Tuesday, February 18, 2020

CRYPTO AG Alternatives?

The latest news about insecure Crypto AG equipment, sold not only to foes, but also to some friends, was not that surprising, given the warning signs that popped up in the past. The scale and duration of the operation are a surprise, but it's all part of the game called intelligence collection.

Despite those early red flags, Crypto AG, and its owners, the CIA and BND, managed to convince customers to maintain confidence in their crypto products. The reputation of the firm and its location in "neutral" Switzerland helped. The question is whether those customers had any choice or alternatives.

In reality, truly secure communications is anything but easy. Communications security is a highly specialised discipline, comprising a whole range of rules, regulations, technical requirements and equipment. Special dedicated equipment can provide such security, but trusting the manufacturer is essential. However, in the field of cryptography, so intertwined with security and intelligence collection, trusting others is not that smart. What are the alternatives? For a start, they are always costly, either in money or in effort.

Since people tend to prefer easy, they often choose cheap and simple. Today, that’s an application from their app store, or an add-on for their e-mail or browser software. Some diligent, distrustful users might download actual encryption software and run decent anti-virus software. In general, this creates more problems than it solves, and here’s why.

Normal computers, laptops, tablets and smartphones are absolutely not suitable to run encryption software, despite some vendors claiming otherwise. All these devices have numerous processes running in the background. Plug-ins, add-ons and other unidentified software are often downloaded automatically, for the sake of compatibility or convenience, or at the request of the user.

Software developers who claim their software provides secrecy and privacy on your personal computer or smartphone actually do not know what they are talking about. Not because of incompetence, but simply because they really have no idea of all the processes running before or after installing their software. Often, the user is both cause and problem, with the kind assistance of the OSI layers, or Open Systems Interconnection (what's in a name). Seven layers of security nightmare.

Therefore, running crypto software might prevent your wife or neighbour from reading your e-mails, but won’t prevent state actors or professional hackers from doing so. Theoretically it takes far too long to crack strong encryption, but in 95% of the cases they don’t waste time on that and instead retrieve your data before it is encrypted.

The most secure solution is off-line encryption on a dedicated computer or device, which is never connected to the security nightmare called Internet. This will make it harder, but not always impossible. Should you use commercial software, proprietary secret encryption algorithms, or develop your own crypto algorithm, and would that be secure?

Various publicly available algorithms are peer-reviewed and pretty secure. They take far too much time to crack, in theory. There are however always actors with more brain power and resources who might discover and exploit a mathematical shortcut. It's important that the user fully understands how the encryption works and can verify its performance, which is very hard. So he just has to trust the manufacturer? What's left?

There’s one type of encryption, truly unbreakable today, and in the future, no matter what technology might arise. Unbreakable because it's an equation with two unknowns, mathematically impossible to solve. It’s called one-time pad (OTP). Hailed in the past for protecting communications for diplomacy, military and intelligence, and still used for special purposes, this encryption method, performed on machines or with pencil and paper, provides secure communications, under the condition that it is implemented properly.

The famous Cold War Washington-Moscow hotline, encrypted with ETCRRM one-time tape machines, is a well known example. The paper version, shown below, was the favourite spy encryption for decades, often used in numbers stations. One-time pad has never been broken, and some erroneous claims are in fact cases of implementation errors.

One-time letter pad booklet with reciprocal encryption table.
Image © Dirk Rijmenants

One-time pad has two main drawbacks, which are however not technically insurmountable: true randomness and key distribution. OTP encryption requires truly random keys, as long as the message, and used only once. This creates logistical issues.
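To make the "two unknowns" argument and the three rules (truly random, as long as the message, used only once) concrete, here is the letter-pad scheme worked through in Python. This is an added example, not code from this post or from the Cipher Machines and Cryptology site. It assumes the reciprocal table is the Beaufort-style rule C = (K − P) mod 26, one standard way to build a table that enciphers and deciphers with the same lookup; the table printed in the booklet above may be arranged differently. The function and class names are this example's own, and `secrets` stands in for the true hardware random source a real pad requires.

```python
"""One-time pad (OTP) with a reciprocal letter table, A-Z only.

Added worked example, not code from the blog post or the booklet it shows.
Assumption: the reciprocal table is C = (K - P) mod 26 (Beaufort-style),
so the same lookup both enciphers and deciphers.
"""
import itertools
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def normalize(text: str) -> str:
    """Keep A-Z only, upper-cased: a letter pad has no digits or spaces."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def generate_key(length: int) -> str:
    """Key letters from the OS CSPRNG. Real OTP demands a true hardware
    random source (the 'true randomness' rule); secrets is only a stand-in
    so the example runs anywhere."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def combine(text: str, key: str) -> str:
    """Reciprocal table lookup, letter by letter: C = (K - P) mod 26.
    Since (K - C) mod 26 == P, the very same call decrypts."""
    if len(key) < len(text):
        raise ValueError("key must be at least as long as the text")
    return "".join(
        ALPHABET[(ALPHABET.index(k) - ALPHABET.index(t)) % 26]
        for t, k in zip(text, key)
    )


def key_explaining(plaintext: str, ciphertext: str) -> str:
    """The one key that maps this plaintext to this ciphertext: K = (P + C) mod 26."""
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(c)) % 26]
        for p, c in zip(plaintext, ciphertext)
    )


def candidate_plaintexts(ciphertext: str) -> dict:
    """Every plaintext of the same length, paired with the single key that
    would turn it into the ciphertext. Each key occurs exactly once, so the
    ciphertext alone says nothing about which plaintext was sent: one
    equation, two unknowns."""
    return {
        "".join(p): key_explaining("".join(p), ciphertext)
        for p in itertools.product(ALPHABET, repeat=len(ciphertext))
    }


class KeyPad:
    """A booklet of numbered key sheets. A sheet is torn out when used and
    cannot be used again; key reuse is the implementation error that breaks OTP."""

    def __init__(self, sheets: dict):
        self._sheets = dict(sheets)

    def take(self, sheet_id: str) -> str:
        try:
            return self._sheets.pop(sheet_id)  # destroyed on use
        except KeyError:
            raise RuntimeError(f"sheet {sheet_id} already used or unknown") from None


def roundtrip(message: str, key: str) -> tuple:
    """Encrypt, then decrypt with the same table and key: (ciphertext, recovered)."""
    plain = normalize(message)
    cipher = combine(plain, key)
    return cipher, combine(cipher, key)


if __name__ == "__main__":
    # Constructed sample: sheet 0001 carries the fixed key XMCKL for reproducibility.
    pad = KeyPad({"0001": "XMCKL", "0002": generate_key(5)})
    k = pad.take("0001")
    c, p = roundtrip("hello", k)
    print(k, c, p)  # XMCKL QIRZX HELLO
    cands = candidate_plaintexts("QI")
    print(len(cands), cands["HE"], cands["NO"])  # 676 XM DW
    try:
        pad.take("0001")  # second use of the same sheet is refused
    except RuntimeError as err:
        print(err)
```

`candidate_plaintexts` is the whole security argument in one table: for the two-letter ciphertext QI there are 676 possible plaintexts and 676 possible keys, and they pair off one to one, so no amount of computing power can prefer HE over NO. `KeyPad.take` enforces the rule the text calls logistically hard; everything the post says about couriers is about keeping those sheets secret and unique on their way to both ends.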

In the heyday of one-time pad, this meant a special courier from the organisation – usually state actors – who securely transported the keys. Secure key logistics is the sole reason why this unbreakable encryption is not generally used today, because secure logistics means costs.

Are costs really a problem? Today’s technology enables easy production and secure physical transport of vast amounts of key material (read bytes) on a small carrier, to provide year-long encryption before it is fully consumed, making it pretty cheap per byte. It's a question of being willing to provide the technical infrastructure and funding. Even quantum key distribution already exists and is operational.

Secure transport might cost more than the free exchange of asymmetric cryptography's public keys, but costs are relative. Ask Crypto AG customers, both adversaries and friendly states. Their costs for the equipment they bought, the training they received, maintenance and, last but not least, the costs and damage caused by their compromised communications... for decades. Extremely expensive in terms of security and possibly also economic losses through industrial espionage.

Crypto AG HC-7845 world's first 1 Gigabit VPN encryption in 2009... can we trust it?
Earlier Cold War Hagelin/Crypto AG machines at the History of Hagelin page.

If they had used one-time pad encryption, common practice until the early 1980s, instead of Crypto AG equipment, it would have been less practical, a bit more costly, but in the end far cheaper than trusting their most critical secrets to outsiders and man-made algorithms with all their flaws, weaknesses and, as history showed, hidden intentional weaknesses. One-time pad, on the other hand, is simple, fast and transparent, its proper functioning is easy to verify when applied in machines and yes, it is less practical.

However, if we talk about vital secure communications, what’s most important? Cheap, easy and insecure, or costly, hard and secure? One lesson throughout history is that real security is never cheap, always requires effort, but pays off. Unfortunately, little Joe, big companies and government agencies all want it to be easy and cheap, and they are at the same time addicted to producing and sending ever larger amounts of sensitive information. Weak security? We actually asked for it, and we got it.

Visit the one-time pad page on Cipher Machines and Cryptology to learn more about the history and use of unbreakable encryption. You want to use encryption that is – clearly – more secure than rigged Crypto AG machines? You can, but only if you strictly follow all the one-time pad rules! Read about it in the Guide to Secure Communications with One-time Pad (pdf). It’s unbreakable, free, transparent and fun, if you have some time to spare. There's also the history of Crypto AG and predecessor Hagelin Cryptos.

If you want to know why public-key cryptography solved the key exchange problem but not the actual security of our communications, check out Is One-time Pad History? (pdf). This was written many years ago, and a note was added in 2015 about how reality had surpassed our greatest fears by far. Well, we doubled down on that one again.


Don Sudduth said...

Great blog - very interesting topics. I completely agree with you about one-time pads. Even attempting to encrypt using a disconnected computer has many possible leaks - for example, data can be transferred through the sound card and fan -> https://wccftech.com/hacking-is-now-possible-using-the-sound-generated-by-the-pcs-internal-fan/ not to mention any intrusion techniques of key loggers, etc. Keep up the great work!

Dirk Rijmenants said...

Hi Don, there are indeed many ways to compromise a machine, but fortunately, it is possible to truly separate insecure and secure machines (red/black concept). That however requires a dedicated device that cannot be controlled from the outside.

Technically pretty easy, but the user has to be willing to use a device that only communicates specific data and doesn’t have the (hugely insecure) functionalities that people take for granted, like plug-ins, add-ons, extensions, automatic updates, cookies, compatibility to whatever data formats.

Most can’t live without all that, and prefer cheap and/or easy, but consequently offer their privacy to the herd of Big (commercial) Brother sheep. The industry makes sure they don’t have a choice, and even the secure communications industry has quite a problem.