The debate about placing encryption backdoors in messaging applications has been going on for many years. However, the issue with backdoors is not a new one—back in 2007, an NSA-originated backdoor was discovered in a random number generator algorithm. Why are backdoors the so-called double-edged sword of the cybersecurity world? In this blog, I’ll define what an encryption backdoor is and how it has evolved in recent history.
What is encryption?
Before we look at encryption backdoors, it’s important to understand the encryption part of that equation. Encryption is the process of encoding and decoding messages using cryptographic methods, so that only authorized people can view their contents. Cryptography is not a new invention; it has been present since ancient times. However, as the digital age evolves, computers introduce much more complex encryption patterns and schemes.
The encryption backdoor idea
Stanford University defines the backdoor in computing as a method of bypassing the normal authentication procedure. It is a piece of code, embedded (hidden) into a program or algorithm, software or hardware, prior to its distribution, that will allow future access. In cryptography, this allows an intruder to access the encrypted information without having the correct credentials. Imagine the encryption backdoor as your spare door key, placed under a pot in the backyard of your house: if a thief finds it, the damage would be devastating.
Encryption backdoors are similar in theory to vulnerabilities, both offering an unorthodox way for someone to enter a system. The difference is that backdoors are put in place on purpose, whereas vulnerabilities are accidental in nature. The nature of backdoors—hidden and known by only an important few—makes them a popular and powerful weapon among cybercriminals.
It is important to understand that encryption backdoors can be used for good as well as for evil. Let’s examine the metaphorical sword of encryption backdoors and take a closer look at its two edges—the good one, where built-in backdoors exist, and the evil one, where malware backdoors lurk.
Built-in backdoors can be used to restore user access when there is no other way around, as well as for troubleshooting purposes. Software developers often create them to bypass the authentication process of the application while they are building it. The problem is that they often forget to delete these backdoors from the final product, potentially leaving these apps vulnerable to criminals.
Encryption backdoors can also be useful to tackle criminality, especially to detect terrorist conversations and Child Sexual Abuse Material (CSAM) hidden in encrypted messaging applications. Governments and law enforcement services request built-in backdoors to gain lawful access, if needed, in criminal and cybercrime investigations. Upon agreement, the backdoor is installed at the product development phase, prior to its retail distribution. In many cases, tech companies and privacy groups reject the idea of placing backdoors, raising credible security and privacy concerns.
On the other hand, malware backdoors are created on purpose for nefarious ends. Because they can disguise nefarious activity, they are considered Trojans: an attacker can use them not only to access the infected system, but also to move laterally undetected throughout the corporate network. Attackers can further exploit backdoors either to install spyware and keyloggers or to launch ransomware attacks.
As modern business models rely on extensive and complex software supply chains, bad actors take advantage and inject malware backdoors into open-source code. A 2020 report, conducted by GitHub, revealed that almost 20% of software bugs serve malicious purposes.
It may seem that our world would be better without encryption backdoors. Real-life stories show that backdoors create problems for individuals and businesses, resulting in lawsuits and financial compensation for the companies involved. But let’s not be too hasty. Is their extinction what we really want?
Encryption backdoors can help maintain national and global security. Governments need to have the means to get evidence in a criminal case; a tool that reduces the growing technological gap between the “good ones” and the cybercriminals. For that reason, they support encryption design by companies that is strong but not unregulated. Government entities argue that the rules of access to digital data and potential crime elements can’t be defined by the tech industry for all of society.
Real-world examples have shown that in many cases criminal investigations have been closed due to inaccessible locked phones. To overcome any legal concerns about privacy, a “key-escrow” system is proposed—where a trusted third party, operating as a secure vault for keys, allows decryption if legal permission is granted.
The problem is pretty obvious. Bad guys can detect a backdoor and gain illegal access. Systems with encryption backdoors are vulnerable to cybercriminals. Having backdoors in their systems, companies jeopardize their brand name and reputation.
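The key-escrow arrangement and its weak point, modelled as an added example (not code from the original post): the vault class, the court key, and the device and case identifiers are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real cipher. It shows the vault releasing a key only for a valid authorization, and that a copy of the vault's stored keys decrypts the same message with no authorization at all.

```python
import hashlib
import hmac
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 counter keystream) so this runs on the
    standard library alone; a real system would use a vetted AEAD."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def authorize(court_key: bytes, case_id: str, device_id: str) -> bytes:
    """The court's authorization: a MAC binding one case to one device."""
    return hmac.new(court_key, f"{case_id}|{device_id}".encode(), hashlib.sha256).digest()

class EscrowVault:
    """Hypothetical trusted third party holding a copy of every device key."""

    def __init__(self, court_key: bytes):
        self._court_key = court_key  # assumption: shared with the court
        self._keys = {}              # device_id -> escrowed key
        self.audit_log = []          # (device_id, granted) per request

    def deposit(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key

    def release(self, device_id: str, case_id: str, tag: bytes):
        """Return the key only for a MAC-valid authorization; log every request."""
        expected = authorize(self._court_key, case_id, device_id)
        granted = hmac.compare_digest(expected, tag)
        self.audit_log.append((device_id, granted))
        return self._keys[device_id] if granted else None

def demo():
    court_key, device_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    vault = EscrowVault(court_key)
    vault.deposit("phone-001", device_key)              # constructed device id
    ciphertext = xor_stream(device_key, nonce, b"meet at noon")
    tag = authorize(court_key, "case-42", "phone-001")  # constructed case id
    lawful = xor_stream(vault.release("phone-001", "case-42", tag), nonce, ciphertext)
    # An authorization issued for one device must not unlock another.
    denied = vault.release("phone-002", "case-42", tag)
    # The check above is policy in the vault's code, not cryptography: a copy
    # of the stored keys decrypts everything without any authorization.
    stolen = dict(vault._keys)                          # simulated copy of vault storage
    leaked = xor_stream(stolen["phone-001"], nonce, ciphertext)
    return lawful, denied, leaked, vault.audit_log
```

The audit log records both release requests but has no entry for the read through the copied key store, which is why the vault's storage and access paths need protection and monitoring of their own.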
Backdoors create ethical dilemmas related to state surveillance. The citizens’ privacy can be at risk. By having a backdoor installed in a system, any governmental organization can eavesdrop and access their personal data and information.
Despite the strong refusal of tech companies to incorporate encryption backdoors into their products, the industry will most likely have to coexist with backdoors. The best we can do is to know what they are, how they work, and how to protect ourselves.
On the other hand, we should acknowledge that backdoors can be useful tools in certain cases. The tradeoff is that we risk our privacy and expose our personal data to unauthorized entities. The problem will get bigger when we consider technological evolution, such as the Internet of Things (IoT) and the flood of smart devices all over our lives.
Unless there is legislative coercion for companies to accept encryption backdoors, the debate about encryption backdoors will intensify, especially as technology and law evolve. The development of a wide-reaching policy would help: a policy that will set a well-defined “blue line” on how technology can be used to serve humanity. This will allow solid encryption practices and let governments solve crimes and maintain public safety.
The strength of encryption is defined by how effectively we protect the integrity of the cryptographic algorithm and the security of the encryption keys. Venafi Trust Protection Platform protects your organization’s TLS keys and certificates, SSH keys, and code signing keys against misuse or compromise. To learn how to protect your organization’s machine identities, contact our experts today.