ResearchTransparency and Accountability

Canada’s Quiet History Of Weakening Communications Encryption

By and

Introduction

American and British officials have been warning with an increasing sense of purported urgency that their inability to decrypt communications could have serious consequences. American authorities have claimed that if they cannot demand decrypted communications from telecommunications providers then serious crimes may go unsolved. In the UK this danger is often accentuated by the threat of terrorism. In both nations, security and policing serviceswarn that increased use of encryption is causing communications to ‘go dark’ and thus be inaccessible to policing and security services. These dire warnings of the threats potentially posed by criminals and terrorists ‘going dark’ have been matched over the years with proposals that would regulate encryption or mandate backdoors into any otherwise secure system. Comparatively little has been said about Canada’s long-standing efforts to inhibit end-user encryption despite the federal government’s longstanding efforts to restrict the security provided to Canadians by encryption.

This article outlines some of the federal government of Canada’s successful and unsuccessful attempts to weaken cryptographic standards. It starts by explaining (in brief) what communications encryption is, why it matters, and the implications of enabling unauthorized parties to decrypt communications. With this primer out of the way, we discuss why all of Canada’s mobile telecommunications carriers agree to implement cryptographic weaknesses in their service offerings. Next, we discuss the legislation that can be used to compel telecommunications service providers to disclose decryption keys to government authorities. We then briefly note how Canada’s premier cryptologic agency, the Communications Security Establishment (CSE), successfully compromised global encryption standards. We conclude the post by arguing that though Canadian officials have not been as publicly vocal about a perceived need to undermine cryptographic standards the government of Canada nevertheless has a history of successfully weakening encryption available to and used by Canadians.

Communications Encryption 101

A range of technologies help individuals keep the content of their communications private from third-parties. Third-parties include the intermediaries which are involved in transmitting a communication between the two or more individuals who are communicating with one another. To protect email, the persons who generate and receive the message might transform the text so that third-parties cannot read it. Sometimes encryption is deliberately added by the end-user. As an example Alice could use a tool called GPG to encrypt her email to Bob before she sends it. At other times, encryption could be applied automatically without the end-user intervening. An example of such an application could involve the user browsing to https://server.ca and having all the communications between the web server and web browser encrypted using a protocol called SSL/TLS. Instant message-based communications can also be encrypted such that only the sender and recipient, and not the intermediaries responsible for transiting the messages, can decode them. Instant messages can be encrypted either through user intervention (such as by using tools like OTR) or automatically by the service provider (using tools such as Apple’s Messages application).

Most encryption techniques use random character strings called ‘keys’. Keys are employed to manipulate the message being sent so that it is unreadable to a third party. In order to facilitate encryption that is readable by an intended recipient (Bob), but not by a malicious third party (Marko), a ‘key pair’ is often used. A key pair will typically include a primary key, as well as a secondary key that is generated from the primary, based on a mathematical formula. The relationship between the primary and secondary key is what allows a user (Alice) to encrypt a message in a manner that is very difficult for anyone other than the intended recipient (Bob) to decrypt.

There are a range of ways to encrypt communications. For the purposes of this article, we identify just two. First, there may be a persistent key pair. In such cases, the same keys are always used to encrypt and decrypt a communication so if an unauthorized party ever gets access to a decryption key they can retroactively decrypt all of the encrypted communications in their possession. In this case, if the third-party had been copying encrypted communications between a person’s Web browser (commonly referred to as a web client or user agent) and a SSL-enabled Web server for a year then all of those encrypted communications could be decrypted retroactively and read. Second, there could be a constantly (re)generating series of session keys. In these cases, the Web client and Web server create a new, temporary, set of encryption and decryption keys each time they communicate. Those session keys are then disposed of or deleted following the end of the communication. As a result, while a malicious third-party who gains access to Bob’s secret key might be able to decrypt future communications, the party cannot retroactively decrypt historically captured communications between the Web client and Web server. This is because, assuming that the process is properly configured, it can be functionally impossible for a third-party to (re)generate the same session keys.

Communication encryption tools combined with anonymity tools are important, as they“provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age. Such security may be essential for the exercise of other rights, including economic rights, privacy, due process, freedom of peaceful assembly and association, and the right to life and bodily integrity.” Encryption protects individuals and their communities alike by enabling them to learn and communicate without fear of unauthorized third-parties’ surveillance. As a result, encryption secures the communicative space within which individuals develop as persons. Moreover, given the use of Internet-based communications in all elements of daily life — banking transactions, the delivery of medical records, operation of critical infrastructures, routing of sensitive business information, etc  — encryption provides protections to the vast range of communications and transactions that individuals, groups, and organizations are constantly engaged in.

If the encryption keys that are used to decrypt messages are accessible to unauthorized third-parties then the contents of already-captured communications can subsequently be read by those third-parties. This is a non-trivial problem given that Western security as well as intelligence agencies are known to collect and archive large volumes of encrypted communications for decryption years or decades later (Aid 2009). Moreover, if the persistent key pair or the dynamically generated session keys are accessible to the third-party in real-time then they can also decrypt communications as they take place between the communicating parties. The result is that encrypted communications are no longer private from prying eyes. Such privacy might be violated by a government authority that was legally permitted to violate the communicants’ privacy, by a person inside a company who was inappropriately or illegally accessing communications, or by criminals wanting to know what the communicants are saying to one another. Requiring parties to disclose keys in their possession is deeply problematic because it undermines the whole purpose of encryption. Disclosing keys used for persistent encryption schemes not only allows for access to a specific set of encrypted communications, but exposes all past and future communications encrypted with those keys. A key retention obligation is even worse, as it wholly obviates dynamic keys, undermining the very purpose of the protocol itself.

As we discuss in the following sections, the federal government of Canada has actively attempted on a number of occasions to diminish the privacy and integrity of communications encryption protocols available to Canadians. Historically such efforts have been focused on undermining the privacy that mobile providers, such as Rogers and Bell, could provide to their customers. In the past several years, however, the government has quietly turned its attention to all TSPs which operate in Canada as well as to global encryption standards.

Encryption and Mobile Carriers in Canada

Canadian mobile telecommunications providers are required to agree to – and implement – the Solicitor General’s Enforcement Standards (SGES). Broadly, these standards establish the conditions that mobile providers must meet in order for government agencies to successfully receive information from the providers’ networks. There are a total of twenty-two standards that compose the SGES. For this article we focus on standard twelve; for a broader discussion of the SGES see our report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians.”

Standard twelve states, “[i]f network operators/service providers initiate encoding, compression or encryption of telecommunications traffic, law enforcement agencies require the network operators/service providers to provide intercepted communications en clair.” The annotation for this standard reads: “Law enforcement requires that any type of encryption algorithm that is initiated by the service provider must be provided to the law enforcement agency unencrypted. This would include proprietary compression algorithms that are employed in the network. This does not include end to end encryption that can be employed without the service provider’s knowledge.”

Mobile telecommunications providers have historically been compelled to decrypt or decode text messages, faxes, and voice communications which they encoded upon request by government authorities. This obligation is limited to certain types of encryption techniques – excluded are end-to-end encryption techniques, which may be implemented by the service provider but, once implemented, can be initiated by end users without the knowledge or active participation of that provider. Obviously technologies have changed since the mid-1990s and as a result the government proposed expanding the SGES’ scope of application in a spectrum auction consultation in 2012. After internal debates along with critiques from industry, who opposed expanding the SGES to non-traditional communications without authorizing legislation, the government ‘clarified’ that the updates to the SGES would apply only to communications that were historically carried over ‘circuits’ as opposed to packet-based communications (See: Parsons, 2015). This decision meant that, depending on the encryption mechanism being used, new technologies for generating and delivering SMS, MMS, fax, and voice communications would remain accessible to government authorities. This has seemingly led some telecommunications providers, such as Rogers Communications, to deliberately discuss how to weaken communications-related encryption protocols such as MIKEY-IBAKE. Moreover, discussions at the European Telecommunications Standards Institution have raised whether Canadian providers should ensure any cloud-based storage system they develop be designed with lawful interception functionality baked in (For more, see: The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians.)

Legislating Access to Decryption Keys

The government of Canada has introduced legislation which would have required all telecommunications providers to decrypt communications they encrypted, where the providers retained decryption keys (commonly referred to as ‘lawful access’ legislation). Whereas the SGES applies to mobile providers, successive iterations of lawful access legislation that have been introduced by the federal government would apply to all telecommunications service providers. Thus, the legislation affects wireline and wireless telecommunications carriers, such as Rogers and Bell, as well as other providers, such as Google, Facebook, or Twitter.

Canada’s lawful access debate occurred over more than a decade. The salient portion of the legislative mandate for this article was reintroduced several times as Bill C-46, Bill C-51 and ultimately, in February 2012, as Bill C-30. Amongst a range of other provisions, these Bills imposed novel legal obligations that would make it easier for the state to intercept communications. Sub-sections 6(1) and (2) would have required telecommunications service providers to be capable of: intercepting communications, provide interceptions to authorized parties, offer information about the geographical sites of the communication, and comply with confidentiality or security conditions such as gag orders. Sub-section 6(5) would have required that, when multiple formats were available, telecommunications providers provide intercepted data in the format preferred by the government authorities. Each of these requirements paralleled requirements already established in the SGES.

Sub-sections 6(3) and 6(4) focused on encrypted communications; 6(3) read:

If an intercepted communication is encoded, compressed, encrypted or otherwise treated by a telecommunications service provider, the service provider must use the means in its control to provide the intercepted communication in the same form as it was before the communication was treated by the service provider.

Per this section, where a telecommunications provider is legally obligated to facilitate interception of communications, it would be required to decrypt those communications upon a demand from government if it retained the decryption key. Under 6(4) a provider would not be obligated, however, to “develop or acquire decryption techniques or decryption tools.”

Whereas the SGES imposed requirements principally on mobile providers, Bill C-30 would have applied decryption requirements on all telecommunications providers. The result is that there would have been an explicit legislative clause authorizing authorities to compel telecommunications providers to decrypt communications. The bill was not passed into law. It’s successor, Bill C-13, however includes language that arguably authorizes authorities to similarly request decryption keys.

Receiving Royal Assent on December 9, 2014, Bill C-13 includes preservation and production powers that were identical to those included in the proposed Bill C-30. Under 487.012(1) a “peace officer or public officer may make a demand to a person in Form 5.001 requiring them to preserve computer data that is in their possession or control when the demand is made.” In order to make the demand, the peace officer or public officer must have reasonable grounds to suspect that:

(a) an offence has been or will be committed under this or any other Act of Parliament or has been committed under a law of a foreign state;

(b) in the case of an offence committed under a law of a foreign state, an investigation is being conducted by a person or authority with responsibility in that state for the investigation of such offences; and

(c) the computer data is in the person’s possession or control and will assist in the investigation of the offence.

Conditions may be included as part of the demand; while these can include conditions about disclosing the reception of a demand, a broader (and left unstated in the legislation) set of conditions could be applied. Moreover, assuming that a cryptographic key is captured under the definition of “computer data” that is in a telecommunications provider’s “possession or control when the demand is made” the provider might be obliged to preserve, and subsequently disclose, the key.

In effect, whereas C-30 would have explicitly established decryption requirements of general application on telecommunications providers C-13 did so in a more obscure way. Fortunately, under C-13 a provider could challenge an order whereas under C-30 the same provider would have simply had an obligation to disclose keys. In that regard, the C-13 can be seen as an improvement over C-30 with respect to compelling the disclosure of decryption keys. However, the provisions in C-13 could be more intrusive on a case by case basis, depending on the types of conditions ultimately imposed by law enforcement or judges. So, for example, whereas C-30 did not require service providers to develop new decryption capacities, C-13 might, on a case by case basis.

Compromising Global Encryption Standards

In addition to enabling domestic agencies to retroactively decrypt communications Canada’s foreign signals intelligence agency, the Communications Security Establishment (CSE), has been active in undermining key mechanisms that form the basis for encrypted communications. The CSE is Canada’s premier cryptographic organization. Documents provided by by former NSA contractor Edward Snowden to journalists reveal that CSE’s United States counterpart, the National Security Agency (NSA), successfully weakened an encryption standard called DUAL EC DRBG in 2006 that was then approved by the United States’ National Institute for Science and Technology (NIST).

As noted above, much of cryptography is dependent on mathematical manipulations of communications based on ‘keys’ or large random numbers. This feature of cryptography means that the ability to generate truly random numbers is integral to any successful encryption scheme. DUAL EC DRBG is a random number generator that could be used by a number of encryption schemes to create any necessary keys. A flawed number generator — particularly one with a known flaw — can render any encryption technique that relies on it insecure, because it becomes exponentially easier to ‘guess’ the ‘key’ and subsequently decrypt the message. In this particular instance, the NSA could exploit the flaw in the DUAL EC DRBG and, after NSA had successfully pushed its adoption as a national standard, the agency proceeded to advance it as an accepted international standard.

The NSA’s Canadian partner, CSE, ran the international committee at the International Organization for Standardization (ISO) that was responsible for evaluating and authorizing DUAL EC DRBG. Some “behind-the-scenes finessing” from the head of CSE and members of the NSA took place, which led to the NSA rewriting the drafted international standard. Meanwhile, the NSA ensured that its flawed version of DUAL EC DRBG was included as a Federal Information Processing Standard (FIPS), a set of standards approved by the US Government for use in non-military government computer systems. CSE similarly leveraged its role as steward of Canada’s government defensive capabilities to ensure that the flawed standard was included in a list of approved algorithms that must be used for any Canadian and US Government procurement. The consequence of this  NSA’s ‘finessing’ was to propagate and grant legitimacy to a method of data encryption known to be vulnerable.

As a result, DUAL EC DRBG has been incorporated into a range of products, including those from security company RSA, in operating systems such as Microsoft Windows,and in a version of OpenSSL (a tool commonly used to facilitate website encryption). The integration of the standard with operating systems was significant because, by changing the default method by which the operating system encrypted communications traffic, an intelligence agency could decrypt data now encrypted using DUAL EC DRBG. The secret of the standard’s weakness got out quickly: researchers discovered and disclosed the vulnerabilities in 2007. Nonetheless, the standards’ ISO and FIPS status was not revoked, and agencies such as CSE continued to retain it on their cybersecurity recommendation lists, allowing it to persist in spite of its known flaws.

While organizations like the NSA and CSE are expected to try and break cryptographic protocols, and while they have a history of deliberately providing ‘weak’ encryption to potential intelligence targets, the deliberate weakening of cryptographic standards themselves is dangerous. Such activity calls into question all of the cryptographic protocols that the NSA and CSE (and their allies) have had a hand in testing and approving. Moreover, such weaknesses call into question the legitimacy of established venues to create, test, and legitimize new cryptographic algorithms.

Canada’s Quiet War on Encryption?

In aggregate, the federal government of Canada has been actively trying to undermine the privacy and security afforded by encryption for at least two decades, with varying degrees of success. What began with quiet regulations that only industry insiders were aware of has transitioned to efforts to expand the kinds of communications covered by the Solicitor General’s Enforcement Standards (SGES) and, ultimately, to a legislative language that may compel the preservation and disclosure of decryption keys. At the same time, Canada’s signals intelligence agency has been caught deliberating weakening at least one cryptographic standard.

Canadians’ default ways of conducting mobile communications have been subject to decryption requirements since the 1990s. The SGES largely prevents Canadians from securely communicating using voice or SMS messages, unless they use a third-party Voice Over Internet Protocol (VoIP) or texting application. The result is that they ways that millions of Canadians speak with one another are made insecure by secret government regulation. Moreover, the government of Canada has established encryption key preservation and disclosure laws. Consequently, companies and persons who provide encrypted communications could be compelled to disclose decryption keys to government authorities. Such disclosures would effectively undermine the security that Canadians think they enjoy when communicating using SSL, TLS, or other encryption protocols.

In addition to ostensibly weakening communications for law enforcement purposes, the Canadian government vis-a-vis its signals intelligence agency intentionally advocated for, and propagated, a deficient security standard around the world. This standard rendered hundreds of millions of people’s communications less secure; in addition to the United States’ National Security Agency paying a security company, RSA, $10 million dollars to implement the standard, major operating system vendors such as Microsoft included DUAL EC in their products. The consequence was, and remains, that Canada has intentionally undermined the privacy and security of Canadians who use RSA and Microsoft products along with millions of other people around the world.

Despite the aforementioned activities, the Canadian government has not formally taken as strong a position as the American or British government concerning cryptography. To date, Canadian officials have not publicly called for ‘backdoors’, or deliberate cryptographic vulnerabilities that companies must include in their products in order to provide decrypted versions of communications to authorities upon request. But this public restraint may simply be reflective of the fact that the federal government’s quiet war on encryption has been surprisingly successful: the default mobile communications of most Canadians are accessible to government, decryption keys can be compelled from companies, and hundreds of millions of people have cryptographic suites installed on their computers that are exploitable by Canada’s signals intelligence agency.

How the federal government of Canada develops and implements national encryption policies can deeply influence Canadians’ abilities to compete in the digital economy. Bad policies undermine the sense of security that Canadians enjoy when they conduct daily activities online and when they make purchases online. Bad policies make it harder for non-Canadians to trust the security and privacy assurances given by Canadian businesses. And, perhaps even worse, bad policies mean that Canada’s advice will not be taken when it comes to developing, and advocating for, genuinely secure encryption protocols. In effect, bad policy hinders Canada’s stature in the world and Canadians’ capabilities to participate in the growing digital economy.

Encryption policies should be a non-partisan issue. All politicians, and all Canadians, should advocate for strong, reliable cryptographic protections so that Canadian businesses can thrive and Canadian citizens enjoy private communications. But instead of successive federal governments trying to enhance online security the governments have been actively trying to weaken online security. As a result, encryption policy debates need to receive far more attention from the public, policy makers, and politicians alike: this critical policy issue must debated in the light of the public eye instead of continuing to languish in the shadows of secretive government policy shops.

Text Sources

  • Matthew M. Aid. (2009). The Secret Sentry: The Untold History of the National Security Agency. New York: Bloomsbury Press.
  • Ian Goldberg. (2008). “Privacy-Enhancing Technologies for the Internet III: Ten Years Later.” Alessandro Acquits, Stefanos Gritzalis, Costas Lambrinoudakis, and Sabrina De Capitani di Vimercati (Eds). Digital Privacy: Theory, Technologies, and Practices. New York: Auerbach Publications.
  • Christopher Parsons. (2015). “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” Michael Geist (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa University Press).

This post first appeared at the Telecom Transparency Project.