Presidential Candidates Don’t Have the Key to Encryption

It’s scary to hear the 2016 presidential candidates talk about encryption and Internet security when attempting to thwart use of the Internet as a terrorist recruiting tool. As if it’s not bad enough when Donald Trump says, “in certain areas, closing that Internet up in some way.” There exists a common misconception (particularly in Trump’s target demographic) that the US controls the global Internet. Infrastructure in foreign countries provides Internet services to people living abroad. We don’t have a pretty switch with gold brocade, Mr. Trump.

So how do we intercede and monitor communications that have been protected by encryption? Here’s what our misinformed presidential contenders are saying:

Governor Pataki – “Companies are entitled to encrypt and protect their knowledge and their intelligence. But what we need is a back door for law enforcement to be able to… go in and access those communications.”

Governor Kasich – “…there are things called the Joint Terrorism Task Force, headed by the FBI, and made up of local law enforcement, including state police. They need the tools. And the tools involve encryption where we cannot hear what they’re even planning.”  And again, “…there is a big problem. It’s called encryption. And the people in San Bernardino were communicating with people who the FBI had been watching. But because their phone was encrypted, because the intelligence officials could not see who they were talking to, it was lost.”

Senator Rubio – “…tech companies such as Apple and Google should not create too-tough-to-crack encryption standards on their mobile devices and digital services.”

After being asked if companies should be required to help the FBI crack encrypted communications,

Ms. Fiorina – “… why did we miss the Tsarnaev brothers, why did we miss the San Bernardino couple? It wasn’t because we had stopped collecting metadata; it was because, I think, as someone who comes from the technology world, we were using the wrong algorithms.”

What Ms. Fiorina and her colleagues should know is that once communicated data has been encrypted, it cannot be decrypted without knowing the encryption key. There are two scenarios to consider. In the first, the encryption follows a standards-based encryption scheme like the one a web browser uses, and the only way to decrypt the communications is to “spoof” the recipient. To accomplish this, one must intercede in the communication by having access to the sender’s device or to the sender’s service provider and then pose as the actual recipient. This is not a trivial task, as it requires knowing who the originator is and having access to their physical device or their service provider’s real-time data stream.

The second scenario is even more daunting: if the encryption follows a private encryption scheme where only the sender and recipient know and have access to the encryption key, all bets are off. The operating systems provided in Ms. Fiorina’s “technology world” will have virtually no insight or ability to spoof the recipient. In this case, encryption and decryption are contained entirely within the application that creates the communication. What else should the presidential contenders know? Answer: “There’s an app for that.”

So what can be done to intercede? Many throw out the idea of a “back door” being built into the operating system. To monitor communications using a back door, the cyber-snoop would have to capture the incriminating data before the application encrypts the communications. This can be done by capturing and transmitting screenshots from the user’s display or by monitoring user keystrokes. The former is inefficient and unreliable at best; the latter is easily circumvented by not using the keypad provided by the operating system. In the end, as Apple’s CEO Tim Cook rightly points out, “the reality is if you put a back door in, that back door’s for everybody, for good guys and bad guys.”

About Pearl Software

Pearl Software is the developer of patented Internet monitoring software including Echo Crypto.View™ that provides endpoint visibility and control of encrypted data transfer. Its solutions are used by companies, government agencies, schools, hospitals and other public and private entities around the world. Its products are designed to provide network administrators with tools to monitor Internet usage and protect their networks from internal and external threats.  For additional news on Pearl Software, please visit pearlsoftware.com.
