Cryptography

The History and Mathematics of Codes and Code Breaking

Tag: NSA (Page 1 of 2)

Cryptography by the People for the People

The passage that stuck out to me the most from the novel was Marcus’ description of the use and benefits of cryptography from page 57. Even though it’s at the beginning of the book, this passage gets to the core of how cryptography works for us today. Cryptography is used by everyone because is as accessible to everyone. Thankfully, our government does not have a monopoly on cryptography; “the math behind crypto is good and solid, and you and me get access to the same crypto that banks and the National Security Agency use” (Westerfeld 57). Because it is so widely used, we can be sure of its effectiveness.
The quote continues to discuss how cryptography is useful to us today. Even if we do not have anything to hide, “there’s something really liberating about having some corner of your life that’s yours, that no one gets to see except you.” This reminds me of the article I read regarding the actions of the National Security Agency and invasion of civilian privacy due to bulk data collection. The fact that personal information as well as government intelligence is encrypted using the same means shows that the government has access to all of our information as well. This is not a bad thing; access to this information can be useful in ensuring peace. The question still remains: when does government access of individual data cross the line from protection to trespassing?

Freedom of the Press Still Requires Bravery - Taking on the NSA

"How to save the Net: Break up the NSA." This is a bold statement for a bold article. Bruce Schneier, renowned cryptographer and writer, bravely authored this article for Wired as a part of the "Save the Net" series, "featuring bold solutions to the biggest problems facing the Internet today." Schneier proposes that the NSA should be separated into its three main components: government surveillance, citizen surveillance, and defense of U.S. infrastructure, and these three sectors placed into different departments. Especially the more we learn about the NSA's reaching power and what they can do, they seem like such an untouchable superpower. I really admire Schneier's audacity to suggest such a radical solution, and I think his ideas make sense. Considering the Snowden leaks, the NSA's international mission should be protected at a military level in the Department of Defense, domestic surveillance goes hand in hand with the mission of the Justice Department, and, Schneier argues, the defense of American infrastructure should be by a new and open organization. I think what we find so intimidating about the NSA is that if they have the power to hack into a foreign government, what would stop them from looking into my personal phone or computer? But we don't seem to have a problem with the military cybersecurity having a similar power. It would be interesting to continue to explore the possible consequences of having a governmental agency that people trust devoted to protecting American citizens online, while the Departments of Defense and Justice combine forces with current NSA programs to secretly do what they need to do to protect us. And ironically, the NSA will most likely see and read this article that was published online, but that's what the freedom of press is all about!

9/11 Changed Everything

At the time Singh wrote the novel, there was no blatant reason for the government to use surveillance for the interest of national security. Then September 11, 2001 happened. This day completely changed the interests of both the American citizens and the government. After this terrorist attack, people were willing to give up their privacy in order to achieve more security. I am not saying that the government should have complete control over all communications all the time. What I am saying is that the government should have substantial surveillance over communications in order to prevent other significant threats to the citizens of the United States.

In times of fear, people are willing to give up some of their privacy in order to feel safer. The thing is, cryptography should not disappear. Cryptography will only keep improving, and there is little to nothing that the government can do to slow it down. What the government, mainly the NSA, can do is keep its cryptanalysis above and better than the cryptography present at the time. Then the government can use its cryptanalysis in order to analyze and read encrypted messages. The government used wiretapping in the 1920s, but its new weapon is code breaking. Of course, citizens will always want their information to be private, but with the new information age, the government can use data mining and break through encryptions in order to evaluate certain suspects without any normal computer user ever noticing. The government can give people the illusion of privacy while also providing them with the reality of security.

It’s not so much whether the government can have wide latitude but what it can do with its wide latitude. For all we as normal citizens of the nation know, the government can read any and all of our messages. The government has the technology to break into almost any kind of encryption with its super computers, so as long as the government stays within its boundaries of security and does not blatantly invade its citizens’ privacy, it can continue to successfully use its array of electronic surveillance.

Photo Credit: "tower1-2"  by Damlan Korman via flickr CC.

Photo Credit: "tower1-2" by Damlan Korman via flickr CC.

 

Every Security Measure Has a Weakness

One of the things which stood out to me throughout the book Little Brother was how it was so easy for even everyday people to foil the security measures put in place by the Department of Homeland Security. One of my personal favorites was the "arphid cloners" which could replace all of the electronic information on things such as your credit cards and identification and replace that with those of someone else. A particular passage showcasing this was when Marcus' father came home after being pulled over and questioned twice. This occurred because his father had been all over town recently to many various places, or so the DHS thought from their surveillance data. His father really had done nothing wrong, but various people who had been "given" his identity were making it look like he had very odd travel patterns. This marked a turning point in the novel as Marcus' father finally realized that there were some potential downsides to all of this surveillance the DHS was performing.

This concept of messing with security goes far beyond this one specific type of exploit, and goes further than the book as well. Every method of surveillance must have some weakness, whether that be an ability to avoid it or to attack it with so much information it cannot sort through it all properly. That raises the question of how useful every surveillance implement of the government is in the real world. It is possible that any day a random group of people could come up with a method to completely mess with some form of NSA surveillance. However as seen in the book, it is us as citizens who are the ones that are punished when there are flaws in surveillance systems. Thus we must ask ourselves if we are truly comfortable continuing to give up some of our privacy to groups such as the NSA and if that our relinquishing some of our right to privacy is actually helping in any way at all.

Justification

The National Security Agency has one main priority, the protection analysis of communications, both domestic and foreign , that pose a threat to the United states of America. The NSA would be unable to do their job if they weren't able to tap into communications that
the NSA developed the Data Encryption Standard (DES) weak enough to be broken by them using means that were well wicould lead to a legitimate threat to the US. In order to do their job most effectively and not waste manpower developing new ways to break codes,within their grasp. In deliberately weakening the DES, the NSA left businesses and personal messages with a standard that wasn't as strong as it could possibly though it was strong enough to keep their secrets relatively private. The senders of the messages that used the DES were generally angry that they couldn't have more secure encryption that had been created already, but the NSA was justified in keeping the security of the DES at a lower level the possible. In doing this, the NSA made it more difficult more threats against the US to develop within the US, which is the biggest threat to the security. While foreign attacks on the US are a more likely possibility, it is the home grown attacks that prove the most dangerous because security within the US is relatively weak in comparison to the security of getting into the US. Home grown attacks also more difficult to detect because there are a larger number of people that could be in on a plot and the members of a plot might be more diverse and harder to track. The solution to home grown attacks would be to either make it easier to identify attackers or make attackers jobs more difficult by increasing security; increasing security would first of all be a logistical nightmare because of the size of the US and secondly it would also cause mass protests amongst the US population who already despise the relatively simple security measures of airport security. Because of that, the NSA had to go with solution b and make it easier to identify attackers by making their communications open to the NSA if they ever become suspicious, while allowing the NSA to focus more time on investigating foreign communications.

Image: "Elderly Armenian Woman Guards Home" by United Nations Photos, Flickr(CC)

Safe Enough?

When Horst Feistel developed the Lucifer system for encrypting information on computers, it had an infinite number of keys that could be used to encipher so it would actually be beyond the code breaking abilities of the National Security Agency (NSA). So when the NSA decided to adopt Feistel's system as the Data Encryption Standard (DES) they wanted to make sure they limited the possible number of keys so they would still be able to break the encrypted data just by using brute-force with their supercomputers, but at the same time civilians would not be able to break the code. They decided to limit the number of keys to roughly 100,000,000,000,000,000. This number of keys would provide privacy and security within the civilian community, but would still allow the NSA to break into messages if they needed to.

I personally believe that the NSA was justified in limiting the number of keys in the Lucifer cipher. I think it is vital for the NSA to be able to read certain messages if they really need to. If they didn't limit the number of keys every message would be completely private and secure. This might sound great in theory, but would actually be relinquishing our security as a nation. Anything could be sent by anyone to anyone and no one would ever know about it even if the government were

suspicious. So if two known terrorists were communicating, we wouldn't be able to read what they were saying. However when the keys are limited to a certain number, any of our messages are completely secure and private within the civilian community, but the government would be able to read it if they wanted to. I think that this is a reasonable violation of our privacy. Also, the government is not going to do anything with the information they read if it is innocent, so most people have nothing to worry about. They are only going to care about things that involve national security. So I think it was justified for the NSA to limit the number of possible keys to a number high enough that the correspondences within the civilian community would be secure, but a number low enough that only the NSA could break into the message if they really needed to.
Image: "Castello di Sermoneta" by Andrea Marutti, Flickr (CC)

Right to Security?

Cryptography has always been about outdoing and outperforming the cryptanalytic efforts of others, trying to create an unbreakable, perfectly secure code. Today with the help of computers we have been able to get closer than ever before, creating encryptions that cannot be broken by any normal means. However, now is also the first time that the efforts to create such an unbreakable cipher are being held back. The National Security Agency, in order to stay on top cryptographically, limited the Data Encryption Standard to something they could crack if necessary. According to Singh, one of the first examples of this was back in the 1970s, when Horst Feistel created Lucifer, the strongest encrypting machine of its day. However, before it was adopted, the NSA argued to limit the number of keys such that no personal computer could break it, but the NSA could if it needed to.

Spying

This seems relatively reasonable. When necessary, the government can intervene and get the information they need, but it would be sufficiently hard that they would not be taking information all of the time. But wait, what about the right to privacy? Shouldn't we have a right to an unbreakable encryption, if we so choose? This comes down to the increasingly important argument of privacy over security. Are you willing to sacrifice some of your privacy (the NSA can see everything you do if it wants) in order to grant a little bit of security?

I think not. If the NSA can crack the encryption, I would bet that there are others who can as well, be it other governments or something more sinister. Obviously the vast majority of the population has nothing even vaguely interesting to hide in the eyes of the NSA, but the fact that they can look into the personal life of any person they choose is frightening.

Photo Credit: BramstonePhotography

The NSA Standard: Invasion or Protection?

Computers, by their simple invention, launched the complexity of cryptography to levels of security that before had seemed unattainable. Ciphers could not only be computed quicker, with more efficiency, and with less chance of human error, but also the amount of cryptanalysis required to decipher encrypted text multiplied. With such advancements, the government saw its ability to monitor communications effectively slip from its hands as mathematicians such as Horst Feistel created new cryptography systems that utilized the new technology. The National Security Association, in November of 1976, created a Data Encryption Standard, or DES, that would allow businesses and people to communicate through secure processes that involved up to 100,000,000,000,000,000 keys, yet t

The adoption of the DES by the NSA was a reasonable standard, seeing as the number of keys were limited to 56-bit, a number that could only be broken by the technology available to the NSA (Singh, 250). Businesses are still able to communicate with optimal security, depending on which encryption system they use, yet, the NSA can intercept and decipher messages they perceive to be dangerous to the country. While businesses can express concern that DES could allow rival companies to be able to hack into their data and use it to their personal advantage, the NSA has determined that the DES is strong enough to protect against such actions (Singh 250). Businesses and citizens are asked a small price to pay in return for their nation's security. The NSA uses the data they've collected to ensure the safety of citizens, and the enforcement of the DES is a small price to pay for what the NSA gives back. he NSA could still decipher it. The transparency required by the standard does not correlate to the government's need to monitor all forms of communication, but rather the necessity of an efficient system of monitoring communications that could result in the harm of the United States and its citizens.Another concern that may arise when considering the justification of the NSA's decision is whether or not limiting the number of keys invades the privacy of citizens. While such a controversial issue cannot be simply proven wrong or right, considering the issue at hand, if a person or company has the necessity of using an encryption system that not even NSA could break, then there actions may prove to be illegal, in which case the NSA has every right to know about and intercept any information communicated via ciphertext.

Image: 30 seconds of my life by Jeff Carson, Flickr

Should Unlimited Security be Limited?

When the Data Encryption Standard (DES) was created, the National Security Agency made sure that it was weak enough that they could break it.  The Data Encryption Standard was a result of Horst Feistel’s product, Lucifer.  Lucifer was a machine that could encrypt data, making the encryption nearly impossible to decrypt.  In 1976, the NSA made the decision to limit the DES to 100,000,000,000,000,000 possible keys.

The strength of a cipher is directly correlated to the number of possible keys.  With so many possible keys, no common computer could possibly decrypt a DES encrypted cipher.  Most powerful computers are capable of finding the correct key when the number of possible keys is only 1,000,000.  By limiting the number of possible keys to a number higher than what a typical computer is capable of breaking, the NSA justified its decision.  The DES was created so that all businesses could communicate securely and reliably.  Even with a limit on the number of possible keys, the same goal was achieved.  Though the security was less than optimal, the security would still be unbreakable.   More importantly, if the DES were too strong, the government and NSA would be incapable of tapping information.  As we’ve previously discussed in Little Brother, there are times where the government needs full access to all forms of communication.  If the NSA did not limit the number of possible keys, it would put domestic and international security at risk.  In this way, the NSA was justified in making sure it was weak enough that they could break it.

Image: "Bokeh Command" by Robert S. Donovan, Flickr (CC)

The Cost of Safety

Though almost every American instinctively cringes at the mention of government limiting freedoms and invading privacy, I believe that often this invasion of privacy is a necessary evil to ensure safety. By limiting the DES, or Data Encryption Standard, to 56 bits or less for civilian business use, the NSA ensured that they would be able to crack an encryption through brute force if needed. Though this meant that businesses would be less secure, it also meant that the NSA would be able to investigate any dubious behavior by cracking the encryption. This is only a small example of the greater debate of privacy vs security. Unfortunately, it is almost impossible for a government to ensure both privacy and security; one must be greater than the other.

"Privacy" by Alan Cleaver

Though the business encryption of 56 bits is less secure than it could be, Singh states that 56 bits would be almost impossible for any civilian computer to brute-force break (250). Though some might argue that civilian computer power has increased to be able to break 56 bit encryption and the NSA has left businesses vulnerable, this is not true. Within the U.S., there is no restriction on the level of cryptography that one can use, and the only restrictions lie on exporting cryptography (Johnson 2002). This is because the NSA needs to be able to break encryption from possible terrorists or other groups that might want to harm the U.S. The government has even realized the weakness of DES and has encouraged a new encryption system called Advanced Data Encryption that can use up to 256 bits instead of 56 (Institute 2001). By increasing the standard encryption level, the NSA has shown that they are working to promote security for civilians, not intentionally limiting security to put people in danger.

A small amount of limiting of security, though it may put companies at risk, is a small price to pay to allow the NSA to, if necessary, break the encryption of data that would help protect the U.S. from a disaster that would cost lives. Though a break in security at a large company might cost them millions of dollars, the cost of lives lost from not being able to decrypt data is priceless.

Johnson, M. (2002, October 14). Where to Get PGP. Cryptography.org. Retrieved November 5, 2012, from http://www.cryptography.org/getpgp.htm#IS_PGP_LEGAL_

Institute of Standards and Technology. (2001, November 26). Federal Information Processing Standards Publication 197. Csrc.nist.gov. Retrieved November 5, 2012, from csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Page 1 of 2

Powered by WordPress & Theme by Anders Norén