Encryption: why Apple is right to resist

by bold-lichterman

In a precedent-setting move, the American firm published a letter on its website, addressed to its users, in which it made public a message it had received from the FBI asking it to set up a backdoor allowing the US intelligence agency to bypass the encryption mechanisms and thus gain access to the data.

This affair brings to the fore the perennial controversy of encryption versus the fight against terrorism. Indeed, government institutions constantly advance the “fight against terrorism” argument to justify their requests to businesses. This case also reveals what I call the clash of digital sovereignties. But before detailing all of this, let’s look at what is meant by a backdoor, in order to fully understand the stakes of this case.

Backdoors, a false good idea

A backdoor is a deliberate vulnerability allowing access to a system without its user’s knowledge. It can take several forms, depending strongly on the type of system targeted: for example, a login/password pair hard-coded in the BIOS (Basic Input/Output System), or a component allowing a telecommunications operator to access the affected machine remotely and perform all kinds of operations.

In the case of asymmetric encryption, the user often has a set of keys that is at the heart of the mechanism enabling their data and/or communications to be encrypted, as explained on Wikipedia.

First step: Alice generates two keys: the public key (green), which she sends to Bob, and the private key (red), which she keeps safely without divulging it to anyone.

Second and third steps: Bob encrypts the message with Alice’s public key and sends the ciphertext. Alice decrypts the message using her private key. A backdoor could, for example, give access to these keys and consequently to unencrypted data, or even allow communications to be decrypted.

The danger with this technique is that it can be used by anyone who succeeds in discovering its existence. While not everyone has the skills to do so, cybercriminals or enemy governments may be able to detect this type of flaw and thus exploit it. Worse, terrorists, who increasingly count cybercriminals among their members, could exploit these loopholes.

In a long article, John McAfee, the controversial CEO of the company publishing the McAfee antivirus, offers his services and those of his hackers to decrypt iPhone communications for free and on demand, so that Apple will not have to implement a backdoor on its devices, which would be, according to John McAfee, “the beginning of the end of the United States of America”.

Other big players like Google or the Electronic Frontier Foundation have supported Apple.

In the case at hand, and according to this article, the FBI is asking Apple to disable three options:

  • A first option that allows you to delete the content of the iPhone if the user has entered the wrong password ten times.

  • A second option that requires the passcode to be entered by hand via the touch screen.

  • A third that creates a waiting time between failed attempts to enter a password.

Without these three options, the FBI would be able to mount brute-force attacks to find the targeted user’s passcode.

Why, then, would Apple refuse such a request? It is difficult to answer on Apple’s behalf, but there is a good chance that the company is afraid of taking a risk that would have a definite impact on its share price the day this matter became known.
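To make the effect of those three options concrete, the following Python model (an added example, not from the original article or from Apple) compares the worst case for exhausting a numeric passcode with the protections on and off. The delay schedule and per-guess timings are constructed assumptions; only the ten-attempt wipe comes from the article.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MANUAL_SECONDS = 5.0       # assumption: a person typing one guess on the screen
ELECTRONIC_SECONDS = 0.1   # assumption: one guess submitted by a machine

@dataclass
class Policy:
    wipe_after: Optional[int] = 10   # erase the device after this many wrong passcodes
    manual_entry: bool = True        # passcode must be typed on the touch screen
    # Constructed schedule: failures so far -> forced wait (s) before the next try
    delays: Dict[int, int] = field(
        default_factory=lambda: {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600})

def delay_after(policy: Policy, failures: int) -> int:
    """Forced wait after `failures` wrong guesses (highest threshold reached)."""
    reached = [t for t in policy.delays if t <= failures]
    return policy.delays[max(reached)] if reached else 0

def worst_case(policy: Policy, digits: int) -> Tuple[int, float, float]:
    """Return (guesses allowed, share of keyspace covered, seconds spent)."""
    keyspace = 10 ** digits
    allowed = keyspace if policy.wipe_after is None else min(keyspace, policy.wipe_after)
    per_try = MANUAL_SECONDS if policy.manual_entry else ELECTRONIC_SECONDS
    seconds = allowed * per_try
    # Every guess but the last is followed by the wait its failure count triggers.
    seconds += sum(delay_after(policy, n) for n in range(1, allowed))
    return allowed, allowed / keyspace, seconds

PROTECTED = Policy()                                             # all three options on
STRIPPED = Policy(wipe_after=None, manual_entry=False, delays={})  # all three off

if __name__ == "__main__":
    for name, policy in (("all three options on", PROTECTED),
                         ("all three options off", STRIPPED)):
        for digits in (4, 6):
            allowed, share, seconds = worst_case(policy, digits)
            print(f"{name}, {digits}-digit passcode: {allowed} guesses, "
                  f"{share:.4%} of keyspace, {seconds / 3600:.2f} h")
```

With the options on, the wipe limit caps the search at ten guesses regardless of passcode length; with them off, the whole keyspace is reachable and only passcode length stands in the way.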

The ghost of the Juniper affair and many others …

Everyone should remember the Juniper case. Juniper Networks is an American company specializing in telecommunications equipment which announced the discovery of two major flaws affecting both equipment used by companies around the world and equipment used by institutions.

However, these two flaws are the result of a “backdoor” in the ScreenOS operating system installed on the affected equipment. These flaws make it possible to decrypt communications and decrypt VPN traffic. We have to understand the scale of such a case: it concerns a company whose network and security solutions equip businesses and institutions around the world.

The Juniper case is just one example among many. How can we not draw the parallel with the case that concerns us in this article, and how can we continue to believe that backdoors will be used against terrorism? And even supposing that these backdoors are used against terrorism, how can we not be worried by the danger of introducing such flaws into systems that will later be used on a massive scale?

Fight against terrorism or economic war?

At the risk of repeating ourselves, there is indeed a before and an after Snowden. In the aftermath of Snowden, anyone who has taken care to read the various leaked documents now knows that the United States of America uses its capabilities primarily for espionage that has more to do with economic warfare than with any fight against terrorism.

In addition to the arguments put forward above, it is important to analyze the fight-against-terrorism argument in the light of a field study, in particular when we compare the number of victims of firearms with the number of victims of terrorist acts in the United States of America:

[Graphic: US gun and terrorism deaths]

However we look at the problem, this only confirms the phase of clashing digital sovereignties that our societies have entered.

The Clash of Digital Sovereignties

Beyond the technical questions, the case that concerns us in this article reflects the fact that “digital sovereignties” are now entering a phase of conflict. It is interesting to examine this curious meeting of the two terms “sovereignty” and “digital”.

On the one hand, sovereignty “designates the exclusive right to exercise political authority (legislative, judicial and / or executive) over a geographical area or a group of peoples living in community.” It is a medieval concept that was born with that of the State, but which moves further away from it every day. Moreover, sovereignty is synonymous neither with democracy nor with the “rule of law”: a dictatorship can be perfectly sovereign.

On the other hand, “digital” refers to the “digitization” of common spaces and exchanges. But what interests us here goes far beyond “digital”. In fact, sovereignty must be paired with another notion that covers a perimeter, a “geography”. In this respect cybernetics seems more suitable, in that it takes in the exchanges between humans and machines.

To clearly define the meeting of the two terms, I therefore propose the following definition, which is open to improvement: “The exclusive capacity of an individual or a group of individuals to exercise the necessary authority over a given perimeter of cyberspace in order to control its components, the flow of data produced and consumed, as well as all the players taking part in it”.

In the light of this definition, the digital sovereignty of a State is not necessarily compatible with that of a company, or even with that of citizens. We can even go further by asserting that “digital sovereignty” will henceforth constitute a decisive competitive advantage for a company.

In the same vein, the latest case pitting Facebook against a Parisian teacher confirms this trend. Indeed, on Friday, February 19, 2016, the Paris Court of Appeal confirmed the competence of the French judge to judge Facebook in the case involving the Courbet painting.

As each of the different social actors seeks to control its digital destiny, new areas of tension are emerging. It is in this context that we must decipher this affair, and the shock wave has only just begun.

Yassir Kazar is a “serial entrepreneur” and Certified Lead Auditor ISO/IEC 27001. He regularly speaks at conferences and/or workshops on topics related to cyber security. He taught business intelligence in the Master II MIAGE programme at Paris V. Yassir is the co-founder and CEO of the start-up Yogosha, a bug bounty platform.