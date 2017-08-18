How Security Pros Look at Encryption Backdoors (helpnetsecurity.com) 13
An anonymous reader shares a report: The majority of IT security professionals believe encryption backdoors are ineffective and potentially dangerous, with 91 percent saying cybercriminals could take advantage of government-mandated encryption backdoors. 72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists, according to a Venafi survey of 296 IT security pros, conducted at Black Hat USA 2017. Only 19 percent believe the technology industry is doing enough to protect the public from the dangers of encryption backdoors. 81 percent feel governments should not be able to force technology companies to give them access to encrypted user data. 86 percent believe consumers don't understand issues around encryption backdoors.
I can only conclude that almost 20% of security professionals surveyed are utterly incompetent.
You must live in Switzerland.
It's dangerous to say stuff like this sarcastically now. Some idiot will think it's a good idea and run with it.
How to describe encryption backdoors to idiots and non-technical people.
Ask them to pull out their house key. Now have them go make 10,000 copies of that key and label each key with their name, address and door location. Have them include their normal working hours.
Now they are to pass out those keys to every police officer, fire department, medical service group in their area just in case the government needs to get in their house in an emergency.
Now ask them a question: how likely would it be that 1 out of 10,000 would get lost or misplaced and end up in the wrong hands?
100% of the people I have explained it to that way suddenly change their minds, though it is still a small sample size. Once a generic key has been created and passed around you might as well not have a key.
Security through obscurity doesn't work.
Using obscurity in encryption just doesn't work. It has to be assumed that everything about the encryption method is known, which is typically why everything about encryption methods is known: the algorithms and source code are always available to anyone.
What is secret is the key that is used.
Introducing a backdoor would mean that the method of how this backdoor is implemented would be known to everyone - it has to be, or at least assumed to be. So the only way to implement a backdoor "securely" is by using a key. This means hardcoding a public key into all public/private key encryption schemes and using both it and the users' public keys to encrypt the data, which is typically just encrypting the key for the symmetric encryption method (AES, for example) being used.
I don't believe there would be a way to incorporate an extra key in a symmetric encryption system. Certainly not without seriously harming how the encryption works. And how would you hide the key? If the key is hard coded, everyone knows what it is, and can thus decrypt with it.
Then you run into the problem of what happens once these hard coded keys are known to everyone, 'cos you know it's only a matter of time before they are either leaked or found. A global key to unencrypt all internet traffic: every hacker and cracker, no matter if they are white, grey, black, or any other colour hat, would be searching for that key. And it wouldn't take all that long to find, given enough computing power (read: botnet).
If a government does force this to happen, you know that they will be the first target for all of these people who find the global key(s).
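The comment above sketches how a "backdoor" would actually have to be built: the symmetric data key is wrapped not only to the recipient's public key but also to a hard-coded escrow public key. The following Go program is an added example written for this page; it is not code from the article, the survey, or any commenter. It uses X25519 and AES-256-GCM from the Go standard library, and the envelope layout, the `Encrypt`/`Decrypt` names and the `"escrow-demo-kek-v1"` derivation label are assumptions made for the demo, not a real protocol. It shows that whoever holds the escrow private key opens every envelope, and that a client which simply omits the escrow slot still interoperates with the recipient.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the message format of this toy scheme (constructed for the example).
type Envelope struct {
	EphemeralPub []byte   // sender's one-time X25519 public key
	Body         []byte   // nonce || AES-256-GCM ciphertext of the message under a random data key
	Slots        [][]byte // the data key wrapped (nonce || ciphertext) to each authorised public key
}

var curve = ecdh.X25519()

// gcm returns an AES-256-GCM AEAD for a 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key with a fresh random nonce and returns nonce || ciphertext.
func seal(key, pt []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// open reverses seal; GCM authentication makes it fail under any other key.
func open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// wrapKey derives a key-encryption key from an X25519 agreement. Sender and
// receiver hash the same inputs: shared secret, ephemeral public key, static public key.
func wrapKey(shared, ephPub, staticPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("escrow-demo-kek-v1")) // hypothetical domain-separation label
	h.Write(shared)
	h.Write(ephPub)
	h.Write(staticPub)
	return h.Sum(nil)
}

// Encrypt seals plaintext under a random data key and wraps that key to every
// public key in authorised. A "compliant" client always includes the escrow key;
// nothing in the cryptography forces it to.
func Encrypt(plaintext []byte, authorised ...*ecdh.PublicKey) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	body, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	env := &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Body: body}
	for _, pub := range authorised {
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		slot, err := seal(wrapKey(shared, env.EphemeralPub, pub.Bytes()), dek)
		if err != nil {
			return nil, err
		}
		env.Slots = append(env.Slots, slot)
	}
	return env, nil
}

// Decrypt tries every slot with priv: any authorised private key, escrow included,
// recovers the data key and therefore the message.
func Decrypt(env *Envelope, priv *ecdh.PrivateKey) ([]byte, error) {
	ephPub, err := curve.NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	kek := wrapKey(shared, env.EphemeralPub, priv.PublicKey().Bytes())
	for _, slot := range env.Slots {
		if dek, err := open(kek, slot); err == nil {
			return open(dek, env.Body)
		}
	}
	return nil, errors.New("no slot opens with this key: not an authorised party")
}

func main() {
	recipient, _ := curve.GenerateKey(rand.Reader)
	escrow, _ := curve.GenerateKey(rand.Reader) // the mandated "global" key
	stranger, _ := curve.GenerateKey(rand.Reader)
	msg := []byte("meet at 9, bring the documents") // constructed sample message

	env, err := Encrypt(msg, recipient.PublicKey(), escrow.PublicKey())
	if err != nil {
		panic(err)
	}
	for name, k := range map[string]*ecdh.PrivateKey{"recipient": recipient, "escrow": escrow, "stranger": stranger} {
		pt, err := Decrypt(env, k)
		fmt.Printf("%-9s -> %q %v\n", name, pt, err)
	}
	// A client that leaves the escrow slot out still interoperates with the recipient.
	env2, _ := Encrypt(msg, recipient.PublicKey())
	_, err = Decrypt(env2, escrow)
	fmt.Println("escrow on a non-compliant envelope:", err)
}
```

Two things to notice when running it. First, the escrow private key is a single secret whose compromise retroactively opens every envelope ever produced by a compliant client; there is no per-message forward secrecy for the escrow slot, because the slot is only as secret as that one long-lived key. Second, `Encrypt(msg, recipient.PublicKey())` yields a perfectly valid envelope that the recipient reads and the escrow holder cannot, so the mandate can be enforced only by controlling the client software, not by the cryptography.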