Tuesday, 6 June 2017

Pen & Paper cryptography - people always have a safe place to communicate

I have covered this before (here), but, like a bad penny, these arguments keep coming back. The have been cropping up for decades, and the latest rants from Theresa May on regulating the Internet are no different.

So time to bring it up again, and I have updated the video. Please do watch, and maybe show to your MP when you have one.

Update: We are having some work done and my carpenter was around, he saw me working on the video and pulled up a chair to watch it all the way through. That is rare for me as I am a bit techie, but does suggest that even if you are not techie, this is an informative and maybe slightly amusing video - so do watch.

Basically, this explains the very simple method of pen & paper cryptography. Proper school boy stuff. No, I did not invent it, it is old, and simple, and uncrackable, and does not need a computer! It is a simple one-time-pad.

You can't ban it, or stop it, and it shows that the end game of whack-a-mole over controlling terrorist use of encryption is they can still do this, and you can never win. So let's stop playing now and concentrate efforts in other places (some more funding for police may be a good start).


7 comments:

  1. Very clever hidden joke 😅
    Now we know what he was saying all along!

    ReplyDelete
    Replies
    1. Yeah, did a double take when I saw covfefe come out of it!

      Delete
  2. The Government should not ban end to end encryption, as you rightly say, this is totally pointless and would undermine the security for the rest of us. Nor should there be a universal back door for governments to use, as that would make the keys to such a back door much too valuable a target for criminals. Governments generally could not be trusted with a universal back door into all communications.

    But, in my view, I think it is reasonable for the Government to ask the major social media / communications providers to help them intercept encrypted terrorist communications on their platforms, with an appropriate court / government warrant for specific users. It isn't in the interest of the rest of us to prevent the law enforcement authorities from doing their job in trying to keep us safe.

    If the Government wanted to intercept a particular user on a platform, it would be relatively straightforward for the likes of Facebook / Google / Microsoft / Apple to change their smartphone software apps to create additional session decryption keys using Government public keys for each session so that only the relevant Government authority (and not Facebook / Google / Microsoft / Apple themselves) could decrypt any messages they intercept, in addition to the intended end user. The additional session decryption key would only be created for users flagged for investigation by Government court order, so such an approach could not be used to undermine the security for the rest of us who are law abiding and have no government warrants in place for interception of our messages.

    Whilst terrorists could of course use their own end to end encryption which would not be crackable by the authorities, most of these terrorists seem to be pretty unsophisticated types and would likely think that they could get away with using the major social media providers without problem. We shouldn't make it so easy for terrorists to hide behind the encryption we all rely on in every day smartphones / apps.

    ReplyDelete
    Replies
    1. That works until terrorists discover (because it is in evidence against them in court) that this can be done. At which point the credibility of these companies is damaged (as they claim end to end encryption and associated security) - i.e. who knows who else they will give gets to? And my understanding of stuff I read on the internet (!) is that these terrorist groups do indeed have messaging apps already - it makes sense. But nice try.

      Delete
  3. I don't see that the credibility of these companies would be undermined at all, as the end to end encryption would still be in place for almost everyone and the companies would get kudos that they were helping the law enforcement authorities. The only people who would be worried would be those people who might have an interception order placed on them, which is as it should be.

    Taking a similar example from the past - I am doubtful that BT lost phone line business / credibility because the government was able to ask BT to intercept one of their phone lines... And terrorists undoubtedly used BT telephones, even thought they knew they could be intercepted.

    The Government clearly has an intelligence gathering problem in end to end encryption allowing terrorists to communicate without the authorities being able to listen in. If we (as a community) can suggest alternative solutions to banning it, I think it is much more likely that they will listen to us. Its a better strategy than just asking them not to ban it - That doesn't solve their problem at all.

    For those terrorists that want to hide by switching to using their own messaging apps /encryption, this would change the profile of their so-called "Internet Connection Records" and that different profile might help the government identify who is communicating with who. I imagine the government would go after terrorists using their own messaging software in a different way - Probably by compromising their device with a zero day vulnerability and then installing covert spying software in the device itself, instead of trying to break the encrypted communications.

    ReplyDelete
    Replies
    1. It's not the credibility of the social media companies - it's that they are responding to a large-scale "customer" demand, affecting their bottom line. This demand is fuelled by the unprincipled mass surveillance conducted by Western governments (amongst others), and is a completely rational response by users to avoid false positives (for example).

      What the social media companies are more likely to do is to hand over the metadata (who-to-who and when), which is probably more valuable to the spooks anyway.

      It's the absurd over-reach of mass surveillance that's caused this debacle.

      Thanks for the rant by the way, maybe there's some hope given the election result that we'll have less government by Daily Mail, and more by sober and evidence-based rational evaluation which might actually do something worthwhile - I can hope.

      Delete
  4. Take a look at this method which is much quicker than the Vignere table as you can look up using either the key or the message/code and get the same result.

    http://users.telenet.be/d.rijmenants/en/onetimepad.htm

    Scroll about a third of the way down to "One-time Pad Encryption with Letters" where it talks about reciprocal tables.

    ReplyDelete