top | item 9874171

(no title)

breakall | 10 years ago

Isn't their a fair distinction between an undocumented weakness ("back door") to which LEOs have access, and a provider providing a key ("front door") upon a lawful order, maintaining the strength of the encryption scheme?

It seems some believe that Comey is playing with semantics in order to obfuscate, or doesn't understand the argument he's making -- I don't.

discuss

EthanHeilman|10 years ago

Neither backdoor nor frontdoor are well defined (backdoor does not always imply secrecy). I never heard the word "front door" until this recent push, and generally key escrow has been referred to as a backdoor despite being public knowledge.

My personal definitional taste would be:

* Backdoor - an additional way to decrypt a communication without the consent of the communicating parties.

* Secret Backdoor - a backdoor which the communicating parties are not aware of (DUAL_EC).

* Public Backdoor - a backdoor which is built into the public description the of the encryption system so that the communication parties are aware of it (lotus email backdoor).

* Frontdoor - a type of public backdoor which requires a warrant to access and whose key is controlled by a neutral (disinterested) third party. I'm not sure this is exactly what the FBI wants.

Thus, frontdoors are a very specific form of backdoors.

AgentME|10 years ago

I would have thought "front door" would mean to get the intended recipient of the message to decrypt it for you.

cb18|10 years ago

Language is power.

I say we refrain from adopting any new silly terminology that anyone attempts to foist upon us regarding this issue.

Something is either cryptographically secure, or it isn't. A "cryptographic" method that allows access to anyone not authorized by the one doing the encryption is not cryptographically secure. And in that case, what's the point in using it or even calling it cryptography?

harshreality|10 years ago

That's some semantic gymnastics. So a "Public backdoor" is a "Frontdoor" when used by a law enforcement agency with a warrant. What about when the "neutral" third party uses the keys for some purpose without a warrant? What about when the third party is hacked? It seems confusing to refer to the same system as both a frontdoor and a backdoor.

The FBI would probably be happy with a front door. Unfortunately, a "frontdoor" means some "neutral" third party (or anyone who hacks it) then has the ability to decrypt all your communications. Furthermore, a "neutral" third party isn't necessarily that trustworthy. The saving grace of the CA system is that non-targeted attacks are likely to be detected, because the CAs don't have the certificates' private keys, and use of alternate keys is detectable, or even preventable (only in advance) with pinning.

Everyone would balk at a CA system where the CAs had all the servers' private keys. No matter how trustworthy the CA. It would be undetectable, and pinning wouldn't mitigate it. And that's exactly what the FBI wants for Google, Facebook, Microsoft, and Whatsapp communication products.

If a neutral third party holds the keys, then you have the company (1) that makes the communications products having the keys, transferring them to the neutral third party (2) and deleting them ("we promise!"), so only the third party holds them for possible eventual use by the FBI (3). That's three entities that may potentially have access to key material in the future, not to mention anyone who hacks those three entities.

username|10 years ago

They already have a front door. It's called "get a warrant".

afar|10 years ago

Why is getting a warrant not enough? Seems the level of access and cooperation is as much or greater than a key or backdoor.

Isn't it relatively speedy to get a warrant? In some cases just hours?