Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (10 page)

Radio's ability to essentially instantaneously traverse great distances
gave military commanders tremendous flexibility. Generals and admirals
no longer had to be in the thick of battle to learn what was occurring; they
could be updated almost instantly from anywhere reachable by radio from
the field. The advantage of radio communications was that one could
transmit anywhere, but the disadvantage was large: anyone could listen
in." For radio to be beneficial to the military, all field communications
had to be encrypted.

Ciphering was slow and backlogs of material were common;" the
solution was mechanization. In the period after World War I, there were a number of inventions related to cryptographic encipherment. Gilbert
Vernam, an AT&T engineer, designed a system in which the key was
marked on a tape and fed into an enciphering mechanism, which automatically combined the key with the message.19 The original system developed by Vernam had one flaw: too short a key. The system was vulnerable
to frequency analysis, which relies on the fact that within each language
there is a well-known distribution of letters.20

An Army major, Signals Corps member Joseph Mauborgne, modified
Vernam's system to produce a very long key. Encrypting with this key,
once and only once-it is known as a one-time pad-is a secure method of
encryption;21 it is truly unbreakable. This is because any message can be
decrypted into any other of the same length. The reason one-time pads
are not widely used is the problem of key distribution. The amount of key
used in encoding a message is exactly the length of the message. If participants can securely share the key ahead of time and only a few, short messages need to be transmitted, one-time pads work exceedingly well.
Otherwise they fail to solve the problem of secure communications.

German engineer Arthur Scherbius designed a rotor machine, an electromechanical device consisting of a set of rotors" or wheels with electrical
contacts on each side of the rotor producing a complex substitution cipher.
This was the famed Enigma. Multiple wheels gave polyalphabetic substitution
ciphers, in which multiple substitution alphabets are used for encryption:
the first alphabet is used to encode the first letter of the unencrypted
message, the second for the second letter, and so on.23 The complexity of
the Enigma's encryption scheme seemed to make decryption impossible
without the key.

Enigmas came into commercial use during the 1920s, but their important deployment occurred during World War II. Initially the German military used three-rotor Enigmas, later replacing them with four-rotor versions.
The encryption provided by these devices was daunting for the Allies to
break, but an impressive combination of mathematical skill, computational power, periodic German misuse of the machines, and some determined efforts to obtain encryption keys24 meant that the British were able
to decrypt a high percentage of Enigma-coded messages.

If radio was the driver for cryptography's use by the military, collection
and distribution of sensitive, unclassified information by the U.S. government drove cryptography's adoption in the public sector. By the early
1970s, the U.S. government realized it needed to protect the sensitive civilian data that it was electronically transmitting and storing.25 In the mid1970s the Data Encryption Standard (DES) became a federal information processing standard. U.S. civilian agencies were to use the algorithm for
secure transmission and storage of unclassified but sensitive data.

DES was an algorithm with a 56-bit key, a controversial choice at the
time. A number of cryptographers argued that DES's 56-bit key size was
too small.26 If DES was, in fact, secure, then the time to break a DESencrypted algorithm should have been about 255 steps.27 That was far too
large a problem to be solved quickly in 1975, but Moore's law, which
roughly says that computing power doubles every two years, spelled trouble
for DES. By 1998, the speed of computing had sufficiently increased that
the Electronic Frontier Foundation was able to build a $250,000 specialpurpose computer that decrypted a DES-encoded message in fifty-six
hours.28 By then the U.S. government was taking steps to replace DES. In
1997 the National Institute of Standards and Technology announced a
competition for a DES replacement and algorithms were submitted
from around the world. The winner was the Belgian-designed Advanced
Encryption Standard (AES), with key lengths of 128, 192, and 256 bits.
This became DES's successor and has been widely adopted throughout
the world.

DES and AES are private-key or symmetric-key cryptosystems; the same
key is used for encryption and decryption. The problem of securely transmitting the key to cryptosystem users is a problem that has bedeviled many
designers of encryption systems. It is one thing if the system is being
developed for use in a known, relatively small, community, whose members
have had some secure way of communicating prior to using the algorithm
to encrypt the message (such was the case for the Navajo code talkers in
the Pacific29 or the resistance fighters flown into occupied Europe by the
British in World War II30). It is quite another if the encryption system is
to be utilized by a large, dynamically changing set of users-for example,
people using the Internet for doing ecommerce with Amazon or eBay.
In that case, there needs to be a way to exchange an encryption key,
but how do you securely transmit a key if the network is subject to
eavesdropping?

In 1976 computer scientists Whitfield Diffie and Martin Hellman proposed a remarkable solution: public-key cryptography. The method relies on
two keys: a widely known public key issued for encryption, and a privately
held one, the private key, used for decryption. Diffie and Hellman's idea is
based on complexity: some mathematical problems are easy to compute
but their inverse appears computationally difficult.31 Integer multiplication
and the inverse problem, factoring integers into their prime factors, seem
to be one such pair. While multiplying two large prime numbers can be done quickly,32 the time apparently required" to factor an integer into its
prime factors is significantly greater.

Public-key cryptography allows two parties who have not previously
communicated to establish a secure communication link over an insecure
channel. If Alice is sending a message to Bob, she encrypts her message
using a publicly known algorithm and Bob's public key. Bob uses his private
key, known only to him, to decrypt the message. Public-key cryptography is
the enabler of many things digital. Undoubtedly the widest use is for key
exchange for secure web sessions (https). Other uses include encrypted
email and virtual private networks (VPNs), which securely connect remote
users to the inside of a protected network (they do this through creating
a private, encrypted channel to a server on the protected network). While
the Internet's dramatic expansion since the early 1990s is due to the openness of the TCP/IP architecture, the ability to secure communications,
which public-key cryptography supports on an Internet-wide scale, was
undoubtedly the network's ecommerce enabler-and thus its other driver.

Because it is easy to make a perfect copy of digital material, it is somewhat
counterintuitive that there might be a message-dependent way to sign
digital material that could not be forged. Diffie and Hellman's other
achievement was digital signatures, electronic signatures that do exactly
that.34 These use public-key cryptography to provide authentication in a
digital environment. To sign, Alice encrypts a cryptographically created
shorter version of her message with her private key and appends this signature to the communication. When Bob receives the message, he uses
Alice's public key to decrypt her message-dependent signature. Because
only Alice has the key to enable signing this cryptographically shortened
form of the message, only Alice was able to have signed the message. Thus
Alice cannot successfully later deny that the signature is hers; this is called
the property of nonrepudiation. By comparing the decrypted signature with
his own computation of the cryptographically shortened version of the
message, Bob can discover whether any alterations have been made to the
message in transit, thus ensuring the message's integrity.

Having spent the 1970s through the 1990s first opposing public research
in cryptography and later the deployment of strong cryptographic algorithms in nonclassified settings,35 in June 2003 the NSA approved the use
of AES as a "Type 1" algorithm, meaning it could be used in protecting
classified information.36 This development was quite striking. Given the
ability to use AES for the protection of classified information, this meant
security equipment manufacturers would now have two markets with
systems supporting AES: the national security one37 and the civilian one.

AES is one piece of securing a communications network, but to function
effectively, the system must also have algorithms for establishing keys for
the secure communication, for digital signatures (to ensure authenticity),
and for performing message-integrity checks. In 2005 NSA put forward
"Suite B," comprising a full set of algorithms to do exactly that. Suite B
includes AES; Elliptic-Curve Diffie-Hellman, a public-key algorithm for
securely establishing keys; Elliptic-Curve Digital Signature Algorithm, an
algorithm for signing documents in a manner that cannot be repudiated;
and the Secure Hash Algorithm, a function for converting variable-length
inputs to fixed-length outputs that enables the establishment of message
integrity.38 Without fanfare, the NSA had endorsed the idea of widespread
availability of end-to-end encryption for communications. It would take
time to get there, of course. The public, while in principle wanting private
communications, in practice appears willing to make it private only if the
system is simple to use, does not affect the communications by slowing
them down or degrading quality, and cheap (as in little or no cost to the
user). Thus, for example, when the default settings for Google's gmail were
for unsecured communications-a situation that changed in January
2010-few people bothered to turn on encryption and secure their email
even though doing so took minimal effort.

During the period when DES became a standard and public-key cryptography was developed, concerns were over communications security:
protecting the confidentiality, integrity, and authenticity of the transmission of messages. Time was to show, however, that attacks on the Internet
had a completely different-and quite unexpected-flavor. Public-key
cryptography could not solve, at least on its own, the problem of authenticity: How could you know with whom you are communicating? If you
have a way of connecting Alice with her public key, you can ask Alice to
sign her messages. What if you have never met Alice? How do you know
that it really is Alice, and not Alice (the second "Alice" actually has a "1"
instead of an "1" as the second "letter" in her name)? This issue of establishing identity, only rarely a problem for the PSTN,39 turned out to be a
more complicated problem for the Internet than any of the original DARPA
engineers might have imagined.

3.4 Attacks on the Internet

As the network moved from being a small DARPA effort to supporting a
much broader NSF constituency, the researchers were caught short by an
unexpected event: the 1988 "Morris worm."" Written by Cornell University graduate student Robert Morris Jr.,41 the worm was a self-replicating program
that spread from machine to machine. The resulting congestion brought
down about 10 percent of the network as it then existed.42

The program was designed so that as soon as the worm was on one
computer, it would attempt to open a connection to another. That it could
do so was the result of Cerf and Kahn's internetworking. Once the program
succeeded in opening a connection, it would find one of several vulnerabilities and copy itself to the new computer. Then it would repeat the
process. Unlike some worms, which corrupt and may even destroy other
files on the system, the Morris worm was relatively benign. But although
it did not attack files, its self-replication caused an exponential increase in
the number of copies, and this clogged the system.

Whether the Morris worm was an experiment gone awry or something
with more sinister intent, it nonetheless marked a "boundary between the
largely trusting Internet of the time and the heterogeneous, dangerous
worldwide Internet of today."" Morris's attack on the network thrust both
him and the Internet out of Eden.44

Since then attacks have proliferated. Solutions to prevent them are not
easy to come by. Attacks like the Morris worm rely on unpatched vulnerabilities in the network hosts (endpoint computers) and simply use the
Internet as a distribution method. Another type of attack is on the Internet
infrastructure itself. Routers are one source of such problems. Keeping
routers functioning properly is fundamental to the Internet's smooth
running.

Recall that routers continually update each other with the best routes
to distant hosts. If a routing table is deliberately misconfiguredpoisoned-this error will propagate to other routers, so packets will be
misrouted through the network. The system ends up with too many
packets on a particular link or packets going round in an infinite loop,
repeating and repeating their path. The network becomes congested and
unreliable.45

Yet another source of problems arises from the popularity of the network
and the difficulty of knowing addresses of all the sites one may have occasion to visit. IP addresses are very difficult for people to remember. Originally the mapping of names to addresses was done by having a copy of a
file on every computer on the network listing all computers and their corresponding IP addresses. This was not sustainable once the network grew.

Name lookup turns out to be a surprisingly difficult problem. It is also
an extremely important one to get right. If you enter your name and
password on a site purporting to be bankofamerica.com but actually is a criminal fake to which you have been misdirected, the result could be quite
unfortunate. Because of the importance of doing such name direction correctly, I will explain this issue in some detail.