Translated Article: EU Directive for “High-Class Cybersecurity” with Duplicate Keys
EU-Richtlinie für „hochklassige Cybersicherheit“ mit Nachschlüsseln by Erich Moechel for fm4.ORF.at.
The key message of the Council of Ministers’ resolution against secure encryption has already arrived in a first draft directive. For this reason here’s a historical outline of the new Crypto Wars since 2014.
The resolution of the EU Council of Ministers against secure encryption, which resulted in so much criticism, has already appeared in a first draft directive. A corresponding passage can be found in the new draft directive on “Measures for high-quality cybersecurity in the Union”. The date of December 16 of the document shows that it was already drawn up before the Council resolution was passed (on December 19).
Here, too, it is claimed that secure end-to-end encryption remains intact if duplicate keys are generated for third parties. Meanwhile the EU Council of Ministers has denied any involvement of the “Five Eyes” spy alliance in the EU decryption plans. In fact the project actually began in 2014 in the USA and other countries of this alliance, then Europol joined them. How deeply the “Five Eyes” alliance is actually involved in the EU plans is documented from the beginning of 2014 to the current resolution of the Council of Ministers.
Recital 54 in the draft directive on measures for a common high level cybersecurity standard in the Union. Kudos to security analyst Lukasz Olejnik for pointing this out.
“Suboptimal techno-political salad”
The relevant passage is hidden in recital 54 of the “high-quality cybersecurity” directive. “I’m surprised, that looks a bit suboptimal”, says security analyst Lukasz Olejnik to ORF.at, it is unclear “how such a techno-political salad could get into the final version of the commission’s draft”. In the previous passages, the use of E2E encryption is specifically recommended several times in the draft, then the above excerpt follows and it says the opposite.
Even if the statement of the sentence is rather vague, it explains that the use of E2E encryption should be reconciled with the security needs of the states in order to enable criminal prosecution. This means that E2E encryption has to be broken, for example by smuggling in a duplicate key by the platform provider. There are no solutions for “legally compliant access to E2E encryption”, because E2E means that only those involved in the communication can read and nobody in between. The second Crypto Wars began with the same demands for master keys.
Chronicle of the second Crypto Wars 2014 to the present day
The following chronicle covers those events from 2014 to the end of 2020 that appeared on the author’s radar screen. Naturally, this chronicle is far from complete, but it should give an approximate picture of the course of the campaign against encryption. For those interested in the topic, a comparison with the chronicle that Matthias Monroy wrote on the same topic for network politics is recommended. There the processes in the EU Council of Ministers and other EU institutions – with a strong reference to Germany – are described in detail.
How the golden age of surveillance ended
In response to Edward Snowden’s NSA revelations, the large Internet companies began to secure their global data networks and then more and more services with secure SSL / TLS transport encryption in autumn 2013. Before that, only banking and e-commerce were encrypted in this way, around 85 percent of global traffic went through the network in plain text. The states of the espionage alliance had long since realized that their vacuum cleaning methods on the glass fibers would in the medium term deliver less and less useful data.
Law enforcement officers faced slightly different, but similar, problems. The telephony networks, from which they could fetch metadata and content at will for 20 years at the push of a button, provided less and less useful data. A large part of the communications had migrated from SMS and phone calls to Facebook Messenger (transport encryption), WhatsApp (E2E) & Co. It was therefore in the common interest of secret services and police authorities to make it possible to monitor the secure encryption of communication services in the network. Already in the first crypto wars, which are mostly dated from 1994 to 2001, the NSA, FBI and GCHQ in particular demanded that all secret keys used in the network be deposited with the authorities.
2014 “Golden Keys” and the W3C’s Crypto API
2014 03 05 How the network is hardened against surveillance. The main topic at the plenary meeting of the Internet Engineering Task Force (IETF) was which technical measures should be taken against the surveillance of the Internet by the NSA and other secret services. The W3C kicked this off with an event under the programmatic title “Hardening the Internet against Comprehensive Surveillance”.
2014 11 06 Golden keys for secret services and police. Counter-terrorism coordinator Gilles de Kerchove, the directors of GCHQ and FBI simultaneously demand duplicate keys for iPhones and Androids at the operating system level. The concerted action was mainly focused on cell phones, but it was directed against any securely encrypted communication services.
2014 11 09 browsers as universal encryption tools. More and more easy-to-use, new crypto programs come as mere plug-ins for common web browsers. The W3C’s crypto-API for integration in the browser is about to be completed.
2015 Embarrassments, failures and counter-attacks
2015 01 25 EU economy needs secure encryption. In the Council of Ministers the technical EU bodies STOA and ENISA recommend the exact opposite of the demand for crypto backdoors with secure “end-to-end” encryption.
2015 02 01 Facebook monitoring plans of the EU Council of Ministers. The repeated demands of European ministers for “access to encryption” target the “https” encryption of Facebook, Google or Twitter. In the Council and in the ETSI, the possibilities of equating Facebook et al with telecommunications in terms of surveillance are discussed for the first time. In the first two months of 2015, NSA Director Michael Rogers speaks out in favour for master keys at conferences, interviews and in court. The NSA needs access to the data, regardless of whether it is the device of criminals, foreign spies or people who play a role in national security.
2015 03 15 Serious setback for NSA campaign against encryption. The loophole named “FREAK” by security researchers is based on the specifications of the NSA from the 1990s. At the time, the US secret service complex insisted that only keys with 40-bit encryption (DES) could be used for international downloads of the browser.
2015 22 10 Cryptologists strike back against the NSA
Two years after Edward Snowden’s revelations began, the free certificates from the “Let’s encrypt” security initiative are recognized by all browsers. “Let’s encrypt”, behind which the Mozilla Foundation (Firefox) stands, was founded at the end of 2013 as a reaction to the NSA mass tapping of data on the optical fibers.
2015 12 20 Serious setback for FBI campaign against encryption. The FBI got the backdoors that it had been asking for for years. However, they were in the FBI’s own firewall system. Since then the FBI has been investigating strangers who had systematically provided firewalls from the large US manufacturer Juniper with such back doors. As it turned out years later, the backdoor came from the NSA.
2015 12 27 Boom in encryption programs in 2016. The number of freely available encryption programs has exploded from two dozen in 2013 to more than 400. Just in time for the end of the year, the “Let’ѕ encrypt” initiative began to provide websites around the world with free, automated encryption certificates.
2016 The lull before the storm
2016 02 28 FBI farce around iPhone encryption escalates. The FBI’s complaint confirms that a recovery function by Apple was blocked by the FBI itself in such a way that it could no longer be opened. It was the iPhone of the San Bernardino assassin who killed 14 people.
2016 30 03, How FBI Access to iPhones Works. The FBI unexpectedly backs down on the lawsuit against Apple. According to the FBI, a way had been found to break into the iPhone of the dead San Bernardino assassin without requiring Apple to produce a general duplicate key for all devices.
2016 11 21 End-of-year surveillance overkill in Europe. New powers for secret services, cooperation requirements for providers in the field of encryption in the EU Council of Ministers, “Cybercrime” convention receives an update for the cloud age.
The second part of the saga of the second Crypto Wars will be published soon and will be linked here.
Pingback: Translated Article: EU Decryption Plans apparently "Done Deal" | DeepSec In-Depth Security Conference