Sunday, 8 September 2013

Public Key Encryption

Ask somebody if they've ever heard of, or used Public Key Encryption and I pretty much know what the answer will be. If they're being nice, it'll be "No". If not, they'll look at you and say "Go away geek!".

Those that say they've never used it or never heard of it would be shocked to hear just how much Public Key Encryption is used today and how much we rely on - what is essentially - a set of very large, special numbers. Prime Numbers - divisible only by themselves, and 1.

Public Key Encryption is used all over the Internet and in everyday life, from visiting websites sporting that little padlock to joining WiFi networks!

It's all in the numbers

Public Key Encryption uses some very clever (but basic) mathematics. In basic terms, this technology is based on the multiplication of two large prime numbers to create a new, even larger number called a semi-prime. In doing this, we are able to generate cryptographic 'keys' that are used (in their basic use) to encrypt and decrypt data.

As an example, take two small prime numbers (my maths is not that good), 3 and 5. We multiply these together to create a semi-prime of 15. Easy. The larger the starting prime numbers, the larger the resulting semi-prime.

So what's this got to do with Public Key Encryption? Well, data is secured using cryptographic keys generated from massive prime numbers. The keys consist of a public and a private key pair. The public key is used to encrypt the data, and the private key is used to decrypt it.

It works like this

We take two prime numbers, P1 and P2, and multiply them together to create a composite number, C. Computers are amazing at multiplying two numbers together but not so good at doing the reverse: taking composite C and trying to find the two original prime numbers, P1 and P2.

NB: It's worth noting that these numbers are not as small as in the above example, they are often of the magnitude of 617+ digits long, creating a 2048-bit public key.

We now take C and generate a public key from it. This is used to encrypt the information and keep it secure while being sent over an insecure channel, such as the Internet.

P1 and P2 (which make up the private key) are then used to decrypt the data by the recipient. Should the encrypted data be intercepted en route to the recipient, the interceptor will need to reverse engineer C to discover the two original primes used to create C. This is known as factorisation, and computers are not so hot at doing this - but if you have P1 and P2, it's possible to decrypt the message (encrypted with C) in seconds!
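The steps above, carried through in code as an added example (not from the original post). It assumes textbook RSA, which the post does not name; the exponent e = 17, the function names and the toy primes are assumptions. It also goes one step further than the text by showing the interceptor's side: once C is factored, the private key follows directly.

```python
# Added example: textbook RSA on toy primes (no padding, NOT for real use).
from math import gcd

def make_keypair(p1, p2, e=17):
    """Build (public, private) keys from two primes, as the post describes."""
    c = p1 * p2                      # the composite (semi-prime) C
    phi = (p1 - 1) * (p2 - 1)        # only computable if you know P1 and P2
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (P1-1)(P2-1)")
    d = pow(e, -1, phi)              # private exponent: inverse of e mod phi
    return (c, e), (c, d)

def encrypt(m, public):
    c, e = public
    if not 0 <= m < c:
        raise ValueError("message must be smaller than C")
    return pow(m, e, c)

def decrypt(ct, private):
    c, d = private
    return pow(ct, d, c)

def factor(c):
    """Trial division: the interceptor's job. Returns (P1, P2, divisions tried)."""
    if c % 2 == 0:
        return 2, c // 2, 1
    tries, f = 1, 3
    while f * f <= c:
        tries += 1
        if c % f == 0:
            return f, c // f, tries
        f += 2
    raise ValueError("no factors found: C is prime")

def recover_private(public):
    """Rebuild the private key from the public key alone by factoring C."""
    c, e = public
    p1, p2, tries = factor(c)
    _, private = make_keypair(p1, p2, e)
    return private, tries

if __name__ == "__main__":
    # Constructed sample primes; each pair is larger than the last.
    for p1, p2 in [(61, 53), (10007, 10009), (1000003, 1000033)]:
        public, private = make_keypair(p1, p2)
        ct = encrypt(42, public)
        cracked, tries = recover_private(public)
        print(f"C={public[0]}: ciphertext={ct}, decrypted={decrypt(ct, private)}, "
              f"factored after {tries} divisions, key match={cracked == private}")
```

The division count grows with the size of the smaller prime, so every extra digit in P1 and P2 multiplies the interceptor's work roughly tenfold while key generation and decryption stay near-instant.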

As I mentioned earlier, my maths is not that strong so let me drop in a video here from NumberPhile:



NSA 'Cracks' Web Encryption

Well, what an announcement! But, really?

I don't believe for a moment that either the NSA (National Security Agency) or GCHQ (Government Communications Headquarters) have actually broken or successfully hacked AES or public key encryption that - I hasten to add - underpins the trust and security of the Internet; securing every online transaction, secure email, secure VPN (Virtual Private Network) tunnels, WiFi, stock trading, 3G and 4G mobile phones, online banking... I could go on and on!

Where would this leave eCommerce and international trading? How could - for example - China trade securely online with a competitor market of the US, when all the time the US NSA are intercepting these highly secure and encrypted communications, decrypting them and figuring out a way to undermine this and all future deals?

International markets would suffer beyond belief, sending stocks tumbling and all markets into turmoil. They haven't... but why?

School yard Bully

What these reports should explain is that the NSA haven't broken the mathematics behind the original encryption algorithms but in fact circumvented it by deliberately introducing weaknesses into the encryption, using secret court orders, coercion and bullying the IT companies and providers into handing over encryption keys, installing escrow keys or replacing secure random number generators with less random generators. These are not direct breaks of the encryption algorithms but 'back-doors' (or zero-day exploits) deliberately introduced to reduce the effectiveness and strength of the encryption or bypass it altogether.

Hiding under their 'national security' umbrella and playing the 'terrorism' card allows the NSA to easily obtain secret court orders and force companies into complying with their demands or make their CEOs face potential prison time and/or fines.

The problem here is not so much that giants like Facebook, Google, Microsoft etc. are complying (whether under duress or not) but that CAs (Certificate Authorities) may also have been forced to comply.

Bent CAs are a serious concern. CAs are responsible for issuing TLS/SSL certificates for HTTPS secured websites and web services. You will recognise these sites from the padlock icon in your web browser.

If these organisations have been nobbled by the NSA then every website secured with a TLS/SSL certificate will have a back-door or some other way for the NSA to monitor the site's traffic or otherwise get around the encryption. Why spend millions (or billions) of dollars and computing time trying to break complex mathematical algorithms - that as yet, to the best of my knowledge, are unbreakable - when a bent CA can give direct access to unencrypted data? It's a no-brainer! Is this why Google and other companies have tripped over themselves to offer TLS/SSL protected searches? Are they trying to look like they're protecting their users' privacy when in fact all your search terms are accessible to the NSA anyway? The NSA and GCHQ weren't that concerned that these companies decided to move the HTTPS route, in fact they recommended they did... why? Because they knew the encryption would provide a sense of security for people (especially criminals) and they could bypass the security anyway to retrieve any data passed over the 'secure' protocol?

TLS/SSL is a hybrid encryption solution - the primary encryption employed by TLS/SSL is public key encryption (it also employs AES symmetric encryption, but this is discussed in another post). This relies on the fact that current computer systems cannot factor large semi-prime numbers easily.

A semi-prime is a number resulting from the multiplication of two prime numbers. So, if I gave you a semi-prime number of 15 and asked you to find the two primes making up this number, it's not that hard. This is called factoring. The larger the primes used to create the semi-prime, the harder it is to factorize. The largest prime number known today is 2^43,112,609 - 1 and when printed, it eats up 4,376 pages!

Simon Pampena - the mathematical genius explains more.


Computers are amazing at maths, they can take mere seconds to multiply two large prime numbers together to create an even bigger number (semi-prime) but reversing this process, that is to take a very large number (semi-prime) and find the two primes that made this can take a time greater than the age of the Universe to complete. The larger the key size, the greater the attack time. The sort of processing power required to factor these immense semi-primes just doesn't exist today.

Take a look at this short video. It will demonstrate what I'm saying.



Quantum Computing

It's worth mentioning at this point Quantum Computing.

Quantum Computing (QC) is the next generation of computing. It's the future! Current computing technology uses binary, a one or a zero. These bits are used to process instructions sequentially, and can only process them sequentially. QC operates on Qubits. A Qubit can be both a one or a zero at the same time. This gives Quantum Computers immense processing power and when these become more advanced and mainstream, they will blow public key encryption apart. They'll do this because they will factor massive numbers far quicker than current systems. Remember, public key cryptography relies on the fact we cannot quickly factor large semi-primes; quantum computing will fix this problem, meaning we either find even larger prime numbers to create these public/private key pairs or we look to another encryption solution for this security problem.

What about AES?

Quantum computers pose no real threat to symmetric encryption. Unlike public key cryptography (relying on the discrete logarithm problem and complex prime factorisation to secure data), symmetric encryption requires a key to encrypt and decrypt data. This key (assuming brute force attacks) can only be broken by trying every possible combination. This will take many try/fail attempts to find the correct key to decrypt the ciphertext. However, although this encryption won't be broken as easily as asymmetric (public key) encryption, it will be possible to try more combinations of a key in a shorter time period than current systems are able to.

From my understanding, AES-128 can be broken with 2^64 steps, meaning AES-256 in a quantum world will only actually provide the equivalent of AES-128. We'll need bigger keys!

So I'm confident the NSA (and GCHQ) have not actually broken the encryption algorithms used to secure data transfer over the Internet but introduced dangerous zero-day exploits into the current systems. Some may say 'so what?' Well, from a developer's point of view, deliberately introducing zero-day exploits into software is definitely not the brightest thing to do... for anybody! Why would anyone deliberately introduce a security hole into any software, never mind software designed explicitly to protect data? I think it smacks of desperation! Plain and simple... desperation! The US and UK security services are so obsessed with data mining and harvesting internet communications they are doing whatever they can to achieve this. Even if it means introducing security flaws into otherwise secure software.

What does it matter?

Zero-day exploits are dangerous. They are often exploited by hackers to gain unauthorised access to computers, networks and applications and such breaches often go undetected for a long time. Deliberately introducing such exploits into trusted commercial applications not only undermines the trust put into those companies by their customers, but is an open invite to hackers to find the 'back-door' and exploit it for their own gains.

In my opinion, the NSA are playing a very dangerous game. They are dismantling all freedom and privacy on the Internet and putting honest people's confidentiality and privacy at great risk. So what's the solution?

Open Source

With talk of large corporations bowing down and being raped of all honesty and integrity by the NSA, can you trust the software produced by these companies? Can you be sure your private, encrypted data is confidential? If you're a government, can you be sure the US and its allies aren't eavesdropping on your conversations?

Don't get me wrong. I completely understand the need for national security - and I agree with it - but what pisses me off is how this card is played every time the governments are caught out doing something illegal. Collating emails, images, videos, phone meta data, instant messages etc. for analysis (storing it for years), keeping it quiet - but when busted, some high ranking official as if having Tourette's yells 'terrorism!', 'national security!'  There, that'll do it. That should cover our illegal activity and scare the public into accepting what we're doing is right!

Well, it's not right. Far from it! In the 90's the NSA tried to introduce the Clipper Chip, which was essentially a back-door into all encryption services/devices which, whilst allowing the data to be encrypted, would always allow the NSA a way into documents, files or devices. This was given the boot by the US government at the time but the NSA didn't roll over and take this. This was the start of a multi-billion dollar hacking and bullying program whereby the NSA effectively introduced flaws into encryption algorithms and used their power to threaten companies into handing over passwords, encryption keys and give them access to their networks and data upon demand. As this progressed and their thirst for more and more data took over them like a vampire craving fresh blood, other programs came online such as Prism. These programs are funded by the US black budget and are classified.

So if all the 'reputable' companies are nobbled and the NSA have keys in all the mainstream commercial software, allowing them to hack into any system they see fit - what do you do?

Open Source is where many people will begin a fight back against this abuse. Open Source software is available to anybody to view and scrutinise and is so much harder for the NSA to implement back-doors in the code base as it will be spotted by developers and questions will be asked.

Much of the commercial software available out there today (I'm thinking mainly of PGP) is also available as Open Source. The Open Source version of PGP is called OpenPGP. Software such as Privacy Guard is built on the OpenPGP standard and provides a vast array of encryption and security tools.

Personally, I would always recommend, where possible, the use of Open Source (or open source based) software when it comes to security, especially in light of the recent revelations from Edward Snowden.

It's not all doom and gloom!

So right now, I would say the NSA and GCHQ have a long way to go to break the encryption in use today. Breaking is not the same as cracking. Cracking a cryptographic algorithm (DES for example) means the cryptanalyst has found a way to speed up any potential key retrieval. It does not mean they have broken the algorithm itself. Modern algorithms are very secure and standards like AES (the Advanced Encryption Standard) are in use today for a reason - it's yet to be broken!



Monday, 17 June 2013

iOS7 Review

On Monday June 10th Apple released their new look iOS.

iOS7 was reported to be an all new, all singing, all dancing OS; a complete new look by overhauling the current iOS look and feel. Apple certainly made a change - a change to their usual coolness, reliability and trustworthiness by releasing iOS7 'beta' for developers on this first day of their WWDC 2013.

In the past, Apple always exceeded all expectations and rolled out an amazing piece of software - even in beta.

I've used iOS7 for 6 days and I've found the following 'issues':
  • Tweets randomly fail from iOS.
  • Doesn't always show as a connected device in My Computer.
  • Camera doesn't work (intermittently) from lock screen - won't take picture.
  • Asking to choose a WiFi connection when there are none available.
  • Calendar crashes when adding appointments.
  • Safari crashes randomly.
  • iMessage broken - cannot receive any messages via iMessage.
  • FaceTime broken.
  • Can't access LAST called in ALL CALLS - the list rolls up and stops at second from last but chops this in half - preventing you seeing this record also.
  • No push notifications.
  • iOS Facebook app crashes regularly.
  • Reminder app is now too complex to use easily. Total overkill!
  • Siri still as bad as in iOS6.
  • Too much time spent on appearance, i.e. floating icons and motion responsive Home Screen.
  • Camera app faded out and stopped recording video after 30 seconds.
  • Camera stays black or blurry at times when attempting to shoot photos.
  • Deleting images from CAMERA ROLL also deletes them from your PHOTO STREAM - WTF?!
  • Task switching slow to respond - on a 4s anyway.
  • Forgets passwords - for Twitter for example.
  • Time adding pointless stuff like flash light when more important stuff needed doing.
  • New UI doesn't look right - it lies over the apps etc. Kind of bodged together.
  • After an initial Google search, you cannot modify the search string in Google - Safari moves this up and forces you into using its omni-box.
  • Battery life is hammered 6% in 7 mins.
  • No car/position icon in maps.
  • Phone flashes Apple logo when using apps - as it regularly reboots.
  • Randomly throws a load of blank lines at the end of a note in notepad.
  • YouTube app randomly crashes on video playback.
  • Security screen can be bypassed.
  • Doesn't appear to conform to Apple's own HIGs.
  • Phone slower to charge and drains faster.
  • Cannot use select/highlight (double click text and adjust highlight) when hovering. It flashes and jumps all over!
  • On HTTPS sites you cannot use drop down menus for selecting security parameters like letters from passwords etc.


Overall, for me, iOS7 (beta 1) is a huge disappointment - in my opinion it's the most unstable beta ever released and I feel it should have been released as an ALPHA. My previous reviews - of iOS6 for example - show how Jobs and Forstall got it right; Cook and Ive, well, they have got it just plain wrong!

It comes to something when you have to leave your unwell partner and child at home and travel an hour to an Apple store to have iOS7 removed and reverted back to iOS6 simply because you cannot trust it with important stuff you need such as receiving a call, SMS or iMessages - without even mentioning shit like reminders, appointments, notes etc.

People arguing "it's a beta dude!" doesn't cut it with me - Google's Gmail was in beta for many, many years and since 2005 I can honestly say, I have never had any problems with their 'beta' versions of Gmail.

Come on Apple - this is simply NOT good enough; it says a lot when an avid Apple fan like myself has to come to a Google platform to slate an Apple product that in the Jobs' days, would have been simply... amazing!!