blueshiftoverwatch
April 4th, 2009, 02:25 AM
I was thinking about encryption for Internet based communications, it's weaknesses, and how these weaknesses could possibly be overcome. I'm by no means an expert in the art of cryptography but here are some of my thoughts about the weaknesses of currently existing encryption systems and some suggestions on how they could be made more secure.
The only downside to encrypting your email or instant messaging conversations through protocols like OpenPGP (PGP and GPG) and Off-the-Record Messaging is that it would extremely obvious to any third party that might be watching (ie authoritarian governments) that you were using encryption. I'm no expert but it seems as though the same software that can be used to scan for certain key words or phrases and red flag emails/IM's that contain those key words or phrases could also be used to scan for encryption. Because instead of being a series of recognizable words the encrypted email or IM would be a string of seemingly random letters and numbers. A metaphor for this might be if everyone who was sending letters through the physical mail using encryption put their letter in a red envelope instead of the standard white. Anyone who saw the red envelope would instantly know that the person sending the letter cared enough about other people not being able to know it's contents that he encrypted the message instead of sending it clear text like most people do. Giving rise to the suspicion that the sender had something to hide. Just as anyone who might be viewing the conversation of two invididuals using encryption would be able to instantly tell that they were using encryption because the text would appear to be a bunch of gibberish instead recognizable of words and sentences.
So although encryption will make your conversations private to people who might try to intercept them, the fact is that the overwhelming majority of Internet users don't use encryption. So the people who do use it will stick out like sore thumbs among the rest of their peers who don't use it. Giving rise to the suspicion that they have something to hide. Which might cause (in the case of authoritarian governments) the persons house to be raided, their computer confiscated, and their encryption keys taken from them. Or the person being threatened with prison time (or worse) if he didn't turn over his keys to the authorities.
But I have thought of two possible solutions to the above mentioned problem.
Idea #1: A solution for filters being setup to red flag encrypted communications between individuals could be to artificially increase the number of encrypted messages being exchanged over a given network to make the people who are using encryption blend in more with the crowd. For example, if you were charged with finding a single person out of a crowd of 100 people that might be a difficult task. But if you knew the person you were looking for was wearing a red hat that would make looking for him significantly easier. But the greater the percentage of people in that crowd who were also wearing red hats the greater the time it would take to find that person would be. Likewise, if you were tasked with finding people who were using encryption over a given network to flag as "persons of interest" the more people who were using encryption the more people who would be red flagged and the more time would be wasted on wild goose chases. Possibly not the best metaphor but hopefully you've gotten the point. Anyway, perhaps distributed computing like software could be developed that people could install on their computers and delicate a portion of their bandwidth to having the software send encrypted messages to other people using the software. This would have the effect of flooding the email and IM networks with a greater percentage of encrypted conversations. Making it much harder for eavesdropping third parties to figure out which conversations were actual people using encryption and which were just bots meant to distract them and waste their time.
Idea #2: Instead of using encryption based on strings of seemingly random letters and numbers being sent between the parties involved which could be vulnerable to filtering software as mentioned above. Maybe a new type of encryption algorithm could be invented that instead of using random letters and numbers used random words or phrases in place of actual words. For example the word "the" might be encrypted and transferred over the network as the phrase "kittens are cute". This would make it much harder to filter and red flag conversations where encryption was suspected to be in use because the encrypted conversations in question would require greater scrutiny to determine whether or not they were encrypted.
Those were just some ideas floating around in my head. Feel free to critique and thank you to everyone who actually bothered to read the entire message. I'm not a programmer so I have no means to actually implement any of the the ideas I have suggested. But perhaps this message will be read by someone who does. Or at the very least spark some debate. I'm aware that political discussions are banned in the Ubuntu Forums and my examples of authoritarian governments arresting people for using encryption was just an example used to illustrate a point. Not to spark a political debate about the role of government.
The only downside to encrypting your email or instant messaging conversations through protocols like OpenPGP (PGP and GPG) and Off-the-Record Messaging is that it would extremely obvious to any third party that might be watching (ie authoritarian governments) that you were using encryption. I'm no expert but it seems as though the same software that can be used to scan for certain key words or phrases and red flag emails/IM's that contain those key words or phrases could also be used to scan for encryption. Because instead of being a series of recognizable words the encrypted email or IM would be a string of seemingly random letters and numbers. A metaphor for this might be if everyone who was sending letters through the physical mail using encryption put their letter in a red envelope instead of the standard white. Anyone who saw the red envelope would instantly know that the person sending the letter cared enough about other people not being able to know it's contents that he encrypted the message instead of sending it clear text like most people do. Giving rise to the suspicion that the sender had something to hide. Just as anyone who might be viewing the conversation of two invididuals using encryption would be able to instantly tell that they were using encryption because the text would appear to be a bunch of gibberish instead recognizable of words and sentences.
So although encryption will make your conversations private to people who might try to intercept them, the fact is that the overwhelming majority of Internet users don't use encryption. So the people who do use it will stick out like sore thumbs among the rest of their peers who don't use it. Giving rise to the suspicion that they have something to hide. Which might cause (in the case of authoritarian governments) the persons house to be raided, their computer confiscated, and their encryption keys taken from them. Or the person being threatened with prison time (or worse) if he didn't turn over his keys to the authorities.
But I have thought of two possible solutions to the above mentioned problem.
Idea #1: A solution for filters being setup to red flag encrypted communications between individuals could be to artificially increase the number of encrypted messages being exchanged over a given network to make the people who are using encryption blend in more with the crowd. For example, if you were charged with finding a single person out of a crowd of 100 people that might be a difficult task. But if you knew the person you were looking for was wearing a red hat that would make looking for him significantly easier. But the greater the percentage of people in that crowd who were also wearing red hats the greater the time it would take to find that person would be. Likewise, if you were tasked with finding people who were using encryption over a given network to flag as "persons of interest" the more people who were using encryption the more people who would be red flagged and the more time would be wasted on wild goose chases. Possibly not the best metaphor but hopefully you've gotten the point. Anyway, perhaps distributed computing like software could be developed that people could install on their computers and delicate a portion of their bandwidth to having the software send encrypted messages to other people using the software. This would have the effect of flooding the email and IM networks with a greater percentage of encrypted conversations. Making it much harder for eavesdropping third parties to figure out which conversations were actual people using encryption and which were just bots meant to distract them and waste their time.
Idea #2: Instead of using encryption based on strings of seemingly random letters and numbers being sent between the parties involved which could be vulnerable to filtering software as mentioned above. Maybe a new type of encryption algorithm could be invented that instead of using random letters and numbers used random words or phrases in place of actual words. For example the word "the" might be encrypted and transferred over the network as the phrase "kittens are cute". This would make it much harder to filter and red flag conversations where encryption was suspected to be in use because the encrypted conversations in question would require greater scrutiny to determine whether or not they were encrypted.
Those were just some ideas floating around in my head. Feel free to critique and thank you to everyone who actually bothered to read the entire message. I'm not a programmer so I have no means to actually implement any of the the ideas I have suggested. But perhaps this message will be read by someone who does. Or at the very least spark some debate. I'm aware that political discussions are banned in the Ubuntu Forums and my examples of authoritarian governments arresting people for using encryption was just an example used to illustrate a point. Not to spark a political debate about the role of government.