Christiaan Colen
There is no Asian approach to encryption. The Internet transcends conventional borders and so does the encryption that travels with it. But there is a growing Asian security dialogue and an emerging debate on encryption in Asia. That debate has been overshadowed by the disjointed responses of individual countries to specific aspects of encryption. Bahrain, China, Iran, Kazakhstan, Pakistan and Saudi Arabia, amongst others, formally disallow different forms of client-side encryption. A larger list of countries have decryption-on-demand laws. They are not very different from Western liberal democracies where calls for encryption bans and backdoors are commonplace.
In India, the surveillance and encryption debate is marked by contradictions. We are losing out, the claim goes, because the technologies and infrastructure of digital communications are located abroad. We must sacrifice our freedoms, another claim goes, because only high levels of surveillance can protect us. Unfortunately, these reductive arguments, designed to appeal to nationalism and insecurity, have captured the national discourse. They have helped to shape a statist, blunt and control-oriented approach to encryption. Taking their cue from China, several Asian countries including India want to impose their sovereignty on the Internet, strictly license encryption products, have unfettered access to Internet communications and more. This ‘Internet sovereignty’ approach to encryption will fail.
This essay explains the basics of how encryption works; provides a high-level account of the American crypto-wars and how they manifest in India; looks at how mass surveillance fears have fuelled a new phase of the crypto-wars; and demonstrates the futility of the Indian government’s nationalism-laced approach to encryption, particularly in relation to data localisation, Internet sovereignty and the withdrawn National Encryption Policy of 2015. Looking ahead, this essay argues that encryption cannot be stopped; cybersecurity depends on strong encryption; and India’s security and prosperity depend on the widespread adoption of encryption.
If it stopped pursuing the Internet sovereignty approach and supported strong encryption without backdoors instead, India would break ranks with many Asian countries. But since there is no multilateral cybersecurity cooperation regime in Asia that India participates in, that would not be a loss. On the other hand, India should drive the Asian cybersecurity debate towards unbreakable encryption in the interests of its emerging digital economy, democratic values and national security.
The Basics of Encryption
Encryption is the conversion of intelligible data (plaintext), such as files or messages, into an unintelligible form (ciphertext) and decryption is the reversion of ciphertext to plaintext. Encryption occurs through the application of a cipher, a cryptographic algorithm that links the plaintext and ciphertext. The algorithm contains at least one variable parameter (key) that changes each time data is encrypted. The key is determined by a random number generating algorithm. For encryption to work, the key must be secret. Encryption does not encompass data conversion using a fixed key with no variable parameter (scrambling).[1]
Until the 1970s, both the encrypter and decrypter had to have a pair of identical keys (symmetric-key encryption). The system has two main weaknesses. First, the key has to be shared before the message (key exchange). Second, secrecy is inversely proportional to the number of people in the know—intuitively, not mathematically. Moreover, the sender is not sure that the key reached the intended receiver, and the receiver is not sure that her key was authentic (authentication problem). That is because of the danger of the key exchange being intercepted by a third party who may access the messages as they flow or impersonate either the sender or receiver (man-in-the-middle).
Most key exchange problems were solved by the invention of public key cryptography in the 1970s. Two non-identical but mathematically linked keys are created, one to encrypt a message and the other to decrypt it (asymmetric-key encryption). A receiver makes one of her keys publicly available (public key) but keeps the other one secret (private key). A sender encrypts her message using the receiver’s public key, and the receiver decrypts it with her private key. To solve the authentication problem, the sender, who has also made her public key available, signs her message with her private key; the signature can only be checked with her public key, which verifies that it is hers (digital signature).
When designed and implemented well, public key cryptography is unbreakable. It obviates backdoors because no man-in-the-middle has the receiver’s private key. It can assure message integrity by algorithmically assigning the data a fixed value (hashing) which can be verified for consistency. However, public key cryptography is computationally intensive and slow to operate so it is rarely used for real-time communications which continue to be symmetrically encrypted.
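The scheme described in the two paragraphs above, as an added example that is not part of the original essay: textbook RSA showing encryption to the receiver's public key, a signature over a SHA-256 hash, and detection of a tampered message. The function names, keys and sample message are constructed for illustration; real systems use padded RSA with keys of 2048 bits or more from a vetted library.

```python
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # private exponent inverts E mod phi

def encrypt(message: bytes, public):
    n, e = public
    # Toy only: one byte per block, no padding (real RSA uses OAEP).
    return [pow(b, e, n) for b in message]

def decrypt(blocks, private):
    n, d = private
    return bytes(pow(c, d, n) for c in blocks)

def digest(message: bytes, n: int) -> int:
    # Hashing: a fixed-size value derived from the data, reduced to fit n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private):
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(message, n)

# Constructed keys from well-known Mersenne primes; far too small and too
# structured for real use, chosen only so the arithmetic is reproducible.
SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**31 - 1, 2**107 - 1)

if __name__ == "__main__":
    msg = b"meet at noon"                   # constructed sample message
    blocks = encrypt(msg, RECEIVER_PUB)     # only the receiver can read it
    sig = sign(msg, SENDER_PRIV)            # only the sender can produce it
    print(decrypt(blocks, RECEIVER_PRIV))
    print(verify(msg, sig, SENDER_PUB))
    print(verify(b"meet at nine", sig, SENDER_PUB))
```

An interceptor who holds both public keys can check the signature but has neither private exponent, so it can neither read the blocks nor produce a signature that verifies for an altered message.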
The Crypto-Wars
The encryption debate is United States-centric because, for better or for worse, American laws have shaped the Internet’s architecture and the availability of encryption products. Public key cryptography did not begin to find mass application until the 1990s. The primary cryptosystem in regular use, the Data Encryption Standard (DES), developed by IBM in the 1970s, and approved by the NSA, used a symmetric-key algorithm with a weak key. As Internet use grew, businesses improved the security of their products to encourage consumer confidence.
For individuals who did not want to depend on off-the-shelf encryption, the asymmetric-key Pretty Good Privacy (PGP) cryptosystem, developed in 1991, offered client-side encryption for messages. PGP provides unbreakable encryption for messages even when passing through known backdoors. No one besides the sender and receiver can access the plaintext making strong PGP immune to man-in-the-middle attacks (end-to-end encryption).
In the early 1990s, American telecom carriers were upgrading from analogue to packet-switched digital transmissions. The US government pushed carriers to install the ‘Clipper chip,’ a chipset that used a symmetric-key algorithm to encrypt voice data with a key developed by the NSA. The Clipper chip was to be installed in phones and a key copy surrendered to government to be held in escrow.
There are two fundamental problems with government key escrow. First, escrow of any sort only works when the third-party escrow agent is trusted by the other parties to handle the object of their transaction―in this case, keys. When a government wiretaps a private communication, it is not a third-party; so in a surveillance situation the government cannot by definition perform escrow functions. Second, the key is vulnerable to attack while stored in escrow. When the Clipper algorithms were declassified by the US government, they were swiftly shown to be vulnerable to high-speed, high-volume key guesses (brute-force attack).
At the same time, the US legislature enacted the Communications Assistance for Law Enforcement Act of 1994 (CALEA). It compelled telecom carriers to technologically enable government wiretaps. There were three significant limitations. First, the government was prevented from banning commercial encryption. Second, the law was restricted to the public switched telecom network (PSTN); it did not cover Internet services such as voice-over-Internet-protocol (VoIP) calls. Third, communications carriers were exempted from the duty to decrypt messages (decryption mandate) if they did not have the means to do so.
In 2005, CALEA was extended to cover VoIP and broadband Internet service providers (ISPs) even though they are not PSTN-based. But it still did not cover non-ISP-provided Internet email or over-the-top (OTT) instant messengers. Consequently, while Skype had to have CALEA-mandated backdoors, Gmail or WhatsApp were free from backdoors and the decryption mandate. That set the stage for the second phase of the crypto-wars.
In India, the Central Monitoring System (CMS) corresponds to CALEA in several ways. Until recently, telecom carriers were restricted to 40-bit encryption which was even weaker than the 64-bit key found in the 1980s-vintage A5/1 cipher used in the 2G GSM standard.[2] Some carriers simply did not encrypt and voice calls could be lifted off-the-air. The CMS requires carriers to provide the government with a seamless interception interface irrespective of their network encryption. It covers VoIP and ISPs too. Unless an Indian user uses client-side public key encryption or commercial end-to-end encryption, their communications have permanent backdoors.
The CMS is more than an interception interface. It creates a centralised database which even Britain’s recent “snoopers’ charter” failed to do. Will Delhi misuse its technological capabilities? We do not know. But we do know that the government has a long history of illegal wiretaps. The issue has been consistently raised in Parliament and covered in the press.[3] Interceptions and decryptions are ordered by bureaucrats with little understanding of the law and no independent oversight mechanism. Private carriers have obeyed even procedurally-irregular interception orders instead of pushing back against irregular surveillance.[4] Nevertheless, the government asks us to trust it to use the CMS in accordance with law. It would not be an unfair assessment to say that businesses and individuals will be more interested in encrypting their communications from now on.
The Blackberry Episode
From 2008 the Indian government pressured Blackberry-maker Research in Motion (RIM) to decrypt messages on demand or hand over their key. RIM faced similar measures in Saudi Arabia and the United Arab Emirates. The campaign against RIM was more about enforcing Indian jurisdiction on a foreign company than it was about the national security risks of encryption. There are two kinds of Blackberry services. For companies, RIM installs a local Blackberry Enterprise Server (BES) and employees’ emails are routed through the BES with strong encryption. In most cases, RIM does not have the key and cannot decrypt BES messages. In any event, terrorists are not employees; they do not use BES services.
For individuals, RIM has an unencrypted Blackberry Internet Service (BIS) network. This is most likely how terrorists using Blackberrys communicate. BIS emails can be intercepted as plaintext provided the local carrier removes any transport layer encryption it added.[5] Instant messages via the Blackberry Messenger (BBM) app are transmitted on the basis of unique device-specific numbers (PIN). PIN-to-PIN messages, another option for terrorists, are not encrypted; they are only scrambled using a single, global key.[6] They can be intercepted and routed to a third Blackberry quite easily, a textbook man-in-the-middle attack.[7]
Essentially, if the government wanted to intercept someone’s BIS communications, it was free to do so under Indian law. There would have to be an interception order under either section 69 of the Information Technology Act, 2000 (IT Act) read with rule 3 of the Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009 (Interception Rules), or section 5(2) of the Indian Telegraph Act, 1885 read with rule 419A of the Indian Telegraph Rules, 1951. On the other hand, if, hypothetically, the BIS server was located in India, then access to data on it could be ordered under section 91 of the Code of Criminal Procedure, 1973 (CrPC), a significantly lower threshold.
There is legal uncertainty regarding data access procedures because interception law is largely observed in the breach. Sections 69 and 69B of the IT Act, read with their respective rules, grant access to stored information and communications data, but in 2014 the Central Bureau of Investigation was using section 91 of the CrPC to access communications data. It is likely that other law enforcement agencies were doing the same and still are. There is no transparency and no accountability for legal abuse. In any event, the Interception Rules almost certainly suffer from excessive delegation and are ultra vires their parent statute.