Saturday, March 5, 2016

Why 'Expert Hackers' Can't Write the Code

In a recent letter to the Financial Times, associate professor of the University of Hong Kong John Ure asked why if Apple could theoretically write code to bypass the iPhone message encryption service for the FBI why the expert hackers Apple warns of couldn’t do so as well. This speaks to a fundamental misunderstanding of how end-to-end encryption works.

This misunderstanding is completely understandable. Admittedly, before switching to Whisper (an open-source encryption service put out by the makers of Twitter) and doing some research, I probably would have had the same misunderstanding. While the actual workings of encryption itself are fairly complex, I think I can make them understandable by means of an analogy.

Imagine that there exists a mail delivery service where everyone in the service has a mail locker with a unique key. When you want to send something to a friend, you send put it in a slot in your locker that then transmits that parcel to your friend’s locker. While this is a rudimentary system of encryption, this is not how Apple’s (and Whisper’s) encryption system works. In such a paradigm, all the parcels that any user sends or receives would be vulnerable to anyone who had access to that locker and would be no different than simply having a password on your phone with no encryption service installed.

End-to-end encryption is a little more complicated. Add to the previous paradigm a system whereby inside of your locker, each of your friends’ mail slots needs to further be opened by another unique key that is in your possession. Thus to send and receive parcels for and from that particular friend, you need both the key to your locker as well as the key to their individual mail slot. In order to subvert this mail delivery system, one must possess not only a copy of your key, but also the key to each individual friend with whom your are sending and receiving parcels.

As you might imagine, this system would make the FBI very unhappy because they would need to gain access to your locker and the mail slot of everyone you know. What the FBI is asking Apple to do is to create a master key such that all lockers and all the mail slots inside those lockers be openable with a master key. Thus, whereas in the end-to-end encryption paradigm, Apple or the FBI or an expert hacker would need to pick an endless number of locks to get access to all the parcels you received or sent, the backdoor the FBI proposes would create a key that could open any mail slot in any locker.

As it stands now, such a master key does not and cannot exist. To make a master key would mean that anyone who could make a copy of this master key could access any parcel sent to any user within the system. This creation of a master key (or a backdoor in the parlance of the FBI) would fundamentally alter the encryption system such that it would no longer be the same system - to torture the metaphor some more, all the locks on all the lockers and mail slots would need to be replaced with one compatible with a master key. This doesn’t represent a hack on the program, but a fundamental alteration of it which would need to be installed on every user’s phone - something that a hacker is not capable of (or the FBI would have probably already done it).

Rather than a system whereby anyone trying to gain access to encrypted messages would need to hack you and your friend’s keys (they’re actually called keys by encryption programs) one by one, all they would need to do is make a copy of the master key, and they could gain access to everything sent in the system. In other words, it would defeat the purpose of using the system at all, rendering the current iPhone encryption system as merely an overly complicated way of sending messages as if there were no encryption at all.

1 comment:

  1. Thanks for the great explanation, I'll borrow the postbox analogy next time I try to explain en-to-end encryption to somebody.