Why encryption backdoors are no worries for the enterprise

Although the governments of five countries, including the US, have recently served notice that they might become more aggressive about accessing encrypted information, enterprises have nothing to worry about. Individual consumers, however, may.

The recent Statement of Principles on Access to Evidence and Encryption from the governments of the Five Eyes countries notes that they have the right to obtain access to encrypted information through warrants and other legal means, and that they may more strongly assert this right in the future.

Here's a key excerpt from the statement:

Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

This has been widely criticized as being the first step toward governments requiring technology vendors to put backdoors in their products to support governments' requirements for eavesdropping. That might be true. If it is, what would be the effect of such backdoors on enterprise users of encryption?

Probably nothing at all. Here’s why.

How to Achieve Consistent Data Security Across Hybrid IT

Encryption as a double-edged sword

Encryption can protect either businesses or consumers from cyber-criminals. The way encryption is used to protect sensitive information is essentially the same in each, but the ways in which users' keys are managed are typically very different. In particular, key management that includes key recovery is critical for enterprises' use of encryption, while consumers almost always have a very negative view of it.

The use of encryption in the business world can cause regulatory and compliance issues if it is done carelessly; if you lose the key that was used to encrypt data, you also lose the data that was encrypted with it. Businesses are often required by law to maintain certain business records and to produce these records when requested by regulators or in court orders. Because of this, losing business information is something enterprises want to avoid.

Enterprises require key recovery 

To ensure that users can't lose data by losing an encryption key, enterprise software typically includes the ability to recover lost or unavailable cryptographic keys. For example, you might need to recover keys might after the loss of a critical employee.

If an organization's chief financial officer is unavailable for some reason (sometimes called the "CFO hit by a bus" scenario), for example, the organization will still need to get access to all the business information the CFO had. If the CFO used encryption to protect this information, you'll need to recover the key the CFO used.

More commonly, key recovery is needed when users forget a password that controls access to an encryption key. To avoid the loss of data that was encrypted with a lost or missing key, an authorized key recovery administrator will recover a securely archived copy of a key.

Thus, the capability to recover keys is required by enterprises. This is a feature that privacy advocates would probably call a "backdoor" in the software, but it's absolutely necessary for the business use of encryption.

On the other hand, if individual consumers want to accept the risks associated with careless key management, such as losing any data that they might have encrypted, there may be no regulatory or compliance pressures to keep them from doing this. If they want to accept the risk of losing the data on their personal laptop or phone because they lose the key used to encrypt the data, that is a risk that they are able to take.

The technology used to recover a key because a user forgets the password produces the same result as recovering a key because a law enforcement official compels it with a warrant. But while the users of business encryption need this capability, most individual citizens do not. In fact, many of them do not want this capability to exist at all and might be unwilling to use any commercial products that include it.

Key management: One size does not fit all

Because of this, the key management that supports the enterprise use of encryption is typically very different from the key management that supports consumer use of the technology. Key recovery is a necessary feature of enterprise software, and it is very difficult to sell products that do not include it.

But the same technology is seen as a very undesirable feature of consumer products, and it is probably close to impossible to sell consumer products that include it unless the capability is required by law.

From the point of view of consumers, the problem is that it is very difficult—perhaps even impossible—to tell the difference between them recovering their own key and someone else recovering that same key. It might be the consumer who gets it; it might be a government agent who gets it.

The result is the same: Someone gets a copy of the backed-up key; the only difference is exactly who gets the copy. Because of this, to avoid the possibility of a government agent being able to get access to their private data, consumers are willing to forgo the possibility of other forms of key recovery, even ones that might be useful to them.

So while the ability to recover keys is an essential feature of enterprise software, individual consumers might interpret that same capability as providing a way for their privacy to be violated by law enforcement officials.

And because many of them are worried about the possible loss of privacy that could occur when government agencies abuse any ability to use key recovery technology to decrypt sensitive information, many consumers would not want the same robust key management technology that enterprises rely on.

Backdoors rising

Backdoors in encryption technologies seem to be getting more popular with governments. These backdoors might one day reduce the security provided by consumer products because they provide a way to bypass encryption that wouldn't be there in their absence.

But enterprise encryption products already have a backdoor that's caused by their ability to do key recovery. And because these backdoors are already there, mandating them probably won't significantly affect enterprise encryption.

Topics: Security