China and US cross swords over software backdoors

Barack Obama criticises Chinese plans to force tech firms trading in China to share encryption keys and put backdoors in software

China has rejected US president Barack Obama’s criticism of its plans to force technology firms that want to trade in China to share their encryption keys and put backdoors in their software.

China's proposed counter-terrorism law requires companies to keep servers and user data in China, to hand over communications records and censor terrorism-related internet content.

The US president told the Reuters news agency he had "made it very clear" China will have to change its policy if it wants to do business with the US.

But China said the move was necessary to combat terrorism, accusing the US of double standards in the light of the National Security Agency’s reported hack of Sim card maker Gemalto.

"The legislation is China's domestic affair, and we hope the US side can take a right, sober and objective view towards it," said Chinese foreign ministry spokeswoman Hua Chunying.

"On the information-security issue, there was a media revelation that a certain country embedded spying software in the computer system of another country's Sim card maker, for surveillance activities. This is only one of the recently disclosed cases."


'Freak' encryption vulnerability

The war of words erupted as security researchers revealed that an old US policy, which required weaker encryption in products sold for export, is leaving millions of iPhone and Android users vulnerable to attack.

Although the US dropped the policy in the late 1990s, the deliberately weakened "export grade" cipher suites it mandated were never removed from many web servers and client software libraries still in widespread use, and attackers can exploit them, researchers revealed.

The so-called Freak vulnerability lets an attacker positioned between a vulnerable device and the web server of a supposedly secure (HTTPS) website tamper with the connection's handshake so that it settles on "export grade" encryption, which researchers say can be cracked with relative ease: the export-grade RSA keys are only 512 bits long, short enough to factor with modest computing resources.

US double standards

In reaction to Obama’s criticism of the proposed law, China drew attention to the US imposing restrictions on Chinese companies such as Huawei over security concerns.

China’s parliamentary spokeswoman Fu Ying suggested the proposed law corresponds with the access to internet communications sought by the US and UK governments, reported the BBC.

China’s government news agency Xinhua accused the US of arrogance and hypocrisy, in the light of the NSA’s mass internet surveillance programme and the US spying techniques revealed by whistleblower Edward Snowden.

However, it said that, unlike the US, China’s anti-terrorism legislation is based on transparent procedures that apply equally to local and foreign technology companies.

The proposed counter-terrorism legislation is set to be discussed in China's annual parliament session, opening on 5 March 2015.

Cryptography in politics and practice

Security experts have warned that adding backdoors to software could make products vulnerable to hackers in the same way that the US export laws requiring weaker encryption have done.

Commenting on the Freak vulnerability, TK Keanini, CTO at security firm Lancope, said that, while it is a technical flaw driven by politics, it is ultimately a problem that compromises technological goals.

“Cryptography has always been highly controversial and will remain this way as long as there are people who want to monitor private conversations. Even if we set politics aside, we should all treat cryptographic systems as a delay of disclosure and not ultimate privacy,” he said.

Keanini said that, as computing power increases, older cryptographic methods must be retired in favour of newer and stronger ones: “The trick is to ensure that systems are not allowed to negotiate to the older and weaker techniques,” he said.
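The downgrade described in the Freak section above, and the "do not negotiate down" rule Keanini sets out here, can both be seen in a small model of cipher-suite negotiation. The following is an added example written for this page, not code from the article or from any of the vendors mentioned; it uses a toy handshake rather than the real TLS wire format, and the suite table and server configurations are constructed. It shows a man-in-the-middle forcing an export suite on a client that does not check the server's choice, then the two fixes: a client that rejects any suite it did not offer (and any export suite at all), and a server configuration with the 1990s suites pruned.

```python
"""Toy model of an export-grade downgrade on a TLS-style handshake.

Added example, not code from the original article. The negotiation is a
simplified stand-in for the TLS ClientHello/ServerHello exchange, not the
real protocol.
"""

# Constructed cipher-suite table: suite name -> key-exchange strength in bits.
# The suite names are real TLS names; the table itself is a stand-in.
SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": 2048,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 2048,
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 512,     # 1990s export-grade
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 512,  # 1990s export-grade
}

MIN_STRENGTH_BITS = 2048  # assumed policy floor for this example


def is_export_suite(name):
    """Export-grade suites carry _EXPORT_ in their IANA names."""
    return "_EXPORT_" in name


def server_choose(enabled, offered):
    """Server picks the first of its enabled suites that the client offered."""
    for suite in enabled:
        if suite in offered:
            return suite
    return None  # no overlap: a real server would send a handshake alert


def mitm_rewrite(client_hello):
    """Attacker in the middle rewrites the ClientHello to offer only export suites."""
    return [s for s in client_hello + list(SUITES) if is_export_suite(s)]


def vulnerable_client_accept(offered, chosen):
    """Buggy client: accepts whatever the server names, even a suite it never offered."""
    return chosen is not None


def hardened_client_accept(offered, chosen):
    """Fixed client: the chosen suite must be one it offered, never export grade,
    and at or above the policy floor."""
    return (
        chosen is not None
        and chosen in offered
        and not is_export_suite(chosen)
        and SUITES.get(chosen, 0) >= MIN_STRENGTH_BITS
    )


def prune_export(enabled):
    """Server-side fix: drop export suites from the enabled list entirely."""
    return [s for s in enabled if not is_export_suite(s)]


def handshake(client_offer, server_enabled, client_accept, attacker=None):
    """Run one negotiation; return the agreed suite or None if the client aborts."""
    hello = client_offer if attacker is None else attacker(client_offer)
    chosen = server_choose(server_enabled, hello)
    if not client_accept(client_offer, chosen):
        return None  # handshake aborted by the client
    return chosen


def scenarios():
    """Four constructed runs: honest, downgraded, client fixed, server fixed."""
    strong = [s for s in SUITES if not is_export_suite(s)]
    sloppy_server = list(SUITES)          # still has the 1990s suites enabled
    fixed_server = prune_export(sloppy_server)
    return {
        "no_attacker": handshake(strong, sloppy_server, vulnerable_client_accept),
        "vulnerable_client_attacked": handshake(
            strong, sloppy_server, vulnerable_client_accept, mitm_rewrite),
        "hardened_client_attacked": handshake(
            strong, sloppy_server, hardened_client_accept, mitm_rewrite),
        "export_pruned_server_attacked": handshake(
            strong, fixed_server, vulnerable_client_accept, mitm_rewrite),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} -> {result}")
```

Either fix alone stops the downgrade in this model: the hardened client refuses a ServerHello naming a suite it never offered, and the pruned server has nothing export-grade left to pick, so the attacker's rewritten hello finds no overlap and the handshake fails rather than completing with a 512-bit key. In the real Freak attack the client-side defect was accepting an export-grade RSA key inside a handshake that had negotiated a non-export suite; the model collapses that into "accepting a suite you did not offer", which is the same class of missing check.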
