Encryption Demystified
With encryption, you can even be a whistle-blower and not worry — Brian Acton
Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future — Jan Koum
We live in a constantly connected world. The average human spends at least 6 hours a day on the internet accounting for 3 months a year spent online. From sending emails to replying to direct messages on social media, conversing with one another has never been easier. The evolution of technology and the growth of the internet has redefined how we communicate.
The increased rate of communication has brought about problems of its own and the major issue being security. Over the years, there have been several security lapses in the tech industry with many of the big players getting affected.
One of the most memorable of our time is the Facebook — Cambridge Analytica data scandal in 2016. The British political consulting firm mined personal data of millions without their consent and used it in political advertising.
Other companies have also had their share of bad press due to security concerns including Adobe and Google. Despite countless efforts being made to secure our information online by developers and security experts, once in a while, a loophole is discovered and the effects can be catastrophic.
Cryptography — the science of secret writing — is at the front line of the never-ending fight of securing our data online. Encryption is the most popular form of cryptography being employed to curb malicious activities and to protect our information from unintended eyes.
What is Encryption?
Encryption is the process of taking a message — plain text — and jumbling it up to form a ciphertext. This process enables us to transmit information over the public domain i.e the internet without anyone in between knowing the contents of the message.
Once the information is received by the recipient, the process of jumbling it up is reversed (decryption) and the result is the human-readable message. There are two types of encryption — Symmetric encryption and Asymmetric encryption.
Symmetric Encryption
To better understand how this works, let’s come up with a hypothetical scenario. Two parties, Alice and Bob, want to exchange letters and avoid eavesdroppers in the process. Alice decides to purchase a lock and create a copy of its key. She then finds a clever way of sending the key to Bob and now both of them have their copy of the key.
Now Alice can place any letter she wants to send to Bob in a box and lock it. Once Bob receives the box, he will be able to open the lock using his copy of the key and retrieve the letter.
Despite its success in the delivery of confidential messages, this shared key method only works well if 2 people are involved in the conversation. If third parties are to be introduced, 3 people will now have a copy of the key.
If Alice and Bob wanted to exchange letters, they would register with the third-party service and they would each get a set of matching keys and a box with a lock.
Alice would place her letter in a box and lock it using her key and send the box to the third-party company. The company would then have to open the box to determine who the message is addressed then lock it again and deliver it. Once Bob receives the package, he would use his key to open the lock and access the contents of the box.
Then came Whitfield Diffie. From an early age, Diffe was fascinated by the world of cryptography. At his time major advancements and research in cryptography were being done by the NSA — an intelligence agency of the United States Department of Defense.
In the early 1970s, IBM partnered with the NSA and came up with The Data Encryption Standard — a key and box version for the digital era. The key which locked the box was replaced by a more elegant and secure digital key in the form of complex math equations — Ahsan Barkati.
Before the announcement of the new Data Encryption Standard — DES, Diffie was also thinking of developing a new method for securing data online. The news of IBM’s new encryption standard got him by surprise but after reviewing it he believed there was a better way.
Diffie together with Martin Hellman envisioned a non-secret type of encryption. He examined the shared key encryption and came up with an alternative. What if, instead of sending a copy of your key to whoever you want to communicate with, you instead send them an open lock?
In this example let’s assume Alice wants to communicate with Bob. Alice would buy a lock, keep the key then send the open lock to Bob. Bob would then write his message, place it in a box and lock it using Alice’s lock.
Once he does this no one else — not even Bob himself — can open the box to see the message. Bob would then forward the parcel to the third-party delivery service and ask them to deliver the parcel to Alice.
Now, Bob’s message to Alice is completely confidential. Alice can buy multiple locks, keep the keys and send the open locks to anyone who wants to communicate with her.
She could also have them stored by the delivery service and whoever wants to send her a message can request for her open lock. This was the birth of asymmetric encryption.
The open lock plus its key are considered as two separate keys since the open lock scrambles the message and the key unscrambles the message. This is opposite to the symmetric encryption where one key did both the scrambling — encryption — and the unscrambling — decryption.
The open lock is the Public key since it is shared over the public domain to anyone who wants to communicate with Alice and the locks’ key is the Private Key since Alice keeps it to herself. The two keys form the Private and Public key pair.
The Trap Door
Instead of using the old-fashioned metallic locks and keys, Diffe instead made use of mathematical one-way functions — easy to compute (encrypt) but difficult to reverse (decrypt). However, Diffie’s goal was to build a “trap-door” into the one-way functions — a shortcut — only accessible to whoever has the Private Key — in our case — Alice.
This was the genesis of trapdoor one-way functions — one-way functions with shortcuts built into them. The information would be scrambled using the recipient’s public key — accessible to anyone — and only unscrambled with the help of the recipient’s private key — the shortcut.
In most scenarios, your device will generate the private and public keys and only send the public key to the server. Anyone willing to communicate with you will first have to access your public key from the server before using it to encrypt a message intended for you.
Encryption in Online Banking
When interacting with your bank using mobile banking, a secure connection needs to be established between you and the bank to exchange confidential information, for instance, credit card information. To establish a secure connection, the Transport Layer Security (TLS) is used.
TLS is used not only in mobile banking but in securing connections between websites and browsers — click on the lock next to the URL on your browser. Transport Layer Security makes use of symmetric encryption to secure the data being sent from the website’s server to your browser.
The main purpose of TLS is to secure data in transit. Symmetric encryption, in this case, works fine as only two parties are involved in the communication — you and your bank.
Encryption in Email Services
Transport Layer Security — Symmetric encryption — is also used by email service providers to protect your emails in transit. This prevents eavesdroppers from accessing your emails as they travel through the internet.
However, in this scenario, the final destination of the email isn’t the email service provider. The email service provider should only act as a middleman whose responsibility is to forward your message to the correct recipient. This is not usually the case with most email providers.
Once the encrypted email reaches the email provider, they decrypt it and store it in their database to run targeted ads, auto add stuff into your calendar like diary entries, delivery information, flight information and a whole load of other stuff before forwarding it to the recipient. Those are the terms and conditions we blindly accepted.
We also collect the content you create, upload, or receive from others when using our services. This includes things like email you write and receive, photos and videos you save, docs and spreadsheets you create, and comments you make on YouTube videos — Google.
The controversy with this approach — symmetric encryption — is that the middle man can be pressured by legal entities to release information about its users. Service providers might be ordered by the government to hand over communications between suspects or even innocent civilians living repressive governments and mass surveillance.
Your messages should be in your hands. That’s why we don’t store your messages on our servers — WhatsApp
In April of 2016, Whatsapp made the bold move of introducing End-to-End encryption (E2EE) — an implementation of asymmetric encryption — on all data going through their servers. E2EE is specially built for messaging systems where only the communicating parties can read the messages.
To understand why Whatsapp was one of the first major companies to make this move, it’s imperative that we look into Jon Koum’s background — founder of Whatsapp.
Koum would recall his anger and frustration of being unable to contact his father and the rest of his family that he had left behind in the Ukraine. Other than through the telephone which was both expensive and not secure, He hoped that one day they would be a way for people from across the world to keep in touch with each other — Yoel Bermant
Life for the Koum family was far from luxurious. He grew up under basic living conditions coupled with a constant fear of the secret police who had extensive invasive powers, especially among members of the Jewish community. In 1992 when the gates to Jewish immigration from the former Soviet Union opened, Koum — then 16 years old — and his mother decided to move to the United States.
He developed an interest in technology during his high school years and took up a night job at Ernst & Young as a security tester to pay for his studies at San Jose State University.
While still in university, he periodically worked at Yahoo! before deciding to drop out of school and commit to Yahoo! full time. While at Yahoo!, Koum met Brian Acton with whom they decided to launch their own company — Whatsapp
We don’t have to know a lot about our users. To target advertisements well, companies need to know where you are, what you might be doing, who you might be with, what you might like or not like. That’s an insane amount of data — Koum
Growing up under a repressive regime, Koum was determined to build a platform that enabled its users to communicate freely without fear of eavesdroppers. He was able to achieve this after partnering with Moxie Marlinspike — a renowned computer security researcher.
Together with Trevor Perrin, Moxie authored the Signal Protocol which is a cryptographic protocol that is used to provide end-to-end encryption. WhatsApp makes use of the Signal Protocol to encrypt voice calls, video calls and instant messaging conversations.
End to End encryption has prevented Whatsapp from reading the data that is sent across its network. This move has made Whatsapp unable to comply with court orders demanding access to the content of any message, call, photo or video traveling through their service.
Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front — one that spans roughly a billion devices — Michael Friberg, Wired.
Apple also had their run-in with the US government after receiving a court order to release information about a suspect involved in the San Bernadino shooting which left 14 people dead.
The FBI wanted Apple to create a special version of iOS that would accept an unlimited combination of passwords electronically until the right one was found. The new iOS could be side-loaded onto the suspect’s iPhone giving the FBI the ability to crack the phone.
Cook refused. The new version of iOS — if misused, leaked or stolen — would have endangered the privacy of millions of iPhone users.
Governments around the world are pressuring tech companies to provide them with backdoors to prevent criminals and terrorists from taking advantage of End to End Encryption to plan attacks. This is one of the most controversial issues regarding this form of encryption.
According to Koum, if tech companies were to build back-doors into their products, or remove encryption entirely, that wouldn’t stop bad actors. They’d just go elsewhere.
In the age of open source software, encryption tools are freely available to everyone. The encryption genie is out of the bottle.
Max Krohn — CEO at Keybase — proposed a counter-argument to the ethical use of end-to-end encryption during an interview with Tom Eston.
Are door locks illegal? Won’t criminals use them to prevent law enforcement from breaking into their houses? Should we all live without locks on our houses?
What if I don’t have anything to hide?
You should. If you — let alone the government — can’t even count how many laws there are, what are the chances of you being sure that you aren’t violating any of them?
If everyone’s every action were being monitored, and everyone technically violates some obscure law at some time, then punishment becomes purely selective. Those in power will essentially have what they need to punish anyone they’d like, whenever they choose, as if there were no rules at all — Moxie Marlinspike.
Want to learn more about Encryption?
Thanks for taking the time to read this article. What are your views on encryption? Should governments have backdoors that would allow them to read our messages? Is encryption even necessary? Share your thoughts below.
