Encryption

Building on Sand Isn’t Stable: Correcting a Misunderstanding of the National Academies Report on Encryption

By Susan Landau
Wednesday, April 25, 2018, 10:00 AM

The encryption debate is messy. In any debate that involves technology—encryption, security systems and policy, law enforcement, and national security access—the incomparable complexities and tradeoffs make choices complicated. That's why getting the facts absolutely right matters. To that end, I’m offering a small, but significant, correction to a post Alan Rozenshtein wrote on Lawfare on March 29.

Rozenshtein argued that in opposing an exceptional-access mandate—the ability for law enforcement to access an encrypted communication or locked device with a warrant—the computer-security community had deluded itself into thinking that such systems couldn’t be built securely. As evidence of this, Rozenshtein pointed to the recent National Academies study on the tradeoffs involved in government access to encrypted content. (Note: I served on the study committee.) He wrote that the report made an important point that many missed: "High-level experts in the information-security community itself are trying to build secure third-party-access systems." But this is not what the report said.

The Academies report does discuss approaches to “building ... secure systems” that provide exceptional access—but these are initial approaches only. The report states as much in writing that computer scientists have “begun to explore” this area of research. The presentations to the Academies committee were brief descriptions of ideas by three smart computer scientists, not detailed architectures of how such systems would work. There's a huge difference between a sketch of an idea and an actual implementation—Leonardo da Vinci’s drawings for a flying machine as opposed to the Wright brothers’ plane at Kitty Hawk. The presentations that the Academies saw are more akin to sketches than a system architecture.

None of the three presentations involved anything more than the thoughts of a single individual. The study did not hear presentations about engineering teams “trying to build secure third-party-access systems”—there is no such effort at present. (This does not include key-recovery solutions such as those provided in Apple’s FileVault or Microsoft’s BitLocker; these solve a different problem from the “going dark” issue.)

An exceptional-access system is not merely a complex mathematical design for a cryptosystem; it is a systems design for a complex engineering task. Building such a system would be extraordinarily hard and would require a large team of engineers. An exceptional-access system would have to operate in real time, authenticate multiple law-enforcement agencies (including police and sheriff departments, of which there are over 15,000 in the U.S.), ensure the accuracy of the authentication system and its ability to withstand attacks, and handle frequent updates to hardware, the operating system, phones, and more. The exceptional-access system would have to be flexible enough to handle the varied architectures of different types of phones, security systems and update processes. (The latter would be extremely challenging for phones using the Android operating system, which are supplied by multiple different vendors. These providers often customize the open-source Android release to some extent—and may make changes on varying schedules. Thus the diversity of Android devices is likely to make subverting them through a software update significantly harder than it would otherwise be.)

The fundamental difference between building a sound cryptosystem and a secure exceptional-access system is the difference between solving a hard mathematics problem—one that the Advanced Encryption Standard competition showed we can do—and producing a sound engineering solution to a difficult systems problem with constantly changing parts and highly active adversaries. There is a large delta between a conceptual architecture and the complex and detailed design specification that identifies where the security risks may lie. This is why the security community largely believes exceptional-access systems are impossible to make with the requisite level of security.

Rozenshtein misunderstands the Academies report when he writes that it “undermine[s] the argument that secure third-party-access systems are so implausible”—and as a result, his reasoning is built on sand. While he does acknowledge the difficulty of building an exceptional-access solution, his arguments for building such systems fail to fully take that difficulty into account.