ENISA explains why encryption backdoors are a dumb idea

Feb 16, 2016 11:00 GMT  ·  By

The European Network and Information Security Agency (ENISA) has released a paper debunking the myth that encryption backdoors are the best way to safeguard against terrorist activities.

For some years now, government agencies have been asking regulators to write and pass laws that allow them to request companies to provide decryption keys for encrypted data, or even force firms to include a backdoor that they can easily access whenever needed.

This push has intensified tenfold after last year's Paris terror attacks, even if there was no evidence that the terrorists plotted and carried out the attack via encrypted communications.

With fearmongering at its all-time high in Europe, and with governments giving encryption backdoors a long hard look, the EU's IT security experts from ENISA are now trying to tell everybody to calm down.

ENISA is not supporting encryption backdoors

In their paper released this past Friday, ENISA is providing a simple-worded explanation for why encryption backdoors can be the worst idea EU regulators might be willing to formulate into continent-wide legislation.

ENISA agreed that having encryption backdoors might help law enforcement in their investigations, but having encryption key recovery and escrow systems has its disadvantages.

First of all, it will be expensive to implement across all agencies, a cost some countries might not be willing to make if they knew they also introduced vulnerabilities in their state's security.

ENISA explains that key recovery and escrow systems come with their own set of vulnerabilities, besides the ones from the encryption protocol.

Attackers would also benefit from encryption backdoors

Law enforcement pushing for encryption backdoors are doing nothing more than to enhance the attack surface on encrypted communications by providing more weaknesses for attackers to target.

"Key escrow and recovery is theoretically possible, but it would need a fundamental change of our communication infrastructure and joint development efforts of many experts," ENISA concluded. "The resulting infrastructure would be more complex, making it potentially more vulnerable to attacks and less resilient to failures. The economic impact might be undesirable."

Further, ENISA explains that a compromised key escrow system is impossible to detect. If an attacker is using the same encryption backdoor as law enforcement agencies do, nobody would ever be able to tell.

Banning encryption altogether is even a dumber idea, ENISA says, since it's technically impossible to implement.