Tag: encryption

Building backdoors into encryption isn’t only bad for China, Mr President

Building backdoors into encryption isn't only bad for China, Mr President

Want to know why forcing tech companies to build backdoors into encryption is a terrible idea? Look no further than President Obama’s stark criticism of China’s plan to do exactly that on Tuesday. If only he would tell the FBI and NSA the same thing.

In a stunningly short-sighted move, the FBI – and more recently the NSA – have been pushing for a new US law that would force tech companies like Apple and Google to hand over the encryption keys or build backdoors into their products and tools so the government would always have access to our communications. It was only a matter of time before other governments jumped on the bandwagon, and China wasted no time in demanding the same from tech companies a few weeks ago.

As President Obama himself described to Reuters, China has proposed an expansive new “anti-terrorism” bill that “would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services.”

Obama continued: “Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.”

Bravo! Of course these are the exact arguments for why it would be a disaster for US government to force tech companies to do the same. (Somehow Obama left that part out.)

As Yahoo’s top security executive Alex Stamos told NSA director Mike Rogers in a public confrontation last week, building backdoors into encryption is like “drilling a hole into a windshield.” Even if it’s technically possible to produce the flaw – and we, for some reason, trust the US government never to abuse it – other countries will inevitably demand access for themselves. Companies will no longer be in a position to say no, and even if they did, intelligence services would find the backdoor unilaterally – or just steal the keys outright.

For an example on how this works, look no further than last week’s Snowden revelation that the UK’s intelligence service and the NSA stole the encryption keys for millions of Sim cards used by many of the world’s most popular cell phone providers. It’s happened many times before too. Ss security expert Bruce Schneier has documented with numerous examples, “Back-door access built for the good guys is routinely used by the bad guys.”

Stamos repeatedly (and commendably) pushed the NSA director for an answer on what happens when China or Russia also demand backdoors from tech companies, but Rogers didn’t have an answer prepared at all. He just kept repeating “I think we can work through this”. As Stamos insinuated, maybe Rogers should ask his own staff why we actually can’t work through this, because virtually every technologist agrees backdoors just cannot be secure in practice.

(If you want to further understand the details behind the encryption vs. backdoor debate and how what the NSA director is asking for is quite literally impossible, read this excellent piece by surveillance expert Julian Sanchez.)

It’s downright bizarre that the US government has been warning of the grave cybersecurity risks the country faces while, at the very same time, arguing that we should pass a law that would weaken cybersecurity and put every single citizen at more risk of having their private information stolen by criminals, foreign governments, and our own.

Forcing backdoors will also be disastrous for the US economy as it would be for China’s. US tech companies – which already have suffered billions of dollars of losses overseas because of consumer distrust over their relationships with the NSA – would lose all credibility with users around the world if the FBI and NSA succeed with their plan.

The White House is supposedly coming out with an official policy on encryption sometime this month, according to the New York Times – but the President can save himself a lot of time and just apply his comments about China to the US government. If he knows backdoors in encryption are bad for cybersecurity, privacy, and the economy, why is there even a debate?

QR codes with advanced imaging and photon encryption protect computer chips

QR codes with advanced imaging and photon encryption protect computer chips

QR, or Quick Response, codes — those commonly black and white boxes that people scan with a smartphone to learn more about something — have been used to convey information about everything from cereals to cars and new homes.

But, University of Connecticut (UConn) researchers think the codes have a greater potential: protecting national security.

Using advanced 3-D optical imaging and extremely low light photon counting encryption, Board of Trustees Distinguished Professor Bahram Javidi and his research team have taken the ordinary QR code and transformed it into a high-end cybersecurity application that can be used to protect the integrity of computer microchips. The findings were published in IEEE Photonics Journal.

“An optical code or QR code can be manufactured in such a way that it is very difficult to duplicate,” said Javidi, whose team is part of UConn’s Center for Hardware Assurance, Security, and Engineering (CHASE) in the School of Engineering. “But if you have the right keys, not only can you authenticate the chip, but you can also learn detailed information about the chip and what its specifications are.

“And, that is important to the person using it.”

Corrupted and recycled integrated circuits or microchips posed a significant threat to the international electronics supply chain. Bogus or used computer chips may not matter much when they cause poor cell phone reception or an occasional laptop computer crash in personal use. But the problem becomes exponentially more serious when counterfeit or hacked chips turn up in the U.S. military.

The problem has been exacerbated in recent years by the fact that much of the national production of microcircuits has moved offshore, where prices are lower but ensuring quality control is more difficult.

In 2012, a Senate Armed Services Committee report found that more than 100 cases of suspected counterfeit electronics parts from China had made their way into the Department of Defense supply chain. In one notable example, officials said counterfeit circuits were used in a high-altitude missile meant to destroy incoming missiles. Fixing the problem cost the government $2.675 million, the report said.

Unlike commercial QR codes, Javidi’s little black and white boxes can be scaled as small as microns or a few millimeters and would replace the electronic part number that is currently stamped on most microchips.

Javidi says he can compress vital information about a chip — its functionality, capacity, and part number — directly into the QR code so it can be obtained by the reader without accessing the Internet. This is important in cybersecurity circles, because linking to the Internet greatly increases vulnerability to hacking or corruption.

To further protect the information in the QR code, Javidi applies an optical imaging “mask” that scrambles the QR code design into a random mass of black-and-white pixels that look similar to the snowy images one might see on a broken TV. He then adds yet another layer of security through a random phase photon-based encryption that turns the snowy image into a darkened nighttime sky with just a few random stars or dots of pixilated light.

The end result is a self-contained, highly secure, information-laden microscopic design that is nearly impossible to duplicate. Only individuals who have the special corresponding codes could decrypt the QR image.

And that is important to all of us.