195 research outputs found

    Encryption Backdoors: A Discussion of Feasibility, Ethics, and the Future of Cryptography

    In the age of technological advancement and the digitization of information, privacy seems to be all but an illusion. Encryption is supposed to be the white knight that keeps our information and communications safe from unwanted eyes, but how secure are the encryption algorithms that we use? Do we put too much trust in those that are charged with implementing our everyday encryption systems? This paper addresses the concept of backdoors in encryption: ways that encryption systems can be implemented so that the security can be bypassed by those that know about its existence. Many governments around the world are pushing for these kinds of bypassing mechanisms to exist so that they may utilize them. The paper discusses the ethical implications of these policies as well as how our current encryption algorithms will hold up to future technology such as quantum computers

    Encryption Congress Mod (Apple + CALEA)

    We are in the midst of the latest iteration of the “crypto wars.” These conflicts, nominally waged between proponents of strong encryption technologies on the one hand and law enforcement and national security interests on the other, are the natural result of increased availability and use of strong encryption throughout the communications ecosystem. Strong encryption makes it difficult, in some cases effectively impossible, for the government to obtain information from individuals – even in cases where it has lawful basis for demanding and legitimate need to obtain access to that information. The availability of a technology that effectively moots the government’s ability to compel the disclosure of information shifts the balance of power between individuals and the government. The task of rebalancing these powers ultimately falls to the political process, and, in specific, to Congress. This article uses CALEA, a law adopted in 1994 during the previous iteration of the crypto wars, as a lens to understand how Congress can, and is likely to, respond to this changing balance of power

    Wicked Crypto


    Private Actors, Corporate Data and National Security: What Assistance Do Tech Companies Owe Law Enforcement?

    When the government investigates a crime, do citizens have a duty to assist? This question was raised in the struggle between Apple and the FBI over whether the agency could compel Apple to defeat its own password protections on the iPhone of one of the San Bernardino shooters. That case was voluntarily dismissed as moot when the government found a way of accessing the data on the phone, but the issue remains unresolved. Because of advances in technology, software providers and device makers have been able to develop almost impenetrable protection for their customers’ information, effectively locking law enforcement out of accounts and devices, even when armed with a search warrant. Most privacy watchdogs, understandably shaken by Edward Snowden’s revelations of NSA spying, argue that this is an unadulterated good. The prosecutorial view is that this is an unprecedented interference with lawful investigations. There is no question that the companies fashioning themselves as champions of privacy benefit financially from this position. Apple has openly admitted in court filings that complying with court orders to assist in the execution of search warrants could “substantially tarnish Apple’s brand.” But while Apple may bear some responsibility for creating a system that it could not access itself, does that mean they should be statutorily tasked with undoing it? Current statutory law, in particular the Communications Assistance for Law Enforcement Act (CALEA), does not cover the encrypted information on physical devices, or information companies’ responsibilities to decrypt it. This Essay takes the question of whether CALEA should be amended as a starting point for a broader exploration of what assistance the government can justly ask of its citizens. There are strong arguments to be made that such obligations would not be reasonable, or that there should be a zone of privacy that the government cannot access. This would support a system in which some warrants are ineffectual. But if the functional impossibility of execution of these warrants is just the byproduct of a corporate strategy, “them’s the breaks” seems like an insufficient justification

    Shedding Light on the Going Dark Problem and the Encryption Debate

    In an effort to protect the enormous volume of sensitive and valuable data that travels across the Internet and is stored on personal devices, private companies have created encryption software to secure data from criminals, hackers, and terrorists who wish to steal it. The greatest benefit of encryption also creates the biggest problem: Encryption software has become so secure that often not even the government can bypass it. The “Going Dark” problem—a scenario in which the government has obtained the legal authority to search a suspected criminal’s encrypted device but lacks the technical ability to do so—is becoming increasingly common. In response, the government has resorted to obtaining court orders to compel private companies to assist it in bypassing encrypted devices, in some cases demanding that companies create entirely new software to accomplish this task. This raises a plethora of political, economic, and legal questions. This Note argues that given the weighty interests on all sides of the debate and the widespread effects that these cases will have, the encryption issue should be decided by the legislative branch instead of the courts. Because of the complexity of these issues and the lack of current legislation, the courts are being forced to stretch the law in ways that will likely lead to inconsistent and undesirable rulings. This Note advocates that the best method for Congress to solve this problem is to create an administrative body with rule-making, investigative, and adjudicative powers to address these situations on a case-by-case basis and to advise Congress on future legislation regarding encryption and digital security in general

    Striking the Balance: Search Warrants and Encryption Protected Smartphones

    (Excerpt) This note’s analysis of searches of encrypted cell phones will be broken down into three parts. Part I of this note provides context for the balance between individual privacy and law enforcement by reviewing general Fourth Amendment principles and then Supreme Court rulings that apply these principles to cell phones. Part II then details the advancements in cell phone technology, specifically encryption. These new technologies render the data on cell phones inaccessible and lead law enforcement to go beyond search warrants and seek special orders pursuant to the All Writs Act. Part II provides an overview of the All Writs Act and the leading cases that define its scope and concludes that the act does not provide a power to courts to order the decryption of cell phones. Part III then asserts why a judicial response is inadequate to address the issues caused by encryption, and why new legislation is needed that will effectively and lawfully strike the balance between the interests surrounding data encryption on smartphones

    Smartphone Forensic Challenges

    Article originally published in International Journal of Computer Science and Security. Globally, the extensive use of smartphone devices has led to an increase in storage and transmission of enormous volumes of data that could potentially be used as digital evidence in a forensic investigation. Digital evidence can sometimes be difficult to extract from these devices given the various versions and models of smartphone devices in the market. Forensic analysis of smartphones to extract digital evidence can be carried out in many ways, however, prior knowledge of smartphone forensic tools is paramount to a successful forensic investigation. In this paper, the authors outline challenges, limitations and reliability issues faced when using smartphone device forensic tools and accompanied forensic techniques. The main objective of this paper is intended to be consciousness-raising rather than suggesting best practices to these forensic work challenges

    Cryptography with Disposable Backdoors

    Backdooring cryptographic algorithms is an indisputable taboo in the cryptographic literature for a good reason: however noble the intentions, backdoors might fall in the wrong hands, in which case security is completely compromised. Nonetheless, more and more legislative pressure is being produced to enforce the use of such backdoors. In this work we introduce the concept of disposable cryptographic backdoors which can be used only once and become useless after that. These exotic primitives are impossible in the classical digital world without stateful and secure trusted hardware support, but, as we show, are feasible assuming quantum computation and access to classical stateless hardware tokens. Concretely, we construct a disposable (single-use) version of message authentication codes, and use them to derive a black-box construction of stateful hardware tokens in the above setting with quantum computation and classical stateless hardware tokens. This can be viewed as a generic transformation from stateful to stateless tokens and enables, among other things, one-time programs and memories. This is to our knowledge the first provably secure construction of such primitives from stateless tokens. As an application of disposable cryptographic backdoors we use our constructed primitive above to propose a middle-ground solution to the recent legislative push to backdoor cryptography: the conflict between Apple and FBI. We show that it is possible for Apple to create a one-time backdoor which unlocks any single device, and not even Apple can use it to unlock more than one, i.e., the backdoor becomes useless after it is used. We further describe how to use our ideas to derive a version of CCA-secure public key encryption, which is accompanied with a disposable (i.e., single-use, as in the above scenario) backdoor