Slide: 1 / of 1 .

Caption: Getty Images

Its not surprising that in the wake of the Paris terrorist attacks last Friday, US government officials would renew their assault on encryption and revive their efforts to force companies to install backdoors in secure products and encryption software.

Just last month, the government seemed to concede that forced decryption wasnt the way to go for now, primarily because the public wasnt convinced yet that encryption is a problem. But US officials had also noted that something could happen to suddenly sway the public in their favor.

Robert S. Litt, general counsel in the Office of the Director of National Intelligence, predicted as much in an email sent to colleagues three months ago. In that missive obtained by the Washington Post, Litt argued that although the legislative environment [for passing a law that forces decryption and backdoors] is very hostile today, it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.

With more than 120 people killed in Paris, government officials are already touting the City of Light as the case against encryption.

In the story about that email, another US official explained to the Post that the government had not yet succeeded in persuading the public that encryption is a problem because [w]e do not have the perfect example where you have the dead child or a terrorist act to point to, and thats what people seem to claim you have to have.

With more than 120 people killed last week in Paris and dozens more seriously wounded, government officials are already touting the City of Light as that case. Former CIA deputy director Michael Morell said as much on CBS This Morning, suggesting that recalcitrant US companies and NSA whistleblower Edward Snowden are to blame for the attacks.

We dont know yet, but I think what were going to learn is that [the attackers] used these encrypted apps, right?, he said on the show Monday morning. Commercial encryption, which is very difficult, if not impossible, for governments to break. The producers of this encryption do not produce the key, right, for either them to open this stuff up or for them to give to governments to open this stuff up. This is the result of Edward Snowden and the public debate. I now think were going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of whats happened in Paris.

CIA Director John Brennan said something similar at a security forum this morning (.pdf).

There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it, he said. And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve. And I do hope that this is going to be a wake-up call.

'Intel agencies are drowning in data... It's not about having enough data; it's a matter of not knowing what to do with the data they already have.' EFF Attorney Nate Cardozo

No solid information has come out publicly yet about what communication methods the attackers used to plot their assault, let alone whether they used encryption.

On Sunday, the New York Times published a story stating that the Paris attackers are believed to have communicated [with ISIS] using encryption technology. The papers sources were unnamed European officials briefed on the investigation. It was not clear, the paper noted, whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate.

Twitter users harshly criticized the Times story, and it has since disappeared from the site (though it is archived) and the URL now points to a different story, with no mention of encryption.

A Yahoo news story on Saturday added to the theme, declaring that the Paris attacks show that US surveillance of ISIS is going dark. Over the past year, current and former intelligence officials tell Yahoo News, IS terror suspects have moved to increasingly sophisticated methods of encrypted communications, using new software such as Tor, that intelligence agencies are having difficulty penetratinga switch that some officials say was accelerated by the disclosures of former NSA contractor Edward Snowden.

Numerous other news stories have suggested that attackers like the ones who struck Paris may be using a video game network. According to the Daily Mail and others, authorities in Belgium, where some of the attackers were based, have found evidence that jihadis there have been using the PlayStation 4 network to recruit and plan attacks. A source told the paper that they are using it because Playstation 4 is even more difficult to monitor than WhatsApp. The sources didnt indicate if they were speaking specifically about the Paris attackers or about other jihadis in that country. But the fallacy of these statements has already been pointed out in other stories, which note that communication passing through the PlayStation network is not encrypted end-to-end, and Sony can certainly monitor communications passing through its network, making it even less secure than WhatsApp.

US law enforcement and intelligence agencies have been warning for years that their inability to decrypt communication passing between phones and computerseven when they have a warrant or other legal authority to access the communicationhas left them in the dark about what terrorists are planning.

But there are several holes in the argument that forcing backdoors on companies will make us all more secure. While doing this would no doubt make things easier for the intelligence and law enforcement communities, it would come at a grave societal costand a different security costand still fail to solve some of the problems intelligence agencies say they have with surveillance.

1. Backdoors Wont Combat Home-Brewed Encryption. Forcing US companies and makers of encryption software to install backdoors and hand over encryption keys to the government would not solve the problem of terrorist suspects using products that are made in countries not controlled by US laws.

Theres no way of preventing a terrorist from installing a Russian [encryption] app or a Brasilian app, notes Nate Cardozo, staff attorney for the Electronic Frontier Foundation. The US or UK government could mandate [backdoors], but Open Whisper Systems is not going to put in a backdoor in their product period and neither is PGP. So as soon as a terrorist is sophisticated enough to know how to install that, any backdoor is going to be defeated.

Such backdoors also will be useless if terrorist suspects create their own encryption apps. According to the security firm Recorded Future, after the Snowden leaks, its analysts observed an increased pace of innovation, specifically new competing jihadist platforms and three major new encryption tools from three different organizationsGIMF, Al-Fajr Technical Committee, and ISIS. Encryption backdoors and keys also dont help when terrorists stop using digital communications entirely. A 2011 AP story indicated that al-Qaida had long ago ditched cell phones and internet-connected computers in favor of walkie talkies and couriers.

News reports about the Paris attacks have indicated that some of the perpetrators lived in the same town in Belgiumwhich would have made it very easy to coordinate their attack in person, without the need for digital communication.

2. Other Ways to Get Information. The arguments for backdoors and forced decryption often fail to note the many other methods law enforcement and intelligence agencies can use to get the information they need. To bypass and undermine encryption, intelligence agencies can hack the computers and mobile phones of known targets to either obtain their private encryption keys or obtain email and text communications before theyre encrypted and after theyre decrypted on the targets computer.

In the case of seized devices that are locked with a password or encryption key, these devices have a number of security holes that give authorities different options for gaining access, as WIRED previously reported. A story this week pointed to vulnerabilities in BitLocker that would make it fairly easy to bypass the Windows encryption tool. And the leaks of Edward Snowden show that the NSA and British intelligence agencies have a constantly evolving set of tools and methods for obtaining information from hard-to-reach systems.

Were still living in an absolute Golden Age of surveillance, says Cardozo. And there is always a way of getting the data that is needed for intelligence purposes.

3. Encryption Doesnt Obscure Metadata. Encryption doesnt prevent surveillance agencies from intercepting metadata and knowing who is communicating with whom. Metadata can reveal phone numbers and IP addresses that are communicating with one another, the date and time of communication and even in some cases the location of the people communicating. Such data can be scooped up in mass quantities through signals intelligence or by tapping undersea cables. Metadata can be extremely powerful in establishing connections, identities and locating people.

[CIA] Director Brennan gleefully told us earlier this year that they kill people based on metadata, Cardozo says. Metadata is enough for them to target drone strikes. And thats pretty much the most serious thing we could possibly do with surveillance.

Some metadata is encryptedfor example, the IP addresses of people who use Tor. But recent stories have shown that this protection is not foolproof. Authorities have exploited vulnerabilities in Tor to identify and locate suspects.

Tor can make the where a little more difficult, but doesnt make it impossible [to locate someone], Cardozo says. And Tor is a lot harder [for suspects]to use than your average encrypted messaging tool.

4. Backdoors Make Everyone Vulnerable. As security experts have long pointed out, backdoors and encryption keys held by a service provider or law enforcement agencies dont just make terrorists and criminals open to surveillance from Western authorities with authorizationthey make everyone vulnerable to the same type of surveillance from unauthorized entities, such as everyday hackers and spy agencies from Russia, China, and other countries. This means federal lawmakers on Capitol Hill and other government workers who use commercial encryption would be vulnerable as well.

The National Security Council, in a draft paper about encryption backdoors obtained by the Post earlier this year, noted the societal tradeoffs in forcing companies to install backdoors in their products. Overall, the benefits to privacy, civil liberties and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption, the paper stated.

If all of these arent reason enough to question the attacks on encryption, there is another reason. Over and over again, analysis of terrorist attacks after the fact has shown that the problem in tracking the perpetrators in advance was usually not that authorities didnt have the technical means to identify suspects and monitor their communications. Often the problem was that they had failed to focus on the right individuals or share information in a timely manner with the proper intelligence partners. Turkish authorities have already revealed that they had contacted French authorities twice to warn them about one of the attackers, but that French authorities never got back to them until after the massacre in Paris on Friday.

Officials in France indicated that they had thwarted at least six other attack plots in recent months, but that the sheer number of suspects makes it difficult to track everyone. French intelligence maintains a database of suspected individuals that currently has more than 11,000 names on it, but tracking individuals and analyzing data in a timely manner to uncover who poses the greatest threat is more than the security services can manage, experts there have said. Its a familiar refrain that seems to come up after every terrorist attack.

If Snowden has taught us anything, its that the intel agencies are drowning in data, Cardozo says. They have this collect it all mentality and that has led to a ridiculous amount of data in their possession. Its not about having enough data; its a matter of not knowing what to do with the data they already have. Thats been true since before 9/11, and its even more true now.

Read this article:
After Paris Attacks, Heres What the CIA Director Gets ...

Encryption is a method of hiding data so that it cannot be read by anyone who does not know the key. The key is used to lock and unlock data. To encrypt a data one would perform some mathematical functions on the data and the result of these functions would produce some output that makes the data look like garbage to anyone who doesn't know how to reverse the operations. Encryption can be used to encrypt files that the owner feels are too sensitive for anyone else to read. And now, with the rise of the Internet, encryption is used to encrypt data, like a credit card number, and then send it across the net. This way no one can read intercept and read the data while it is traveling through the web. The recipient of the data does have to know how to decrypt the information or else the data will look like garbage to the recipient too.

There are two categories of encryption, private key and public key. The major difference is who knows the key. Encryption is an entirely mathematical process applied to the world of computers. The only thing an encryption program will do is take in data, perform some predefined mathematical operations on the data, and then output the result. Decryption is the process of taking the encrypted data, that now looks like garbage, and reverse the mathematical functions so that the result is the same data that originally existed before the encryption process. The "key" is the set of mathematical operations and values that are used to encrypt and decrypt the data. Encryption and decryption algorithms describe the mathematical operations while key describes the exact process which includes the algorithms and any other random initial values that are used in the algorithms. Lets first look at private key encryption and how it works.

PRIVATE KEY ENCRYPTION

What private key means is that the same method is used to encrypt and decrypt. If someone knows what method was used to encrypt the message then that person can decrypt the message. Thus, the key must be kept private. Only the person sending the data and the person receiving the data should know the key. Private key cryptography, also known as symmetric cryptography since the encryption and decryption processes are just opposites, is an encryption method where the encryption algorithm is known before hand by the sender and the recipient. Accordingly, the two users must communicate beforehand and agree on the algorithm and the key so that the recipient can decode the message. A very simple example of private key cryptology is to take the text that is to be sent across the Internet and use the next letter in the alphabet in place of the original letter. Then send the scrambled text across the Internet. The person receiving the text would have to know how the message he receives is scrambled so that he can unscramble it. Thus, the "key" being used in this example is, 'use the next letter in the alphabet.'

With this key the text, "hi rob" would become, "ij spc". Since the recipient of the message knows the key, that person will take the message he received and take the previous letter in the alphabet. The person would receive the message, "ij spc," and using the previous letter that person would recover, "hi rob." This example is much simpler than the private key encryption algorithms used today, but it illustrates the fact that in private key encryption the encryption and decryption processes are just the reverse of each other

Private key encryption has the benefits of being very fast in that the computer programs that will perform the encryption and decryption will finish executing in a very short amount of time. The more complex the key the longer the process takes. However, even the most complex private keys algorithms can encrypt and decrypt data faster than that of public key cryptology. A disadvantage to private key cryptography is that the key must be communicated before hand. You would have to tell me exactly how you were going to encrypt the messages that you will send to me so that I could recover the original message later.. You could not encrypt this information as I wouldn't know the key yet. In a large organization or over the Internet it is easy for these keys to become compromised because they have communicated, without using encryption, before the actual encryption takes place.

PUBLIC KEY ENCRYPTION

Public key cryptography (asymmetric) was created to eliminate the shortcomings of private key cryptography. The biggest advantage of public key cryptography is that no prior communication needs to take place between the recipient and the sender.

Public key cryptography works like this, everyone has two keys, a public key, which the entire world has access to, and a private key, which only the owner knows. Note that the private key referred to here is completely different than the private key used in private key cryptography. For lack of a better name the secret key in public key cryptography is called a private key. These two "keys" are much different form the "keys" used in private key cryptography. In fact both keys used in public key cryptography are just very large integers, on the order of 300 digits long. With public key cryptography there is only one algorithm that is in use, that algorithm is know as the RSA algorithm. The RSA algorithm is the only algorithm that will be used to encrypt and decrypt data.

The algorithm works by taking in some data, and then using one of the keys which is a large number, and using the key to perform modulo and exponential functions on the data. The result is a message so scrambled that no amount of statistical analysis could break the code. The beauty of RSA is that a message encrypted with a public key can be decrypted with the corresponding private key and a message encrypted with a private key can be decrypted with the corresponding public key. For this reason RSA is know as asymmetric cryptography, different algorithms are used to decrypt and encrypt data. The algorithm is actually just a very complex mathematical identity. Thus, person X can encrypt a message with person Ys public key and only person Y can decrypt the message using his private key, this is the process used to encrypt e-mail. More importantly, if I had a public and private key, and only I know my public key, I could encrypt a message using my private key and everyone could decrypt the message using my public key. If my public key successfully decrypts the message you can be sure that I sent it because the message could have only been created with my private key. The reason it could have only been created with my private key is that my public key was used to decrypt the message. By decrypting the message with my public key you know only my private key created it. This works as long as only I have access to my private key. The process described here is known as a digital signature because by creating a message that only I could have created I am effectively signing the message.

Like private key cryptography the encryption and decryption process must reverse each others actions, but the difference lies in that there are two different numbers and two different algorithms used. One number is the public key and the other number is the private key. These numbers are used in the two different algorithms one to encrypt a message and one to decrypt a message. The important aspect of RSA and public key cryptography is that no prior communication has to take place before a message is sent. If you receive a message encrypted with RSA and your public key you have all the information you need to decrypt the message. RSA does have some disadvantages however, since the numbers used are so large the amount of time it takes to encrypt or decrypt is a lot longer than private key cryptography.

What you should understand now is that there are two methods of encryption, private key and public key, each with its own advantages and disadvantages. You should also understand the concept of a digital signature as this will be used later to prove identity.

To go back to main page click here or to proceed to the page describing digital certificates, click here

Read the original here:
Encryption - UCSD Mathematics