‘Authentication — Crypto-Wars’ new frontline
9 February, 2016: the FBI requested Apple to unlock an iPhone device belonging to a suspect of the San Bernardino terror shootings. Given until 26 February to respond, Apple flatly refused. So began a drawn out legal battle and ongoing public debates surrounding the merits of encryption, pitting the national security community and the tech-world against each other. Captains of industry and five-star generals faced-off in fiery declarations.
As the FBI hired Japan-based Sun Corp to unlock the iPhone for close to $1 million, WhatsApp (April 5th) and Viber (April 18th) both raced to complete end-to-end encryption roll-out on their products. Across the pond, the second reading of the was discussed in the House of Lords. This Bill appeared just steps away from authorising state-sanctioned “equipment interference”.
Reaching a new zenith, a new chapter in the Crypto-Wars has begun.
Most “battles” in this Crypto-War occur in the legal and policy spheres.
This is primarily due to requirement that intelligence services and law enforcement have to request the right to access the encrypted data of individuals in specific cases (lawful intercept). Lawful Intercept has been a hallmark of the telecoms industry for decades, as network managers were compelled by the law to provide data that may help with criminal investigations. As made apparent to the British public in the public uproar created by the ‘Regulation of Investigatory Powers Act (RIPA 2000)’ (Snooper’s Charter) and the recent ‘Investigatory Powers Bill’, many policy-makers are striving to create greater legal leeway for intelligence and law enforcement.
Meanwhile, academics such as Thomas Rid (Rise of the Machines) from the War Studies Department at King’s College London, have discussed the place of encryption in society’s moral-compass, whether such leeway is morally justifiable. Legal, policy and academia interact reflexively in a constantly shifting Crypto-War landscape.
However, an aspect of this conflict is certain. Both the national security establishment and the tech-world are developing surveillance and encryption technologies far faster than laws or policy.
Just as Daniel Moore’s and Thomas Rid’s Cryptopolitik & the Darknet exposed the critical chasm between Westminster’s understanding of the Darknet and real traffic trends, the available technologies driving encryption out-pace the current laws sanctioning “equipment interference”. These technologies cover a variety of areas such as F-Secure’s Freedome (better VPNs) or Silent Circle’s head-to-toe phone encryption, but appear most notably in the field of web authentication.
The very fabric of the internet hinges on the idea of trust. Without trust, it would be impossible to be certain that a file from Mr. Smith actually comes from Mr. Smith. E-Commerce, E-Banking and in particular E-Voting rely on the trust of both their users and their servers to function properly. One major structure in charge of maintaining this trust is web authentication, or the structures of authentication and certification in place to make sure, for instance, that a certain ‘Mr. Smith’ is actually who he says he is. Currently one system, the Public Key Infrastructure (PKI), dominates this space since the Internet’s humble beginnings.
Public Key Infrastructure
The Public Key Infrastructure is a centralised model of assigning a certain number (or key) to each individual machine attempting to gain access to a given server on the internet. If Alice wishes to access a server, she will be put through a multi-step process before gaining access to that server:
- 1) A Registering Authority (RA) notes down Alice’s Public Key (unique credentials)
- 2) A Certificate Authority (CA) notes down the Public Key onto a Central Directory
- 3) The CA issues a certificate based on Alice’s Public Key, this certificate is Alice’s digital signature.
- 4) This signature is matched with the Server’s Private Key to grant access
- 5) The signature is verified again by a Validation Authority, in charge of double-checking the validity of digital signatures/certificates.
It is quickly apparent how such a system may lead to serious vulnerabilities. The Public Key Infrastructure is a chain of events that relies on the integrity of the initial Public Key, and on the reliable denotation of this key in each following step. Alice’s identity on the internet is directly bound to her key. Due to this, after having been registered by RAs, Public Keys are stored by CAs in “Central Directories”. The PKI paradigm relies on storing this type of identification information on supposedly “air-tight” info-caches.
Similar to how keeping a list of username and password pairings in an office drawer, “Central Directories” are inherently dangerous and have been the cause of some of the largest security breaches in web history (See 2011 DigiNotar Breach). The repeated communication between different steps of the PKI also mean that “Replay” attacks are easier to undertake, such as when a hacker eavesdrops until they are able to replicate a given communication/operation. Moreover, governments have worked with other companies in issuing fake certificates to sanctioned spyware and malware. One example being Gogo Inflight Internet’s alleged use of Google certificates, as sanctioned by the FCC shown in this letter. The top 5 Certificate Authorities are all based in the United States — food for thought!
Alternative Models
In light of these bedrock vulnerabilities, the tech-world has been busy. The Web of Trust model, gives the freedom to each network to gradually accumulate their list of “trusted introducers”, or trusted users, placed on a White-list. The idea is that the more White-list users are placed, the more authentic one becomes. This circumvents the need to pass through CAs hundreds of times, as is usually the case with any given web-application. The Distributed Trust model is the most innovative, however.
A Distributed Trust Infrastructural Model
In a D-TA model, Alice would for instance, only have to supply two different pieces of information (Step 1: Multi-Factor Authentication), a pin code and the fact that she is using Google Chrome (logo shown in Safari), before being assigned a “Unique Cryptographic Authentication Key” (Step 2) and thus accessing the server. Alice did not have to surrender any passwords, keys or personal information to any “Central Directories” to be identified and authenticated. To prove that Alice’s pin and browser-type is correct, the information is matched with two or more partial key-holders (called “Trusted Authorities” or TA). The TAs constitute a block-chain of key-parts that together form the key. At no time does any TA have access to the full key, nor does any information get stored on any registry. Every authentication key is unique.
The Distributed Trust model eliminates two of the most damaging sources of cyber-breaches: password-related breaches and ‘Man-in-the-Middle’ attacks. Without any directories to poach information from, this near-eliminates the possibility of ID-theft (think: 2014 OPM Hack, last April’s Mexican Voter Breach, the LinkedIn Breach). More relevant to the Crypto-Wars, this technology prevents a common-method with which governments agencies — including intelligence services — implanted spyware into social-media, e-mail, and banking apps. At the same time, Distributed Trust would protect every government server from sophisticated attacks. Eliminating the need for passwords and/or public-key registries makes web-security truly air-tight.
In light of the resurgence of Crypto-Wars in public debate, the fate of Distributed Trust hangs in the balance. Should governments prove to make headway in adopting Distributed Trust, this would limit Opposition parties (in some countries) and Hacktivists from penetrating public servers. While widespread private-sector adoption would lead to a much more secure internet, it would remove many of the spy tools available to law enforcement and intelligence services (those being made legal by “Electronic Surveillance”).
Yuji Develle, is an Undergraduate Representative and Editor for Strife Blog. A French and Japanese War Studies graduate; he is currently working for a London start-up specialised in cryptography. His interests lie in cybersecurity, energy security and other emerging security issues.
This article was originally published on Strife Blog on August 1st 2016. They have a brand-new website, so check it out if you’re interested in Conflict. As always, should you have any questions, send me a Twitter message.
