If anyone had insisted a year ago that there was a giant government warehouse in Utah that was poring through every electronic communication sent from around the world, from text messages to emails to web traffic, they would be accused of having paranoid delusions. Now in 2014, though, it’s yesterday’s news.
After former NSA contractor Edward Snowden leaked information on the United States’ security programs that are looking through each piece of data we transmit, thus pulling back the curtain on how much our privacy has truly been invaded, the world has changed as our eyes were opened. Encryption is becoming a very important topic in online news, and so is the underlying field, called cryptography.
As consumers living in a post-Edward Snowden world, we should remain aware of what cryptography applications are out there, and how we can utilize them to keep our information (and thus, ourselves) safer. This article is intended to discuss some of the more practical usages of cryptography in modern computing, including PGP/GPG encryption, encrypted chat programs such as Cryptocat, the anonymous Tor browser, and will touch on a major buzz item of 2013, Bitcoin.
All technologies written about in this article are currently (at the time of publishing) legal to use in the United States.
Some Common Cryptography Terms:
Cryptography: The study and practice of techniques for secure communication in the presence of adversaries.
Adversary: A third party who may attempt to decipher an encrypted message. Hackers, rival companies, and identity thieves are all common adversaries in the cryptographic sense.
Encryption: The process of encoding messages or information in such a way that only authorized parties can read it.
Code: A method used to transform a message into an obscure form called codetext so it cannot be understood without special information, called a key.
Cipher: An algorithm used to perform encryption on plaintext to obscure it into ciphertext.
The encryption that is probably most useful for the average consumer is online message encryption. People have used cryptography to secure sensitive messages for millennia (such as the famous “Caesar Cipher” used by Julius Caesar to communicate with his generals). However, most modern email is sent through the web as plain text, which means anyone intercepting it needs to do minimal work to read the messages you are sending. As well, Google can effectively read all of your email sent through its services, and it was revealed that the NSA also has access to your email’s metadata (information about an email such as time sent, size, location of origin and destination). This creates issues of privacy and security for users of these email services, and thus, they may want to take certain precautions to protect themselves.
One of the most common email encryption methods dates back to 1993, and is modestly dubbed Pretty Good Privacy, (PGP for short). The PGP package of encryption tools for business is owned and distributed by digital security company Symantec. There is also a GNU open-source version called GNU Privacy Guard, (GPG) that is available free for home and business use.
PGP uses a public key encryption scheme, meaning it utilizes two separate keys for encryption and decryption. The first, a public key, is sent out to those who users want to send them encrypted messages, which they then install on their device. The second, a private key, is used to decrypt the messages sent to the user, and should never be shared. Thus, users of PGP need to keep track of public keys shared with them, (most encryption software keeps a digital “keychain” for public keys) and should encourage their friends, family members and business associates to also utilize such a system to ensure that all emails sent remain encrypted at both ends.
While it may seem like a hassle to use, since you need certain software to utilize these keys, and the software encrypts everything sent in the email’s contents (including any malware, making antivirus virtually useless until you open the email, and then it’s too late), it can keep sensitive information from prying eyes when used properly. PGP and GPG are software implementations of cryptography that are worth looking into for peace of mind in business and home use.
Besides reading emails and chat messages, the government, hackers, and other adversaries can typically glean a lot of information about a person based on their internet browsing patterns and history. To prevent this, one good technology to use is Tor.
Tor, which previously stood for “The Onion Router”, is a software package used for internet anonymity and prevention of censorship. The Tor package, when installed on a device, allows users to channel their internet browsing through multiple other computers on the network, each with its own level of nested encryption (much like the layers in an onion). Each time information is passed between computers, the data only knows what layer it came from and where it is going next. Thus, if it is ever intercepted, it is very difficult to trace what IP address the information originated at.
The layered nature of the Tor network also makes it useful for avoiding firewalls imposed by a government. As well, sites can be hidden in the Tor browser from the rest of the internet. Further, the peer-to-peer nature of Tor means that the network exists as long as there are computers running it, so it cannot be taken down. While this may seem like a source for shady anonymous activity, government agents and the military also use Tor.
The Tor Browser Bundle uses a modified version of the Firefox web browser which allows for low latency anonymous browsing, and is available for download for free from The Tor Project.
In late January 2011, during the Arab Spring revolutions in the Middle East, the Egyptian government shut down nearly all internet and cellular service in the country. Popular bloggers had already been imprisoned in Egypt for years for speaking out against the government or religion, and Twitter was fast becoming one of the fastest and most reliable news sources regarding the revolution. The huge amount of censorship and attempting to “pull the plug” on the internet shows just how much power a government can have over their people’s freedom of information.
To avoid this type of persecution by governments, activists can turn to cryptography applications for aid. Cryptocat, for example, offers encrypted chat services in an easy-to-use and visually appealing browser extension. Though it does not mask a user’s IP address (and thus, their identity), chat is encrypted to the point that even the Cryptocat network can’t read what you’re writing. For full anonymity, Cryptocat’s creators suggest using the Tor browser.
Twister, a microblogging application currently being developed in Brazil following the mass protests there, uses the BitTorrent and BitCoin protocols to function as a peer-to-peer, decentralized, and encrypted Twitter-like service, intended for revolutionaries and other activists to use to spread news without fear of the government persecuting them.
Cryptocat is available for free as a browser extension for Chrome, Opera, Firefox, and Safari, as well as on Mac OS X. Twister is currently in alpha and thus is very difficult to compile without software development experience, but you can learn more about it by visiting the development site.
In 2013, the online currency known as Bitcoin surged in prominence, popularity, recognition and value. Bitcoin is a cryptocurrency, which means that it is both created and distributed through cryptographic means (in this case, Bitcoins are created through SHA256 cryptographic hashing on specialized hardware, and transferred using public-key encryption).
Bitcoin uses a peer-to-peer network, meaning that the Bitcoin economy is not located on one physical server (and thus is not controlled by the creators directly). Instead, a “block chain” exists on all Bitcoin “nodes” (devices where the Bitcoin client is installed) which checks against all other nodes whenever a transaction is made. This prevents double-spending of Bitcoins, for example, and ensures consensus on the value of a Bitcoin.
Getting involved in Bitcoin trading is as easy as installing a client program, downloading the block chain, and setting up a digital wallet. Many online (and offline) retailers and service providers worldwide, from restaurants and hotels to web developers and mohels, allow payment in Bitcoin. It is a fast, cheap and effective method for making financial transfers when compared to services like PayPal that have a transaction fee.
While its real-world exchange value currently fluctuates based on the popularity and perceived value of the currency, Bitcoin values are likely to get more “sticky” as more coins are mined and more vendors begin accepting it as a form of payment.
As mentioned above, at the time of publishing, all technologies mentioned in this article are legal in the United States. However, understanding the legal implications of the programs throughout their history is still useful. As of early December 2013, Chinese banks cannot exchange Bitcoin for the Yuan, but the Bitcoin traders themselves still exist.
An interesting story from the history of cryptography concerns Phil Zimmermann, the creator of PGP. In 1993, Zimmermann became the target of a criminal investigation by the US government for “munitions export without a license” after PGP made its way across the border, as cryptosystems using keys larger than 40 bits were considered munitions alongside guns and bombs at the time. To get around this restriction, Zimmermann printed the entire source code of PGP in a hardback book, which was distributed and sold, and could be scanned using a character recognition program (or typed in by hand), thus allowing anyone to compile their own version of PGP. After all, the export of books was protected under the First Amendment. Since this incident (which never reached court, and the charges against Zimmermann were eventually dropped), it has been ruled by two federal courts that cryptographic source code is speech protected by the First Amendment. PGP no longer qualifies as a non-exportable weapon, though certain restrictions on cryptographic software exportation do remain in place.
The government may take action against certain services and their providers should they feel that the encrypted data or means of encryption could compromise national security. Shortly after Edward Snowden revealed the extent of the NSA’s eavesdropping, secure email service provider Lavabit was leaned on by the NSA to release the emails and information of a specific unnamed user of the service (which was used by Edward Snowden… read between the lines). However, rather than compromise the security of its users and the integrity of the service, Lavabit chose instead to close down while dealing with the courts (though they hope to re-launch with improved encryption once the legal matters have passed).
An interesting case of some of these technologies being used in tandem is the recently taken down Silk Road website. Used as a trading hub and black market for illicit goods and substances, The Silk Road was notorious for its security as much as for the wares it pushed. The site was only accessible to users using a Tor browser, and accepted payment only in Bitcoin to help preserve anonymity of both buyers and sellers.
Silk Road’s Bitcoin wallet was seized following the site’s takedown in October 2013, and the federal government plans on auctioning off its contents (currently worth about $24.5 million USD). This will be the first auction by the federal government of a cryptocurrency. Silk Road’s founder, Ross Ulbricht, (aka “Dread Pirate Roberts”), was arrested on charges of narcotics trafficking, computer hacking, money laundering, and soliciting murder-for-hire in connection with the site.
The lessons to be learned from these examples are twofold. First, cryptography can be a very powerful tool, and if used for illegal purposes, it can be very hard to deal with. Second, users should know not to rely on any one service too heavily. After all, should it go away or be compromised, one may be very much out of luck in terms of finances, safety and privacy.
Even after reviewing all these applications, it is important to remind all readers this that just encrypting communications doesn’t mean your data is necessarily secure. You must take a holistic view of security to ensure your safety in today’s digital age. Putting a password on your machine, configuring your network properly, avoiding malicious sites, patching software regularly, only sharing personal information with trusted recipients, and checking your router logs to make sure that it isn’t compromised are just as important to maintaining security as encrypting your traffic and checking for vans parked outside with antennas sticking out of the top.
In light of recent revelations regarding the NSA’s PRISM program, it has become clear that software and practicing safe computing are only part of the equation. Organizations like the NSA may lean on companies such as Intel who create the pseudorandom number generators that cryptography programs rely on to have them use certain prime numbers for generation, or pay companies to put in backdoors to their cryptography programs for easier access (as has happened in the past with RSA Security’s BSAFE toolkit from 2004 to 2013, among others). Thus, the hardware you are using may itself be compromised from the start by certain parties. Even if you take all necessary precautions, someone could break into your residence and install a keylogger on your computer, and so on.
While it may seem futile to attempt to secure your computer against such monolithic entities as the NSA, it is not a waste of time. Consumer-level encryption technology at the least will make sure that anyone attempting to intercept your data has to put in their due diligence to reach you, and will likely keep out run-of-the-mill hackers and other interested parties.
Like home security systems, encryption does not make your computer impervious to all break-in attempts. However, sometimes it just needs to be harder to break into your property than to break into a neighbor’s down the street to keep you and your privacy safe.
“You can’t stop the signal.”