Encryption has been a hot topic for some time now. High profiles leaks of classified information have revealed large scale surveillance programs such as Prism that appear to have skirted around laws of privacy and human rights. Some claim the US National Security Agency gained direct access to the servers of internet giants such as Google and Facebook – something the companies have denied any involvement with – and shared the data with UK intelligence agencies
Newspapers reported internal documents, boasting of intelligence service access to “email, video and voice chat, videos, photos, voice-over-IP (Skype, for example) chats, file transfers, social networking details, and more”. But how? Surely these communications are encrypted?
Some internet services encrypt transmitted data, some don’t. Let’s look at one example:
HTTPS is used by Facebook, for example. ‘HTTP Secure’ isn’t a protocol in itself, but sends normal web HTTP data (such as webpages) using SSL (Secure Socket Layer) protocols.
It is easy (in computational terms) to generate two numbers connected by a mathematical relationship - several mathematical algorithms can be used, and prime numbers often feature. One of the numbers – the public key – can be distributed freely, while the private key is kept… well, private (on Facebook’s servers, in this example). The maths chosen to generate the key makes it currently impossible to deduce the private key using just the public key, so the data stays secure.
So what is SSL? It involves the use of trusted digital certificates to prove ownership of public keys. A public-private key combination can allow two computers to authenticate the identity of each other, and then to exchange a different private key. This ‘shared secret’ allows the maintenance of a private link. It works at the ‘transport layer’ in the OSI model (which is, by the way, an excellent example of abstraction in computing).
Given enough time and computing power, however, a brute-force attack can defeat private keys – at least in theory. By checking all possible keys, the combination will at last be found and the data decrypted. GPUs (Graphics Processing Units) found in high-end PCI graphics cards are better at these repetitive tasks than GPU’s, and are sometimes clustered to provide sufficient power. The computing power required to crack 128-bit and 256-bit encryption is huge, however – one theoretical model states the energy required to break 128-bit encryption with a conventional processor as equivalent to consuming 30 gigawatts of power for one year!
So, how did the NSA’s Prism program do it? By adding ‘back-doors’ (vulnerabilities) into commercially available software – apparently in covert partnership with the firms making it. Some newspapers also speculate about ‘upstream’ data collection, directly tapped from fibre optics and phone lines. To decrypt this in real-time requires, as we have seen, great computing power; are quantum computers already here?
The encryption debate will rumble on – US and UK governments disagree (at least in public) about whether to criminalise the use of encrypted web traffic.
Watch this space (I’m off, now, to put on my tin-foil helmet).
Start a discussion about online security with the Big Data debate kit in the eLibrary.