We interrupt this broadcast to bring you something that might distract you from the ongoing developments of the coronavirus crisis. At least for a minute. While COVID-19 threatens to break down respiratory health at a cellular level, it is almost the biological play-out of what happens when code (be it cryptographic, DNA or otherwise) gets hacked, manipulated, breached. Fundamentally, a virus works the same way across “platforms” and attacks good health, or strong code. In our case, cryptographic code. Try not to draw any parallels as we explore what’s good, bad and tricky about keeping our encrypted assets secure. And how, exactly, we do it. Whether it’s crypto or corona, please take care of yourselves and stay safe.
Whit Diffie, co-inventor of the Diffie-Hellman Key Exchange
Meet Whit Diffie, the bookish, brainy "average-achiever" who landed a spot at MIT and solved the encryption enigma.
“Shouldn’t we be encrypting this stuff?”
This was essentially the question Bailey Whitfield Diffie asked mentor Marvin Minsky at MIT’s Artificial Intelligence lab in 1966. He was there for work with the Mitre Corporation after attending MIT as an undergrad. Prior to MIT, his performance in school had been lackluster, only obtaining admission by some astronomical test scores.
Not receiving the answer he wanted (“the NSA is working on that, but it’s for government only”) he eventually moved west and landed at John McCarthy’s Stanford AI School, where he met Martin Hellman, an assistant professor of electrical engineering, former MIT associate, and fellow crypto-head. “It was a meeting of the minds,” Hellman later said.
Together, the two puzzled over the practical workings of a commoditized encryption reality, until they got a lead from IBM. A posting from the National Bureau of Standards (NBS) highlighted work between the tech company and the US government which proposed a new encryption algorithm (previously the main purview of government agencies). It was the Data Encryption Standard, or DES. While feeling there was something “left out” of the document, the two researchers nevertheless pored over its contents and used it as a litmus test against their own evolving theories.
Then, at an informal crypto seminar hosted by Hellman and Diffie, Berkley computer scientist Peter Blatman mentioned a problem being worked on by a colleague; the issue of two strangers—who could not have exchanged secret keys prior—communicating securely on an encrypted network. This got to the heart of the unsolvable question Diffie had been trying to answer.
Until then, all Diffie had found were one-way solutions, passwords or trapdoors with no way of authenticating the return. At best, there were symmetric key pairs, in which the same key that encrypted also decrypted the message, making distribution a shaky business as it exponentiated the risk of discovery.
What if, Diffie thought, we did the unthinkable and made one of the keys public (unheard of) and then made the other key different. Asymmetrical. One could provide the lock, the message would contain a trap door, and only the person holding the other non-matching mate could unlock it.
With that, cryptography as we know it was born and Alice and Bob explain the rest. We’ll do a little demo rehashing here just for nostalgia:
Alice wants to talk to Bob. She finds his public key—could be in an address book for all we care, it’s public—and scrambles the message. It’s a one-way mathematic formula. You can’t unscramble it unless you have several lifetimes to compute, or Bob’s private key. Which you don’t. Bob is the sole possessor of his private key, which allows him to read his mail, and open (unscramble) the encrypted message from Alice. If anyone intercepts the message in transit, tough luck. This isn’t symmetric encryption where the initial key is all you need to encrypt or decrypt. Alice’s public key is no use. Alice encrypts the message with a public key, Bob checks his mail with the private key, and Walt Diffie and Martin Hellman namesake perhaps the most widely used encryption protocol of the 20th century.
Now you know.
Ajit Pai, Chairman of the Federal Communications Commission
It's guaranteed that when Whit Diffie and Martin Hellman came up with public key cryptography they had loftier goals than this, but we have to thank them for getting this nuisance off our backs.
On March 31, the FCC will vote on a measure that will require all phone carriers to implement the SHAKEN/STIR protocols to ferret out robocallers operating under false pretenses. The FCC presented this as a voluntary measure a year ago, with predictably limited buy in (kudos to Spring and TDS for leading the charge).
Now, nobody's asking.
Drummed up last year, the SHAKEN/STIR protocols would prevent robocallers from hiding their identity in a swiped real number. Flagged callers could get outed with a warning or blocked, depending on the carrier.
Thanks to Diffie and Hellman (see above), digital certificates and public-key exchange will be used to authenticate caller and number. Once verified, receivers (us, with the caller ID) will receive a notification if the number is suspect.
We All Have to Play
For this to work, all carriers have to participate. Since public-key cryptography requires sender and receiver to authenticate, both the network receiving and the one sending the call must have the protocols implemented. The patchwork adoption seen over the course of 2019 wasn’t cutting it, and now, Congress is stepping in.
The TRACED Act, inked in December of last year, outlines the government’s requirement on the FCC for ensuring this transparency.
Soon, we’ll have the gratification of knowing just whose number we are blocking, and better yet—of not getting a host of solicitous calls to begin with.
The solution doesn’t translate well to overseas callers (prime offenders?) but with the mandate up for a vote, we can at least hope to cancel out some domestic noise for now.
Unless you want to enter your survey responses for a chance to win a timeshare.
It looks like some prime deets for the upcoming iOS 14 June release were somehow leaked and can now be found for consumer perusal on fan-based Apple advisory boards. How nice.
However, this shows more than a demand from overnight Apple Store campers (all Apple stores are currently closed for COVID-19).
The perspicuity with which the inner workings of the OS are scrutinized only gives us a glimpse into what information would be more readily accessible to bad actors should lawful-access backdoors be implemented.
“Embedded in this is the unspoken idea that the world is divided neatly into goodies and baddies, that only people wearing white hats will use this backdoor,” reads an article from Apple Insider.
The Impossible Dream
At this point, either there is fundamental misunderstanding or avarice at play, but the issue has been rehearsed by cryptographers (and plenty of thoughtful cybersecurity experts) that a selective backdoor just isn’t possible. If Bob’s key is weak, it’ll be weak for the criminal who steals it, too. It doesn’t magically transform (and change math) on transfer. They're mathematicians, not magicians.
So, rather than letting the landscape be equally porous for everyone, a lot of experts, like the DoD, advise that it be equally safe.
Special departments of the US government already have allocated forces for cracking the cryptography of iPhones, Androids and encrypted apps, like those that came out in the autopsy of the FBI handling of Apple in the 2015 San Bernardino shooting case. Making a doable job even easier would now make an impossible one doable for the bad guys.
If fans’ rabid enthusiasm is any indication, the secrets of iOS 14 (or any OS) are a payload valued for all the right (and wrong) reasons.
Let’s not make it any easier.