The UK's crazy misunderstanding of how End To End Encryption works and what it all really means.

in #cryptography, 7 years ago

## Preface

I have been getting more and more annoyed when the (UK) government has been talking about banning encryption, removing privacy etc etc etc. I thought I would do a write up.

Oh, and before I continue: to anyone who uses "If you have nothing to hide, why do you care?" as an argument for why we should let the government ban encryption and remove our right to privacy, I respond, "When you go for a shower, or to the toilet, everyone knows what you are doing in there, but you still lock the door. Why? Because you want privacy. This isn't about secrecy, this is about the right to privacy".

## Intro

At what point can the government step in and stop us using methods of communication? I don't understand where they think human rights stop and government intervention starts.

There is a lot in the press at the moment about governments stepping on the use of encryption. Encryption that's breakable is apparently OK to use. Encryption that is unbreakable by a law enforcement agency is apparently not OK to use. Or maybe it is, if it has a backdoor built into it.

Let's talk about this then.

Let's start by removing technology from the picture entirely. Do I have a right to privacy? Within reason? I.e. if I am suspected of breaking the law in some way or other, then a warrant can be granted to search my premises. Within that, the law enforcement agency can break the lock off a safe, search my belongings etc etc. Fine, so within reason, I have a right to privacy. What if the information they want is in my head, i.e. it's information they want? Can they prise it out using any means available? Torture?

So what if they find a box they cannot open and only I have the key to? They can smash the box if they have something to administer the necessary force. That is within their capabilities. Force is just a case of how much money you can throw at building a machine that can administer that force. Tesla designed a machine that could crack the earth in half if he so wanted. So force isn't a question to a law enforcement agency. Perhaps they need to be a bit careful if they want the contents of the box to be left intact, but that's not a big deal. What if they couldn't break in without damaging the contents, and they knew it? Can they force me to tell them where the key is? When does it become torture once again?

So now the question really comes down to information. Tactics to get that information have tended to be spying, negotiating, buying... torturing. The first three are probably considered fair game by most people. In fact, anything that does not require me to act against my will is fair game for a law enforcement agency.

There is of course the information they don't know they don't know. Information I would actively have to tell them they don't know that they don't know. But that's a different kettle of fish.

So the physical world has been cracked by law enforcement, so to speak. If what they want is in a box, and they can throw enough resource at getting into the box, then they can probably do that without encroaching on my human rights. So it's fair game.

But when it comes to information, I can store information in a way that no amount of force will get at it. Encryption. All encryption is is maths. Clever maths, but maths all the same.

Until the 1970s information was often stored in an encrypted fashion by hand. That is, the person with the information would write it down, following a set of rules that would make the information unreadable. It was a long and arduous process, but it was possible to do. To get back to the original information, you needed to know something secret. Something that the author would know, and not tell anyone else. To get at that information the author would have to give up the secret. You could of course torture the author for the information, but one thing was for sure. Force would not get you the information in the same way it will get you to the contents of a box.

The technique I am referring to is called a One Time Pad. Claude Shannon proved mathematically, that correctly used, a One Time Pad was the unbreakable cipher. Without knowing the secret you will not get access to the information it hides.

So to demonstrate the ease of this, I went out into the street and asked 40 people, for a random letter of the alphabet each. I wrote those letters down in the order they were given to me. I will not tell you the sequence of those letters.

I then decided on a piece of information I want to keep completely secret. Then, using these two things and the following set of rules, I "encrypt" the information.

  1. Take the first letter of the message you want to keep secret (assume for now it's the letter D)
  2. Take the first letter of your random string of letters obtained from members of the public (assume for now it's the letter R)
  3. Add the two letters together, and subtract one.
    • I.e. D is the fourth letter of the alphabet, R is the 18th letter. 4 + 18 - 1 = 21.
    • Write down the equivalent letter for the number obtained (The 21st letter of the alphabet is U). If the number is greater than 26, subtract 26 from it.
  4. Repeat until your entire message is encrypted. The one rule of the One Time Pad is your random string of letters is as long as the message you want to encrypt.

Once complete you will have a string of letters such as the following:

ORWRM KNWER TWQBK DJZUN VRJWH MXESD BULXU OSGCZ

The spaces are there just for readability. They are meaningless otherwise. From the above, you know how I encrypted the information, and you know how many letters I encrypted (40 letters). But try as you might, and throw all the government computing power at it, you will not be able to determine what message I originally encrypted. What's also important is I did not use any computer power to encrypt the message. Just my brain. If I were to keep the random string of letters I used to encrypt the message in my head, the only way you would get to the original message is to prise the information out of me, or negotiate that I give it up.

So what does the government do about this? They don't have any technological solution to the problem, and assuming they won't torture me, they can negotiate with me, spy on me, record my conversations, search through my bins to see if I wrote the original message (or the random string of letters down) and threw it away. But what's for sure, is they will not be able to break the above cipher without my assistance (whether I meant to give it to them or not).

In actual fact, if you want to see how I got to the above, here are my workings. No computer used.

onetimepad.jpg

You can see the random string of letters I used top left, the message I wanted to encrypt underneath it and on the right is the workings to get from the message to the cipher text.

The random string of letters:

vksly pjfrf pjxzk qwlbv cdukd qgwzv oosqm wfsjv

So if a government can explain to me why I should have to give up that random string of letters (that is stored in my brain), of course that's assuming that they truly believe the information it hides is of use to them.

The problem in reality with this One Time Pad is that that string of random letters must only ever be used to encrypt one message. So in reality it's totally impractical to communicate with someone else who is not beside you. You need to agree on a new random string of characters for every message.
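The numbered procedure and the single-use rule above, as an added Python example (not the author's code): it applies steps 1 to 4 to the ciphertext and pad published in this post, derives a second pad under which the same ciphertext reads as a constructed decoy message, and shows that two messages encrypted with one pad leak their letter-wise difference. `DECOY` and all function names are assumptions of this example.

```python
import string

ALPHABET = string.ascii_uppercase
# Ciphertext and pad as published in the post; spaces are only for readability.
CIPHERTEXT = "ORWRM KNWER TWQBK DJZUN VRJWH MXESD BULXU OSGCZ"
PAD = "vksly pjfrf pjxzk qwlbv cdukd qgwzv oosqm wfsjv"
# Constructed 40-letter decoy message, not from the post.
DECOY = "MEETMEATTHESTATIONATNOONANDBRINGTHEBOOKS"

def positions(text):
    """1-based alphabet positions of the letters in text (spaces dropped)."""
    return [ALPHABET.index(ch) + 1 for ch in text.upper() if ch in ALPHABET]

def encrypt(message, pad):
    """Steps 1-4 of the post: add the positions, subtract one, wrap past 26."""
    m, k = positions(message), positions(pad)
    if len(k) < len(m):
        raise ValueError("the pad must be at least as long as the message")
    out = []
    for mi, ki in zip(m, k):
        n = mi + ki - 1
        if n > 26:
            n -= 26
        out.append(ALPHABET[n - 1])
    return "".join(out)

def difference(a, b):
    """Letter-wise a minus b, wrapping below A (the inverse of encrypt)."""
    return "".join(ALPHABET[(x - y) % 26]
                   for x, y in zip(positions(a), positions(b)))

def decrypt(cipher, pad):
    if len(positions(pad)) < len(positions(cipher)):
        raise ValueError("the pad must be at least as long as the ciphertext")
    return difference(cipher, pad)

def pad_for(cipher, claimed_message):
    """The pad under which cipher decrypts to any same-length message."""
    if len(positions(cipher)) != len(positions(claimed_message)):
        raise ValueError("the claimed message must match the ciphertext length")
    return difference(cipher, claimed_message)

if __name__ == "__main__":
    print(decrypt(CIPHERTEXT, PAD))            # the message hidden in the post
    fake_pad = pad_for(CIPHERTEXT, DECOY)      # an equally valid-looking pad
    print(fake_pad, decrypt(CIPHERTEXT, fake_pad))
    # Pad reuse: the pad cancels, leaving only message-minus-message.
    c1, c2 = encrypt(DECOY, PAD), encrypt("A" * 40, PAD)
    print(difference(c1, c2) == difference(DECOY, "A" * 40))
```

Because every 40-letter message has a matching pad, the ciphertext alone does not favour any one of them; that holds only while the pad is uniformly random, kept secret and never reused.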

One technique however that has been used in the past is to agree on a book between you and the people you want to communicate with, that will suffice as the generator of the random string of letters. Once a book has been agreed on you take each letter in turn off the pages in the book and use them as the random string of letters. You never reuse a sequence of letters/words from the book. This gives you a random string of letters as long as the book is in letters to encrypt messages between you and your companions. See "The Beale Ciphers" for a use case of this that has yet to be broken. Without knowing the book(s) used, it's impossible to break the cipher.

To ease my process of encrypting with such a technique, I could write a piece of software. Assuming my piece of software works as intended, it's just a more convenient way of doing the same thing I did on paper as before. If my piece of software knows the book I am using as my secret, then my companions and I can talk in secret.

Where am I going with this? Well, does a government have a right to know what book I am using? Do they have a right to have access to the implementation of the software I wrote? What if I don't give it to them? What if they have access to all legitimate uses of the software, but not to the illegitimate uses? I.e. the only messages they know they can break, should they need to, are from people who are using it for good reasons anyway. And who says the people who work for these governments, who are actually going to decrypt the messages on their behalf, are law abiding "good" citizens? What about in 20 years, when the government and its motives may differ entirely (see Germany between the 1920s and the 1940s)?

In other words, if there is a method by which I can do something in my head, and it's agreed that prising it out of my head is against my human rights, then why, when I write that down for my own use, is it OK for a government to demand I hand that piece of paper over?
In reality what I am saying is if I use a piece of technology to ease what I would otherwise have to do in my head, why is that not a violation of my human rights that a government have access to it?
So to take it further if I use a piece of software (which in essence is just a sexed up notepad) to keep my secrets secret, why is it OK for a government to have control of the inner workings of that piece of software?

Take that even further. When an organisation makes a piece of software to help me do that, and I buy a copy, why should the government have control of the software they sold me? And what about the other governments, the less trusted ones, who, once one government has this capability, will want it too?

And if we are stating that because of the few who do evil, we should all give the above up, then we live in a very sad world, with an extremely lazy government who are incapable of doing the job that we pay our taxes for - to keep us safe (secure) without affecting our right to privacy. If I am giving up privacy for security, what is the point in either?

Realise that the information is obtainable that you need to suspect me of a crime without explicitly reading the messages that I am encrypting. You just need to think a bit more intelligently than the brute force approach that you are currently applying.

Also realise that you do not own the internet. You do not own the capability of me to communicate with others in any way I wish. I can create an Internet that you cannot monitor. It may be inconvenient for me, but if I really wanted to I could be off your radar. Push us to that, and you have problems that you cannot realise now.