{"id":10725,"date":"2015-12-03T09:00:20","date_gmt":"2015-12-03T14:00:20","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=10725"},"modified":"2017-09-24T08:11:45","modified_gmt":"2017-09-24T12:11:45","slug":"golden-key-encryption","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/golden-key-encryption\/10725\/","title":{"rendered":"Clavis Aurea, or Does the &#8220;Golden Key&#8221; actually solve encryption issues"},"content":{"rendered":"<p>Following recent terrorist attacks, accusations against encrypted means of online communication have once again grown louder. However, the proposed solutions could create even more problems.<\/p>\n<p>Governments around the world \u2013 from Russia to the US and from China to the UK \u2013 seem to preach the same mantra: people\u2019s communications are encrypted so strongly that governments cannot access them when there is a need. It\u2019s said to be the main reason why the police cannot efficiently investigate cases involving pedophiles or terrorists, so \u2018something has to be done about it.\u2019<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06023555\/golden-key-FB.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-10727\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06023555\/golden-key-FB.jpg\" width=\"1280\" height=\"1280\"><\/a><\/p>\n<p>Solutions proposed by governments essentially presuppose that the existing encryption systems should contain certain vulnerabilities, so national agencies would have an opportunity to intercept the correspondence as they see fit.<\/p>\n<p>In a recent article, the Washington Post coined a rather <a href=\"https:\/\/www.washingtonpost.com\/opinions\/compromise-needed-on-smartphone-encryption\/2014\/10\/03\/96680bf8-4a77-11e4-891d-713f052086a0_story.html\" target=\"_blank\" rel=\"noopener nofollow\">poetic term<\/a> for this approach \u2013 the Golden Key. 
The authors cite various cases of kidnapping and other criminal deeds in which investigators could not progress with their search because the \u2018golden key\u2019 system was not deployed. The writers state that all tech companies, including the likes of Google, Apple, Facebook and Telegram, should grant these \u2018golden keys\u2019 to governments.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">The Washington Post Urges That A Compromise Is Needed On Smartphone Encryption <a href=\"http:\/\/t.co\/qcKk2PWBjp\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/qcKk2PWBjp<\/a><\/p>\n<p>\u2014 Digg Tech (@diggtech) <a href=\"https:\/\/twitter.com\/diggtech\/status\/518607133106262016?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 5, 2014<\/a><\/p><\/blockquote>\n<p>Leaving ethics aside for now (otherwise this discussion would last for ages), in a situation where noble policemen do possess the said key, there is a solid probability of bad guys gaining access to the keys as well.<\/p>\n<p>There are quite a few examples of the \u2018golden key\u2019 idea being brought to life. Take the most obvious use case: TSA locks, created by the Transportation Security Administration. The concept is simple: travelers use TSA-approved luggage locks with a keyhole for the authorities to use (so they don\u2019t smash open the padlock if they think the luggage needs to be searched). There are ten master (\u2018golden\u2019) keys to be used on most types of luggage locks. The idea is based on the assumption that only the TSA has access to master keys, whereas petty criminals raiding the luggage trunks have to use some other means to crack the padlock.<\/p>\n<p>However, pictures of all the TSA keys recently leaked online, followed by their 3D models. 
Now a number of Chinese marketplaces offer a complete set of TSA\u2019s golden keys, available to anyone. What could be done to remedy the situation? Alas, nothing in particular \u2013 one cannot replace all the luggage locks in the world.<\/p>\n<p>https:\/\/twitter.com\/J0hnnyXm4s\/status\/642396940261531648<\/p>\n<p>There is another example of such systems \u2013 app stores such as the Apple App Store. The entire security paradigm in their case is based on the principle that only employees can publish an app: first they check it for malware and then sign it with their digital certificate.<\/p>\n<p>Obviously, Apple has not had its keys compromised, but adversaries found another way to bypass strict security checks. Some developers were fooled by cyber-criminals and inadvertently used a <a href=\"https:\/\/threatpost.com\/xcodeghost-ios-malware-contained\/114745\/\" target=\"_blank\" rel=\"noopener nofollow\">modified Xcode development framework<\/a>, which injected masked malicious code into apps. 
The issue was not discovered by Apple security engineers in time, so the App Store, once an unassailable digital fortress, was flooded by dozens of malicious applications, including one particularly popular messenger.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Allegedly 40 apps on App Store are infected <a href=\"https:\/\/t.co\/UTSGwvWccj\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/UTSGwvWccj<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/apple?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#apple<\/a> <a href=\"http:\/\/t.co\/moLosQwB9V\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/moLosQwB9V<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/646689631333949440?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">September 23, 2015<\/a><\/p><\/blockquote>\n<p>Let\u2019s dive deeper into the history of tech and recall a once widely publicized DVD crypto protection technology. In the late 20th century, DVDs employed crypto protection based on the infamous CSS algorithm. It was designed to restrict access to DVD content for other regions. Well, we all remember the <a href=\"https:\/\/en.wikipedia.org\/wiki\/decss\" target=\"_blank\" rel=\"noopener nofollow\">inglorious end<\/a> of the technology. Digital activists decrypted a number of keys and published them for free use. 
Now one can watch DVDs anywhere, regardless of the region coded into the CSS.<\/p>\n<div id=\"attachment_10728\" style=\"width: 440px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06023553\/4e759eef8e.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-10728\" class=\"size-full wp-image-10728\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/12\/06023553\/4e759eef8e.jpg\" width=\"430\" height=\"378\"><\/a><p id=\"caption-attachment-10728\" class=\"wp-caption-text\">The decryption code for DVDs was even printed on T-shirts<\/p><\/div>\n<p>The moral behind all these stories is simple: a system based on the assumption that good guys have the necessary information and bad guys don\u2019t will fall \u2014 sooner or later. Once the bad guys get the keys, they can compromise the data of ordinary citizens in all ways imaginable, and their capabilities would fully match those of the police or the government.<\/p>\n<p>It\u2019s a highly undesirable outcome, because it\u2019s equally hard to replace all the luggage padlocks and the firmware on all the smartphones in the world. The damage the compromise of \u2018golden keys\u2019 would cause easily overshadows the benefits of \u2018golden keys\u2019 used by governments.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Modern #communications are encrypted so strongly that #governments cannot access it. Is it bad? 
#security<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FWz8m&amp;text=Modern+%23communications+are+encrypted+so+strongly+that+%23governments+cannot+access+it.+Is+it+bad%3F+%23security\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>There is also a chance that this \u2018golden key\u2019 idea is not that efficient at all: terrorists and criminals often use uncommon, niche encryption systems, thus successfully hiding from the officials. With that in mind, governments should create other ways to keep an eye on the criminals, more fruitful and less pervasive for the citizen.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>People encrypt their communications so strongly that governments cannot access it when there is a need. Is it really bad?<\/p>\n","protected":false},"author":32,"featured_media":10726,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1788,1789],"tags":[93,261,1331,899,607,1332,363,43,97,422],"class_list":{"0":"post-10725","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-privacy","9":"category-technology","10":"tag-cybercriminals","11":"tag-encryption","12":"tag-golden-key","13":"tag-hack","14":"tag-messengers","15":"tag-panacea","16":"tag-personal-data","17":"tag-privacy","18":"tag-security-2","19":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/golden-key-encryption\/10725\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/golden-key-encryption\/5208\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/golden-key-encryption\/6364\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/golden-key-encryption\/6439\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/bl
og\/golden-key-encryption\/7327\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/golden-key-encryption\/7019\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/golden-key-encryption\/9890\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/golden-key-encryption\/6539\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/golden-key-encryption\/9780\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/golden-key-encryption\/9890\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/golden-key-encryption\/10725\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/golden-key-encryption\/10725\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybercriminals\/","name":"cybercriminals"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10725"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10725\/revisions"}],"predecessor-version":[{"id":19292,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10725\/revisions\/19292"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/10726"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=10725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json
\/wp\/v2\/tags?post=10725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}