Exceptional Access

From MgmtWiki

Full Title or Meme

Good Public Key Cryptography depends on the absolute protection of the Private Key Component of the public/private key pair. But it turns out that in most cases there is good reason to allow Exceptional Access to data protected by the key.

Context

  • Ever since strong cryptographic encryption technologies were created, shortly after computers became common, there have been governmental agencies that have worried that their lack of access to private data, under the existing rule of law, was a threat to the security of the Common Good that they are charged with protecting.
  • Soon after the NSA learned of the threat that computer cryptography posed to their surveillance capability, they started to work on mitigations in which the government held the keys in heavily protected escrow. This plan did not even consider the leakage of government "secrets" that has been a common part of reporting on government plans. But the threat posed by the AT&T Telephone Security Device 3600 in 1992 forced their hand and resulted in a hurried attempt to release the Skipjack encryption scheme based on the Clipper chip.
  • But Clipper failed in spectacular fashion, as reported on the front page of the New York Times. [1]
    When Dr. Blaze, a 32-year-old computer scientist at AT&T Bell Laboratories, discovered a basic flaw in the Government's cloak-and-dagger Clipper system recently, he was merely doing what he does best: pushing computer code until it breaks. But AT&T is poised to become a leading supplier of Clipper technology, which the Clinton Administration is promoting as a way to let law enforcement officials wiretap encoded telephone calls and computer transmissions in the digital age. And if Dr. Blaze's research undermines the Clipper, it could scuttle a multimillion dollar business.
  • The metastatic growth in government's desire for secrecy was described in the New Yorker as something that needed to be kept in check, rather than enabled. But what is really scary is that all of this secrecy doesn't work well. Leaks continue unabated, and there always seems to be yet one more agency that wants access to the secrets of its citizens with insufficient concern for their security. [2]
    Daniel Patrick Moynihan, the intellectual polymath who represented New York in the US Senate for 24 years, developed a well-founded skepticism toward government secrecy. Bureaucrats and others, Moynihan knew, could always conjure reasons to keep information under wraps, and the ratchet of secrecy generally worked in only one direction. Secrets begat more demands for secrecy, at ever greater peril to the public's right to know what was happening in its name. Secrecy, Moynihan wrote in his 1998 book of that title, thus became "a hidden, humongous, metastasizing mass within the government itself."

Problems

  • After the spectacular failure of Skipjack, the industry has been able to keep most governments at bay in their attempts to gain access to users' secret information.
  • There are many reasons why secret protections almost always need some sort of "break the glass" mechanism to activate an alarm or solve a security problem.
  1. User health information is widely regarded as containing many secrets that users should be able to protect from release to anyone without their consent. However, if the user is lying comatose at the scene of some major trauma, such concerns take second place to protecting the user's life. The absence of user consent must not be a hindrance to the overriding interest in protection of life itself.
  2. Legitimate governmental secrets
  • As of early 2019 there was nearly universal belief that it was not possible to design a secret protection scheme with a "break the glass" mechanism that would not be misused. “The answer is always, show me a proposal that doesn’t harm security,” says Dan Boneh, a celebrated cryptographer who teaches at Stanford. “How do we balance that against the legitimate need of security to unlock phones? I wish I could tell you.”[3]

Solutions

  • All governments make the case that they have the technology and security necessary to protect users' secrets. The fiasco with Skipjack blew the extreme version of that argument out of the water. Yet there are many cases where we have decided to give the government the discretion to decide when a "break the glass" event has occurred and access needs to be granted. For example, FirstNet was established in response to the lack of communications among emergency responders during the 9-11 tragedy. The resultant network and coordination with local governments allows access to much of a user's medical history. Some Smart Phones have lock-screen access to a user identity, automobile registration information typically requests that the primary driver be registered, and other mechanisms allow first responders to reach medical access and contact information so they can give the assistance required.
  • Ray Ozzie, Ernie Brickell, Stefan Savage, and Robert Thibadeau have all been working on finding technical solutions that do not exhibit any of the flaws of earlier systems. Ray Ozzie's solution gives control to the corporations that provide the encryption to grant access, on a phone-by-phone basis, to a decryption key that, when activated, would reveal the secrets and block the phone from further use, so that online surveillance would never be possible.[3] It seems that the press of security concerns will force the technologists' hand sooner or later, and some such solution will be forced on the industry.
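The properties that the Ozzie-style scheme above relies on (per-phone key release, physical possession required, one-way transition out of normal service, and an audit record of every release) can be modelled in a few lines. The following is an added toy model written for this page, not Ozzie's actual design or any vendor's code; the vendor master key, the HMAC-based per-device wrapping and the XOR wrap are constructed simplifications.

```python
import hashlib
import hmac
import secrets

# Toy model (constructed for this page, not Ozzie's actual scheme or any
# vendor's code) of a per-device "break the glass" key release. The vendor
# holds a master key; each device stores its data key wrapped under a key
# derived from the master and the device serial. Releasing the wrapped key
# needs the physical device, which irreversibly leaves normal service and
# produces an audit record, so a release cannot quietly become ongoing
# surveillance of a phone that is still in use.

def per_device_wrapping_key(master: bytes, device_id: str) -> bytes:
    """Derive the wrapping key for one device; only the vendor knows `master`."""
    return hmac.new(master, device_id.encode(), hashlib.sha256).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad style wrap/unwrap of a 32-byte key (toy, not a real KEM)."""
    return bytes(x ^ y for x, y in zip(a, b))

class Device:
    def __init__(self, device_id: str, wrapping_key: bytes):
        self.device_id = device_id
        self.data_key = secrets.token_bytes(32)                # protects user data
        self.escrow_blob = xor_bytes(self.data_key, wrapping_key)  # stays on-device
        self.state = "normal"

    def unlock(self) -> bytes:
        """Normal use: the data key is available only while in service."""
        if self.state != "normal":
            raise PermissionError(f"{self.device_id} is in {self.state} mode")
        return self.data_key

    def break_glass(self) -> bytes:
        """Physical-possession step: hand over the blob and brick the device."""
        self.state = "recovery"   # one-way transition; no path back to "normal"
        return self.escrow_blob

class Vendor:
    def __init__(self):
        self.master = secrets.token_bytes(32)   # held only in the vendor's HSM
        self.audit_log = []                      # every release is recorded

    def provision(self, device_id: str) -> Device:
        return Device(device_id, per_device_wrapping_key(self.master, device_id))

    def release(self, device_id: str, blob: bytes, authorization: str) -> bytes:
        """Unwrap one device's key; the result is only correct for that device_id."""
        key = xor_bytes(blob, per_device_wrapping_key(self.master, device_id))
        self.audit_log.append((device_id, authorization))
        return key
```

Note that the model makes the release detectable (the phone stops working and the vendor's log grows) rather than preventing misuse outright, which is exactly the gap Boneh's objection in the Problems section points at.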

References

  1. John Markoff, At AT&T, No Joy on Clipper Flaw. (1994-06-03) New York Times, p. 1. https://www.nytimes.com/1994/06/03/business/at-at-t-no-joy-on-clipper-flaw.html?searchResultPosition=1
  2. Jeffrey Toobin, Barr review. (2019-04-15) The New Yorker, pp. 15-16.
  3. Steven Levy, Cracking the Crypto War. (2019-04-18) Wired. https://www.wired.com/story/crypto-war-clear-encryption/