The NSA’s Split-Key Encryption Proposal is Not Serious
Written by Joseph Lorenzo Hall
The US Government has been busy on the encryption front in both positive and negative ways. On the positive front, there is a major effort underway to move all government websites to HTTPS; I’ll discuss that in a future post. But on the problematic and negative side of the ledger, we once again turn to the NSA.
NSA Director Michael Rogers has launched a new trial balloon to address what law enforcement and intelligence agencies are calling “Going Dark.” As reported by Ellen Nakashima and Barton Gellman’s on a front page story in the Washington Post, Admiral Rogers shared a proposal that would require tech companies to create a “golden key” that would allow access to encrypted data and communications. The new twist in Rogers’ proposal was to cut this golden key into pieces so that no one entity – the NSA or the company making the product – could decrypt the data without all the pieces of the key.
Sorry Admiral Rogers, but requiring split-key encryption is not a serious proposal.
It’s time to stake that trial balloon to the ground of technical reality. Sorry Admiral Rogers, but requiring split-key encryption is not a serious proposal.
The technical community and the US Government have long been engaged in a simmering fight about encryption, dubbed the “crypto wars.” While many had thought that the crypto wars had all but ended in the late 1990s, we were clearly wrong. The FBI has been arguing for years that it is “going dark,” namely that methods of wiretapping telephones don’t work on the internet or with encrypted data. The NSA has also been engaged in a variety of efforts to undermine cryptography. The government has been concerned in the past that strong encryption would be helpful to criminals, terrorists, and foreign nations, so it has long maintained that cryptography should be carefully controlled. It all but lost the series of earlier battles in the war: strong encryption is available worldwide to protect data and communications, and it is a fundamental feature of the modern internet and world wide web.
FBI Director James Comey was unable to cite a single instance when encryption frustrated FBI investigations.
And yet, despite this, the sky has not fallen. Even as encryption has become a common tool of internet and communication technologies, it has not proven problematic to preventing crime in the manner predicted. In fact, when recently speaking in support of anti-encryption mandates, FBI Director James Comey was unable to cite a single instance when encryption frustrated FBI investigations.
To boot, the US Government has flirted with essentially the exact proposal from Adm. Rogers in the past. When CDT was merely three years young, in 1997, we coordinated a technical report entitled, “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption”. In the report, we demonstrated that there would be no provable secure way to communicate using split key key escrow systems, so certain types of sensitive transactions involving health information, financial information, and intimate information would be more vulnerable to interception in the case of a flaw, compromise, or abuse of the system. Also, securing repositories of keying material, validating requests for keys, and distributing keys would be exceedingly complex, and likely much more complex than the underlying encryption itself. This is costly to say the least, but it can also be dangerous in that adding complexity to a system will inevitably lead to additional methods to undermine it and find vulnerabilities that can be used to attack it.
If the United States creates a split-key encryption mandate, autocratic countries are likely to follow suit and require access to encrypted services.
The split key approach also raises a host of concerns for business, privacy, and human rights. If the United States creates a split-key encryption mandate, autocratic countries are likely to follow suit and require access to encrypted services, a measure already being pursued in China despite U.S. criticism. This mandate would also leave US companies – that have already lost significant business abroad in recent years due to surveillance concerns – labeled by foreign competitors as “NSA accessible.” American companies won’t be able to assure foreign or domestic customers that their data is secure if the NSA hacks into the company, as reportedly happened to Google and Yahoo. A company would also face logistical issues if a customer requested a recovery key, but the company had to coordinate with the government to provide it. And because criminals could still use foreign electronic products and software, the mandate would not even cut off their access to encryption technology and would “hobble” US security products that seek to use modern cryptography (such as encryption that uses very short-lived keys, called “perfectly forward secret” encryption).
Adm. Rogers should come back with a proposal the technical community hasn’t already identified as irresponsible, costly, and impractical. And for a good reminder on the value of strong encryption, perhaps he should give the Government CIO office a call, which I’ll talk more about in my next blog post.