Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
Decoding the Encryption Debate (Bonus: My Bank Password!)
This isn’t a commentary on the Apple case. I’m not following that very carefully. I’ve been frustrated for quite some time by silly encryption talk, and it’s just now boiling over. So I’m going to share, in layman’s terms, what modern encryption means and how it works. After that, I’ll explain why the encryption debate is like a bad joke gone too far.
Politicians, Republican and Democrat alike, frame the conversation in a completely misleading way that exploits the public’s ignorance of the underlying technology. I pray this is just a result of their own ignorance, and not a more cynical, informed duping of the American public.
Washington seems to treat encryption like Democrats treat guns. They think it’s controllable, can be regulated, and will somehow stop “the bad guys.” We, on the other hand, know there’s no stopping the inevitable. Better that the good guys have access, too.
So, what is encryption?
Modern encryption is based on something called RSA encryption. RSA stands for Rivest, Shamir, and Adleman, the three brilliant mathematicians who discovered a truly beautiful mathematical insight, one that keeps our credit cards safe, our passwords secure, our health records confidential, and our correspondence private.
Before we dive into RSA, a short recent history of encryption. Until RSA, the best encryption methodologies were just exceedingly complex cipher machines, or one-time pads. You may be familiar with a simple cipher from a puzzle book. For example: “A becomes P, B becomes N, etc.” The famous German Enigma machine added complexity by changing the letter mappings each time a letter was keyed into the machine. (Note that it did this in a predetermined way.) The key to cracking the Enigma code was figuring out the initial mapping; from there, if you knew the pattern in which subsequent mappings changed, you could decrypt any intercepted message. In tech lingo, if you can decrypt a message with the same information used to encrypt it, it’s symmetric encryption.
Even older than the Enigma, and more rudimentary, is the one-time pad. In a sense, it’s a cipher as well. Even though it’s older and lower-tech, to this day it remains, under the right circumstances, the only truly unbreakable form of encryption. The key is “under the right circumstances.” More on that later.
A perfect one-time pad is a series of truly random numbers (true randomness is really hard, if not impossible, to get). The person sending the message has one copy of these numbers; the recipient has the other. The sender uses these random numbers to translate his or her message letter by letter, usually just incrementing each letter by the corresponding number. After the pad is used once, it should never be used again. Hence the name one-time pad. If it were to be used again, an attacker could infer the original numbers from their repetition.
Like the Enigma, this is symmetric encryption; that is, the material used to encrypt the message is used to decrypt the message as well. If ever the pad is lost, stolen, or intercepted (worst case), the system fails completely. The beauty is that if everything goes completely according to plan, the one-time pad is the only known method of perfect encryption. Unfortunately, it’s quite difficult to get real randomness, and very hard secretly to get the same pad to both the sender and receiver (this is the clandestine work of spies, dead drops, and tradecraft).
So it’s already clear that these methods are already available to good guys and bad guys alike. Nothing the government could do would stop the spread of these forms of encryption. There’s absolutely no back door to a one-time pad, short of seizing property and Orwellian eavesdropping. Things would still slip through.
Back to RSA. It’s foundation is a simple observation about factoring numbers (as in, the number 6 has the factors 1, 2, 3, and 6). While it’s easy to factor small numbers, it gets exponentially more difficult to do as the numbers get larger. In fact, it gets so difficult that if it’s a reasonably large number, the best-known algorithms for factoring would need to run through more iterations than there are atoms in the universe to solve it.
You may think, “Well, of course, but that number would need to be enormous, right?” But don’t forget, the problem is exponential. The number really doesn’t need to be all that large. To put it in perspective, this post would take up more space in a computer’s memory than that number.
So it’s time-consuming and hard to find factors of a big number. So hard that even the NSA and their supercomputers probably couldn’t find them in any reasonable amount of time.
What about going the other way? Well, the most beautiful thing about this system is that going the opposite direction is actually really fast. If we already know two of the factors, it’s quite easy and speedy for a computer to multiply them to get the large number.
Using all these numbers and a dusting of mathematical sorcery, it’s possible to come up with two random really big numbers. One of those numbers works kind of like our friend, the one-time pad. Instead of using the numbers to map letters, like A -> P, we do it a little differently. First, every letter in the secret message is assigned a number. It can be really obvious, too, like A -> 1 and B -> 2; it doesn’t matter. Now our secret message is just a really big number, too! What can computers do well with really big numbers? Multiply them. The product is our encrypted message.
You can send that to whomever you wish. But only the person with the other original random number can decrypt it. In tech lingo, that’s the private key.
This, as you may have inferred, implies a public key.
The public key is the number we combined in our secret message. Because it’s so difficult to factor large numbers, I can confidently publish my public key in tomorrow’s paper. You could take that number, combine it with a secret message, then post it here on Ricochet for all the world to see. I would be the only one able to decrypt it with my private key. This is known as asymmetric encryption because the material needed to decrypt a message is not the same as that needed to encrypt it.
I know it’s a lot to wrap your head around, but trust me when I say it’s based on relatively simple mathematics. It amounts to something so damn near unbreakable that it’s not even worth trying to crack. By the time anyone gets close, we’ll all be six feet under. In fact, I’m so confident of this that I’ll give you the password to my bank account in the bottom of this message. It’ll just be encrypted using my public key.
What does this mean for the so-called encryption debate?
Well, there isn’t one. It’s purely about an invasion of your typical citizen’s privacy. Unbreakable, strong encryption is so readily available to anyone who wants it that it won’t stop a terrorist or a dedicated crook for a minute. When the US first tried to block the export of encryption technology, computer scientists copied the source code of an encryption library into an academic paper and published it in an academic journal. It all just boils down to simple math.
If you think these things don’t apply to you, please look up in your browser’s URL bar. Do you see that little green lock? That’s encryption, and it’s been keeping your credit card details and your passwords safe from prying eyes for years.
So next time you hear someone mention a backdoor, or even a front door, read it as, “We want a super-secret, really big number that we promise to keep super-secret.” Then laugh, because now you know that if that super-secret number ever gets lost, we’re all in for it. Criminals will have the keys to the kingdom. And that super-secret number will get lost. It’s the government, after all.
Here, as promised, is my bank password: Enjoy it.
—–BEGIN PGP MESSAGE—– hQEMA8U6m0wF95yNAQf9EwWkSiOYjUXlplE9TlX5auG2TJ8Ewfpr7FgXLW70tngw 9Rh6U+Uv7pRmn8jrepmUI/sk8neOcTVRHGzMIEXg2Duxju9DU/nT5Zfv3QD2PQAM opkQMc5L/vGHJhq+t1EXpn/nEhimK0YBZnYOWs96P2onf0BaDKrJOzYouTU0SVUP cRvmg2yuH48d2gOSJFm2kqAWEClRZpcx9znwBxxxX2tu+0yp/ZbMCY3g/SOkACrh +TJsRlCCYYJz69WdJtrK/HtyT613BnUyPnMZb/5bsYzc/yWvaTd3lXwrIuHsz82c 6y5IEWM7uiyVYiXJaSSd3zxzOq8KolZ//5Gbshq/B4UCDAMAcEZ6M6graAEP/2i4 s8KngyvDBKlF5p2R1SyzYizfVw5aZqJ4V1NL7QLi8e8/AbBvTjW9yPlPnqH3vnSd n9GSzOMUF/200P31td1ckYDHd2VGPSA3wK8IijEk/A4gW+7l6vEQy5k+PECLEg72 MMspTZ6XESKKe4sFp5EVoOFLhxSvszDjqhXgsDXKL/ukDHwmtUv42V6j9TfhEZjG jIgg4P7retYn/sFyCbT1y/mLRmrXfsotS2XhNvA8FJL3f8rgBC/wd1R3gN08QIzh R2gSlywPiYQAPATaJ9e2dMfSvZX/yPpOtpEIyWmkL8YzcosI6UnbEQBWX/cpiCpi hSM4EP+Us8ou+X65nRM63ayPn4vx7GnRJozUMzO206BR23F2vgy7NengLIG6RcxY EO/2/+XKzrHPvltvni+iVHiR5i2t1cwNeOitqAQCPBFAlIYTJns3hynQ8tyDN9Fu toqyO3JLt8SxihQ/75yaPb6Gv9dHKids8PPQaIXdd32bMiDVr+Nnw59FRzdKHSTl Mt+08xdEP/xNB6vFTypLp4NCfW1gjpPc/ft6+ZpjOmC4ydG5wPrYq0hZ6dLW1P70 9Ht98DumHnTfAtsLp+TMvAbOZwgPvfEc/RUZulvIKYcdIJik1jxtmd6o7hTJeuOW h6WEieeYJgHhToSi5JkJgwU4pwknI1SIPpJ6iCFxhQIMAyjnI65ZV691ARAAqXuO qhzgO2wgPWUsyKBMVK3TiMqMTyevCetos2TWY/lrE5M+I07hKHETsZzxQnm+Rdu0 4bvNdiXLotQ8CfsnPevTnJjobT63XU5xc7NJKoVvf4gaX593WlL9wd/urG5flktm GgjfOvsAUiK8V9Cdg+RMkjvUUHStjiIUsLb2SIhvZ8s8ld5qeXIF9vlJa3YUb2/j FWcRqO4Hva6Fbx5Gpp3GNxdJh0km50EQlQg+pVAYyA25PrQbaaKa+2mAu9giTINo fm5CH5MUQ5g0exU/nv7JKjNZ3S46wLznurCsxWQD00W0bYMs0kZCCFWkU9Fv+y4g rwg1VHLmleTZwlOaXXfE/8ufaetK0QBjcy0y3k0byY0IlCT61UrMX/zTUGph3UVX lH0F2Op+uQ7zDSEaIp6P2qnpIMLQbf1PHD9OO+7f5bFpFBcK41I/vJGrpZsg8f8F RivKgOFIjPB5enB4847tr/AYafYduoxzHUunXeegXN8h45dolC1xSrhL7pHEyLfM 8S//yphyIrUe5bXF2qZS2Wsk3E8ham5tD4c2Hb7W3rTOLgG2p/r2to8boJkRQ8On uvzNkQXHwI5tZRNIUOPP/XqdhudDMWGXXbNSttZDVjZ5+3OLqM0bQ03sFZbqlob8 0AOUgj0QlgfPNMtA5e9LPrDRuTmD5Kup2oRcuHjSRAEl8iMryZhCFPV2P0+nQuJF tIo6opefJEobtRZ63nLmmNxWb14vmjW5srX9HHjIJ7KxzPRusbQPgHm6sxLyEFyH PoTa =swiM —–END PGP MESSAGE—–
Published in Culture, Domestic Policy, General, Science & Technology, Technology
Good point. In theory, proper use also overcomes key logging and screen capture software, but I don’t take advantage of all the features. It would be vulnerable to malware that reads the clipboard contents if such software exists. (I’m so confident it exists that I’m not even going to google it. If I can think of it some hacker thought of it 20 years ago.)
Oh, I have a pass phrase that would be great. How many characters do I get on these?
Thanks!
I’d love to hear Gabriel’s take on KeePass. That is basically what I have now with another program, though I imagine one that is less secure.
1Password and LastPass seem to fit the bill, though I love me a decoder ring!
What do you want to bet that your Ricochet password is stored in the clear? Or was, which still reveals the structure of your algorithm.
I do the same thing, but now use a local (memory rule-based) kid-sister hashing algorithm to obfuscate the connection. My password reminders are now just sitename, username hint, and which of my systems the current password complies with. It’s been evolving since the late nineties, and there’s a lot of cruft :-)
My current Ricochet password is still one version out-of-date. I should update that. If any site ever stored your password in the clear, your algorithm is probably compromised. Obscurity is not actually security, but for those of us who can’t do RSA in our heads, it’s a worthy layer of a defense in depth.
I do not wish to take the plunge and use an external password service. On a good day, I don’t need it. On a bad day, it’s a liability.
I wouldn’t assume that. I did fairly rigorous research when I selected KeePass a few years ago, and there was similar software available that was at least as good – even better if you were willing to pay their price. (I like freeware. Try it out for a few weeks and donate what you think it’s worth if you like it. Capitalism at its finest, IMHO.)
There were also dissimilar alternatives that could be an equally good choice depending on what you like and how you assess certain risks. Lots of smart people who chose differently.
There was definitely some crap out there though. It’s important to make sure you didn’t get crap.
I’ve also looked at KeePass. It seems pretty secure, I like that it’s self managed. So, I think it’s a fine solution. I might even say it’s better than the cloud for the reasons already mentioned here.
That said it’s probably more complicated to use. And the cloud solutions are more than adequate.
KeePass falls somewhere between what I use, Pass, and the cloud options.
I use Pass because I spend most of my working day on the command-line (black screen, green letters, very Matrix-y ;) ) and that’s where Pass shines.
As for Ricochet and its passwords being in clear text, I doubt it. I think Ricochet is powered by WordPress, which will hash passwords relatively well out-of-the-box.
The site was klooged together with a bunch of customization, poorly spec’d and poorly executed. Imagine my shock when I saw that my actual database UserID was my email address without punctuation. Max fixed that, and I am eternally grateful. By then, however, I had been thoroughly “outed”.
So color me skeptical, particularly about the old set-up.
Ah, yes. Social engineering.
That’s why I just got this in a letter from my employer:
“Some” being defined as everybody who worked for XXX in 2015. “Limited” meaning name, SSN and payroll information.
Oh joy.
I am hoping they will be providing you with identity protection services.
Yes, they notified us all promptly and are taking the appropriate steps.
There’s a fascinating and heartbreaking discussion of one time pads in Leo Marks’ Between Silk and Cyanide: A Codemaker’s War, 1941-1945. During WWII Marks was the chief cryptographer for the Special Operations Executive.
From his obituary: