EU Encryption Privacy The Internet Technology

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk) 83

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
  • by Opportunist ( 166417 ) on Thursday October 19, 2017 @11:46AM (#55396891)

    So we have a device of someone that we suspect to be a criminal, now aid us to access it.

    That is something we can actually work with. Provided there is oversight and it's not "we probably have (population count) terrorists in our country, let's find out how to up the surveillance so we can track them all!"

    • Completely agree. This has been the proper course of action from the start, and I'm glad they're finally coming around on it. It's the only path that aligns with the security and privacy interests of businesses and individuals while allowing for law enforcement to conduct lawful investigations.

      There will certainly be additional points to discuss, such as the degree and nature of their collaboration (e.g. Is it—or to what extent is it—okay for them to withhold information regarding vulnerabilitie

  • Do I understand this right that they want brute-force encryption? If so, somebody really should explain complexity analysis to them. These algorithms have been chosen in such a way that brute forcing is computationally hard.

    How exactly... we don't know. Maybe someone has an RSA-cracking supercomputer up their sleeve they're keeping secret. Maybe someone's particularly good with a soldering iron and can read off keys from extracted flash memory chips.

    If any member state has that capability, there is no way

    • by Lennie ( 16154 )

      Remember the FBI Apple iPhone debate in the US and a solution was found how to gain access to the data, my guess would be they could be sharing those kinds of solutions. I would be surprised if they had things even more advanced than that.

    • by Boutzev ( 325568 )

      Please, don't! Leave them with their brute forcing. In the meantime we can enjoy secure communication.

      I am not sure if this is just an attempt to please the lobbyists of encryption regulation or ignorance.

      • by Megol ( 3135005 )

        It's an example of you not understanding. Brute forcing is (generally) impossible and that's not what this is about.

    • Do I understand this right that they want brute-force encryption? If so, somebody really should explain complexity analysis to them. These algorithms have been chosen in such a way that brute forcing is computationally hard.

      No they want to share methods on how to break devices. No device is 100% secure. Each device probably has an exploit depending on the hardware and OS version. For example, the San Bernardino shooter had an older model iPhone that was bypassed but that took several months before the US government could find someone who could do it. At the very least point the governments in the right direction: "Oh that model Samsung and Android, we used this company to break that phone." It is more so that each government d

    • by Anonymous Coward

      If any member state has that capability, there is no way in hell they'll share it.

      This is simply a request to increase the funding & staffing of EC3 in Europol.
      https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3

      All in all, EU has taken a rational position here.
      Law enforcement cannot simply disregard the issue; they have to do and say SOMETHING.
      A statement "we will NOT be going to ask or push for backdoors & weak crypto" is good enough, especially considering this comes from the LEA / antiterrorism guys, not from DG CONNECT or similar.

    • by gweihir ( 88907 )

      Don't tell them! They are convinced that because they represent nation-states, they are all-powerful. Let them have that illusion!

  • The irony (Score:4, Informative)

    by Rick Schumann ( 4662797 ) on Thursday October 19, 2017 @11:47AM (#55396901) Journal
    The irony here is that even if they put a gun to everyone's heads and forced them to ruin encryption's value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and governments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?
    • Exactly.... This is really stupid in that it only helps you catch the stupid ones....

      Anybody who thinks about this, won't have an issue communicating securely regardless of if the encryption backdoor.

    • Consider for a moment that while governments may ultimately be varying degrees of evil, that is an emergent property that isn't necessarily present in the humans who make it up.

      Now imagine you're a cop or a politician, and you have criminals and pressure to stop them from getting organized or simply 'getting away with it', and you KNOW there's evidence you could hang them with if you could get your hands on it.

      Of course they're going to try and get official back doors. Now you say those back doors will onl

      • You NEVER trade freedom for security. EVER.
        'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.
        • >You NEVER trade freedom for security. EVER.

          That's a foolish absolute to stand behind, since you do it all the time in your day to day life.

          >'Backdooring' encryption RUINS it, plain and simple; there is no compromise that can or should be made there. EVER.

          Another silly stance to take. For general encryption, absolutely... but there's nothing wrong with a proprietary system with a back door in it, as long as it's understood to be less than perfectly secured and that it will eventually be cracked (or t

          • No, you're completely and totally wrong, and are you even a U.S. citizen? Or are you some foreigner who has no stake in this? Or are you a government shill? Or are you just a troll/jackass? Regardless you are to be IGNORED as you are no better than these shitty politicians and so-called 'law enforcement'.
            • by Anonymous Coward

              This a joke post? Article is about the EU and you grizzle about whether someone is a "U.S. citizen". And why do "foreigner"s have no stake? It's global. Etc, and so on.

              Truth is you trade freedom for security every day of your life. Every day. Wake up and look around you.

              I am against backdooring general crypto but I don't claim it means the end of civilisation like you do.

            • by PCM2 ( 4486 )

              Are you being willfully stupid?

              You are NOT free to walk into a bank waving a gun. That freedom is denied you. You ARE free, however, to walk into a bank and withdraw a large amount of money, with the reasonable expectation that nobody else in the bank will shoot you and take it from you.

              See how this works?

          • Your "less than perfectly secured" is awfully optimistic. Most people aren't prepared to jump to a new encryption method when the old back door is compromised. Moreover, the system can't ever be trusted, since the user never knows who might know the back door. It might be of some use to some people, but nobody with any sort of security requirements could rely on the system.

    • criminals and terrorists would not just use non-compromised encryption, they'd use codebooks and other types of obfuscation

      Terrorists have shown how clever they are; that kind of subtlety is out of their league.

    • The irony here is that even if they put a gun to everyone's heads and forced them to ruin encryption's value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption), they'd use codebooks and other types of obfuscation (book ciphers, and so on; the list is endless) that have been used for much longer than we've had computers, and governments and cops would be back at Square One again: needing to do REAL police work, not just be jackbooted thugs with guns forcing their will on everyone. Are they really so blind to all this, or is it just another power-grab?

      Of course it's another power-grab. That's almost a given for almost everything Western governments are trying to implement in the encryption/security field. The mistake here is in assuming they're telling us the truth when they tell us they will use it exclusively against criminals & terrorists instead of mostly as another general domestic surveillance tool for politically/ideologically-driven motives.

      They know as well as we do that real terrorists and criminals will simply use other secure methods. The

    • by Kjella ( 173770 )

      The irony here is that even if they put a gun to everyone's heads and forced them to ruin encryption's value by compromising it with 'backdoors' (that anyone would eventually be able to discover and leverage) criminals and terrorists would not just use non-compromised encryption (copied from before the ban on 'real' encryption)

      Well most suggestions don't involve building an algorithmic backdoor, but about making the manufacturer retain a copy of embedded keys. Like for every iPhone there's a master UID - essentially a 256 bit AES key - fused into the processor during manufacturing. They (supposedly) don't keep a copy, they certainly could and stick in a vault somewhere and in theory they'd only hand individual keys over to law enforcement with a warrant. The "doomsday" scenarios are that a powerful organization robs the vault or

  • Every CPU since 2006 has backdoors built in, they don't need to have backdoors in individual protocols. If they have cyber-backdoor agreements with the nation manufacturing the chips they have a backdoor.
    • Apple designs its own ARM chips, and they've been clear about standing up for user security. I'm not at all convinced that all CPUs have back doors.

      • Apple uses Intel chips, which absolutely have backdoors (they actually beat AMD to it by a couple of years.) They "stand up for" user security because it's bad PR if they don't pretend to.
        • True; I was thinking of the ARM chips on iDevices. Apple in fact got bad PR from the dispute with the FBI relating to the work iPhone 5C that the San Bernardino shooter almost certainly didn't leave evidence on, so I'll give them credit for that. Apple appears to want user security.

          • Apple wants people to believe they have user security. Post-Snowden it would be incredibly ignorant to believe there is any device made by a US company without backdoors.
  • by Anonymous Coward

    Or have they just struck a secret deal somewhere?

    Let's hope the first. Being a big fan of EU (the idea) and sometimes utterly revolted by EU (the implementation), this makes my week.

  • Yes please (Score:5, Interesting)

    by SlashDread ( 38969 ) on Thursday October 19, 2017 @12:16PM (#55397139)

    Do share all your cracking and hacking tricks. Publicly.

    so we can patch the vulns

  • why not publish all those vulnerabilities they're using to decrypt devices (after a suitable period of time given to the manufacturer to fix the defect)? Could it be they don't really care about security in our shared cyberspace? Naw, they could never be so callous.
  • by Anonymous Coward

    Is when the encryption wars began. The war was long and had many casualties. After many years of trying to crack encryption most governments around the world agreed to make encryption used by anyone other than the government illegal.

  • Weakening encryption is bad. Trying to break encryption is expected.

  • Encryption weenies place a lot more faith in its power than I do. So, are we supposed to trust SSL? I don't. Besides being eat-up with a laundry list of past vulnerabilities, I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy? Why again? Just because they can pay folks to answer the phone or to supposedly check someone's business license? That doesn't mean *squat*. There are so many instances where
    • by AHuxley ( 892839 )
      Encryption is good to stop random other governments, people, ads, ISPs, telcos as a message moves along the pipes.
      At some time that fully and secure message had to be created and later decrypted for the user's convenience.
      Key logging is the solution and will get content at source from the users for the security services.
      A one time pad on paper used once and sent would be secure. The privacy of the message is protected by using a one time pad. Anonymity on networks in 2017 is not protected.
      Interestin
    • by Anonymous Coward

      > So, are we supposed to trust SSL? I don't. ... I'm supposed to trust some megacorp that says some other megacorp or boiler-room-scam operation capable of issuing a certificate signing request is trustworthy?

      TLS/SSL exists independent of the Certificate Authorities. You (and anyone else) can use SSL/TLS without involving a third party: sign your own damn certs. Voilà, you have full-strength data-in-flight crypto capabilities.

      The reason you don't really see this on the web is because without cert pinnin

    • Good encryption means precisely one thing: that it is necessary to know the key to access the information, but otherwise it's safe. When using something like AES-256, the only problem is key management. Nobody who can't find or guess my iPhone unlock code is going to be able to read anything off it, and the Secure Enclave makes it very difficult to guess.

      There's a big difference between levels of security. If they're willing to haul you in and torture you for the information, they're almost certainly

  • "when [a member state] gets a device, how do they get information that might be encrypted on the device."

    You don't. If you could, the encryption would be pointless.

  • EU vs Five Eyes (Score:4, Interesting)

    by Hal_Porter ( 817932 ) on Thursday October 19, 2017 @02:12PM (#55398107)

    For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."

    I think they're worried about the Five Eyes countries sharing information with each other, but not with EU countries

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    One of the interesting contradictions of the UK being a member of the EU was that it always had much better intelligence sharing with the Five Eyes countries than it did with any EU country.

  • First, often asking for something (backdoors) is cover for already having it. Second, pretending to not ask for it is cover for getting it without public scrutiny. Third, knowing of vulnerabilities and keeping them secret and exploiting them is ethically just as bad as having backdoors. You find it, you announce it, or you're hurting security for everyone. You think you're the only one that found it? Unlikely. Russians, Iranians, Pakistanis, and Israelis have found it but the only way to block their use of
