“File:PGP message.svg” by Cqdx is licensed under CC BY-SA 3.0
You will probably want to read Part One and Part Two of this series before continuing…
We’ve talked about asymmetric and symmetric encryption keys here but without really going into them. Encryption is a way of scrambling data so that it is unreadable, unless you have the key to turn it back into the original message. If Alice has something she wants to keep secret (or Victoria, for that matter), she can get a box with a lock. She can lock the box with the key, and if she wants to let Bob into her box, she can give him a copy of the key. In a nutshell, the same (symmetric) key locks and unlocks the box, and the key can be copied and given to other people, should Alice want to let Charlie and Dave into her box, too. Filth!
Asymmetric keys are a bit special. Imagine Alice has a box with a clever lock that has 3 settings – A, B and C. In positions A and C the box is locked and no one can get into it. Only when the lock is in position B can the box be opened.
There are two keys for this clever lock: one will turn the lock from A to B to C, and the other will turn it from C to B to A. Alice picks the key that will turn the lock “forwards” (from A to B to C) and this is called the private key because only Alice has it. The second key is called the public key, and Alice can make copies for Bob, Charlie, and anyone else if she’s feeling especially accommodating. She’ll even give it out to people she’s only just met! The public key can only turn the lock “backwards” – from C to B to A.
So, when Bob wants to put something into Alice’s box, he takes the unlocked (lock set to position B) box, and uses the public key he got from Alice to turn the lock to A. The only person who can turn the lock back to position B and open the box is Alice, using her “forwards” private key to turn the lock from A to B.
Alice can do one more thing with her special box. If she uses her private key to lock the box from B to C, anyone who has her public (“backwards”) key can use this key to unlock this box. The only person who can lock the box from B to C is Alice with her private (“forwards”) key, so Bob knows that only Alice can have locked the box. This is called a digital signature – it’s a way of authenticating that the contents of the box were put there by the person you were expecting.
Encryption keys in the online world are basically very long numbers – see Old Trout’s previous articles on GP for this. The idea is that you don’t need to exchange secret, private keys that someone else could intercept and then use to peek at your conversations. Only the public key is ever shared; it is enough to lock the box. Only people with the private key (which is never shared) can unlock the box. This public / private key pairing is used to generate a short-lived encryption key for the duration of your HTTPS connection, and the entire conversation is encrypted with it. When your conversation is over, the key should be thrown away.
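The two uses of Alice’s key pair and the short-lived session key, as an added Python example that is not part of the original article: textbook RSA on two small Mersenne primes, with a toy SHA-256 keystream standing in for the symmetric cipher. It assumes the simplest arrangement, where Bob picks the session key and wraps it with Alice’s public key; every function name is made up here, and the key size and lack of padding make it a teaching model only.

```python
# Added illustration: textbook RSA, no padding, toy key size. Mechanics only.
import hashlib
import secrets

P, Q, E = 2**31 - 1, 2**61 - 1, 65537   # two Mersenne primes, chosen for the demo
N = P * Q                               # modulus: part of the public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent: only Alice holds this

def encrypt_for_alice(m: int) -> int:
    """Bob turns the lock with the public key; m must be below N."""
    return pow(m, E, N)

def alice_decrypt(c: int) -> int:
    """Only the private exponent turns it back."""
    return pow(c, D, N)

def digest(msg: bytes) -> int:
    """Hash the message down to a number below N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def alice_sign(msg: bytes) -> int:
    """Signing: the private key is applied to the message digest."""
    return pow(digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Anyone with the public key can check who locked the box."""
    return pow(sig, E, N) == digest(msg)

def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def demo():
    session_key = secrets.randbits(64)         # short-lived, chosen by Bob
    wrapped = encrypt_for_alice(session_key)   # safe to send in the open
    ciphertext = keystream_xor(session_key, b"meet at noon")
    plaintext = keystream_xor(alice_decrypt(wrapped), ciphertext)
    sig = alice_sign(b"from Alice")            # constructed sample message
    return plaintext, verify(b"from Alice", sig), verify(b"from Mallory", sig)

if __name__ == "__main__":
    print(demo())
```

Only `wrapped` and `ciphertext` would cross the network; the session key itself never does, and it is discarded when `demo()` returns.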
Whilst the encryption itself is pretty hard to crack, it is not mathematically impossible. Sufficiently motivated people with enough time can run enough iterations of the numbers in your keys to stumble upon the key. This is known as brute forcing the key. For a single key, it would take the most powerful computer several years to chew through the numbers and find your key. This of course is if those that created the encryption mechanism themselves did not make a mistake, or worse, were forced to leave a back door in to circumvent the key. The problem here is that if there is a back door to break the cypher, anyone could potentially find it.
There is also the possibility that the owner of the secret key may be compelled to give it up to a third party. This is what happened to Lavabit. It is also what the government is targeting when they talk of WhatsApp and other encrypted messaging systems – they want to be able to use the secret key to read your messages, or for the messaging provider to log the message content for them to peruse. The minute that secret keys are disclosed on a regular basis, the platform is no longer viable – who would trust a banking application if the council could, on a whim, start looking through transactions?
The first real protection offered by public / private key pairings was PGP – Pretty Good Privacy. The guy that wrote it was subjected to a number of travails for his pains.
Unfortunately various parties want to have a look at our conversations, for reasons of crime, intellectual property protection or “security”. There are a number of things about your conversations on the internet that these people are interested in.
Before encryption became mainstream, people used to file share music mp3 files on a service called Napster. Napster would allow you to share some of your mp3 files, and get access to other people’s too. And thus, internet piracy was born, ahaaar. Instead of just making a mix tape of your kewl choonz for your girlie, all of a sudden the mass theft of record companies’ intellectual property was enabled. Napster was so popular it could swamp networks with file sharing traffic, until it was shut down. Napster ushered in the age of peer to peer (P2P) networking, where files would be chunked up for upload and download, effectively distributing the file across the internet. You could be downloading the first chunk from Alice, and the last chunk of your file from Zachary – at the same time. Your P2P software would stitch the files back together again, even if it received the chunks out of sequence. Napster had a fatal flaw initially – it used only one socket to communicate. A socket is referred to simply by an unsigned 32-bit integer, 0-65535, and belongs to a specific machine.
A network socket is essentially a two way pipe that data can be exchanged through. Obviously a single socket is only going to be able to talk to one IP address at a time, so a variant called a server listen socket can be used. You can consider it a bit like the main phone line for a large company – you call the main switchboard on a single number and get routed through to the extension you want, leaving the main reception desk’s number free again. University campuses and ISPs began limiting traffic on this port, and the RIAA (legal arm of the record industry in the USA) used port number based captures to prosecute file sharers. This was bad enough, but then people realised they could start sharing videos too, once DVD encryption had been broken and the break published by a teenager, DVD John. This meant DVDs could be ripped from disc to file, and then shared. Poor handling of the decryption key was the root of the cracking. The MPAA (legal arm of the US film industry) then began hammering file sharers too, successfully taking many to court. P2P changed and evolved due to this, and began dynamically changing port numbers to avoid either detection or bandwidth throttling. The propagation of Napster type services was pretty dire too; great for local coverage but petering out with distance. New protocols were designed to facilitate better spread of files, and BitTorrent emerged as the best. This saw the birth of P2P tracker websites where the files shared could be indexed and then found. The Pirate Bay was one of the first P2P trackers to allow users to search and download almost unlimited, unpaid for content.
The filesharing aspect was not limited only to breaking the law by stealing copyrighted works; new bands would happily offer up their tracks for free downloads to get publicity, and big open source software installations would also be distributed by BitTorrent – a much cheaper way than hosting the huge files on a server and paying for the bandwidth for people to download the files. The point is – P2P has legitimate uses.
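The “stitch the chunks back together, in whatever order they arrive” step, as an added Python example that is not Napster or BitTorrent code. It goes one step beyond the text by checking each chunk against a list of hashes published with the file, which is modelled on BitTorrent’s per-piece hashes; the chunk size, function names and sample data are made up for the demonstration.

```python
# Added illustration: rebuild a file from chunks delivered out of order by
# untrusted peers, keeping only chunks whose hash matches the published list.
import hashlib
import random

CHUNK = 16  # constructed, tiny chunk size so the demo stays readable

def make_manifest(data: bytes) -> list:
    """Publisher side: one SHA-256 digest per chunk, in file order."""
    return [hashlib.sha256(data[i:i + CHUNK]).hexdigest()
            for i in range(0, len(data), CHUNK)]

def reassemble(manifest, received):
    """Downloader side: accept (index, bytes) pairs in any order.

    Returns (file_bytes or None, rejected_indexes). A chunk is kept only if
    its index is in range and its digest matches the manifest entry.
    """
    slots = [None] * len(manifest)
    rejected = []
    for index, blob in received:
        if not 0 <= index < len(manifest):
            rejected.append(index)             # index outside the file
        elif hashlib.sha256(blob).hexdigest() != manifest[index]:
            rejected.append(index)             # corrupted or substituted chunk
        elif slots[index] is None:
            slots[index] = blob                # first good copy wins
    if any(slot is None for slot in slots):
        return None, rejected                  # still waiting for chunks
    return b"".join(slots), rejected

def demo():
    original = b"Constructed sample: an open source ISO shared over P2P."
    manifest = make_manifest(original)
    chunks = [(i // CHUNK, original[i:i + CHUNK])
              for i in range(0, len(original), CHUNK)]
    random.shuffle(chunks)                      # peers deliver in any order
    chunks.insert(0, (1, b"tampered chunk!!"))  # a bad peer answers first
    return reassemble(manifest, chunks), original

if __name__ == "__main__":
    print(demo())
```

The tampered copy of chunk 1 is rejected and the good copy from another peer fills the slot, so the rebuilt file matches the original byte for byte.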
This decentralisation displeased the international media giants, and they began lobbying to be allowed to perform what is called Deep Packet Inspection (DPI). It was no longer enough to see traffic on a “dodgy” port to prove that their copyright was being ripped off; they needed to be able to look at the packets of data to identify what exactly was being transmitted in order to prove that theft had taken place. The “deep” part comes from the fact that the outer part of the packet can be seen in cleartext but the “core” of the packet is deemed private, even if not encrypted. There was a varying degree of success, and a lot of court cases. Pressure to police this was brought to bear on ISPs, who were able to claim common carrier status, similar to the way that the Post Office is not liable if someone sends something illegal; that liability rests with the sender. DPI in any case is expensive and time consuming.
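The difference between judging traffic by its port and looking into the packet, as an added Python example that is not from the original article. The packets are constructed in the code, the watch list holding port 6881 is an assumption, and the payload check looks only for the fixed opening bytes of a BitTorrent handshake.

```python
# Added illustration: port-based versus payload-based traffic classification.
import struct

WATCHED_PORTS = {6881}                      # assumption: the operator's watch list
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # opening bytes of a BitTorrent handshake

def build_packet(dst_port: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP packet (checksums left at zero) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", 50000, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp + payload

def parse(packet: bytes):
    """Return (destination port, TCP payload), honouring both header lengths."""
    ip_len = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 6 or len(packet) < ip_len + 20:
        raise ValueError("not a complete IPv4/TCP packet")
    dst_port = struct.unpack("!H", packet[ip_len + 2:ip_len + 4])[0]
    tcp_len = (packet[ip_len + 12] >> 4) * 4
    return dst_port, packet[ip_len + tcp_len:]

def classify_by_port(packet: bytes) -> str:
    """The outer part of the packet only: cheap, but easy to get wrong."""
    port, _ = parse(packet)
    return "p2p" if port in WATCHED_PORTS else "unknown"

def classify_by_payload(packet: bytes) -> str:
    """The 'deep' part: inspect what is actually being carried."""
    _, payload = parse(packet)
    return "p2p" if payload.startswith(BT_HANDSHAKE) else "unknown"

def demo():
    samples = {
        "default port": build_packet(6881, BT_HANDSHAKE + bytes(48)),
        "moved port": build_packet(51413, BT_HANDSHAKE + bytes(48)),
        "other app on watched port": build_packet(6881, b"GET / HTTP/1.1\r\n\r\n"),
    }
    return {name: (classify_by_port(p), classify_by_payload(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The port check misses the transfer on the moved port and wrongly flags the unrelated traffic on the watched one, which is why a port number alone proved nothing about what was being sent.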