Once again: Crypto backdoors are an insane, dangerous idea


The Washington Post editorial board lost its mind and called on the National Academy of Sciences to examine "the conflict" over whether crypto backdoors can be made safe: the problem is, there's no conflict.



Among cryptographers, the idea that you can make cryptosystems with deliberate weaknesses intended to allow third parties to bypass them is universally considered Just Plain Stupid. When proponents of backdoors speak, they always take pains to point out that they know nothing about crypto, but suggest that cryptographers just aren't trying hard enough to deliver the mythological "Golden Key" that will let "good guys" read your email, but not Chinese spies, identity thieves, and voyeurs.

The problem noted by many last year is that a backdoor to encryption, even if euphemistically rebranded as a “front door” or a “golden key,” is by definition a vulnerability. Building in backdoors threatens consumers and makes them vulnerable to criminals and hostile foreign governments alike. See, for example, the FREAK and Logjam vulnerabilities, discovered earlier this year. The FREAK attack can allow a malicious hacker to “steal or manipulate sensitive data” in transit—think, a password for your online banking, a credit card number, a compromising photo.

Both FREAK and Logjam originate out of 1990s “export-grade” cryptography—purposefully weakened encryption from the last time the government was pushing for the kinds of “golden keys” that the Washington Post is now advocating for. These days, not a week goes by that another major hack makes the news: OPM, Hacking Team, Ashley Madison. All this, even without a federal mandate to purposefully make things less secure.


A 'Golden Key' for Encryption Is Mythical Nonsense [Sarah Jeong/Motherboard]


(Image: GoldKey Security Token, Firewriter, CC-BY-SA)