Skip to content

A compromise to security is always just that.

Last month the Australian government suggested they might require tech companies to provide back doors into their systems to help law enforcement use those back doors to catch bad guys. Apple immediately dispatched people to go talk with them about it. Apple’s stance has been that such back doors don’t help catch bad guys and just make the rest of us less secure. Is that really true?

Systems like Apple’s iMessage (their text messaging service) use encryption ensuring that all messages sent between Apple devices via iMessage are encrypted with keys that Apple does not have. They keys are on your device. Law enforcement agencies want Apple and others to provide a means of decrypting those messages without having to obtain the device itself. The problem is that if the government and Apple can get in, others will inevitably find a way to exploit that same back door too, making us and our data less safe and secure.

What some governments have failed to understand is that the bad guys can bypass any back door by using their own encryption. The smart bad guys probably assume that these back doors exist now (or at least aren’t taking any chances) and are already using their own encryption for their communications. How hard is it to write software to encrypt and decrypt messages? Do bad guys have access to programmers smart enough to do this? Yes, they almost certainly do.

Let’s take a look at what is involved in using¬†Xojo to write an app that encrypts and decrypts messages. First, two keys need to be generated, a public key and a private one. The public key allows anyone to encrypt a message that only the holder of the matching private key can decrypt. Public keys can only encrypt. They are no good for decrypting messages. This means you can give anyone your public key which they can then use to send encrypted messages to you that no one else but you can decrypt.

Dim privateKey As String
Dim publicKey As String
If Crypto.RSAGenerateKeyPair(KeySize, privateKey, publicKey) Then
 PrivKey.Text = privateKey
 PubKey.Text = publickey
 SaveNewKeys(privateKey, publicKey)
Else
 Beep
 MsgBox "An error has occured. Keys could not be generated."
End If

This is just 10 lines of code and it could be further reduced. I wrote this to make it easier to read. The important function is RSAGenerateKeyPair on the third line. Next, you need to be able to encrypt a message using someone else’s public key. Let’s take a look at the code to do that:

Dim publicKey As String = RecipientsPublicKey.Text
Dim msg As MemoryBlock = OriginalMessage.Text
try
 Dim encryptedData As MemoryBlock = Crypto.RSAEncrypt(msg, publicKey)
 beep
 If encryptedData = Nil Then
  MsgBox("Encryption failed.")
 else
  Dim c As New Clipboard
  c.Text = Encodebase64(encryptedData)
  c.close
  MsgBox("Your encrypted message has been copied to the clipboard.")
 End If
Catch rte As RuntimeException
 If rte IsA CryptoException Then
  Beep
  MsgBox "Encryption failed because the Public key provided is not valid."
 Else
  Raise rte
 End If
End Try

This is 21 lines of code, most of which is handling errors. The one line that is really doing the work is the fourth one that contains RSAEncrypt. Next we need to be be able to decrypt. Here’s what that code looks like:

Dim privateKey As String = privKey.Text
try
 Dim decryptedData As MemoryBlock = Crypto.RSADecrypt(DecodeBase64(EncryptedMessage.Text), privateKey)
 Decryptedmessage.Text = DefineEncoding(decryptedData.StringValue(0, decryptedData.size), Encodings.UTF8)
Catch rte As RuntimeException
 If rte IsA CryptoException Then
 Beep
 MsgBox "The message could not be decrypted because the incorrect key was provided."
 Else
 Raise rte
 End If
End Try

This is 12 lines of code and like the other code examples, is mostly error checking. The important line is the third one that calls RSADecrypt. There is some additional code to save the keys to a text file and load them back in automatically when the app is launched. However, even adding in all that code gets you to only about 80 lines total. In other words, this is not a big app and not beyond the ability of someone with intermediate programming skills or even perhaps a very dedicated novice. (To learn about this in more depth, read Using Public/Private Key Encryption in Xojo).

If you’d like to try out encrypting messages with the app from which the code above originated, you can download CryptoMessage for macOS,¬†CryptoMessage for Windows or CryptoMessage for Linux. Have a friend do it as well and you can send encrypted messages back and forth. If you’re more adventurous and would like to try playing around with the source code itself, make sure you have Xojo installed (which can be downloaded and used for free) then download the CryptoMessage Xojo Project.

Xojo has a crypto library (the part that provides key generation, encryption and decryption) built-in to it. However, if a programmer wasn’t using Xojo, they could easily find a crypto library on the Internet to use. In other words, building your own app to encrypt and decrypt messages is not very challenging. As I mentioned earlier, the bad guys (at least the smart ones) are likely already doing this as they are probably sufficiently paranoid that despite public announcements to the contrary, the back doors already exist.

The assumption that compromising our security enables catching more bad guys is a flawed one that I have written about before. It won’t work and we will all suffer needlessly. Imagine not being able to carry on a private conversation via your smartphone. That would make your device feel a lot less useful. Some governments have “experts” that have suggested it would be possible to have a back door Law Enforcement could use but could not be compromised by anyone else. That is a logical impossibility. Governments do not possess magic powers. They are made of up people like you and me. That is wishful thinking at best and negligent at worse.

When your government starts making noises about doing this, I advise you to make it clear to them that for the reasons I have stated in this post, such a compromising security is all downside with no upside at all.