Keys Open Doors
Waging (the Wrong) War on Encryption
On the morning of February 17th, Apple CEO Tim Cook published an open letter to the company’s customers, in which he elaborated on recent FBI attempts to implement a backdoor in iOS devices. Specifically, the Bureau seeks the ability to gain entry into an iOS device through the use of brute force, by using a version of the iOS operating system that allows a user’s passcode to be entered electronically. In layman’s terms: imagine using every key ever fashioned to try to unlock someone’s front door — Eventually, one will work. With the help of powerful computers, testing every possible key electronically then becomes a rather effective attack strategy.
At present, Apple prevents this attack by requiring the manual entry of passcodes, and locks the device after multiple failed attempts — a security measure the FBI is clearly not particularly fond of. On top of that, the user has the option to erase all data on their phone after ten failed attempts, which is even more troublesome for those attempting a brute force strategy. While this is not necessarily a new or unique approach to securing information (think “burn after reading”), this power in the hands of individuals with malicious intent is an understandable concern for law enforcement and the intelligence community.
As mentioned in Cook’s letter, this effort by the FBI is clearly motivated by the recent San Bernardino terrorist attacks, in which an iPhone was used to communicate details of the plan. Because those responsible for the attack used passcodes on their phones, they proved useless to the law enforcement agents. In response, Apple has been helping the FBI as much as possible, within legal bounds, providing encrypted data and making their security engineers available for the purposes of the investigation. This has put Apple in an interesting ethical dilemma, with some in the mainstream media accusing them of supporting terrorism, citing legal research that suggests their accountability. On the other hand, Apple’s respect for personal liberty is laudible in the eyes of the increasing number of privacy-conscious consumers.
This seems to suggest that we, as a society, must soon choose between true privacy and true national security. Is that really the case? While my initial thought is no, it is a rather complex question with no obvious answer. With respect to Apple’s situation, however, things are more cut and dry. If Apple is to comply with the ruling of the federal court, then iOS will be modified so that it can be unlocked with a brute force attack. The fact that this idea is even being entertained by lawmakers demonstrates the disconcerting technological illiteracy of public officials. This decision sets a daunting legal precedent, jeopardizing the right to privacy of every American, as well as the integrity of the American tech industry.
Backdoors: Bad For Business
With a rudimentary understanding of information security, backdoors can seem like a good idea. Let’s go back to the scenario from earlier, where you have locked the front door of your house in an effort to protect your family and personal possessions. You have a key for yourself, obviously. You may also have copies of that key, which you have given to your family.
Now, imagine an attacker approaches your front door with every key ever made. With enough time, it is absolutely certain that they will get inside your house. In the current version of iOS, however, you would be able to catch this person before he or she had the chance to try every key. They would be arrested before breaking into your house. However, the FBI is essentially asking Apple for a “master key” which prevents you from stopping the attacker before he or she can get inside. This key would also open any door using the same lock — anyone with an iOS device. If you were this person, wouldn’t you want to buy a new lock?
That is, unfortunately, exactly what would happen. Apple’s integrity would be entirely compromised — once a master key is made, it can be copied and shared with others. The simple fact that a possible master key exists means that someone somewhere will replicate it. It may take years, or months, or days, but it will happen. Those people probably won’t work for the FBI, either. Rather, they could be con artists actually looking to use your personal information against you.
It is naïve to think that the implementation of backdoors would stop with Apple. With this decision, the same restrictions could be applied to any other tech company operating in the United States, including Google, which maintains the largest open-source mobile operating system in the world: Android. If the government pursues a backdoor in Android, a huge assortment of security implications come with it, because Android is not just the backbone of countless mobile phones; it is also used on watches, televisions, and vehicles. If the thought of having your car hacked has not crossed your mind yet, then take a minute or two to imagine the repercussions of such an event.
The implementation of backdoors is simply too dangerous, and would be the equivalent of opening the floodgates for attackers around the world. Despite the entirely respectable intentions of U.S. lawmakers, advancements in cryptography and information security cannot be held back. The only real consequences of legal restrictions are significant economic turmoil for American tech companies and the compromisation of Americans’ personal information. In a recent survey of worldwide encryption products, researchers from the Berkman Center for Internet and Society show that there are countless alternatives to American encryption products, many of which are free or open-source (subject to international scrutiny). If regulations are enforced upon American tech companies, then people — whether harboring malicious intent or otherwise — will turn to foreign services. Instead, American tech companies should be working with the government to push encryption technology even further.
When it comes to unlocking encrypted devices, however, it is clear that a more powerful approach is needed — something which serves as the equivalent of breaking the front door down. Policymakers can find such a technology in quantum computation, which serves to upset the entire security industry in the coming years.
Cryptographic Kryptonite: Quantum Computation
Quantum computation is a very powerful tool that will come to render all current encryption methods obsolete. Having started as an idea in the early 1980’s, researchers have made significant progress in the development of such a machine, but there is still a lot more to learn. For more information, consider checking out the D-Wave project that is being supported by institutions such as Lockheed-Martin, Google, NASA, and the University of Southern California.
In a traditional computer, everything is stored in memory as a combination of 0’s and 1’s. These ‘states’ can be seen as a sort of power switch — are electrons flowing, or are they not? The text in this article, the typography it is presented with on your display, and every movement you make with your mouse and keyboard are translated to these 0’s and 1’s. When the FBI says it wants to use brute force to unlock mobile phones, they mean cycling through every possible combination of 0’s and 1’s until they guess the correct key. Apple generates 256-bit keys using the Advanced Encryption Standard (commonly referred to as AES 256). A ‘bit’ is a single instance of a state that can either be a 0 or a 1. That means there are, in theory, 2^256 possible key combinations. In case you are curious, that’s 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 different possible keys.
Of course, it helps that computers are very efficient when it comes to this kind of repetitive, rudimentary task. To describe them as fast, however, would be a bit of a stretch. To cycle through every key would take too much time. Even assuming intel that limits the number of possible combinations, it would take a very powerful supercomputer — or a cluster of them — to crack these keys at the rate at which the FBI needs to unlock terrorists’ phones. Like the NSA and NASA, the FBI and other federal agencies are likely already investing heavily in quantum computation in an effort to make their jobs much easier. Quantum computers are built using ‘qubits’, which are the quantum counterpart of the bit which I previously described. Qubits are very fascinating quirks of quantum mechanics, which can be in one of any three states at any given time: 0, 1, or both. If the intricacies of quantum computers and qubits are keeping you up at night, I advise picking up Quantum Computation and Quantum Information (Nielson & Chuang). Ultimately, policymakers should know that these systems are very adept at cracking codes. With that in mind, if law enforcement agencies find themselves in the possession of a device that needs broken into, they can do so without simultaneously compromising the privacy of every law-abiding American citizen.
The bottom line is that legal restrictions are a step backward, not forward. It is reminiscent of the time when cryptography was classified as a munition and prohibited from being exported from the United States. How did that turn out? People protested by printing algorithms on t-shirts.
Rather than inhibit innovation, the United States government and law enforcement agencies have a duty to collaborate with the tech sector to (1) advance the security of consumer electronic devices, which are still susceptible to various foreign cyber attacks, and (2) invest heavily in quantum computation and other post-traditional-computer code-breaking technologies.