It seems the field is pulling in both directions. Child-safety proponents reamed Facebook over its continued plans to fully encrypt Messenger. In the meantime, Australia has had a few years to fully flesh out its own backdoor plans—with some interesting two-year conclusions along the way. In the midst of all that, scientists and researchers see no slow-down in the mad rush to optimize encryption. Along those lines, something to (potentially) rival the capabilities of quantum computing was found literally in the wild, and in it may be the answer to truly cost-effective (and superior) random number generation. As capabilities expand, end-to-end encryption faces scrutiny for the same reason cryptographers love it the most—it may be becoming too good.
Encryption: now, with crystals
It’s hard to find a good random number these days. Luckily, nature has provided the answer in the seemingly nonsensical growth patterns of crystals. If quantum computing, true randomness and current decryption methods matter, this will, too.
In a study published recently in the journal Matter, researchers tested the process of crystallization against a “well-known algorithm.” Says Lee Cronin, director of the study and chemistry professor at the University of Glasgow, “We found our messages encoded with the genuinely random numbers took longer to crack than the algorithm, because our system could guess the algorithm and then just brute force it.”
Cronin and his colleagues had created a robot that would convert the crystallization minutiae (viewed through a webcam) into ones and zeroes. That randomness was superior to the algorithm, because there was no pattern to crack.
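Cronin’s point about guessing the algorithm, shown as an added Python toy that is not the Glasgow team’s code: the generator constants, the 16-bit seed space, the sample message and the use of OS entropy as a stand-in for the crystal-derived bits are all constructed here.

```python
"""Constructed toy: a keystream from a small-seeded algorithm can be recovered by
guessing the generator and searching its seeds; a keystream drawn from a physical
entropy source has no seed to search."""
from typing import Optional
import secrets

SEED_BITS = 16                 # deliberately tiny seed space: 2**16 candidates
M, A = 2**31 - 1, 48271        # Park-Miller LCG constants, used here only as a toy


def lcg_keystream(seed: int, n: int) -> bytes:
    """Derive n keystream bytes from a linear congruential generator."""
    state = seed % M or 1      # a zero state would get stuck, so nudge it to 1
    out = bytearray()
    for _ in range(n):
        state = (A * state) % M
        out.append(state & 0xFF)
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_plaintext(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Design check: given a few known plaintext bytes, try every seed in the
    space and return the full decryption if one seed reproduces the observed
    keystream prefix. Returns None when no seed in the space fits."""
    wanted = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)
    for seed in range(1, 2**SEED_BITS):
        if lcg_keystream(seed, len(known_prefix)) == wanted:
            return xor_bytes(lcg_keystream(seed, len(ciphertext)), ciphertext)
    return None


def physical_keystream(n: int) -> bytes:
    """Stand-in for the crystal-derived bits (assumption: OS entropy via secrets,
    since no crystallization hardware is available in a demo)."""
    return secrets.token_bytes(n)


def seed_candidates(key_bits: int) -> int:
    """Number of candidates a searcher must try for key material of key_bits bits."""
    return 2**key_bits


if __name__ == "__main__":
    msg = b"meet at the usual place at noon"       # constructed sample message
    weak_ct = xor_bytes(lcg_keystream(0xBEEF, len(msg)), msg)
    print(recover_plaintext(weak_ct, msg[:6]))      # whole 16-bit seed space searched quickly
    strong_ct = xor_bytes(physical_keystream(len(msg)), msg)
    # no generator to guess: every one of 2**(8*len(msg)) keystreams is equally likely
    print(seed_candidates(SEED_BITS), seed_candidates(8 * len(msg)))
```

The algorithmic case falls to a seed search because the searcher knows the generator; the physical case offers no generator to guess, which is the property Cronin’s team measured.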
For many, this may call to mind the (semi-synthetic-yet-still-wild) process of Cloudflare and their wall of 100 lava lamps. Don’t knock it—that psychedelic display encrypts about 10% of the internet.
Going back to the crystals, they’re more than just an organic alternative to a true random number generator. The possibilities multiply when you factor in chemical reactions that could introduce even more randomness.
In addition to being all-natural, they’re also green. Cronin says because of the elastic nature of crystallization, the process is reusable as it can be “boiled down” and reset after use. Then the phenomenon starts all over again as the molecules organize their way back to solid form.
It’s hard to brute-force nature, and the secrets of exploring the “chemical space” are only beginning to show their value. This chemistry-based approach found by Cronin and his team could be a shortcut to what was once the goal and purview of quantum computers—achieving the Valhalla of true randomness. Considering the complexities and cost of owning your own quantum computer, this could possibly give others (outside of Google, IBM and nation states) a fighting chance.
Are crystals the future of encryption and quantum computing? Not sure. But what’s interesting is that nature has again offered up elegant answers to our most complex questions in cryptography. And it looks like we're closer to taking them.
How the backdoor laws are panning out in Australia
When laws mandating encryption backdoors for businesses operating in Australia rolled out in 2018, they were met with, let’s just say, mixed feelings. For the next few years, countries waited to see how their own cryptographic fates would be decided. We’re still waiting. But while we do, why don’t we check on how the Australian laws are panning out?
What was promised:
According to the Act, three kinds of request can be made to combat “the challenges posed by ubiquitous encryption”:
- Technical Assistance Notices (TAN) - “designated communication providers” are compelled to intercept communications.
- Technical Capability Notices (TCN) - “designated communication providers” are compelled to build the methods that would allow them to intercept communications, as in a TAN above.
- Technical Assistance Requests (TAR) - “voluntary” requests for information. In the first pass of the laws, these didn’t require as much oversight as the two notice types above.
The Act also sets limits on what a notice may demand:
- A notice must not ask a provider to “implement or build a systemic weakness, or systemic vulnerability” into the electronic communication.
- A notice must not prevent a provider from “rectifying a systemic weakness, or systemic vulnerability” in the electronic communication.
The Act defines those two terms as follows:
- Systemic vulnerability – affects a whole class of technology.
- Systemic weakness – includes a whole class of technology, but excludes specific individual targets.
If those two limits were cryptographically attainable, which many industry experts dispute, the law would seem fine. What might have been left on the debate room floor is the unsettling answer to that question.
What is being delivered:
- Most interception warrants (TANs) do not require approval by judges, only members of the Administrative Appeals Tribunal (AAT)
- Sometimes, the decision can be made in minutes
- “Reasonable” notice is determined by the body issuing the warrant, not third-party oversight
Most notices requesting information are not made available to the public.
What would be interesting to make available to the public, however, are the positive statistics showing the benefits backdoors have provided. They were pushed through in Australia on the grounds that they would catch more criminals, spoil more drug rings and expose more terrorist plots. Two years in, and we might want to see the fruits of our labors.
If ever there were a time that Five Eyes needed empirical proof to back up their ongoing claims of backdoor necessity, it is now.
Child-welfare activists speak out against Facebook encryption
It’s a tough call. No one wants to see child exploitation take a stronger foothold in ubiquitous apps like Facebook Messenger. However, since Messenger already has a “secret” conversation option, who will really be impacted by encrypting the rest of the app?
Proponents of child welfare argue that the E2EE capabilities of a fully encrypted backend, as promised by Facebook (unifying WhatsApp, Instagram and Messenger), would only make it easier for child abusers to sneak around in the dark.
WhatsApp, the encrypted platform, currently “bans more than 250,000 users every month for posting imagery of exploited children.” Facebook has also floated other ways of protecting children online within a fully encrypted environment. One is matching user profile photos against the faces of known predators; another is relying on the chain of information that comes from user reports.
This might be a little-known fact, but Messenger already has a fully encrypted option, “Secret Conversations.” You can fully encrypt a message thread between you and another party, and it even gives you the option to delete messages after a set time. And it’s available now; it has been since 2016.
It seems that were I an enterprising exploiter, I may already have investigated this option. I may already be using it. So who is Facebook really endangering by not encrypting Messenger?
If Facebook leaves the rest of its pedestrian traffic unencrypted to the outside world, is it exposing pedophiles or leaving the rest of its users vulnerable? Is it making it easier for law enforcement to catch criminals, or for criminals to catch children? Online exploitation is not the only form of abuse—by breaching systems, platforms and insecure networks, child sex traffickers can find the whereabouts of minors whose messages and locations are exposed to moderately skilled hackers.
Like we’ve said before, it cuts both ways.