I don’t think “backdoor” is a particularly good metaphor for the sort of security vulnerability that many organizations want to see introduced into purportedly secure software. The backdoor in my house is a convenient way for me to access my backyard. I have the key to it and I can make it as secure as my front door. A software backdoor can be compared to a traditional backdoor only if we assume the key is left under a plant pot next to the door with the understanding that only “authorized” individuals will use it.
The argument for inserting backdoors — basically “secret” security vulnerabilities — might seem compelling at first. The organizations that want the backdoors are tasked with protecting the public, and they need information to do their job. If that information is locked up tight by secure encryption, they’re deprived of a vital resource. That argument itself has flaws, but I want to concentrate on the technical issue — is it even possible to create a backdoor that only lets authorized individuals in?
Theoretically, it might seem so. We create secure front doors — authentication systems that only allow authorized users access to their data. Why can developers not implement a similar system that only allows valid organizations access via the backdoor? That point can be argued on its own: “secure” systems are breached all the time by motivated online criminals. But a recent paper from a group of elite security experts asks a series of pointed questions about the implementation of secure backdoors that go beyond the software engineering difficulties of building secure systems.
“Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws.”
The paper itself is well worth a look, but the upshot is that the concept of a secure backdoor is so riddled with technical and implementation problems that even if it were a desirable strategy, it wouldn’t be tenable. The obvious objection is that once a backdoor exists and is known to exist, online criminals would focus their resources on discovering and exploiting it. If systems are deliberately engineered to contain a route past security, they would have to be built so as to make that possible rather than being secure by design. It would be impossible to architect truly secure systems because all systems would have to be designed from the ground up to allow access to plaintext data by “authorized individuals”.
The task would no longer be to build inherently secure systems, but to build inherently insecure systems that only allow the right people to exploit that insecurity.
Imagine a backdoor inserted into a chat application used by millions of people. The backdoor is protected by the best in authentication technology and public key cryptography. We can rule out any hope of the existence of that backdoor being kept secret. Criminals will discover its existence and try to find a way to exploit it. Even in the extremely unlikely event that binary analysis doesn’t uncover vulnerabilities in the implementation, hundreds of thousands of intelligence and law enforcement officials would have access to the backdoor. The likelihood of access credentials being leaked is high, and when they are, criminals have a backdoor into millions of people’s private conversations.
Developers have enough trouble creating secure systems in the first place. Most are flawed and the flaws only become apparent after months or years in the wild. Deliberately introducing vulnerabilities and expecting only the “right” people to ever have access via those vulnerabilities is not a valid security approach. It is likely to seriously damage the online economy and those who build businesses that rely on encryption and data privacy, including eCommerce merchants, banks, dating sites, chat applications, non-profit organizations, and just about any other online endeavor you can think of. And, of course, the real criminals will simply use software that doesn’t contain the backdoor.