Backdoors in encryption products

After the recent terrorist attacks the governments are again pushing for more surveillance and the old debate on the necessity of the backdoors in encryption software raises its ugly head again. Leaving the surveillance question aside, let’s see, what does it mean to introduce backdoors to programs and how they can be harmful, especially when we are talking security and encryption?

Generally, a backdoor is an additional interface to a program that is not documented, its existence is kept secret and used for purposes other than the main function of the program. Quite often, a backdoor is simply a testing interface that the developers use to run special commands and perform tasks that normal users would not need to. Such testing backdoors are also often left in the production code, sometimes completely unprotected, sometimes protected with a fixed password stored in the code of the program where it is easy to find, i.e. also unprotected. Testing backdoors may or may not be useful to an attacker depending on the kind of functionality they provide.

Sometimes the backdoors are introduced with an explicit task of gaining access to the program surreptitiously. These are often very powerful tools that allow full access to all functionality of the program and sometimes add other functions that are not even available at the regular user interface. When talking about security and encryption products, such backdoors could allow unauthorized access, impersonation of other users, man-in-the-middle attacks, collection of keys, passwords and other useful information among other things.

The idea of the proponents of introducing backdoors into security and encryption software is that we could introduce such backdoors to the encryption and other tools used by general public. Then, the access to those backdoors would only be available to the police, justice department, secret services, immigration control and drug enforcement agencies… did I miss any? Maybe a few more agencies would be on the list but they are all well behaved, properly computer security trained and completely legal users. And that access would allow them to spy on the people using the tools in case those people turn out to be terrorists or something. Then the backdoors would come in really handy to collect the evidence against the bad guys and perhaps even prevent an explosion or two.

The problem with this reasoning is that it assumes too much. The assumptions include:

1. The existence and the access to the backdoors will not be known to the “bad guys”. As the practice shows, the general public and the criminal society contain highly skilled people who can find those backdoors and publish (or sell) them for others to use. Throughout the computer history every single backdoor was eventually found and publicized. Why would it be different this time?
2. The “bad guys” will actually use the software containing the backdoors. That’s a big assumption, isn’t it? If those guys are clever enough to use encryption and other security software, why would they use something suspicious? They would go for tools that are well known to contain no such loopholes, wouldn’t they?
3. The surveillance of everyone is acceptable as long as sometimes one of the people under surveillance is correctly determined to be a criminal. This whole preceding sentence is by itself the subject of many a fiction story and movie, “Minority Report” as an example comes to mind. The book “Tactical Crime Analysis: Research and Investigation” might be a good discussion of problems of predicting crime in repeat offenders, now try applying that to first-time offenders – you get literally random results. Couple that with the potential for abuse of collected surveillance data… I don’t really even want to think about it.

So we would en up, among other things, with systems that can be abused by the very “bad guys” that we are trying to catch while they use other, trustworthy, software and the surveillance results on the general population are wide open to abuse as well. I hope this is sufficiently clear now.

Whenever you think of “backdoors”, your knee-jerk reaction should be “remove them”. Even for testing, they are too dangerous. If you introduce them in the software on purpose… pity the fool.