The Importance of Strong Encryption in Free Societies

September 18, 2018 / by Jon Mentzell

There is growing concern regarding the role that encryption on personal devices might play in the future of law enforcement activities. Strong encryption, which uses large keys that are controversially hard to crack, has caused complaints in recent years as manufacturers such as Apple and Google increasingly add these features to their devices. What these companies have done is not new technology, but the broader application of existing public-private key encryption in a way that’s easy to use for the average consumer.

Understanding How Encryption Works

Encryption is a method of encoding information that allows it to be opened by only those who are granted access. Modern encryption relies on mathematical formulas that are easy to perform in one direction, but nearly impossible to perform in the other. Common examples include factoring the sum of large prime numbers or determining a single point on an elliptic curve based on a limited dot function with ‘n’ number of iterations. These methods require that the private key remains private in order to function properly while the shareable public key will not allow access to the private key. From this, a one-time key or ‘session’ key is generated and used for the remainder of the communication between the systems for that session. Messaging platforms using protocols such as the Signal Protocol change these keys frequently using what is called a double-ratchet encryption algorithm where two session keys are generated — one is used to encrypt the message and then discarded while the other is used to generate the next session key.

Controversial “Third Key” Not an Option

In these above described scenarios, there is no room for a third key. What many governments are asking companies to do is provide a third key that the government can use to access personal data stored on a person’s device. The rationale is that in the past, through the application of a warrant, a suspect could have anything relevant to a legal proceeding taken through legal means. With the advent and mass use of cell phones, much of that has gone away.


Related: Free Webcast on GDPR From Fornetix & StorMagic


Before 2014, encryption was available on most phones but enabling it was a long, drawn-out process that took a significant amount of time and technical knowledge. Now, most smart phones from Apple and Google encrypt their data stores by default. The phones generate a set of keys are only unlocked with the PIN you establish. If you power off your phone, the device is encrypted, but there are other actions such as continued failed logins that will also trigger an encryption event. Even if a prosecutor manages to get a warrant for your device, you can rest easy knowing that there is no way to open the device unless you enter your PIN. Even the manufacturers themselves have no way to circumvent this.

Government Workarounds Risk Compromising Security for Everyone

Since there is no way to insert a third certificate to allow government agencies to unlock phones, the government has to rely on other methods. The first option would be to get a copy of every key for every device being used along with the PIN to decrypt the device. Not only would this would require immense infrastructure, but it would be an irresistible target for hackers worldwide. Acquiring access has far-ranging consequences due to the way today’s technology is increasingly interconnected. Linked accounts like Facebook, Gmail, and Twitter that are nothing more than a connectivity bridge are fully accessible. Former Homeland Security Secretary Michael Chertoff likens it to a border search where the customs agent copies the keys to your house and searches your home. Besides the scope of the device changing based on new information, border control now has hundreds of keys they have to manage and keep safe to prevent criminals from making additional copies.


Related: Why Cities Need to Get Serious About Cyber Defense


The second option is for governments to limit the types of keys being generated. If everyone had a key that was easy to decipher, there would be little pushback from authorities. This also has the side effect of making decryption of keys relatively approachable by normal cyber-criminals. With on-demand high compute cloud resources available to anyone with a credit card, any valuable information can be taken and used immediately or held hostage for crimes such as blackmail.

I think we can all agree that safeguarding our personal information is important and that implementing strong encryption on personal devices makes sense. But when it comes to national security, the idea becomes more convoluted. Where do you stand on this issue? Do you think the government should have access to our personal information on our phones for national security reasons? Or do you think that’s a violation of our rights as American citizens? Would love to hear your comments.

 

> FREE Webcast - Encryption's Evolution in Today's GDPR Compliant World <

Recent Posts