Cryptographic Backdoors Explained

Cryptography is by far one of the most important subjects in the information age. Every time you log in somewhere, there’s an algorithm of some sort verifying your password against a hashed value that determines whether you can authenticate into your account or not. It’s how we keep hackers at bay. So, what happens when the algorithm that’s supposed to keep you safe has a backdoor that allows certain people to have unfettered access to your accounts and personal records?

On May 19, 2015, Apple and Google urged U.S. President Barack Obama to reconsider forcing private sector technology firms to include backdoors in their cryptographic algorithms. I aim to explain how this affects us as consumers of technology and the bottom lines of the corporations that provide us with said technology.

cryptobackdoor-nsasign

You could be forgiven if the term “Dual_EC_DRBG” sounds like arcane gibberish to you, but it’s perhaps a term tied to one of the biggest scandals in the history of encryption technology. Our story begins in the early 2000s, when elliptic curve cryptography was beginning to take root in computer systems. Until then, generating a random number was a pain because of its inherent predictability. You see, people can generate random numbers very efficiently since we all think differently. Can you tell what number between 1 and 100,000 I’m thinking about right now? You have a 1:100,000 chance of getting the answer right if you just guess randomly. That’s not the same with computers. They’re utterly horrible at this since they usually rely on other fixed values to get to their “conclusions.” Since they can’t “think,” we have to synthesize the process for them. Elliptic curve cryptography makes the process of generating a random number much less predictable than conventional methods.

Back to the story. The National Security Agency (NSA) pushed a module called Dual_EC_DBRG as a possibility for generating these numbers. It wasn’t passed.

It doesn’t end there, though. In 2004, the NSA made a $10 million deal with the creators of the RSA cryptosystem (the people who at that time had the most market share in cryptography) to make their pet module the default for RSA. We don’t know if the NSA included the backdoor, but Dual_EC_DRBG certainly had one. The fact that the NSA was so insistent on including this module in RSA cryptography doesn’t help the case against prior knowledge.

Fast-forward to 2015, and now you have the U.S. government as well as other governments around the world coming forward to ask private companies to include backdoors to their encryption algorithms.

cryptobackdoor-backdoor

You might already have an idea of why backdoors are bad. It’s a no-brainer, right? The thing is that there are other unseen consequences to introducing backdoors to encryption aside from the invasion of privacy by government entities.

First of all, if a hacker discovers the backdoor (which is exactly how the Dual_EC_DBRG fiasco mentioned earlier started), you can just about guarantee that anyone can exploit it to have a peek at things that are very private to you.

The second reason why backdoors are horrible can best be expressed in the form of a question: Knowing that not just the government, but any John Doe, can have a look at your private data, would you ever open an account anywhere ever again? People rely on technology right now because they trust it. Eliminate the trust, and you’ll see very few customers in the enterprise market. Yes, consumers may still use encrypted and connected technologies, but businesses are going to opt out in droves. A lot of our favorite manufacturers rely heavily on their business-to-business customer bases.

So, not only is this idea bad for consumers, but also bad for the bottom line of the businesses that provide us with the things we love. That’s why giants like Apple and Google are so concerned about these policies.

What do you think we should do? Is a possible law on this even enforceable? Tell us in a comment!

8 comments

  1. Cryptographic algorithm with a backdoor is like a condom with a pinhole. They both offer equally lousy protection.

    NSA and other intelligence agencies do not give a rat’s ass about consumer confidence, economy. or the effects of gamma rays on the marigolds on the moon. They WANT access to any and all information possible as easily as possible. The money and effort spent on having to decrypt encrypted electronic communication, in their minds, can be better spent on additional servers or storage for that communications.

    NSA, et al. will get their way the same way J.Edgar Hoover got all FBI budgets approved – by blackmailing the congress critters. God knows they all have skeletons in their closets they would rather not reveal.

    Unfortunately, private citizens are caught between a rock and a hard place. Any limits that inhibit the data gathering abilities of intelligence agencies will cost innocent lives. OTOH, indiscriminate data gathering by these agencies costs everybody their privacy. Either way, private citizens wind up getting shafted.

  2. They should have an access to all communication cause evil is rising across world .When you look around a lots of mentally unstable people .At end of the day AI planing should be better planned with Analysis to predict crime of evil !Society is sick !

    • To carry your argument further, everybody should be implanted with RFID chips and every room should have an A/V camera installed. That way everybody can be surveilled 24/7/365 and no evil will go undetected.

      Unfortunately, it is a government-sponsored lie that they need all this data to uncover planned acts of terrorism. Governments want the data to be able to control the populace. When was the last time you heard of some agency thwarting a plot through electronic means? With all this electronic communications being recorded and analyzed acts of terrorism are still being committed on a daily basis. If acts of terrorism are thwarted, it is because somebody snitches.

      Used to be that agencies such as KGB, Stasi, Gestapo, etc were vilified for their surveillance of the citizens. Now, supposedly democratic countries from the supposedly Free World are instituting surveillance policies that make the above-mentioned institutions look like a bunch of amateurs.

      “Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.”
      Benjamin Franklin

    • Judging by the appalling spelling and grammar, I would think that “Togo” is of limited intelligence and possibly a border-line troll. A backdoor to encryption is quite obviously the biggest no-no ever in the history of computing and to suggest that it be implemented shows that any person advocating this draconian move has not the slightest inkling or concern for the consequences if (as is almost sure to happen) the “backdoor” is obtained by the sort of villains that seem to inhabit the net these days. Perhaps “Togo” doesn’t care if his bank account is raided and emptied or if any personal details that he/she would prefer to be kept private were to be plastered all over the net. The rhetoric about having nothing to fear if you’re doing nothing wrong is total twaddle. It’s all about government control and it’s about time these elected jokers realized that they are supposed to be serving us, the public – not going about their own agenda and spying on the very people that put them in the positions they occupy.

      • “Judging by the appalling spelling and grammar, I would think that “Togo” is of limited intelligence and possibly a border-line troll. ”
        While I agree with your assessment, it is possible that English is not Togo’s native language. :-)

  3. Looks like George Orwell was right on the money the whole time, he just got the date wrong by about 40, maybe 50 years….

  4. Well dang. A lot of financial advisors, bankers, portfolio managers, etc. use RSA encryption for our money. If the right hacker finds that backdoor, poof. There goes our money. Not only that, but many 2-factor authenticators would be compromised making current multi factor login systems useless.

    • RSA is still “sort of” safe from prying eyes. Dual_EC_DRBG isn’t the only module they can use. They can simply opt out of it. The thing is that if they just use RSA “out of the box”, it will have that component enabled by default.

Comments are closed.

Sponsored Stories