted with it. Then, for as long as this new one is safe, all messages encrypted under its cover will be decryptable only by those authorised to do so. But this key invalidation isn't something that can be retroactively applied; all messages encrypted under the cover of the leaked, now-invalidated key will be accessible to anyone who has it. In cryptographic terms, therefore, these pre-existing messages are now no longer encrypted, merely obscured. This includes all innocent messages sent to innocent people by … umm … innocent people.
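To make the first two flaws concrete, here is an added example, written for this page and not taken from the original post or from any of the proposals it refers to. It models the scheme the text describes: each message is encrypted under a fresh per-message key, and that key is wrapped both to the recipient's public key and to an escrow "master" public key, so the holder of the escrow private key can read everything, and rotating to a new escrow key after a leak does nothing for messages already sent. The use of X25519 and AES-256-GCM, the key names, and the message texts are choices made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is one stored message: the body under a fresh per-message key, and
// that key wrapped twice, once for the recipient and once for the escrow
// ("master") key, so whoever holds that escrow private key can open it.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	ToRecipient  []byte // message key wrapped for the recipient
	ToEscrow     []byte // message key wrapped for the escrow ("third") key
	Body         []byte // nonce || AES-256-GCM ciphertext of the plaintext
}

// must panics on errors that can only mean a bug or a broken RNG (example code).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

// unseal reverses seal; a wrong key fails the GCM tag check and yields nothing.
func unseal(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// kek derives a key-encryption key from an X25519 agreement. Hashing the raw
// shared secret is enough here; production code would use HKDF with context.
func kek(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) []byte {
	sum := sha256.Sum256(must(priv.ECDH(pub)))
	return sum[:]
}

// Encrypt is what a client must do under an escrow mandate: wrap for the recipient and for the escrow key.
func Encrypt(recipient, escrow *ecdh.PublicKey, plaintext []byte) Envelope {
	msgKey := make([]byte, 32)
	must(rand.Read(msgKey))
	eph := newKey()
	return Envelope{
		EphemeralPub: eph.PublicKey().Bytes(),
		ToRecipient:  seal(kek(eph, recipient), msgKey),
		ToEscrow:     seal(kek(eph, escrow), msgKey),
		Body:         seal(msgKey, plaintext),
	}
}

// Decrypt opens env with any key the message key was wrapped to; every other key fails.
func Decrypt(priv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	k := kek(priv, ephPub)
	for _, wrapped := range [][]byte{env.ToRecipient, env.ToEscrow} {
		if msgKey, err := unseal(k, wrapped); err == nil {
			return unseal(msgKey, env.Body)
		}
	}
	return nil, fmt.Errorf("this key was not a wrapping target for the message")
}

func main() {
	recipient, escrowV1 := newKey(), newKey()
	old := Encrypt(recipient.PublicKey(), escrowV1.PublicKey(), []byte("Hello world!"))
	// escrowV1 leaks; the provider rotates to escrowV2, but nothing can re-wrap messages already sent.
	escrowV2 := newKey()
	fresh := Encrypt(recipient.PublicKey(), escrowV2.PublicKey(), []byte("sent after rotation"))
	show := func(who string, key *ecdh.PrivateKey, env Envelope) {
		pt, err := Decrypt(key, env)
		fmt.Printf("%-30s -> %q %v\n", who, pt, err)
	}
	show("recipient, old message", recipient, old)
	show("leaked escrow key, old message", escrowV1, old)
	show("leaked escrow key, new message", escrowV1, fresh)
	show("new escrow key, new message", escrowV2, fresh)
}
```

The four lines it prints are the two flaws in miniature: the recipient and the escrow holder both read the pre-rotation message, and the leaked key is refused only for traffic sent after the rotation. Nothing in the design lets the provider take the leaked key's access away from ciphertexts that already exist, because re-wrapping them would require the message keys, which the provider never had.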

Any encryption system that grants security services access to messages that use it can't realistically be described as strong encryption. They are designed to allow arbitrary access to messages, and these systems are forced to assume that unrelated security controls, intended to protect against inappropriate access, are robust. This, though, is not a safe assumption, and as soon as it fails the damage will be catastrophic. Therefore, such an encryption system can be considered broken by design.

The third flaw derives from another incorrect assumption, unrelated to the one discussed above. Here's a brief, encrypted message:

-----BEGIN PGP MESSAGE-----

hQEOA4eafDexsQ7WEAQAxEf3/ke5hXOlr3BqT7iiOzS2e4KoKkKJ6Hi7i6BLO2Ng
je0k1YLxES84Z//lCzuy56T41CHO6Osb1J93YDmdM+0tQRMyXuAP7eFem4zk5R+C
GLh/Xt6b9QaYs/+JB/Q6hQmu123zv1z35qdvLJCePEeBaz6WW0/w7ghbJbsS8mAD
/0d8p4mYUDN6mvo+eF8ElrtOLAO+iM0baF6V+XJrzOAKWSbHyUIlJ0rLY3pTFL/G
Wu+hbaick1x3md8NNehZNQXqjGnkGdNc4zT6W2Z1k4kWBmBdLbHvWG/JlEown3hO
7TjHcwiDkXK0JXUkDJYx27I/34gua/qrj/Ni+ELujXwP0kcBrHV5Rx8QG67mkXSR
mCfiFzWe93Nqb7cK97dFZiaZ9rApz9TLn+CjT4JvUT9io04jgfM+RoxW1WUtqzv1
PtP/ABbrbIrcNw==
=AWDl
-----END PGP MESSAGE-----

The message itself is "Hello world!", though only the person whose public key I used can confirm that.

This blog is not an end-to-end encrypted service. It's true that the pages are served over an encrypted channel, TLS (still widely called SSL), but the text is stored in plain text, and nobody needs anything specific to themselves, such as a private key, in order to read the site. The message above is nonetheless unreadable to everyone but its intended recipient, because its encryption travels with it rather than depending on the channel.
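As an added illustration, written for this page rather than taken from the original post, here is what that message gives away to anyone who sees it on this site or in transit, and what it does not. The armor is plain ASCII that any carrier will store unchanged, its checksum can be verified by anyone, and the packet headers (RFC 4880, sections 4.2, 5.1 and 5.13) name the key that can open it; the content stays sealed. The parser is an editor's example, the message constant is the one printed above copied as-is, and the field layout follows RFC 4880 for the two packet types an encrypted message is built from.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// pageMessage is the armored message from the post above, copied verbatim.
const pageMessage = `-----BEGIN PGP MESSAGE-----

hQEOA4eafDexsQ7WEAQAxEf3/ke5hXOlr3BqT7iiOzS2e4KoKkKJ6Hi7i6BLO2Ng
je0k1YLxES84Z//lCzuy56T41CHO6Osb1J93YDmdM+0tQRMyXuAP7eFem4zk5R+C
GLh/Xt6b9QaYs/+JB/Q6hQmu123zv1z35qdvLJCePEeBaz6WW0/w7ghbJbsS8mAD
/0d8p4mYUDN6mvo+eF8ElrtOLAO+iM0baF6V+XJrzOAKWSbHyUIlJ0rLY3pTFL/G
Wu+hbaick1x3md8NNehZNQXqjGnkGdNc4zT6W2Z1k4kWBmBdLbHvWG/JlEown3hO
7TjHcwiDkXK0JXUkDJYx27I/34gua/qrj/Ni+ELujXwP0kcBrHV5Rx8QG67mkXSR
mCfiFzWe93Nqb7cK97dFZiaZ9rApz9TLn+CjT4JvUT9io04jgfM+RoxW1WUtqzv1
PtP/ABbrbIrcNw==
=AWDl
-----END PGP MESSAGE-----`

// Packet is one OpenPGP packet (RFC 4880, section 4.2) and, for tag 1, who can open the message.
type Packet struct {
	Tag, Length int    // tag 1 = public-key encrypted session key, 18 = integrity-protected data
	KeyID       string // tag 1 only: the key the session key is encrypted to
	PKAlgo      int    // tag 1 only: 1 = RSA, 16 = Elgamal, 18 = ECDH
}

// crc24 is the armor checksum of RFC 4880, section 6.1.
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			if crc <<= 1; crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// dearmor decodes the radix-64 body, which runs from the blank line ending the
// armor headers to the "=" checksum line, and reports whether the checksum holds.
func dearmor(armored string) ([]byte, bool, error) {
	_, rest, ok := strings.Cut(strings.ReplaceAll(armored, "\r\n", "\n"), "\n\n")
	end := strings.LastIndex(rest, "\n=") // body lines never start with "="
	if !strings.HasPrefix(strings.TrimSpace(armored), "-----BEGIN PGP") || !ok || end < 0 {
		return nil, false, fmt.Errorf("not an armored OpenPGP message with a checksum line")
	}
	data, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(rest[:end]), ""))
	sum, err2 := base64.StdEncoding.DecodeString(strings.TrimSpace(strings.SplitN(rest[end+2:], "\n", 2)[0]))
	if err != nil || err2 != nil || len(sum) != 3 {
		return nil, false, fmt.Errorf("malformed radix-64 body or checksum line")
	}
	want := uint32(sum[0])<<16 | uint32(sum[1])<<8 | uint32(sum[2])
	return data, crc24(data) == want, nil
}

// parsePackets walks the packet headers: old-format lengths of one, two or four
// octets and new-format one- and two-octet lengths; anything else is rejected.
func parsePackets(data []byte) ([]Packet, error) {
	var pkts []Packet
	for off := 0; off < len(data); {
		if off+1 >= len(data) || data[off]&0x80 == 0 {
			return nil, fmt.Errorf("offset %d: not a packet header", off)
		}
		hdr, b1, p, n := data[off], int(data[off+1]), Packet{}, 0
		if hdr&0x40 == 0 { // old format: tag in bits 5-2, length type in bits 1-0
			p.Tag, n = int(hdr>>2)&0x0F, 1+[]int{1, 2, 4, 0}[hdr&0x03]
		} else if p.Tag = int(hdr & 0x3F); b1 < 224 { // new format: tag in bits 5-0
			n = 2 + b1/192 // one length octet below 192, two from 192 to 223
		}
		if n <= 1 || off+n > len(data) {
			return nil, fmt.Errorf("offset %d: unsupported or truncated length encoding", off)
		}
		for _, b := range data[off+1 : off+n] {
			p.Length = p.Length<<8 | int(b)
		}
		if hdr&0x40 != 0 && n == 3 { // two-octet new-format lengths are offset-encoded
			p.Length -= 192<<8 - 192
		}
		if off+n+p.Length > len(data) {
			return nil, fmt.Errorf("offset %d: packet runs past end of data", off)
		}
		if body := data[off+n : off+n+p.Length]; p.Tag == 1 && len(body) >= 10 {
			p.KeyID, p.PKAlgo = fmt.Sprintf("%X", body[1:9]), int(body[9]) // after the version octet
		}
		pkts = append(pkts, p)
		off += n + p.Length
	}
	return pkts, nil
}

func main() {
	data, crcOK, err := dearmor(pageMessage)
	pkts, err2 := parsePackets(data)
	fmt.Printf("%d bytes, checksum ok: %v (%v)\n%+v (%v)\n", len(data), crcOK, err, pkts, err2)
}
```

Run against the message above it reports a 346-byte payload whose checksum holds, a tag-1 packet of 270 octets addressed to key ID 879A7C37B1B10ED6 with public-key algorithm 16 (Elgamal), and a tag-18 packet of 71 octets of integrity-protected ciphertext. That is the whole of what the carrier learns; the session key and the text are in the parts it cannot open. Truncated input and an altered checksum are reported as errors rather than sliced out of bounds or silently accepted.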

There is currently no way to unmake strong encryption. Similarly, there is no way to ban its use effectively; strong encryption is just mathematics, and mathematics doesn't recognise political or jurisdictional controls. For the same reason, even if all the encryption systems in use today were found to be flawed, there is no way to prevent some of the nearly 8 billion people on this planet from developing new systems to replace them.

It is a mistaken assumption that bad actors would not embed strongly-encrypted messages in an otherwise unencrypted messaging system. Burning out a car is illegal and destructive, yet criminals still do it. Laundering the proceeds of crime is an offence, yet it continues. Banning strong encryption doesn't mean it can't be used, and the fact that the messaging systems currently in use obey the law doesn't mean they won't be used to carry encrypted messages.

Ultimately, addressing the criminal justice problems of encryption by breaking it will not have anything close to the desired effect. Criminals seeking to evade capture will embed encrypted messages into non-encrypted systems. The only parts of society that would be negatively affected are the vast majority of people who are innocent of any crime and stupid criminals who would not anyway be trusted by other, less stupid, criminals.

Investment in intelligence and policing methods that directly target suspects is a far better approach and is far safer for society at large. It would be more expensive than current policing methods, and possibly more expensive – financially – than just breaking encryption, but it would also be robust to the flaws I outline above and it would better protect the privacy of innocent members of society.

I originally wrote this as a "letter to the editor", but the timing was off and I expect it was too long for them anyway. Instead of my usual practice of pasting the letter verbatim as a blog post, I made some significant edits to better present it, which includes some re-wording of sections and addition of links.

This website can't record comments. If you would like to join the conversation, you can do so on twitter or on the Matrix.org room I've opened here.

Footnotes:

[1] As this key is just data, it can, of course, be copied. That an adversary has it doesn't mean the good guys don't, and so it doesn't mean the good guys will know: they won't notice it missing.