Encryption Backdoors: The Achilles Heel to Cybersecurity?
The war against cybercrimes is ongoing and should not be halted or terminated because cybercriminals are not on the verge of giving up any time soon. Rather, they seem to be getting tech savvier on a daily basis.
The war against cybercrime is ongoing and should not be halted or terminated because cybercriminals are not on the verge of giving up any time soon. Rather, they seem to be getting tech savvier on a daily basis. (Read How Cybercriminals Use GDPR as Leverage to Extort Companies.)
Taking a look at the IC3 Complaint Statistics 2014-2018, it becomes very glaring that we are really facing a cyberwar across the globe.
IC3 statistics showing a significant increase in total losses during 2018 (source: FBI IC3)
Different technological and non-technological measures such as weak and strong passwords, single, double, and multi-factor authentication are being fashioned out to arrest the menace caused by hackers but due to the fact that technology itself is advancing rapidly, it will still take some level of work to be able to have full control of the situation. (Read Is Security Research Actually Helping Hackers?)
Some of the measures that have been posited to use in tackling cybercrime include:
While the zero-trust strategy is not technologically based, both VPN and blockchain are based on technology. Despite the fact that they may have their different shortcomings especially as even renowned VPN providers can have privacy issues the good news is that both have encryption as a feature.
What's the Connection Between Encryption Backdoors and the Government?
It’s rather unfortunate that despite all the effort being put in place to ensure that organizations, governments, and individuals are secured, it is the government that may be constituted a stumbling block in checkmating the activities of cybercriminals.
They claim this is necessary for the interests of national safety and security as criminals and terrorists increasingly use encrypted messages to communicate online.
The FVEY governments believe that there is a widening gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data, which they term "a pressing international concern." In their opinions, this clearly demands "urgent, sustained attention and informed discussion."
What Exactly is Encryption, Anyway?
Encryption is the method by which your data is converted into a secret code that conceals the information's true meaning. (Read Trusting Encryption Just Got a Lot Harder.)
You make use of encryption algorithms or ciphers to encode or decode messages. If an unauthorized party manages to intercept your encrypted data, the only way such data can be meaningful to the intruder is by haphazardly guessing which cipher was used to encrypt the message and also what keys were used as variables.
The possible number of combinations that can be used to crack this type of encryption can keep a hacker working throughout life without success. This makes encryption a very valuable asset and security tool.
Why All the Hues About Encryption?
Encryption can be said to be the basic block on which information technology (IT) assets are built and without it, cybercriminals will be having a field day as things are currently. Before going through the tunnel, your data gets encrypted with a special pre-configured algorithm.
Then going out of your device, the encrypted traffic goes via the tunnel to a blockchain or VPN server. The server contacts the requested Internet resource, traffic is decrypted and reaches the resource in an unencrypted way.
The process is the same backward: your data from the website is unencrypted, then it becomes encrypted and conveyed through the tunnel to you where it is finally decrypted.
The Federal Bureau of Investigation (FBI), are brimming hell on technology companies that offer end-to-end encryption (E2EE). Their argument is that such encryption restricts law enforcement from accessing data and communications even with a warrant.
The FBI described this issue as "going dark," and the U.S. Department of Justice (DOJ) is not taking it with a pinch of salt either. The DOJ is calling for what they termed "responsible encryption" that can be unbarred by technology companies under a court order.
Taking it to the extreme, Australia enacted a law that made it compulsory for visitors to render passwords for all digital devices when before entering the country. A five-year jail term is a punishment for failure to comply.
Benefits Derivable from Encryption
- Confidentiality — the message’s content is encoded.
- Authentication — you can easily verify the origin of the message.
- Integrity — ensures that the content of the message is still intact and has not been tampered with.
- Nonrepudiation — senders have no way of denying the encrypted message originated from them.
Even when you fail to have security behind your mind, the fact that you must meet up with the world’s best standards makes it mandatory for you to encrypt your data since you must meet compliance regulations.
Quite a number of organizations and standard bodies recommend or mandate that sensitive data must be encrypted in order to prevent unauthorized third parties or hackers from accessing the data.
A case in point is that of the Payment Card Industry Data Security Standard (PCI DSS) where it is absolutely necessary that merchants must encrypt customers' payment card data when it is both stored at rest and broadcasted over unrestricted channels.
5 Examples of Encryption
Making use of link-level encryption, you have your data encrypted data when it leaves your network, decrypted at the next link, which may be a host or a relay point, and then it’s re-encrypted before it is sent to the next link. You have the advantage of using a different key or even a different algorithm for data encryption by each link.
This process keeps on repeating until your data gets to its destination.
Cloud storage encryption
The world is talking Cloud storage and hence the encryption of data in the cloud cannot be overemphasized. Cloud storage providers are able to encrypt data using encryption algorithms and the data is then placed in cloud storage.
The fundamental difference between cloud encryption and in-house encryption is that cloud customers must take time to learn about the provider's policies and procedures for encryption and encryption key management in order to ensure that encryption is in league with the level of sensitivity of the data being stored.
With Network-level encryption you are able to apply crypto services at the network transfer layer — above the data link level but below the application level. The implementation of network encryption is facilitated through Internet Protocol Security (IPsec) as a set of protocols and authentication methods developed for data protection just at the dawn of the Internet, which is a set of open Internet Engineering Task Force (IETF) standards that, when used in conjunction, design a structure for private transmission over IP systems.
This is based on the quantum mechanical properties of particles to protect data. Going by the Heisenberg uncertainty principle which posits that the two identifying properties of a particle — its location and its momentum — cannot be measured without changing the values of those properties, quantum cryptography is strongly positioned to ensure the security of your data.
For this reason, it’s practically impossible to copy any quantum-encoded data since any attempt to access the encoded data will change the data. This will raise a red flag and the authorized parties to the encryption will be notified of the attempted breach.
End-to-end encryption (E2EE)
E2EE ensures that any data being sent between two parties cannot be viewed by an attacker who may have one way or the other intercepted the communication channel. However, the use of an encrypted communication circuit, as provided by Transport Layer Security (TLS) between web client and web server software, is not always enough to ensure E2EE.
You should ensure that the actual content you are transmitting is encrypted by client software before being passed to a web client and decrypted only by the recipient. Examples of messaging apps that provide E2EE include Facebook's WhatsApp and Open Whisper Systems' Signal.
It’s also possible for Facebook Messenger users to get E2EE messaging with the Secret Conversations option.
Looking at this succinctly from all angles, what the government is trying to do maybe for the intended good of the populace with encryption backdoors will clearly and overwhelmingly jeopardize the privacy and security of everyone. They should ponder on the gravity of cybercriminals exploiting these same backdoors they are clamoring for.
Without encryption backdoors, the cybercrime situation is barely containable as it stands. What will the scenario look like if we open up our last line of defense to them?
And this is exactly what we shall obtain. The risks are of mammoth proportions.