The number of devices connected to the Internet recently exceeded the world population and continues to grow steadily. In addition, a huge number of devices communicate with each other over computer networks without having access to the Internet. Let's see how this huge pile of machines recognize each other, ensure the safety of communication and ultimately impact privacy.
Nicknames, avatars or passwords? No, those are mechanisms for people trying to adapt to the new digital reality. Machines are born digital and have innate means for this purpose: machine identities. The basis they use to establish their identities is public-key cryptography.
Here’s how it works: a program generates a pair of keys that have a fundamental property: if something is encrypted with one key, it can be decrypted only by the other, and vice versa. One of these keys is called the public key and the other is called the private key. Public keys are passed on to anyone, and private keys are kept secret. Such a system makes it possible to ensure the integrity and confidentiality of the transmitted information, as well as to be sure that a message was sent by the owner of the private key.
But when this consistent mathematical model collides with our imperfect world, many questions arise. How do you know that the owner of a private key is who they claim to be? How do you protect a private key from compromise? How can public keys be exchanged securely?
One solution is the use of Public Key Infrastructure (PKI), which is based on the following principles:
- The private key is known only to its owner.
- A certificate authority (CA) creates an electronic document, a digital certificate, attesting that the private key is known exclusively to the owner of the certificate; the public key is distributed freely in the certificate.
- Nobody trusts each other, but everyone trusts the CA.
- The CA confirms or refutes that the public key belongs to the given entity that owns the corresponding private key.
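The principles above in miniature, as an added example that is not part of the original article: a textbook-RSA sketch (no padding, constructed demo primes, unsuitable for real use) in which a CA binds a name to a public key, and a verifier that trusts only the CA rejects a swapped key, a self-signed certificate and an impostor's proof of possession. All function names, `server.example` and the keys are assumptions made for illustration.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA (no padding): (public, private) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def apply_key(key, value):
    """Transform with one key of a pair; only the other key undoes it."""
    n, exponent = key
    return pow(value, exponent, n)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(private, data):
    return apply_key(private, digest(data, private[0]))
def verify(public, data, signature):
    return apply_key(public, signature) == digest(data, public[0])
def to_be_signed(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, subject, public):
    """The CA binds a name to a public key by signing both together."""
    return {"subject": subject, "public_key": public,
            "signature": sign(ca_private, to_be_signed(subject, public))}

def verify_certificate(ca_public, cert):
    tbs = to_be_signed(cert["subject"], cert["public_key"])
    return verify(ca_public, tbs, cert["signature"])

# Constructed demo keys built from known Mersenne primes; illustration only.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
EVE_PUB, EVE_PRIV = make_keypair(2**107 - 1, 2**61 - 1)  # impostor's own pair

def demo():
    cert = issue_certificate(CA_PRIV, "server.example", SRV_PUB)
    swapped = dict(cert, public_key=EVE_PUB)  # key replaced, CA signature kept
    self_signed = issue_certificate(EVE_PRIV, "server.example", EVE_PUB)
    nonce = b"constructed-challenge"  # verifier's challenge to prove possession
    return {
        "roundtrip": apply_key(SRV_PRIV, apply_key(SRV_PUB, 0xC0FFEE)) == 0xC0FFEE,
        "genuine": verify_certificate(CA_PUB, cert),
        "swapped_key": verify_certificate(CA_PUB, swapped),
        "self_signed": verify_certificate(CA_PUB, self_signed),
        "possession": verify(SRV_PUB, nonce, sign(SRV_PRIV, nonce)),
        "impostor": verify(SRV_PUB, nonce, sign(EVE_PRIV, nonce)),
    }

if __name__ == "__main__":
    print(demo())
```

Only the certificate issued by the trusted CA verifies, and only the holder of the matching private key can answer the challenge; production systems use X.509 certificates and padded signature schemes from a vetted library instead.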
The issues of machine identity management and protection are more relevant now than ever. For example, most recently it became known that the government will require Facebook to provide access to voice messages in its messenger application. Of course, the company does not want to disclose the data of its users (for free). Therefore, Facebook claims it is unable to provide such access because encryption keys are generated on users' devices and cannot be obtained by the social network. However, a report by Philipp Hancke from 3 years ago says that the SDES protocol used by Facebook implies the transfer of the session keys used to protect voice calls to the company's servers. If the situation has not changed over the years, Facebook will find it much more difficult to defend the privacy of its users.
Other countries, where privacy issues are less acute, have gone even further. One example is the so-called "Yarovaya law" in Russia, which recently came into force. The law obliges all providers to store all transmitted data for six months, and requires companies such as Facebook to give law enforcement authorities the keys to access the encrypted data of all their users. In April of this year, Russian providers began blocking the Telegram messenger for refusing to provide such machine identities.
Meanwhile, the European Court of Human Rights has ruled that GCHQ’s methods for bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards. Many government requirements to change the mechanisms for managing machine identities, designed to simplify law enforcement access to the correspondence of citizens, do not in fact eliminate the threats at which they are aimed, but create new ones.
The very knowledge that keys exist which can decrypt any user's correspondence creates a new attack vector. If successful, such an attack will allow an adversary to compromise the security of all participants, including those who were not specifically targeted.
Issues of jurisdiction also matter: not all countries support these requirements. Malicious actors can use the jurisdiction of countries that do not support requirements to implement backdoors in cryptography in order to gain unauthorized access while bypassing strong cryptography. It could also open an opportunity for non-regulated market participants to create products and services that may appear to customers to be more trustworthy than warranted.
Moreover, law enforcement agencies have a range of other investigative tools to ensure access to systems and data when warranted. Techniques include legal mechanisms for accessing data stored in plaintext on corporate servers, targeted exploits on individual machines, forensic analysis of suspected computers, and compelling suspects to reveal keys or passwords.
The demands that governments around the world make on the management of machine identities are (ironically) nothing more than an attack on human rights. And technology companies are on the first line of defense. We now face the issue of choosing the direction of electronic communications, which have become a key factor in the development of mankind. If today we do not pay enough attention to managing machine identities and do not show steadfastness in our struggle for the rights and freedoms of our users, tomorrow we can lose our users, developers and the entire business.