Documentation – Beware of Backdoors!

The early ’60s were a more innocent age than ours. Federico Fellini’s glimpse into the carefree world of the La Dolce Vita gave moviegoers a jet set. Those who could afford it flew from continent to continent within just a few hours. Tickets and passports were only checked at the gates. This changed dramatically on July 23, 1968. Three Palestinians, demanding freedom for their jailed compatriots, hijacked an Israeli plane on its way from Rome to Athens. Almost immediately, airports began to change and security checks became part of flying.

At that time, the US was at the forefront of the push for more security in the air. Security devices became better and better and today are to be found almost everywhere: in courthouses and public buildings, schools, and sports stadiums. Where IT security’s concerned, it’s a completely different story. Since the Crypto Wars of the 1990s, US agencies have been chipping away at security by demanding that companies include backdoors in their software and hand over duplicate encryption keys to the authorities. When governments objected, the US National Security Agency simply exploited loopholes and kept this knowledge to itself.

Who remembers to update the documen­tation? Anyone? Very, very rarely, I assure you!
_{Bernd Schöne is a German veteran in Internet journalism and an expert on data analysis.}

For many years, mathematician and cryptographer Bruce Schneier and other security experts have tried to talk politicians out of this dangerous nonsense. Despite this, the so-called useful security hole project keeps cropping up under a different name all around the world. The latest example is the EU Parliament, which passed a resolution in November 2020 calling for measures to undermine secure end-to-end encryption with skeleton keys and state-sponsored Trojan horses – malware that performs a range of malicious actions while misleading users of its true intent. The deliberations aren’t over yet but the project appears to be on track.

The Five Eyes, an intelligence alliance formed by the US, the UK, Canada, New Zealand, and Australia, is following a much more perfidious strategy. Instead of demanding that developers build backdoors into their apps, the Ghost Protocol would require the owners of messaging services to copy the encrypted message to a third party, a law enforcement agency that owns a private key. Thankfully, a coalition of technology companies, privacy experts, and human rights groups published an open response to this, claiming “it would undermine the authentication process… introduce potential unintentional vulnerabilities, increase risks that communications systems could be abused or misused.” That seems to have stopped the Ghost Protocol in its tracks, at least for now, but who knows what is really going on in the secret world of multinational snooping?

One thing is sure – it doesn’t matter if you hide a duplicate key under the doormat or in a bank safe, if there is a duplicate key somewhere, someone will eventually find it and use it.

In IoT solutions the concept of predictive maintenance is an important driver. The object of this concept is to change parameters in time to protect a device in imminent danger of breaking down. The industrial saboteur wants the exact opposite – to maximize wear and suppress alerts. So obviously, anyone selling or using IoT should fight tooth and nail to ensure that data handled by these systems is encrypted from start to finish. If governments say they just want to read communications in justified cases, who can guarantee that such tools will stay in reliable hands? Nobody! The only conclusion here is to be wary of all backdoors and duplicate keys – there are no good security loopholes.

READ MORE ARTICLES