You probably read the title of this post and wondered what Brennan did this time to piss me off. Truthfully he didn’t really piss me off this time. What he did was make a public statement that really requires being an idiot to make.
Everything old is new again. As before, the United States government is busy debating whether or not mandatory backdoors should be included in civilian encryption. Security experts have pointed out that this is a stupid idea. Crypto-anarchists have pointed out that such a law would be meaningless because the Internet has enabled global communications so finding foreign encryption algorithms that don’t include a United States backdoor would be trivial. Hoping to refute the crypto-anarchists, John Brennan made this statement:
Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.
“US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them,” Brennan said.
“So although you are right that there’s the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues.”
Theoretical ability? Let’s have a short discussion about the Advanced Encryption Standard (AES). AES is one of the most widely used encryption standards today. Most full disk encryption tools, many Transport Layer Security (TLS) connections, and a load of other security tools rely on AES. Hell, many devices even include hardware acceleration for AES because it’s so heavily used. AES came out of a competition held by the National Institute of Standards and Technology (NIST) to find a modern encryption standard. In the end an algorithm called Rijndael won. Rijndael was created by Joan Daemen and Vincent Rijmen. If those two names sound foreign it’s because they are. Joan and Vincent are Belgians. So one of the most common encryption algorithms in use today, an algorithm chosen by an agency of the United States government no less, was created by two foreigners. I’d say foreign encryption tools are a bit beyond theoretical at this point.
Adding insult to injury, let’s discuss Theo de Raadt. Theo, for those who don’t know, is the creator and lead developer of both OpenBSD and OpenSSH. OpenBSD is an operating system known for its security, and OpenSSH is probably the most common secure remote connection tool on the planet. Both of them are developed in Canada:
It’s perhaps easy to forget, but the cryptographic landscape was quite different in 1999. A lot has changed since then. Cryptographic software was available, but not always widespread, in part due to US export controls. International users either had to smuggle it out printed on dead trees, or reimplement everything, or settle for the 40 bit limited edition of their favorite software. Many operating systems originated in the US, so it was difficult to integrate cryptography top to bottom because there needed a way to build the export version without it. OpenBSD had the advantage of originating in Canada, without such concerns. The goto public key algorithm of choice, RSA, was encumbered by a patent for commercial use. The primary symmetric algorithm was still DES. You could use blowfish, of course, but it wasn’t officially blessed as a standard.
Again, the availability of foreign encryption tools is more than theoretical. I would think the director of the Central Intelligence Agency (CIA), which is supposedly tasked with spying on foreign countries, would be very aware of that. But the CIA has a long history of failure so it being unaware of very real encryption tools originating in foreign countries isn’t really that surprising.