One of the most
fascinating things about information security is the concept of a backdoor. What
is more interesting is the shear idea that the NSA desires to eavesdrop on our internet
traffic through the use of a backdoor. (Schneier, 2013) “[NSA] has secret agreements with
telcos to get direct access to bulk internet traffic. It has massive systems
like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can
identify ciphertext — encrypted information — and figure out which programs
could have created it” (Schneier, 2013) . Obviously, it is a little frightening
to know that the NSA can easily go through our internet communications and
collect our personal information whenever they want. It is even more alarming
that the NSA can undercover this encrypted information and which potential program
encrypted it to begin with.
Another
interesting item to note is that, “The NSA wants is to be able to read that
encrypted information in as close to real-time as possible. It wants backdoors,
just like the cybercriminals and less benevolent governments do. And we have to
figure out how to make it harder for them, or anyone else, to insert those
backdoors” (Schneier, 2013) . I guess this makes it our duty to
prevent the NSA from inserting these backdoors. It seems a little ironic that
we have to protect ourselves from the NSA. I thought they were on our side.
More specifically, it is the National Security Agency’s motto to state that
they are, “Defending our Nation and Securing the Future” (National Security Agency, 2013) . I hope the NSA
knows exactly what they are doing by wanting to incorporate all of these
backdoor “features.”
In order for NSA
to design backdoors, a few concepts should be considered. For instance, the
concept of low discoverability, high deniability, and lastly the concept of minimal
conspiracy should be considered. (Schneier, 2013) More specifically, “Low discoverability
[means] the less the backdoor affects the normal operations of the program, the
better. Ideally, it shouldn’t affect functionality at all. The smaller the
backdoor is the better. Ideally, it should just look like normal functional
code” (Schneier, 2013) . This makes sense to the idea of low
discoverability. You do not want functionality to be affected at all. Next is
the concept of high deniability. For instance the concept of high deniability
means, “If discovered, the backdoor should look like a mistake” (Schneier, 2013) . Lastly, there is
the concept of minimal conspiracy. “The more people who know about the backdoor,
the more likely the secret is to get out. So any good backdoor should be known
to very few people” (Schneier, 2013) . These concepts are all just basic
ideas of how the NSA could design their backdoors. (Schneier, 2013)
Some great
strategies to defend against backdoors include the following: (Schneier, 2013)
·
“Vendors should make their encryption code
public, including the protocol specifications. This will allow others to
examine the code for vulnerabilities.”
·
“The community should create independent
compatible versions of encryption systems, to verify they are operating
properly.”
·
“There should be no master secrets. These are
just too vulnerable.”
·
“All random number generators should conform to
published and accepted standards. Breaking the random number generator is the
easiest difficult-to-detect method of subverting an encryption system.”
·
“Encryption protocols should be designed so as
not to leak any random information. Nonces should be considered part of the key
or public predictable counters if possible. The goal is to make it harder to
subtly leak key bits in this information.”
There is no
definite method to defend against backdoors. The techniques listed above offer some
great techniques to help prevent backdoor problems. For instance, “With these
principles in mind, we can list design strategies. None of them is foolproof,
but they are all useful. I’m sure there’s more; this list isn’t meant to be exhaustive,
nor the final word on the topic. It’s simply a starting place for discussion.
But it won’t work unless customers start demanding software with this sort of
transparency” (Schneier, 2013) . It is clear that
this backdoor issue is one that the public needs to be aware of so that we can
all work together and try to get these problems resolved.
References
National Security Agency. (2013, September 4). National
Security Agency Central Security Service. Retrieved October 16, 2013, from
National Security Agency Central Security Service: http://www.nsa.gov/
Schneier, B. (2013, October 16). How to Design — And
Defend Against — The Perfect Security Backdoor. Retrieved October 16, 2013,
from Wired:
http://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-the-perfect-backdoor/
