Encryption

A Tale of Three Backdoors

By Nicholas Weaver
Thursday, August 27, 2015, 8:00 AM

Benjamin Wittes recently asked "?" to build backdoors into security systems.­

The tale of three backdoors: TSA locks, the CALEA interface, and the Dual_EC PRNG, all amply illustrate the dangers posed by backdoors in systems.  For backdoors may fail catastrophically, degrade national security, and can potentially be used against those who demanded the backdoors in the first place.  The scars born by the security field in dealing with failed backdoors provides ample illustration why we find the idea of backdoors troubling and dangerous.

 contain a disclosed backdoor which is similar in spirit to what Director Comey desires for encrypted phones.  In theory, only the Transportation Security Agency or other screeners should be able to open a TSA lock using one of their master keys.  All others, notably baggage handlers and hotel staff, should be unable to surreptitiously open these locks.

Unfortunately for everyone, a TSA agent and the Washington Post revealed the secret.  , since it is the pattern of the teeth, not the key itself, that tells you how to open the lock.  So by simply  of the complete spread of TSA keys in the Washington Post's , the Washington Post enabled anyone to make their own TSA keys.

So the TSA backdoor has failed: we must assume any adversary can open any TSA "lock".  If you want to at least know your luggage has been tampered with, forget the TSA lock and use a zip-tie or tamper-evident seal instead, or attach a real lock and force the TSA to use their bolt cutters.

Telephone systems also have a backdoor thanks to CALEA (the Communications Assistance to Law Enforcement Act).  Although CALEA doesn't mandate any particular technology, , so any phone switch sold in the US must include the ability to efficiently tap a large number of calls.  And since the US represents such a major market, this means virtually every phone switch sold worldwide contains “lawful intercept” functionality.  Yet this capability doesn't just find use in law enforcement.

In the "" beginning in 2004, some unknown entity compromised Vodafone Greece.  This team of skilled attackers surreptitiously enabled the lawful intercept functionality on Vodafone's switches and then used their backdoor access to wiretap the cellphones of prominent Greek politicians and NGOs, including both the Minister of Defense and the Prime Minister.

We need to assume that, if someone can perform such an attack against Vodafone, others can (or already have) used the same strategy against Verizon or AT&T.  So in the CALEA backdoor we have introduced a weakness into our telephone systems which attackers can exploit with significant national security implications

The final backdoor, Dual_EC_DRBG, was surreptitiously developed by the NSA.  This trap-doored pseudo-"random" number generator enables the NSA (or anyone who knows a secret number) to .  Yet as many cryptographers were suspicious of both Dual_EC's  and "" nature, the NSA also needed to use its market power to encourage adoption, including  to make it the default pRNG.

Thus the biggest user of Dual_EC backdoored cryptography was probably the US government.  Which means that there is a magic number locked away in an NSA computer which, if revealed to a hostile power, enables the bulk decryption of large volumes of unclassified US government communication, communication the NSA was supposed to protect.

Unfortunately, the NSA has a recent history of leakers (its not just Snowden).  If a leaker instead wanted to be a spy, the Dual_EC magic numbers, even now, represent a secret the Chinese, Russians, French, or Israelis might pay millions to acquire.  That is, assuming that some unknown spy hasn’t already sold this secret.

All three backdoors introduced significant problems.  TSA locks can be opened by anyone despite their promise of security, the CALEA interface has been used for nation-state spying, and the biggest potential victim of the Dual_EC backdoor is probably the US government.

We have a difficult enough time building secure systems without backdoors, and the presence of a backdoor must necessarily weaken the security of the system still further.  With the dreadful history of backdoors, its little wonder most security professionals believe building backdoors right is practically impossible.

Topics: