Encryption, Security, and Privacy
Steven M. Bellovin
https://www.cs.columbia.edu/~smb
Disclaimer
Everything I say is my opinion alone, and does not represent the opinion of any US government agency.
smb
The “Going Dark” Debate
• For many years, the NSA and the FBI have worried about the spread of cryptography in the civilian world
• On the other hand, encryption is necessary to protect American computers and data
• Is there a problem? If so, is a compromise possible?
It’s an Old Debate
• According to some reports, the need for civilian encryption was recognized in 1972 when the Soviets eavesdropped on US grain negotiators
• IBM proposed the “Lucifer” cipher, with 112-bit keys
• After refinement, the key size was 64 bits. NSA wanted 48 instead, to aid in their attacks; IBM and the NSA compromised on 56 bits
• Is there a way to balance the need to protect American information with the need of law enforcement and intelligence agencies to (lawfully) intercept traffic? Is there even a problem?
Cryptography is Hard
• Most non-government cryptographers oppose modifying encryption systems to permit government access
• Why? Because cryptography is hard in the real world
• Real-world cryptosystems are far more complex than high-level examples—and the complexity leads to trouble
Cryptographic Protocols
• When doing encryption, you need a protocol—a stylized set of messages and data formats
• Getting these wrong can result in security problems
• The very first academic paper on the subject (Needham and Schroeder, 1978) ended with a warning: “Finally, protocols such as those developed here are prone to extremely subtle errors that are unlikely to be detected in normal operation. The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.”
• They were right—a simple flaw in their design went unnoticed for 18 years
Examples
• Incorrectly padding a short message to match the encryption algorithm’s requirements has resulted in security flaws
• Not authenticating every encrypted message has resulted in flaws. (That was the essential flaw recently found in Apple’s iMessage protocol.)
• Omitting sequence numbers from encrypted messages has resulted in flaws
• The existence of older, “exportable” algorithms in the key and algorithm negotiation protocol has resulted in flaws
• Trying to provide an “additional decryption key” for the government has resulted in flaws
Historical Example: The World War II Enigma Machine
Photo: public domain
• You select the proper rotors (Photo: public domain)
• Adjust the rotors to their “ground setting” (Photo: public domain)
• Set the plugboard (Photo: Bob Lord, via Wikimedia Commons)
• Pick three random letters and encrypt them twice, and send those six letters as the start of the encrypted message (Photo: Paul Hudson, via Flickr)
• Reset the rotors to those three letters
What Could Go Wrong?
• Sending the same, simple message every day was a fatal flaw
• Picking non-random letters was a fatal flaw
• Sending a message consisting of nothing but the letter “L” was a fatal flaw
• Encrypting the three letters twice was a fatal flaw
The Three Letters
• Imagine that “XJM” was encrypted to “AMRDTJ”
• The cryptanalysts realized that A and D represented the same letter, M and T were the same, and R and J were the same
• This gave away valuable clues to the rotor wiring and the rotor order!
Cryptography is hard…
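The doubled-indicator leak on this slide, as an added example that is not part of the original slides. Each of the six indicator positions is modeled as a random fixed-point-free involution (an assumption standing in for real rotor wiring), and the 26 message keys are constructed. It goes a little beyond the slide: ciphertext alone yields the full composed permutation for each letter pair, and its cycle lengths always occur in pairs.

```python
import random
import string

A = string.ascii_uppercase

def random_involution(rng):
    """One Enigma position: letters swapped in 13 pairs, none maps to itself."""
    letters = list(A)
    rng.shuffle(letters)
    perm = {}
    for x, y in zip(letters[0::2], letters[1::2]):
        perm[x], perm[y] = y, x
    return perm

def send_indicator(day, key):
    """Operator: encrypt the 3-letter message key twice, giving 6 letters."""
    return "".join(day[i][ch] for i, ch in enumerate(key + key))

def recover_links(indicators):
    """Analyst, ciphertext only: letters i and i+3 hide the same plaintext
    letter, so each intercept reveals one entry of P[i+3] o P[i]."""
    links = [{}, {}, {}]
    for ind in indicators:
        for i in range(3):
            links[i][ind[i]] = ind[i + 3]
    return links

def cycle_lengths(perm):
    """Sorted cycle lengths of a permutation given as a dict."""
    seen, lengths = set(), []
    for start in perm:
        n, x = 0, start
        while x not in seen:
            seen.add(x)
            x, n = perm[x], n + 1
        if n:
            lengths.append(n)
    return sorted(lengths)

rng = random.Random(1939)                      # constructed daily setting
DAY = [random_involution(rng) for _ in range(6)]
# Constructed message keys chosen so every letter occurs in every position.
KEYS = [A[i] + A[i * 7 % 26] + A[i * 11 % 26] for i in range(26)]
LINKS = recover_links(send_indicator(DAY, k) for k in KEYS)

if __name__ == "__main__":
    for i, link in enumerate(LINKS):
        print(f"letters {i + 1}/{i + 4}: cycle lengths {cycle_lengths(link)}")
```

The paired cycle structure does not depend on the plaintext keys, which is why repeating the three letters handed the analysts a fingerprint of the day's setting.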
A Proposed Compromise: Additional Decryption Keys
• Generic name: “exceptional access”
• (Avoids the value judgment implicit in calling it a “backdoor”, a “front door”, a “golden key”)
• One proposal: Any encryption system should provide an additional decryption key, accessible under proper legal safeguards
• First instantiated in the Clipper Chip (1993), special hardware that implemented a then-classified encryption algorithm (Skipjack)
  • It had an unexpected flaw in the exceptional access mechanism…
System and Policy Problems
• How do you protect the secret key necessary to use this feature?
• How do you protect it against a major intelligence agency?
• How do you protect the process against routinization of access?
  • Manhattan alone has 200 phones the DA wants to decrypt; Sacramento County has 80
• There are undoubtedly thousands more across the country today
  • Will people do the right thing when it’s something they do every day, repeatedly? Hint: “rulebook slowdowns” work because normally, people don’t follow every last rule…
Which Countries Can Decrypt?
• Who has the right to the decryption key?
• Where the device was sold?
• Where the device is now?
  • Does a new key get installed at the border? How can that be done securely?
  • Twice, I’ve been in one country but my phone was talking to a cell tower in another across the border
• The citizenship of the owner? How does the encryption code know?
• Will countries trust each other? Not likely…
International Economics
• What about foreign-made cryptography?
• The majority of encryption products are developed abroad
  • The last time crypto was an issue, in the 1990s, the loss of business to non-US companies was a major factor in loosening export restrictions
• What non-US buyers will want American software if the crypto has an exceptional access facility accessible to the FBI and the NSA?
  • In 1997, the Swedish parliament was not amused to learn that they’d purchased a system to which the NSA had the keys
• What will the State Department say to China when it wants its own access?
The Cost of Compliance
• If breaking encryption is too cheap, it is bad for society: “the ordinary checks that constrain abusive law enforcement practices [are]: ‘limited police resources and community hostility.’” (US v. Jones, 615 F.3d 544 (2012), Sotomayor, concurring)
• If it’s too expensive for the vendor, it inhibits innovation
• Code complexity is also a cost and security problem
• (As forecast, CALEA compliance indeed led to security problems)
Apple versus the FBI: San Bernardino
• When Syed Farook died in a shootout, the FBI found a county-owned iPhone in his car
• The county gave consent to a search, the FBI had a warrant—but the phone was locked (with some data encrypted) and might erase everything if the PIN was entered incorrectly 10 times
• Magistrate Judge Pym ordered Apple to produce software that would allow unlimited guesses, with a provision to enter them rapidly
• Apple objected
It’s Not About This One Phone
• There is good reason to believe the FBI will find nothing of interest on this phone
• Building the infrastructure to unlock this single phone is time-consuming and expensive—but once the code exists, it becomes easy to unlock others
• Apple and the FBI both know this.
  • The FBI wants a precedent set in what seems like an ideal case
  • Apple is afraid of exactly that happening
Cost
• Apple estimates that it would take 3-10 person-months to produce the code
• My own, independent estimate is quite compatible with theirs
  • All iPhone code must be “digitally signed”, using a cryptographic key possessed by Apple
• This, though, is the cost to produce the first copy of the software, for this one phone. Each subsequent version would be very cheap
• If the software is not locked to one phone, it will become a target of other governments
• If it is locked to one phone, you have the routinization problem
Compelled Speech?
• Is computer code “speech” under the First Amendment, or is it purely functional?
• The 2nd, 6th, and 9th Circuits have said code can be speech (9th Circuit opinion withdrawn)
  • In all three cases, the code was linked to a political issue
• Apple has expressed an opinion that backdoors are ethically wrong. Can they be compelled to “say” something they don’t believe?
• What about the digital signature?
  • Is that merely a functional access control mechanism?
  • Or is it Apple’s attestation that the code meets their standards?
  • Their app store policies and signed apps have been a major reason why iOS has much better security than Android
Subpoenaing the Code and Signing Key
• The FBI has indicated that if Apple won’t help it unlock the phone, it will subpoena the code and signing key
• Can the code be subpoenaed? Probably, but producing a usable copy of the code base and build environment is far from easy
• The signing key?
  • There’s still the compelled speech issue
  • Apple may not be able to turn it over—best practices dictate keeping such keys in a “Hardware Security Module” (HSM)
• The whole point of an HSM is to prevent disclosure of a major signing key!
The iCloud Backup
• Farook’s phone was backed up to Apple’s iCloud about six weeks before the shooting
• iCloud backups are not encrypted
  • Customers want to recover their data, even if they’ve forgotten their PIN
  • Apple’s threat model is loss of a device, not hacking of iCloud
• What was done with the phone during those six weeks?
  • An FBI error prevented them from forcing a new backup
• Some apps have data that is (deliberately) not backed up
• But—Apple knows exactly which apps are on the phone, and hence what they can do, where the metadata might be, etc. Statements by law enforcement suggest they think the odds on finding useful information are low.
Apple and Privacy
• Ideological: Tim Cook strongly believes in privacy
• He also believes in speaking out in the face of injustice—as a child, he tried to intervene in a Klan cross-burning
• People store lots of sensitive data on their phones (“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’” Riley v. California, 134 S.Ct. 2473 (2014))
• Marketing: Privacy is a distinguisher from Google, which earns its revenue from users’ personal data
• All of the above? Probably.
It’s Not Privacy, It’s Security
• Phones hold a lot of sensitive information (passwords, bank account numbers, email account access, etc.)
• The decline of Blackberry and the rise of “Bring Your Own Device” (BYOD) means that corporate data is on phones, too
• Phones are used as authenticators for network login, sometimes in place of hardware tokens
• Imagine an American business executive crossing the border into a country with an oppressive government—and that government can unlock the phone…
Where Are We?
• This case may be moot, but the issue will arise again
• News reports suggest that Apple is going to strengthen their security mechanisms
• There’s been no thorough, public discussion of the extent to which law enforcement access to metadata can substitute for access to content
  • Some have called this “the golden age of surveillance”
• The debate has often been lawyers and policymakers versus technologists—and they talk past each other
  • We need people who speak both languages!
Further Reading
• Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael A. Specter, and Daniel J. Weitzner. Keys under doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1), September 2015. http://cybersecurity.oxfordjournals.org/content/early/2015/11/17/cybsec.tyv009
• Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, and Bruce Schneier. The risks of key recovery, key escrow, and trusted third-party encryption, May 1997. https://www.cs.columbia.edu/~smb/papers/paper-key-escrow.pdf
• Susan Landau, Testimony, Hearing on “The Encryption Tightrope: Balancing Americans’ Security and Privacy”, Judiciary Committee, United States House of Representatives, March 1, 2016. https://judiciary.house.gov/wp-content/uploads/2016/02/Landau-Written-Testimony.pdf
How iPhone Encryption Works
• A random, 256-bit number (the “UUID”) is manufactured into the phone’s processor, and isn’t easily retrievable from outside
• When a PIN is entered, the PIN and the UUID are combined to form a “key-encrypting key” (KEK) via a process that must take about 80 milliseconds
• The KEK is used to encrypt the “data-encrypting key” (DEK)
• The DEK is used to encrypt (certain) data on the phone
• The DEKs are useless without the KEK, but the KEK can only be calculated (a) using the PIN, and (b) using the UUID not visible externally
• Newer iPhones do key-handling in a special, secure area of the processor
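The key hierarchy on this slide as a small model, added here as an example and not Apple's code. PBKDF2 with a fixed iteration count stands in for the hardware-tuned derivation, the XOR-pad-plus-HMAC wrap stands in for a real key-wrap algorithm, and the device secret, PIN and DEK are constructed values.

```python
import hashlib
import hmac

ITERATIONS = 20_000   # assumption: stand-in for the ~80 ms hardware derivation
GUESS_MS = 80         # per-guess cost stated on the slide

def derive_kek(pin: str, device_uid: bytes) -> bytes:
    """PIN + device-bound secret (the slide's "UUID") -> key-encrypting key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_uid, ITERATIONS)

def _pad(kek: bytes) -> bytes:
    return hmac.new(kek, b"pad", hashlib.sha256).digest()

def _tag(kek: bytes, ct: bytes) -> bytes:
    return hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Toy authenticated wrap of a 32-byte DEK (not a real key-wrap mode)."""
    ct = bytes(a ^ b for a, b in zip(dek, _pad(kek)))
    return ct + _tag(kek, ct)

def unwrap_dek(kek: bytes, blob: bytes):
    """Return the DEK, or None when the KEK is wrong (tag check fails)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _tag(kek, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _pad(kek)))

def worst_case_seconds(pin_digits: int) -> int:
    """Time to try every PIN on the device at 80 ms each, with no other limit."""
    return 10 ** pin_digits * GUESS_MS // 1000

# Constructed sample values.
DEVICE_UID = bytes(range(32))          # secret fused into this phone
OTHER_UID = bytes(32)                  # any other hardware
DEK = hashlib.sha256(b"constructed data key").digest()
BLOB = wrap_dek(derive_kek("4831", DEVICE_UID), DEK)   # what sits in flash

if __name__ == "__main__":
    print("right PIN, right device:", unwrap_dek(derive_kek("4831", DEVICE_UID), BLOB) == DEK)
    print("right PIN, other device:", unwrap_dek(derive_kek("4831", OTHER_UID), BLOB))
    print("4-digit / 6-digit exhaust (s):", worst_case_seconds(4), worst_case_seconds(6))
```

With only the 80 ms derivation as a brake, a 4-digit PIN space is exhausted in 800 seconds, which is why the erase-after-10-failures setting and the binding to the device secret carry the real protection.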