BreachExchange mailing list archives

The Second Crypto War and the Future of the Internet
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 28 Jan 2015 19:40:52 -0700

http://www.huffingtonpost.com/matthew-prince/the-second-crypto-war-and_b_6517528.html

In the early 1990s, the first Crypto War began. With the release of the
programmer Phil Zimmermann's PGP ("Pretty Good Privacy") encryption software
in 1991, for the first time in history, anyone could encode and exchange a
message that no law enforcement agency had the technical ability to
intercept and decode.

Fearing that criminals would be able to hide their communications, the
reaction of governments worldwide was swift. The United States, for
instance, banned the export of what it deemed "strong crypto." Early
versions of Internet software such as Netscape's Communicator browser and
Lotus Notes came in two flavors: a Domestic version that supported strong
128-bit crypto and an International version that supported weak 40-bit
crypto.

But the genie was out of the bottle. The math equations that powered both
strong and weak crypto systems were identical and elegantly simple. The
difference between strong and weak was merely the length of the keys they
used. Regulating the length of a key -- effectively akin to telling you
that you're not allowed to use a password that's more than a certain number
of characters -- proved impossible. And, by the early 2000s, the
technologists prevailed. Restrictions on the use and export of strong
cryptosystems were largely dropped, and the first Crypto War came to a
close.

First shots in the next crypto war

History may attribute the Archduke Ferdinand moment that spawned the second
Crypto War to a cheeky little smiley face, hand drawn on a United States
National Security Agency diagram that was revealed to the public on October
30, 2013. On that day, the Washington Post published the diagram from the
trove of secret documents revealed by former NSA contractor Edward Snowden.

The document showed how the US was tapping Google's private communication
lines over which messages between the company's data centers were being
exchanged unencrypted. The cheeky smiley face denoted the place on Google's
infrastructure where crypto was "added and removed." To the NSA, it was a
clever way to sneak behind the strong crypto lines and capture messages
where they weren't encoded. To the technology industry, it was nothing
short of a declaration of war.

The technologists fight back

Since then, the technologists have scrambled to add strong cryptographic
protections even to those parts of their systems that were previously
considered private. Apple, for instance, with the release of the latest
version of the company's iPhone software, has designed a messaging system
where it doesn't have a way of reading messages that pass between two
users. If you're using an up-to-date iPhone to send a text message to
another iPhone user, and the little bubble containing your message is blue,
then neither Apple, nor your ISP, nor any law enforcement agency tapping
into the transmission line is likely able to read the contents of the
message.

This intentional "blinding" of user content not only thwarts mass
surveillance, but also many of the techniques of targeted law enforcement.
If Apple doesn't have the contents of their users' messages, the company
has no way of responding to a warrant requesting that content. Previously,
companies like Apple, Google, Facebook, and others have acted as a
centralized repository of user data that law enforcement could turn to
during an investigation. As the second Crypto War heats up, these companies
are engineering new ways to lock their users' data away even from legal
process.

And, again, as in the first Crypto War, the response from government has
been swift. British Prime Minister David Cameron recently pledged that
"modern forms of communication" should not be "exempt from being listened
to." Director of GCHQ Robert Hannigan urged that companies needed to help
with allowing surveillance of their networks, describing social media
networks as "a terrorist's command-and-control network of choice." And US
FBI Director James Comey suggested companies should be required to design
"intercept solutions" into their technologies.

Cryptography's broad swath

While debate in the coming Crypto War will likely focus on the proper
responsibilities of technology companies and law enforcement, it's
important to bear in mind the wide swath cryptography now cuts. The
implications of strong crypto for protecting user privacy and creating
challenges for law enforcement surveillance are obvious. However,
cryptography impacts other significant technology debates of our time.

For example, network neutrality -- the idea that Internet Service Providers
(ISPs) shouldn't discriminate against or favor different services -- is
directly impacted by cryptography. By encrypting data as it moves across
the wire, ISPs cannot inspect the contents of packets in order to
discriminate between services. Cryptography also prevents ISPs from
inserting tracking cookies in their users' data streams, a practice some
providers like Verizon have begun implementing in order to develop new
advertising-based revenue streams.

Government regulation of Internet content also depends on controlling
cryptographic content. Regimes that block certain content from entering
their borders inherently need to inspect Internet traffic. In many
instances where state actors have taken this approach, encrypted traffic is
simply blocked outright since it cannot be inspected. That approach, of
course, only works so long as a majority of Internet traffic is
unencrypted. As more of the Internet adopts strong crypto, the ability of a
regime to control what information flows across its borders is threatened.

Cryptography is even challenging traditional monetary systems. Bitcoin, the
most popular of the so-called cryptocurrencies, depends on some of the
same cryptographic algorithms that Apple uses to secure messages sent
between iPhone users. Rather than Bitcoin's money supply being controlled
by a central bank, the value of the currency depends on the math behind the
cryptography algorithm itself. Some governments have banned the use of
Bitcoin, suggesting it poses an existential threat to their ability to
regulate financial transactions. The challenge, however, just as in the
first Crypto War, is that the algorithms are simple, widely known, and
broadly used across many applications making it very difficult to put the
genie back in the bottle.

Proceed with caution

Today, the technology industry is more powerful and better organized than
it was when it won the first Crypto War. However, I am concerned that the
industry underestimates the threat posed by regulators reluctant to give in
to the broad use of strong crypto, and in doing so, give up some level of
control. As we fight the coming Crypto War, it is important that the
technology industry acknowledge the challenges of law enforcement and
legitimate government interests at stake. And, at the same time, it is
critical for government policy makers to educate themselves about the broad
impact of strong crypto and the potential unintended consequences of trying
to weaken it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
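The article's point that "strong" and "weak" export-era crypto ran the same algorithm and differed only in key length can be made concrete. The following is an added example, not code from the article, the list, or any of the products named above. It assumes a toy keystream cipher (HMAC-SHA256 in counter mode, not the RC4-40 that export browsers actually shipped) and models an "international" key the way the 1990s split effectively worked: a 128-bit key in which all but the low N bits are fixed to zero. With a known plaintext, the reduced keyspace can be searched exhaustively; the full 128-bit space cannot. The message, key and rate figures are constructed for the demonstration.

```python
"""Same cipher, different effective key length: why regulating key size
was the only lever in the first Crypto War. Added example; toy cipher."""
import hashlib
import hmac

KEY_BYTES = 16  # a 128-bit "domestic" key


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def export_key(full_key: bytes, bits: int) -> bytes:
    """Derive the 'international' key: keep only the low `bits` bits of the
    128-bit key and zero the rest. The algorithm is unchanged; only the
    effective keyspace shrinks from 2**128 to 2**bits."""
    value = int.from_bytes(full_key, "big") & ((1 << bits) - 1)
    return value.to_bytes(KEY_BYTES, "big")


def brute_force(ciphertext: bytes, known_plaintext: bytes, bits: int):
    """Exhaustively search the 2**bits reduced keyspace for a key that
    decrypts the ciphertext prefix to the known plaintext.
    Returns (key, number_of_keys_tried) or (None, 2**bits)."""
    prefix = ciphertext[: len(known_plaintext)]
    for candidate in range(1 << bits):
        key = candidate.to_bytes(KEY_BYTES, "big")  # high bits zero, as in export_key
        if decrypt(key, prefix) == known_plaintext:
            return key, candidate + 1
    return None, 1 << bits


def work_factor(weak_bits: int, strong_bits: int) -> int:
    """How many times larger the strong keyspace is than the weak one."""
    return 1 << (strong_bits - weak_bits)


def expected_seconds(bits: int, keys_per_second: float) -> float:
    """Time to sweep the whole keyspace at a constructed trial rate."""
    return (1 << bits) / keys_per_second


def demo(bits: int = 16) -> dict:
    """Encrypt under a key with `bits` effective bits, then recover it by
    brute force. 16 bits keeps the search instant; 40 bits was the
    export limit; 128 bits is out of reach by the same code path."""
    full_key = bytes(range(1, KEY_BYTES + 1))  # constructed, not random
    weak_key = export_key(full_key, bits)
    message = b"ATTACK AT DAWN"  # constructed known plaintext
    ciphertext = encrypt(weak_key, message)
    recovered, tries = brute_force(ciphertext, message, bits)
    return {
        "recovered": recovered == weak_key,
        "plaintext": decrypt(recovered, ciphertext) if recovered else None,
        "tries": tries,
        "keyspace": 1 << bits,
    }


if __name__ == "__main__":
    result = demo(16)
    print(f"16-bit key recovered: {result['recovered']} after {result['tries']} tries")
    print(f"128-bit keyspace is {work_factor(40, 128)} times larger than 40-bit")
    # Constructed rate of 1e9 keys/s: 40 bits falls in minutes, 128 bits does not.
    print(f"40-bit sweep at 1e9 keys/s: {expected_seconds(40, 1e9):.0f} s")
    print(f"128-bit sweep at 1e9 keys/s: {expected_seconds(128, 1e9):.3e} s")
```

Running the demo with 16 effective bits recovers the key after at most 65,536 trials; bumping `bits` to 40 makes the same loop take roughly 2**24 times longer, and 128 bits is infeasible for any attacker, which is exactly why the export rules targeted key length and nothing else. The false-match risk in `brute_force` is negligible here because a wrong key has to reproduce 14 known bytes, but a real known-plaintext search should check more than a few bytes.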
