
How FBI vs. Apple could cripple corporate and government security

Rich Mogull | March 22, 2016
The implications go way beyond whether law enforcement can unlock an alleged criminal's phone.

The fight was known as the Crypto Wars, and the government, under President Clinton, eventually relented. Those attempts at control did little more than weaken the security of products and businesses. An encryption algorithm isn’t a nuclear centrifuge, and when all you needed to do was print source code for software in a book and ship it overseas for someone to scan into a computer and compile, the idea of restricting a bit of math to a national border became farcical. Especially when that math was already legal and public.

The U.S. government backed down on the battle for encryption because it was essential to running businesses and government services over the Internet. Attempts to allow encryption outside the country only in a weakened state left everyone vulnerable to attack since domestic systems also needed to support the lower security levels. The remnants of those early attempts are still having repercussions decades later.

Even without restrictions on encryption, the proper implementation is difficult. When I authored a paper on defending enterprise data on iOS 7, I had to describe how to best work around Apple’s incomplete encryption—the very holes that started this debate, and were later closed in iOS 8.

The Department of Justice, in their latest brief, states, “This burden, which is not unreasonable, is the direct result of Apple’s deliberate marketing decision to engineer its products so that the government cannot search them, even with a warrant.” That statement is an outright falsehood disguised as wishful thinking. Improving the encryption of iOS 8 was a security decision, one lauded by IT security departments everywhere, who had long been encrypting laptops to an equal standard.

Every golden key is a skeleton key

In his South by Southwest speech, President Obama stated, “I suspect the answer will come down to how we create a system where the encryption is as strong as possible, the key is as secure as possible, it’s accessible by the smallest number of people possible, for the subset of issues that we agree is important.”

There are existing techniques to enable third-party access to strongly encrypted systems. One widely used method uses an alternate key to decrypt data. Businesses will often support more than one key for a piece of data or a computer for various reasons, such as ensuring an IT department can still recover a corporate system if an employee tries to lock them out.

Apple and other technology providers could use this well-known method to allow government access to systems. The truth is this can be done relatively securely. We know how to keep incredibly sensitive encryption keys secure. It typically involves multiple people holding only fragments of the total key, extensive physical security, and non-networked systems. Ignoring the international privacy considerations, and the impact on these technology providers’ international business operations, if such a system were created and used in rare circumstances, it is highly unlikely to be broken.
