The inclusion of backdoors in encryption tools would introduce new technological risks to IT infrastructure and might turn systems designed for law enforcement into vulnerabilities, a recent paper from the European Union Agency for Network and Information Security (ENISA) states.
The report suggests that such backdoors would create risks that outweigh the benefits, as cybercriminals or nation-state attackers could use them to their advantage.
The paper comes in response to the recent debate on the use of strong encryption in communications, which hinders law enforcement agencies when conducting their investigations. The debate sharpened following a series of deadly terrorist attacks, such as those in Paris in November, but some governments still oppose the idea of encryption backdoors.
In July 2015, computer code experts at the Massachusetts Institute of Technology published a report suggesting that special access to encrypted communication would result in criminals and nation-states attacking individuals. A more recent study also revealed that mandatory backdoors would be ineffective, given the international nature of the encryption marketplace.
ENISA’s new paper reiterates that encryption backdoors are more likely to put individuals and organizations at risk than to help protect them. It also states that strong and trustworthy cryptographic tools represent a cornerstone of a society and economy that is increasingly dependent on electronic services.
Although protected communication can be seen as a threat from a certain perspective, the lack of trust in digital services should be taken into consideration as well, since it is an inhibiting factor for the digital market, ENISA says. While some voices suggest that the use of cryptographic tools should be regulated, ENISA suggests that this would pose multiple difficulties from a technical perspective.
Backdoors, including key recovery and escrow, are theoretically possible, but they would require a fundamental change of the current communication infrastructure, the Agency says. However, since the resulting infrastructure would be more complex, it would potentially be more vulnerable to attacks and would create an undesirable economic impact.
“In addition future advances in cryptology and computing power might turn any mechanism that is specifically designed for law enforcement in a vulnerability that can be explored by criminal and terroristic organizations. Lastly, it is likely that restricting the use of cryptography in commercial products, will damage the EU based IT industries,” the paper reads.
The paper also suggests that individuals would be able to bypass the implemented systems and that this would go unnoticed by law enforcement, making the mechanisms completely ineffective. It also notes that policy makers should refrain from limiting in any way security features or the export of security features in computer software, and should lift any existing limitations on security features.