Hacking the GCHQ Backdoor
Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected:
In fact, we think when the ghost feature is active—silently inserting a secret eavesdropping member into an otherwise end-to-end encrypted conversation in the manner described by the GCHQ authors—it could be detected (by the target as well as certain third parties) with at least four different techniques: binary reverse engineering, cryptographic side channels, network-traffic analysis, and crash log analysis. Further, crash log analysis could lead unrelated third parties to find evidence of the ghost in use, and it’s even possible that binary reverse engineering could lead researchers to find ways to disable the ghost capability on the client side. It should be obvious that none of these possibilities are desirable for law enforcement or society as a whole. And while we’ve theorized some types of mitigations that might make the ghost less detectable by particular techniques, they could also impose considerable costs to the network when deployed at the necessary scale, as well as creating new potential security risks or detection methods.
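As an added illustration of the network-traffic-analysis point above (this is not code from the post or from the EFF article), here is a toy model: an end-to-end encrypted client has to wrap the message key once per recipient device, so a silently added ghost recipient changes the length of what goes over the wire even though nothing can be decrypted. The framing constants, roster and device counts are constructed for the example.

```python
import os

HEADER_LEN = 16    # constructed: fixed per-message metadata prefix
ENVELOPE_LEN = 32  # constructed: one wrapped message key per recipient device


def encrypt_group_message(roster, ghost_devices=0):
    """Toy model of a client fanning a message out to every recipient device.

    roster: {member: number_of_devices} as displayed by the UI.
    ghost_devices: extra device keys a ghost feature would add without
    showing them. The payload is random bytes standing in for ciphertext.
    """
    n_envelopes = sum(roster.values()) + ghost_devices
    header = os.urandom(HEADER_LEN)
    envelopes = b"".join(os.urandom(ENVELOPE_LEN) for _ in range(n_envelopes))
    return header + envelopes


def infer_recipient_count(wire_bytes):
    """Observer's view: only the length is used, nothing is decrypted."""
    body = len(wire_bytes) - HEADER_LEN
    if body < 0 or body % ENVELOPE_LEN:
        raise ValueError("unexpected framing")
    return body // ENVELOPE_LEN


def ghost_suspected(roster, wire_bytes):
    """Flag a message that carries more envelopes than the visible
    members' devices account for. Multi-device members are the main
    source of noise, so the check needs the per-member device count."""
    return infer_recipient_count(wire_bytes) > sum(roster.values())


if __name__ == "__main__":
    roster = {"alice": 2, "bob": 1, "carol": 1}
    clean = encrypt_group_message(roster)
    ghosted = encrypt_group_message(roster, ghost_devices=1)
    print(infer_recipient_count(clean), ghost_suspected(roster, clean))
    print(infer_recipient_count(ghosted), ghost_suspected(roster, ghosted))
```

A real deployment would pad or batch envelopes to blunt this, which is the kind of mitigation cost the quoted analysis refers to.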
Other critiques of the system were written by Susan Landau and Matthew Green.
EDITED TO ADD (1/26): Good commentary on how to defeat the backdoor detection.
EDITED TO ADD (3/1): Another good essay on the security risks of this back door.
Chris • January 25, 2019 7:35 AM
Long time listener, first time caller…
I’m not well versed in security nor am I aware of all the work on this front. But in the spirit of conversing on the challenge:
While reading this I thought of the work in WWII with Enigma. Could the end clients insert a fixed tiny string, embedded in the message and encrypted, that would allow the group wanting to break the encryption a foothold to drastically reduce cracking time? Similar to the phrase the British team searched for to crack the daily code, knowing that phrase was always somewhere in the message.
You still have a number of the administrative issues you have with the proposal above; however, you retain end-to-end (1-to-1, not 1-to-many), could put in some additional obfuscation routines for the string used (regular rotation, different for country/service/etc.), or maybe it is only inserted upon a warrant.
It would also mean that if you break into the string store you don’t have the keys to everything, only an easier path to crack individual exchanges. It may still take large resources to crack but wouldn’t allow immediate decoding by anyone. The acceleration of processing power and quantum would make any time analysis obsolete by the time you finish the calculation.