In the field of cryptography, a secretly planted backdoor that allows eavesdropping on communications is usually a subject of paranoia and dread. But that doesn't mean cryptographers don't appreciate the art of skilled cyphersabotage. Now one group of crypto experts has published an appraisal of different methods of weakening crypto systems, and the lesson is that some backdoors are clearly better than others in stealth, deniability, and even in protecting the victims' privacy from spies other than the backdoor's creator.
In a paper titled "Surreptitiously Weakening Cryptographic Systems," well-known cryptographer and author Bruce Schneier and researchers from the Universities of Wisconsin and Washington take the spy's view to the problem of crypto design: What kind of built-in backdoor surveillance works best?
Their paper analyzes and rates examples of both intentional and seemingly unintentional flaws built into crypto systems over the last two decades. Their results seem to imply, however grudgingly, that the NSA's most recent known method of sabotaging encryption may be the best option, both in effective, stealthy surveillance and in preventing collateral damage to the Internet's security.
"This is a guide to creating better backdoors. But the reason you go through that exercise is so that you can create better backdoor protections," says Schneier, the author of the recent book Data and Goliath, on corporate and government surveillance. "This is the paper the NSA wrote two decades ago, and the Chinese and the Russians and everyone else. We're just trying to catch up and understand these priorities."
The researchers looked at a variety of methods of designing and implementing crypto systems so that they can be exploited by eavesdroppers. The methods ranged from flawed random number generation to leaked secret keys to codebreaking techniques. Then the researchers rated them on variables like undetectability, lack of conspiracy (how much secret dealing it takes to put the backdoor in place), deniability, ease of use, scale, precision and control.
Here's the full chart of those weaknesses and their potential benefits to spies. (The ratings L, M, and H stand for Low, Medium and High.)
A bad random number generator, for instance, would be easy to place in software without many individuals' involvement, and if it were discovered, could be played off as a genuine coding error rather than a purposeful backdoor. As an example of this, the researchers point to an implementation of Debian SSL in 2006 in which two lines of code were commented out, removing a large source of the entropy needed to create sufficiently random numbers for the system's encryption. The researchers acknowledge that crypto sabotage was almost certainly unintentional, the result of a programmer trying to avoid a warning message from a security tool. But the flaw nonetheless required the involvement of only one coder, went undiscovered for two years, and allowed a full break of Debian's SSL encryption for anyone aware of the bug.
Another, even subtler method of subverting crypto systems that the researchers suggest is what they call "implementation fragility," which amounts to designing systems so complex and difficult that coders inevitably leave exploitable bugs in the software that uses them. "Many important standards such as IPsec, TLS and others are lamented as being bloated, overly complex, and poorly designed, with responsibility often laid at the public committee-oriented design approach," the researchers write. "Complexity may simply be a fundamental outcome of design-by-committee, but a saboteur might also attempt to steer the public process towards a fragile design." That kind of sabotage, if it were found, would be easily disguised as the foibles of a bureaucratic process.
But when it comes to a rating for "control" (the ability to distinguish who will be able to exploit the security weakness you've inserted), the researchers label implementation fragility and bad number generation as "low." Use a bad random number generator or fragile crypto implementation, and any sufficiently skilled cryptanalysts who spot the flaw will be able to spy on your target. "It's clear that some of these things are disastrous in terms of collateral damage," says paper co-author University of Wisconsin computer scientist Thomas Ristenpart. "If you have a saboteur leaving vulnerabilities in critical systems that can be exploited by anyone, then this is just disastrous for the security of consumers."
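The Debian case and the "low" control rating can be made concrete with a short sketch. This is an added example, not code from the paper or from Debian: it assumes, per the public record of the bug rather than anything stated in this article, that the process ID (at most 32,768 values) was the only seed input left, and it uses a SHA-256 toy generator and hypothetical function and host names to show how a defender can enumerate every possible weak key and audit an inventory against that blocklist.

```python
import hashlib
import os

# Assumption: default Linux PID ceiling, the only seed input left after the bug.
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Toy stand-in for a key generator seeded by nothing but the process ID."""
    return hashlib.sha256(b"toy-prng-seed:" + pid.to_bytes(2, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as a blocklist would store it."""
    return hashlib.sha256(key).hexdigest()[:16]


def build_blocklist() -> set:
    """Enumerate every key the weak generator can ever produce.

    The whole keyspace is 32,767 values, so the list is complete and anyone
    who knows the flaw can compute it: the 'low control' property.
    """
    return {fingerprint(weak_keygen(pid)) for pid in range(1, PID_MAX)}


def audit(inventory: dict, blocklist: set) -> list:
    """Return the names of hosts whose key appears on the blocklist."""
    return sorted(
        name for name, key in inventory.items() if fingerprint(key) in blocklist
    )


# Constructed sample inventory: two keys from the weak generator, two from the OS CSPRNG.
SAMPLE_INVENTORY = {
    "legacy-vpn": weak_keygen(4242),
    "build-server": weak_keygen(31999),
    "web-frontend": os.urandom(32),
    "mail-gateway": os.urandom(32),
}

if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} possible weak keys")
    for host in audit(SAMPLE_INVENTORY, blocklist):
        print(f"REPLACE KEY: {host}")
```

The same enumerate-and-compare approach is how key blocklists for this class of flaw work: once the seed space is known to be tiny, every affected key can be listed in advance and flagged for replacement.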
More here:
How To Sabotage Encryption Software (And Not Get Caught)