
Post on 24-Aug-2020


Encryption, Security, and Privacy
Steven M. Bellovin

https://www.cs.columbia.edu/~smb

Disclaimer

Everything I say is my opinion alone, and does not represent the opinion of any US government agency.

smb


The “Going Dark” Debate

•  For many years, the NSA and the FBI have worried about the spread of cryptography in the civilian world

•  On the other hand, encryption is necessary to protect American computers and data

•  Is there a problem? If so, is a compromise possible?


It’s an Old Debate

•  According to some reports, the need for civilian encryption was recognized in 1972 when the Soviets eavesdropped on US grain negotiators

•  IBM proposed the “Lucifer” cipher, with 112-bit keys

•  After refinement, the key size was 64 bits. NSA wanted 48 instead, to aid in their attacks; IBM and the NSA compromised on 56 bits

•  Is there a way to balance the need to protect American information with the need of law enforcement and intelligence agencies to (lawfully) intercept traffic? Is there even a problem?


Cryptography is Hard

•  Most non-government cryptographers oppose modifying encryption systems to permit government access

•  Why? Because cryptography is hard in the real world

•  Real-world cryptosystems are far more complex than high-level examples—and the complexity leads to trouble


Cryptographic Protocols

•  When doing encryption, you need a protocol—a stylized set of messages and data formats

•  Getting these wrong can result in security problems

•  The very first academic paper on the subject (Needham and Schroeder, 1978) ended with a warning: “Finally, protocols such as those developed here are prone to extremely subtle errors that are unlikely to be detected in normal operation. The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.”

•  They were right—a simple flaw in their design went unnoticed for 18 years


Examples

•  Incorrectly padding a short message to match the encryption algorithm’s requirements has resulted in security flaws

•  Not authenticating every encrypted message has resulted in flaws. (That was the essential flaw recently found in Apple’s iMessage protocol.)

•  Omitting sequence numbers from encrypted messages has resulted in flaws

•  The existence of older, “exportable” algorithms in the key and algorithm negotiation protocol has resulted in flaws

•  Trying to provide an “additional decryption key” for the government has resulted in flaws


Historical Example: The World War II Enigma Machine

•  You select the proper rotors

•  Adjust the rotors to their “ground setting”

•  Set the plugboard

•  Pick three random letters and encrypt them twice, and send those six letters as the start of the encrypted message

•  Reset the rotors to those three letters

Photos: public domain; Bob Lord, via WikiMedia Commons; Paul Hudson, via Flickr


What Could Go Wrong?

•  Sending the same, simple message every day was a fatal flaw

•  Picking non-random letters was a fatal flaw

•  Sending a message consisting of nothing but the letter “L” was a fatal flaw

•  Encrypting the three letters twice was a fatal flaw


The Three Letters

•  Imagine that “XJM” was encrypted to “AMRDTJ”

•  The cryptanalysts realized that A and D represented the same letter, M and T were the same, and R and J were the same

•  This gave away valuable clues to the rotor wiring and the rotor order!

Cryptography is hard…
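The leak from the doubled three-letter indicator, as an added example that is not part of the original slides: pairing ciphertext positions 1/4, 2/5 and 3/6 across a day's traffic reveals a fixed relation that does not depend on any operator's chosen letters. The six position permutations here are randomly constructed stand-ins for a real day's Enigma settings, and all function names are this example's own.

```python
import random
import string
from collections import Counter

ALPHA = string.ascii_uppercase

def random_involution(rng):
    """One Enigma position acts as 13 disjoint letter swaps; no letter maps to itself."""
    letters = list(ALPHA)
    rng.shuffle(letters)
    perm = {}
    for a, b in zip(letters[0::2], letters[1::2]):
        perm[a], perm[b] = b, a
    return perm

def make_indicators(perms, count, rng):
    """Constructed traffic: each operator types a random three-letter key twice."""
    out = []
    for _ in range(count):
        key = [rng.choice(ALPHA) for _ in range(3)]
        out.append("".join(perms[i][c] for i, c in enumerate(key + key)))
    return out

def link_table(indicators, pos):
    """Ciphertext letter at pos -> ciphertext letter at pos + 3 (same plaintext letter)."""
    return {ind[pos]: ind[pos + 3] for ind in indicators}

def cycle_lengths(table):
    """Sorted cycle lengths of a complete 26-letter link table."""
    seen, lengths = set(), []
    for start in table:
        n, c = 0, start
        while c not in seen:
            seen.add(c)
            c = table[c]
            n += 1
        if n:
            lengths.append(n)
    return sorted(lengths)

def lengths_come_in_pairs(lengths):
    """The analyst's fingerprint: every cycle length occurs an even number of times."""
    return all(v % 2 == 0 for v in Counter(lengths).values())

rng = random.Random(1939)                      # fixed seed: constructed sample data
day_perms = [random_involution(rng) for _ in range(6)]
traffic = make_indicators(day_perms, 600, rng)
tables = [link_table(traffic, p) for p in range(3)]
```

The recovered tables depend only on the day's machine settings, so every message sent that day contributes to the same three tables no matter which letters each operator picked.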


A Proposed Compromise: Additional Decryption Keys

•  Generic name: “exceptional access”

•  (Avoids the value judgment implicit in calling it a “backdoor”, a “front door”, a “golden key”)

•  One proposal: Any encryption system should provide an additional decryption key, accessible under proper legal safeguards

•  First instantiated in the Clipper Chip (1993), special hardware that implemented a then-classified encryption algorithm (Skipjack)
   •  It had an unexpected flaw in the exceptional access mechanism…


System and Policy Problems

•  How do you protect the secret key necessary to use this feature?

•  How do you protect it against a major intelligence agency?

•  How do you protect the process against routinization of access?
   •  Manhattan alone has 200 phones the DA wants to decrypt; Sacramento County has 80
   •  There are undoubtedly thousands more across the country today
   •  Will people do the right thing when it’s something they do every day, repeatedly? Hint: “rulebook slowdowns” work because normally, people don’t follow every last rule…


Which Countries Can Decrypt?

•  Who has the right to the decryption key?

•  Where the device was sold?

•  Where the device is now?
   •  Does a new key get installed at the border? How can that be done securely?
   •  Twice, I’ve been in one country but my phone was talking to a cell tower in another across the border

•  The citizenship of the owner? How does the encryption code know?

•  Will countries trust each other? Not likely…


International Economics

•  What about foreign-made cryptography?

•  The majority of encryption products are developed abroad
   •  The last time crypto was an issue, in the 1990s, the loss of business to non-US companies was a major factor in loosening export restrictions

•  What non-US buyers will want American software if the crypto has an exceptional access facility accessible to the FBI and the NSA?
   •  In 1997, the Swedish parliament was not amused to learn that they’d purchased a system to which the NSA had the keys

•  What will the State Department say to China when it wants its own access?


The Cost of Compliance

•  If breaking encryption is too cheap, it is bad for society: “the ordinary checks that constrain abusive law enforcement practices [are]: ‘limited police resources and community hostility.’” (US v. Jones, 615 F.3d 544 (2012), Sotomayor, concurring)

•  If it’s too expensive for the vendor, it inhibits innovation

•  Code complexity is also a cost and security problem

•  (As forecast, CALEA compliance indeed led to security problems)


Apple versus the FBI: San Bernardino

•  When Syed Farook died in a shootout, the FBI found a county-owned iPhone in his car

•  The county gave consent to a search, the FBI had a warrant—but the phone was locked (with some data encrypted) and might erase everything if the PIN was entered incorrectly 10 times

•  Magistrate Judge Pym ordered Apple to produce software that would allow unlimited guesses, with a provision to enter them rapidly

•  Apple objected


It’s Not About This One Phone

•  There is good reason to believe the FBI will find nothing of interest on this phone

•  Building the infrastructure to unlock this single phone is time-consuming and expensive—but once the code exists, it becomes easy to unlock others

•  Apple and the FBI both know this.
   •  The FBI wants a precedent set in what seems like an ideal case
   •  Apple is afraid of exactly that happening


Cost

•  Apple estimates that it would take 3-10 person-months to produce the code

•  My own, independent estimate is quite compatible with theirs

•  All iPhone code must be “digitally signed”, using a cryptographic key possessed by Apple

•  This, though, is the cost to produce the first copy of the software, for this one phone. Each subsequent version would be very cheap

•  If the software is not locked to one phone, it will become a target of other governments

•  If it is locked to one phone, you have the routinization problem


Compelled Speech?

•  Is computer code “speech” under the First Amendment, or is it purely functional?

•  The 2nd, 6th, and 9th Circuits have said code can be speech (9th Circuit opinion withdrawn)
   •  In all three cases, the code was linked to a political issue

•  Apple has expressed an opinion that backdoors are ethically wrong. Can they be compelled to “say” something they don’t believe?

•  What about the digital signature?
   •  Is that merely a functional access control mechanism?
   •  Or is it Apple’s attestation that the code meets their standards?
   •  Their app store policies and signed apps have been a major reason why iOS has much better security than Android


Subpoenaing the Code and Signing Key

•  The FBI has indicated that if Apple won’t help it unlock the phone, it will subpoena the code and signing key

•  Can the code be subpoenaed? Probably, but producing a usable copy of the code base and build environment is far from easy

•  The signing key?
   •  There’s still the compelled speech issue
   •  Apple may not be able to turn it over—best practices dictate keeping such keys in a “Hardware Security Module” (HSM)
   •  The whole point of an HSM is to prevent disclosure of a major signing key!


The iCloud Backup

•  Farook’s phone was backed up to Apple’s iCloud about six weeks before the shooting

•  iCloud backups are not encrypted
   •  Customers want to recover their data, even if they’ve forgotten their PIN
   •  Apple’s threat model is loss of a device, not hacking of iCloud

•  What was done with the phone during those six weeks?
   •  An FBI error prevented them from forcing a new backup
   •  Some apps have data that is (deliberately) not backed up

•  But—Apple knows exactly which apps are on the phone, and hence what they can do, where the metadata might be, etc. Statements by law enforcement suggest they think the odds on finding useful information are low.


Apple and Privacy

•  Ideological: Tim Cook strongly believes in privacy

•  He also believes in speaking out in the face of injustice—as a child, he tried to intervene in a Klan cross-burning

•  People store lots of sensitive data on their phones (“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’” Riley v. California, 134 S. Ct. 2473 (2014))

•  Marketing: Privacy is a distinguisher from Google, which earns its revenue from users’ personal data

•  All of the above? Probably.


It’s Not Privacy, It’s Security

•  Phones hold a lot of sensitive information (passwords, bank account numbers, email account access, etc.)

•  The decline of Blackberry and the rise of “Bring Your Own Device” (BYOD) means that corporate data is on phones, too

•  Phones are used as authenticators for network login, sometimes in place of hardware tokens

•  Imagine an American business executive crossing the border into a country with an oppressive government—and that government can unlock the phone…


Where Are We?

•  This case may be moot, but the issue will arise again

•  News reports suggest that Apple is going to strengthen their security mechanisms

•  There’s been no thorough, public discussion of the extent to which law enforcement access to metadata can substitute for access to content
   •  Some have called this “the golden age of surveillance”

•  The debate has often been lawyers and policymakers versus technologists—and they talk past each other
   •  We need people who speak both languages!


Further Reading

•  Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael A. Specter, and Daniel J. Weitzner. Keys under doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1), September 2015. http://cybersecurity.oxfordjournals.org/content/early/2015/11/17/cybsec.tyv009

•  Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, and Bruce Schneier. The risks of key recovery, key escrow, and trusted third-party encryption, May 1997. https://www.cs.columbia.edu/~smb/papers/paper-key-escrow.pdf

•  Susan Landau, Testimony, Hearing on “The Encryption Tightrope: Balancing Americans’ Security and Privacy”, Judiciary Committee, United States House of Representatives, March 1, 2016. https://judiciary.house.gov/wp-content/uploads/2016/02/Landau-Written-Testimony.pdf


How iPhone Encryption Works

•  A random, 256-bit number (the “UUID”) is manufactured into the phone’s processor, and isn’t easily retrievable from outside

•  When a PIN is entered, the PIN and the UUID are combined to form a “key-encrypting key” (KEK) via a process that must take about 80 milliseconds

•  The KEK is used to encrypt the “data-encrypting key” (DEK)

•  The DEK is used to encrypt (certain) data on the phone

•  The DEKs are useless without the KEK, but the KEK can only be calculated (a) using the PIN, and (b) using the UUID not visible externally

•  Newer iPhones do key-handling in a special, secure area of the processor
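The key hierarchy described above, as an added example that is not from the original slides and is not Apple's code: a device-bound secret and the PIN yield the KEK, the KEK wraps the DEK, and the 80 ms derivation cost sets the floor on PIN guessing once nothing limits the number of tries. PBKDF2, the iteration count, the HMAC-based wrap and all names are assumptions chosen so the example runs with the Python standard library only.

```python
import hashlib
import hmac
from typing import Optional

DEVICE_SECRET = bytes(range(32))   # constructed stand-in for the 256-bit in-chip value

def derive_kek(pin: str, device_secret: bytes, iterations: int = 50_000) -> bytes:
    """Combine PIN and device secret with a deliberately slow KDF.
    PBKDF2 and the iteration count are assumptions; the slide says only ~80 ms."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, iterations)

def _stream(kek: bytes, n: int) -> bytes:
    # Toy keystream (at most 32 bytes); a real design would use AES key wrap.
    return hmac.new(kek, b"wrap-stream", hashlib.sha256).digest()[:n]

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a DEK of up to 32 bytes under the KEK."""
    ct = bytes(a ^ b for a, b in zip(dek, _stream(kek, len(dek))))
    tag = hmac.new(kek, b"wrap-tag" + ct, hashlib.sha256).digest()
    return ct + tag

def unwrap_dek(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the DEK, or None when the KEK (PIN or device secret) is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    expect = hmac.new(kek, b"wrap-tag" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, len(ct))))

def worst_case_hours(pin_digits: int, seconds_per_guess: float = 0.080) -> float:
    """Time to try every numeric PIN on the device if guesses are unlimited."""
    return (10 ** pin_digits) * seconds_per_guess / 3600

if __name__ == "__main__":
    dek = bytes(range(32, 64))                          # constructed sample DEK
    blob = wrap_dek(derive_kek("1234", DEVICE_SECRET), dek)
    print(unwrap_dek(derive_kek("1234", DEVICE_SECRET), blob) == dek)
    print(unwrap_dek(derive_kek("1234", bytes(32)), blob))  # other device: None
    for digits in (4, 6):
        print(digits, "digits:", round(worst_case_hours(digits), 2), "hours")
```

Because the derivation needs the in-chip value, the wrapped DEK cannot be attacked on other hardware, which leaves the erase-after-10-tries limit and the PIN length as the controls that matter.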
