IEEE joins the ranks of non-backdoored strong cryptography defenders
'Exceptional access' is a really bad idea, says standards-setter, but one-off malware is cool
The Institute of Electrical and Electronics Engineers (IEEE) has joined the ranks of objectors to proposed law enforcement measures that would compromise access to strong cryptography.
The august engineering body went beyond merely opposing the popular understanding of what constitutes a “backdoor”, instead framing its opposition in terms of the broader expression “exceptional access mechanisms”.
According to the statement the Institute issued this week, its reasoning is:
- “Exceptional access mechanisms” weaken systems and embed vulnerabilities, creating risk for end users;
- Such mechanisms don't stop bad actors from using strong encryption, either created specifically for them, or obtained from countries that don't require access mechanisms;
- Busting crypto would hamper companies' ability to compete globally; and
- “Efforts to constrain strong encryption or introduce key escrow schemes into consumer products can have long-term negative effects on the privacy, security and civil liberties of the citizens so regulated.”
The IEEE does, however, acknowledge law enforcement requirements, and accepts that cleartext data on corporate servers should be available under warrant.
Likewise, and possibly controversially, the Institute listed “targeted exploits on individual machines” among the options it feels should be available to law enforcement, along with the less-worrying “forensic analysis of suspected computers, and compelling suspects to reveal keys or passwords.”
While none of this represents new thinking, it puts the IEEE firmly alongside individuals and organisations who have also criticised the idea that cryptography can be undermined without putting people at risk, en masse.
Most notably, Stanford professor Martin Hellman, of Diffie-Hellman fame, who helped invent the foundations of today's crypto systems; Columbia professor and USENET co-creator Steve Bellovin; top cryptographer Paul Kocher; and information security guru Bruce Schneier panned the FBI's repeated assertions that there's a crypto magic bullet.
Meanwhile, with much less fuss, Internet engineers have talked far less, issuing RFC 7258 and stating that “Pervasive Monitoring is an Attack”. That document has informed dozens of drafts and RFCs since, most designed to eventually make strong crypto ubiquitous.