
Tales from Decrypt: Current Issues in Cryptography
posted 08-31-2009
The cat and mouse game between cryptographers and criminals is no longer the stuff of war-time fiction, but takes place every day on the Internet.

The Cold War is over? Think again. Sure, the East-West geopolitical standoff may have subsided, but the cryptographic arms race rages on, largely behind closed doors, rarely shedding blood but affecting virtually everybody on the planet.

On one side are the white hats—academic and military researchers working on new ways of encoding information to protect it from prying eyes and guarantee its integrity. Working against them are hackers, criminals, and again, well-funded military researchers—black hats—all working on ways of breaking the latest codes.

And there’s the public, which these days has little choice but to trust that the white hats continue to maintain the upper hand—and can only trust that they’re truly white. The fact is, the mathematics underpinning most cryptographic techniques in use today are way beyond the average person’s ability to understand them, so it’s well nigh impossible to determine if the techniques actually work as advertised. After all, who but those privy to the most classified cryptographic research—which the government guards as strenuously as the designs of nuclear weapons—can be sure that common cryptographic programs don’t contain “back doors” that would easily enable government agencies, for instance, to read information that to others remains encrypted?

In short, cryptography demands a fair amount of trust. Like the atom bomb before it, it’s a technology that’s profoundly shaping the modern world but whose complexities only a few individuals, most of them sworn to absolute secrecy, fully understand.

Keys to the net
Though historically the purview of armies, secret agents, and governments, cryptography today is pervasive and pretty much everyone’s business. In a way, it’s what makes the Information Age tick. For without the ability to hide information from prying eyes—think credit card numbers—there’d be no e-Commerce on the Web. And without so-called hash techniques, which use crypto techniques to assure that the binary 1s and 0s of a digital object remain unaltered, only fools would run any software downloaded from the Web, even from known sources. Strong cryptography is obviously key to the viability of cash machines and retailers’ credit card terminals, but it also guards online consumer banking, transfers of money between banks, and wireless networking in homes and offices.

And that’s only the beginning. The general assumption is that black hats, if they care to, have no trouble tapping wires or snooping on wireless data transmissions, so it is always up to the senders and receivers of information to protect sensitive data through their own encryption efforts. As more personal computing gets done up in the cloud, so to speak—in remote computers available over the Internet—the public may demand better data protection and insight into how it works.

In mid-June 2009, in fact, 37 top security researchers publicly beseeched Google to beef up the security on its popular Web apps, such as Gmail and Google Docs. When not using their browsers’ crypto-based HTTPS option, the researchers said, Google’s users are left vulnerable to having their email messages and documents read by others.

“As a market leader in providing cloud services, Google has an opportunity to engage in genuine privacy and security leadership and to set a standard for the industry,” the researchers stated in an open letter to Google. Among the signers was Ron Rivest, who is the “R” in RSA, a widely used encryption algorithm. Google, in response, agreed that HTTPS would certainly benefit users and indicated that it may widen the protocol’s use. But it also noted that because HTTPS’s encryption routines take some time to execute—around 1/4 second each time a Web page gets refreshed, according to others’ measurements—using HTTPS all the time could make cloud apps less responsive. Unstated was that HTTPS would also consume considerably more computing power at Google’s end.

Phony protection
Meanwhile, as an increasing portion of voice telephony moves to the Internet—a.k.a. Voice over Internet Protocol, or VoIP—cryptography is finding yet another use and arousing yet more controversy, too. In the past, only presidents and spies could afford to secure telephone calls against eavesdroppers, but now, anyone can do it—and perhaps ought to, considering that, compared to traditional, wire-based telephony (PSTN or Public Switched Telephone Network), VoIP is potentially much more vulnerable to eavesdropping, spamming, and fraud, for instance.

Software called Zfone, currently offered at no charge but planned to show up as a commercial product, enables individuals to secure VoIP calls made directly between computers (though not over the popular Skype service, which employs non-standard protocols). In brief, Zfone uses a key, uniquely generated for every call, to scramble each packet of voice data before it hits the Internet—all in a way, the software’s makers claim, that’s simpler and more secure than other such schemes proposed for home and office use.

The controversy? Zfone’s encryption appears to be strong enough to thwart even the National Security Agency (NSA), the government agency that specializes in making and breaking codes of all kinds. And that means mobsters, terrorists, and other bad guys could, in theory, use it to hide their calls’ content from FBI, CIA, and local police. VoIP already presents a challenge to those agencies’ wire-tappers, because voice-data packets flow across the Net independently of each other, following potentially many different paths and mixing in with billions of other, unrelated packets.

White knight

The creator of Zfone, however, is not unfamiliar with government anxiety over his efforts. Philip R. Zimmermann is perhaps best known as the techno-political activist who invented and made freely available something called PGP (for Pretty Good Privacy), a crypto-based scheme for protecting email that’s strong enough to resist virtually any attack. Zimmermann has made it clear over the years that his ultimate aim is not to aid any bad hats but instead to help all citizens and especially political and human-rights activists around the world to communicate in a way that’s safe from government snoops. And with Zfone, he sees growing commercial opportunity in the business world, where corporations are waking up to the need to secure their telecommunications against industrial spies.

“We all know how organized crime has been taking over the Internet,” Zimmermann says, noting that it takes only a few minutes for an unprotected computer connected to the Net to be attacked and even shanghaied into a botnet. “When VoIP takes over from the PSTN, the Russian mafia will start attacking VoIP, too. It’s only a matter of time. Everyone knows that the future of telephony is the Internet. We have no choice but to encrypt our calls.”

Trust is a must?  

Yet another area where cryptography is likely to have significant impact is in so-called trusted computing. Traditionally, owners of personal computers have been free to run any software they like—any operating system, any application, any digital copy of a movie. But conceivably, brand-name makers of computers and software—and users, too—might have an interest in setting up restrictions on what software runs where. Neither Hollywood studios, musicians, nor software companies like to see purloined copies of their wares getting distributed across the Net, for instance. And no user wants to see his or her computer hijacked by malicious code injected by a criminally run website.

Trusted computing attempts to eliminate those and similar scenarios by enforcing cryptographically defined linkages between all hardware and software components. From a special, tamper-proof chip on the computer’s motherboard to the operating system to applications to individual MP3 music tracks, for instance, a unique crypto-based digital signature would identify each component as being both properly licensed and unaltered since its creation, or not. Any code or content missing a proper signature could be disabled. In technical terms, the scheme prevents a computer’s owner from obtaining root access to the machine.

Freedom fighters
Critics, such as the Free Software Foundation and the self-styled Cypherpunks, an activist group, view this scheme as infringing on consumers’ rights, calling it “treacherous computing” and the “Mother(board) of all Big Brothers”. If one owns a computer, one ought to be able to run any software or content one likes, they argue—especially open-source programs like Linux. But some 170 companies, including Intel, Microsoft, and Seagate Technology, are backing it as a way to prevent pirating and to keep malicious and offensive programs from disrupting the computing environments for which they provide relatively costly support. For now, the idea’s getting used only sporadically: Certain Intel microprocessors have unique ID numbers burned into their silicon—a necessary first step in making trusted computing work—and Apple relies on trusted computing techniques to control apps for its popular iPhone.

Better living through better secret codes? There’s no question that cryptography’s role in everyday life has been widening over the past couple of decades and that it will continue to pervade more and more of daily life—even if it’s only humming away quietly in the background. And chances are, experts say, that from now on, its advances will be driven as much, if not more, by industry as by the NSA and other government agencies. Zfone’s Zimmermann likens the technology to microelectronics, where the Pentagon surely funded early progress but which soon was being driven by the private sector. “At some point in the 1990s, things crossed over,” he says. “Today, there are way more technical people working on cryptography outside the NSA than there are inside. The U.S. government even purchases crypto gear that they didn’t design. We’ve all gotten better at it.”

