The US government is struggling just like the private sector with record security breaches in all major branches of the US government. How could US corporations place all of their investment eggs in one basket, hoping nothing bad would ever happen with the decryption passcode being lost or misplaced by a US government agency? Why would US corporations want to expose themselves to the rest of the world with hackers always trying to break into their products?
Having a "backdoor" in US-based encrypted products would allow technology-savvy terrorist organizations to continuously attack a product that could expose the data of thousands of US companies and create massive security breaches on an exponential scale. This could hurt the overall US economy.
Let's say the US government gets its way and mandates "backdoors" for every encryption technology product made in the USA. What if the US government agency lost or misplaced the decryption passcode? This could destroy a US corporation if the "backdoor" decryption passcode was lost.
Is the US government going to be responsible and accountable for the major financial losses and the workers that get laid off? What is the US government going to do for the company they just financially destroyed and the fallout for the impacted companies that just had their sensitive data exposed? Is there immunity or a safe harbor for all the impacted US companies?
A compromise may be in order. As an Air Force veteran, we all want to fight terrorism on a domestic and global level. We will have situations where the US government will need to solve terrorist attacks within the USA and abroad. Just saying "no" to assisting our US government in preventing and solving terrorism is not a solution. While the idea of having a "backdoor" and having a master key has been discussed by many, this solution can cause severe economic harm to a company, as it is not a practical solution. This is the solution I propose, using mobile devices as an example:
1. Modify existing algorithms (AES256 or Triple DES) to create a random key for each unique mobile device, whereby a separate encryption key is installed only on one device. No more master encryption key for every device which can expose every device.
2. The encryption key that is stored on a device can be easily read. For instance, the encryption key can be the device serial number imprinted on the device and displayed by default on the main PIN entry screen.
3. For Part 1 of the decryption method: the device serial number can be reverse engineered with a special algorithm (held by the device manufacturer, e.g. Apple) to determine the device encryption key. Once the encryption key is determined, the encryption key value will need to go through a second algorithm to determine the first half of the encryption key, which can only partially unlock one device. The second part of the encryption key will need to be decrypted by the US government, and the entire process requires two independent parties to complete. The manufacturer is in full control of the decryption process.
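Steps 1 to 3 expressed in code, as an added example that is not part of the original article: HMAC-SHA256 under a manufacturer-held secret stands in for the "special algorithm", and a 2-of-2 XOR split stands in for the two key halves, since handing out a literal half of a key reveals half of its bits. The function names, the sample serial numbers and the choice of both primitives are assumptions.

```python
import hashlib
import hmac
import secrets


def derive_device_key(manufacturer_secret: bytes, serial: str) -> bytes:
    """Step 1 and 3: a distinct 256-bit key per device.

    The serial is public (step 2), so the key's secrecy rests entirely
    on manufacturer_secret. HMAC-SHA256 is an assumed choice here.
    """
    return hmac.new(manufacturer_secret, serial.encode("utf-8"),
                    hashlib.sha256).digest()


def split_key(device_key: bytes):
    """Split a key into two shares (assumed XOR scheme).

    share_a is uniformly random and share_b = key XOR share_a, so either
    share on its own is statistically independent of the key.
    """
    share_a = secrets.token_bytes(len(device_key))
    share_b = bytes(k ^ a for k, a in zip(device_key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the device key; requires both parties' shares."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    # Constructed sample values, not real secrets or serial numbers.
    secret = secrets.token_bytes(32)
    key_1 = derive_device_key(secret, "SN-EXAMPLE-0001")
    key_2 = derive_device_key(secret, "SN-EXAMPLE-0002")
    print("per-device keys differ:", key_1 != key_2)

    manufacturer_share, government_share = split_key(key_1)
    print("one share equals key:", manufacturer_share == key_1)
    recovered = combine_shares(manufacturer_share, government_share)
    print("both shares recover key:", recovered == key_1)
```

Because the key is derived from the public serial number, whoever holds the manufacturer secret can recompute the whole key without any share. The split only constrains a party that holds a share but not that secret.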