Cryptography Pioneers Receive ACM A.M. Turing Award

Modern-day cryptography involves some absolutely fascinating math, some of which I have been fortunate to have been exposed to while working in the field of digital video broadcast systems. The requirement that calls for the use of cryptography in video distribution is protecting the content from pirates attempting to steal the video content. At the most fundamental level, the audio/video data that is transmitted is encrypted so that it is not in the clear for anybody and everybody to pick up. One has to apply the process of decryption in order to recover the original content from a data stream (or bitstream).

The nature of the encryption process determines how easy it is for somebody to break the code in order to obtain the clear version of the data that is being sent. When symmetric block ciphers are used for encryption, you need the encryption keys to figure out how to decrypt the data. To break the system one could try to guess at the encryption key, or try to intercept the key that is being sent to the receiver separately. In general, the shorter the encryption key, the quicker the guessing process is. The Data Encryption Standard (DES) that was more commonly used in the past has become easily breakable with the power of computers today. These days, the Advanced Encryption Standard (AES), with its longer block sizes and keys, is more commonly used. AES block ciphers are hard to crack using the brute force of computers even today. If you are trying to do this in real time with a stream of data that is being transmitted, it becomes close to impossible. (People used to think that the NSA had a backdoor into the AES algorithm. Nowadays people talk more about the capability the NSA might have to break the standard using raw computer power rather than by using a backdoor.)

Protection of the content being transmitted does not depend simply on the fact that data is encrypted. The encryption only assures that nobody can make sense of the data easily as it is being sent. The security is actually in the knowledge of the key that is needed to decrypt the data, and most efforts to break a system focus on this aspect of the system design. In a real system there is some form of data exchange between the source and the destination related to the key, and security is compromised if this is discovered. In any case, when it comes to video distribution, there are many additional strategies applied along with the data stream encryption process itself in order to protect the content.

The Turing Award is being awarded this year to Whitfield Diffie and Martin Hellman for their invention of Public-Key Cryptography and Digital Signatures. The concept is quite brilliant! It is based on the use of an asymmetric cipher, something quite different from the symmetric block ciphers described earlier. When a symmetric block cipher is used, the same key is used in the processes for encryption and decryption. With an asymmetric cipher, the key being used for encryption is different from that used for decryption. There is a relationship between the encryption key (also called the public key) and the decryption key (also called the private key) that cannot be guessed because of the complexity of the math involved in generating the key pair. This allows an entity to distribute its public key in the clear to everybody who wants to communicate with it, knowing that data encrypted with that public key cannot be made sense of by any other entity without the matching decryption key, which remains private.

The algorithms used for public-key cryptography are more complex than those used for the block ciphers in use today and are ill-suited for real-time streaming of data. Today, public-key cryptography is primarily used for digital authentication of content and the creation of digital signatures that can be used to confirm the identity of the entity that you are communicating with. In the case of video broadcasting, it generally tends to be used for protecting the keys that are used in association with the block cipher encrypted audio/video data that is transmitted.
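
The arrangement described above, where a public key protects the key for the fast symmetric cipher that carries the stream, as an added Python example that is not part of the original post. The small prime, the ElGamal-style key wrap and the SHA-256 keystream (standing in for AES) are illustrative assumptions chosen to stay within the standard library, not production choices.

```python
import hashlib
import secrets

# Assumed toy parameters: 2**127 - 1 is prime but far too small for real use.
# Real systems use standardized 2048-bit+ groups or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    """Receiver: the private key stays on the device, the public key is published."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)

def _kek(shared):
    # Hash the shared secret into a 32-byte key-encryption key.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_content_key(content_key, receiver_public):
    """Sender: protect the symmetric content key using only the public key."""
    ephemeral = secrets.randbelow(P - 3) + 2
    shared = pow(receiver_public, ephemeral, P)
    return pow(G, ephemeral, P), _xor(content_key, _kek(shared))

def unwrap_content_key(wrapped, receiver_private):
    """Receiver: only the matching private key reproduces the shared secret."""
    ephemeral_public, masked = wrapped
    shared = pow(ephemeral_public, receiver_private, P)
    return _xor(masked, _kek(shared))

def stream_cipher(content_key, data):
    """Stand-in for the fast symmetric cipher (AES in practice).
    The same key, and here the same function, encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(content_key + i.to_bytes(8, "big")).digest()
        out += _xor(data[i:i + 32], block)
    return bytes(out)

def demo():
    private, public = keypair()
    content_key = secrets.token_bytes(32)          # 32-byte symmetric key
    payload = b"constructed sample audio/video packet " * 3
    wrapped = wrap_content_key(content_key, public)  # sent alongside the stream
    ciphertext = stream_cipher(content_key, payload)
    recovered = unwrap_content_key(wrapped, private)
    return payload, ciphertext, stream_cipher(recovered, ciphertext)
```

The slow public-key arithmetic runs once per content key, while the bulk data only ever passes through the symmetric cipher.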

This is a fascinating subject, but you really need to know your math to delve deeper. There is a great book, a bible if you will, on the subject of Cryptography by Bruce Schneier, that anybody who is interested in the topic should read.



Apple and Privacy

Privacy is something that none of us who live in the digital connected world really have. While we would like to believe that we are safe from prying eyes by using the tools provided by the different vendors who design security solutions that we incorporate into our systems, I think that this ship has sailed. The moment you decided to be a part of the Internet, be it on social media, or be it for simple browsing, or e-mail, or chatting, you created a door into your device, and a means for your information to become available to the snoops, and also for folks who want to misuse your device. The security solutions I mentioned before can barely keep up with the hacking world in this regard. And it only takes one mistake to open the backdoor into your system! The best you can do is try to limit the damage.

There are all kinds of snoops.  There are the ones trying to get at your confidential information to do something bad to you. There are those who are trying to misuse your personal information for other illicit purposes. There are those who are trying to legally or illegally gain some commercial advantage, trying to sell things to you by learning more about you from your computer.  And then there is the government that might suspect you of doing something illegal on your computer.

Why has it been so easy for people to get into our private systems?  For one thing, most of the systems that we work with have fundamental software design flaws that can be exploited.   Next, whenever you are connected into the Internet, you have an address at which you can be reached.  Then, for reasons of convenience, and for supporting required functionalities, systems also include means for others to get access to your working environment for legitimate purposes.  (For example, remote login capability exists for debugging purposes.)

Once you have an identity on the network, there are ways for people to try to access your system for both legitimate and nefarious purposes. Every time you visit a website you are executing code from the website on your computer. Websites leave cookies on your computer regularly when you browse them. And sometimes you give outsiders access inadvertently by going to a website that interacts with your computer in a malicious manner. Once you have hit the wrong button on the browser screen, or in an e-mail, or even opened a malicious application file that you downloaded, you could be at the mercy of the entity on the other side of the communication link established.

And then there are many of us who are willing to give up our privacy in return for something that we want. It happens all the time when you give your information to companies like Facebook, or Google, or LinkedIn or Microsoft, to name a few. It happens when you make a purchase at any online shopping site like Amazon or even an Expedia. And then the systems that these organizations use for storing all this information are not foolproof. Personal information for millions of people has been stolen from the records of more than one government agency.

Your digital communications are themselves not safe from snooping.  Communications from your smart phone can be intercepted by fake cell towers, and communications through an ISP can be snooped upon directly.  Both the bad guys and the good guys take advantage of this approach.

There are rules and regulations meant to address many of the above scenarios to try to protect your privacy, but in many cases rules cannot keep up with either the technologies or the human ingenuity when it comes to creating problems and creating chaos. Then there are the human tendencies that make us disregard the speed-bumps in the processes that are meant to make us slow down and think for a minute. We make mistakes that allow our privacy to be compromised. When was the last time one read a EULA? When was the last time one read and reacted to the privacy statement (mandated by law) they received from their financial organization? Do we accept and store all cookies offered up when browsing a website?

Tim Cook at Apple has decided that the privacy of the owner of a device must be protected at all costs. In this case, he is talking about access to the contents of a device by a third party that has your device in their hands and wants to look into its contents without asking you. They want to make it extremely difficult, if not impossible, to do something like this. Recently Apple introduced the concept of having all the contents of the device encrypted, and limiting access to the decryption key to the owner of the device (i.e., even Apple does not know what it is). In order to be able to use the key, the user has to first get access to his or her device with a password. If somebody tries to hack the password too many times, the device stops working completely. The system is “bricked”. The only way to break the system is to guess the password without too many attempts. Apple does not have a back door in its current software that lets it bypass this security.

This is where government access to a device becomes the topic of discussion.  What the FBI has asked Apple to do is to hack into their own system so that they can read the contents of another person’s smartphone.  Apple is refusing in spite of being under a court order.  They are in a difficult place. If they attempt to break their own system and are successful, it could indicate that others could also find a way to hack into their supposedly super-secure system.  They designed the system to work this way for a reason!

Is Apple justified in refusing to cooperate with the FBI?  Under ideal conditions I would say that they are not, since once you become a part of a society and its systems and use it to your benefit, you have some responsibilities to the system also.  But we also know that the system is not infallible, and can easily be manipulated and misused (as shown by Edward Snowden).   And the tendency for misuse is somehow inbuilt into the system because of human nature and can perhaps never be fixed.

Where should the line be drawn with regard to trying to protect privacy under these circumstances? It is certainly a dilemma…