When Encryption Is A Crime Only Criminals Will Have Encryption

As we enter the silly season of another Presidential Election, and possibly because of a psychological condition that I am calling COVID Mania*, the government is once again making boneheaded moves to introduce and pass legislation that would allow the federal government and law enforcement agencies easier access to encrypted messages from criminal sources.  This issue comes up every five to ten years.  It seems that agencies such as the NSA, FBI, DHS, as well as a slew of other governments in China, India, Australia, New Zealand, Canada, Germany, and many others are working to weaken encryption in order to combat crime, child pornography, and terrorism.  This article will take a look at the history of governmental restrictions against encryption to show why it is not possible to have weak encryption that is still secure , and why these legislative attempts have failed in the past.

Phil Zimmerman and PGP

In 1991 Phil Zimmerman wrote PGP, the first publicly available public/private key encryption algorithm.  Available as a free and open source product, Zimmerman posted the source code publicly on the Internet.  At the time, the federal government classified encryption as a military weapon, and subjected it to export controls.  The publication of PGP was seen as a violation of the Arms Export Control Act.  Zimmerman was put through an intensive 3-year investigation by the government, but the investigation ended in 1996 without charges being filed.  This, and efforts by the RSA Corporation to remove encryption from export controls resolved this issue for a time.  Anyone with sufficient skills can create an encryption system.  Encryption not not solely a US invention, and foreign versions of encryption existed that were not subject to US export controls, and that this served only to reduce the sales and profits of US encryption companies.

Skipjack and the Clipper Chip

The Clipper Chip was an invention of the National Security Agency, and was a hardware chipset that was designed with a “backdoor” that would allow the NSA to intercept and decrypt messages secured by the Clipper Chip.  It was introduced in 1993 and was supposed to be implemented by telecommunications companies, but active resistance by the information technology and telecommunication industries prevented adoption, and the concept was defunct by 1996.

Skipjack was a cryptosystem that was designed to be used by the Clipper Chip.  It suffered from many flaws, and was based on technologies that in some cases were 40 years old.  It used a short 80-bit key to encrypt information in 64-bit blocks.  Skipjack was also a notable failure, and the Skipjack algorithm was declassified and published by the NSA on June 24, 1998.  It was decertified for use on Federal networks by NIST in 2016.  It was never widely adopted inside government or anywhere else.

Key Escrow

The Clipper Chip and Skipjack also introduced the concept of key escrow.  Key escrow would require users of encryption to submit their encryption keys to the government, to be held “securely” in a database, and would allow law enforcement agencies to access an encryption key subject to a court order.  The EFF preferred to call this “key surrender.”  Bruce Schneier has an excellent technical abstract on why key escrow is a huge security vulnerability and doomed to failure.

There are two or three obvious problems with key escrow.  The first is that criminals were unlikely to submit their keys in escrow, and so key escrow did not solve the fundamental problem providing a method to easily decrypt messages of criminals.  They could also choose to use their own home-brewed cryptosystems, or purchase encryption from foreign sources not subject to US law.

A key escrow database would only be used by legitimate businesses and entities.  The key escrow system would surely become a popular target of hackers, cybercriminals, and foreign espionage agencies, making the process of successfully securing this database against all forms of attack an unreasonable expectation.  Additionally, access could be gained illegally through bribery, extortion, and other forms of social engineering.  These breaches would impact only legitimate users, not criminals.

The Current Situation

Modern cryptography no longer depends on the use of static symmetric encryption keys. Most transactions use a combination of asymmetric public/private key pairs, and one-time symmetrical session keys.  More and more websites are converting from unencrypted HTTP websites to encrypted HTTPS websites.  All HTTPS encrypted web connections, such as you would use in online banking, shopping, ecommerce, or almost anything else, are secured using a one-time session key that is created at the start of your session and destroyed at the end of the session.  Escrowing these keys is not feasible or particularly useful.

The session key is created in your web browser, and is encrypted further using the public encryption key of the website.  The session key is then decrypted by the web site using it private key.  The now decrypted session key is now used by both parties, and destroyed at the end of the session.

Other concepts, such as Perfect Forward Secrecy, also change the encryption key for each session.  Again, key escrow does not provide a manageable source of encryption key information, and even if such a system existed, and encryption key would allow the decryptor access to one and only one session.

The government  continues to offer decryption solutions such as the creation of a Decryption Master Key, intentionally designed flaws in the encryption algorithm, key and message escrow, and trigger mechanisms that would allow decryption of message created by an application.  The problem with all these methods is that the criminals groups all have their own technology personnel that can exploit these weaknesses in order to attack victims of their schemes, as well as circumvent these decryption methods in ways that would protect them from law enforcement actions.  Basically, the weaknesses of these systems would fall on legitimate users, not the criminals.

The second problem is that we are being asked to trust our respective governments to not misuse these tools.  We have seen too many instances where the government and law enforcement are more interested in expediency and convenience, and act in flagrant violation of the Constitution and the law, and violate our civil rights at every opportunity.  This is my major opposition to their arguments.  I just don’t trust them.

Author’s note:  The term COVID Mania is something I may have coined to describe all the goofy behavior I have observed since the Pandemic was announced in February or March of 2020.  This includes mask wearing when driving alone in your automobile, rioting for social justice, arson and the destruction of minority owned businesses in the very neighborhoods where Black Lives Matter the most, and other goofiness related to the Pandemic.

Bruce Schneier has an interesting article on his blog titled COVID-19 and Acedia that talks about the same phenomenon.  Acedia is a real condition, “It’s a sense of no longer caring about caring, not because one had become apathetic, but because somehow the whole structure of care had become jammed up.”

And then this article about COVID fatigue from Malwarebytes.  So this is a thing.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.