Ancient Arab pioneer's art turned modern-world threat
After 1,200 years, cryptography has come home to the Arab world. In the 9th century, it was the Iraqi intellectual Abu Yusuf al Kindi, who pioneered the study of hiding - and finding - secret messages within text. His legacy is reflected in today's English language; the word cipher, meaning a code used to scramble and unscramble data, is derived from the Arabic sifr (meaning zero).
But today, on the same peninsula where al Kindi's tribe originated, cryptography is landing one of its most prominent commercial proponents in legal hot water. Unless a solution is soon found, in about eight weeks sifr could also describe the number of working BlackBerry phones in the UAE. The battle between regional governments and Canada's Research In Motion (RIM), the maker of the BlackBerry, has brought the little-discussed field of cryptography into the spotlight.
Reports abound of secret "back doors" into RIM's e-mail encryption system, a "master key" that lets its owner unlock any message they please, and the sharing of algorithms with Chinese state security and Russian spies. But for the volume of media noise surrounding RIM and its encryption, little is known about precisely how the system works and how foreign governments, particularly in the US and UK, manage to monitor communications that are encrypted using technology from BlackBerry and others.
The UAE Government has maintained it is only looking for the same access and privileges that RIM has given to these states - but exactly what those privileges are, and if they even exist, remain as mysterious as a block of text after it has been run through one of RIM's famous algorithms. Stewart Baker, a former general counsel of the US National Security Agency, says such demands are becoming increasingly common around the world.
"There's a widespread view in government circles that surely some other government is getting a better deal than I am," he says. But Mr Baker, who also served as the policy chief of the US department of homeland security, says such requests could put companies like BlackBerry in a bind. "There is a fundamental difficulty for companies making secure or encrypted products: their customers want assurance that the product is secure against at least some governments ?
"There is demand for products whose security is not within the control of the company that is selling them." Alisa Finelli, a spokeswoman for the US department of justice, says the country's law-enforcement agency uses "lawful authorities, including court authorisation as appropriate, when it obtains relevant information from providers". The country has federal laws requiring telecommunications providers to let law enforcement listen in to communications passing through their networks.
But these laws are complicated by BlackBerry and other secure communications providers, which are not legally required to help authorities unscramble the communications of their customers. An effort in the early 1990s to introduce the Clipper chip, a government-developed encryption system with an inbuilt "back-door" that allowed eavesdropping by the authorities, quickly failed. Attempts over the past decade to include encryption services under the umbrella of communications providers that must give listening services to authorities, have also failed.
Many security experts believe that authorities in the US and around the word have developed a method to bypass the encryption used by BlackBerry phones, with some speculating that BlackBerry itself would have been pressured to co-operate in the effort. There is no publicly available evidence that BlackBerry's encryption has been broken by US authorities. Mrs Finelli says the department of justice is not "at liberty to comment on the specifics of law enforcement techniques".
The art and science of scrambling information to make it readable only by a select group has a long history. It was used by ancient Egyptians, Hebrew scholars and ancient Greek archivists. In its oldest form, it was as simple as shuffling the letters in a word, or replacing each letter with another. In the most basic form of encryption, each letter is replaced by the one that follows it in the alphabet, turning HELLO into IFMMP. The cipher in this case replaces each letter with another in the alphabet.
A secondary detail is the encryption "key" - the variable element that interacts with the cipher to scramble the information (in this case, the key is the equivalent of "move forward one letter"). As long as only the sender and receiver know the code and the key, both can make sense of text that appears as gibberish to others. While simple encryption like this can be easily broken, the advent of microprocessors, advanced mathematics and sophisticated security software means that today, the average UAE resident can download an encryption system from the internet that can be broken only by the world's most powerful supercomputers.
And the BlackBerry phone, which has turned from a niche corporate tool into a mass-market gadget, has put that kind of encryption technology into more than 500,000 local hands. The Telecommunications Regulatory Authority (TRA), the UAE telecoms regulator, has stressed such a situation is in breach of national law and has demanded that RIM provide it with the tools needed to unscramble all encrypted communications passing through its networks.
But does such a tool exist? Technically, security experts say, a well-made encryption system is almost impossible to break. "If they do not have access to the key used to encrypt they cannot decrypt the messages sent or stored," says Bart Preneel, the president of the International Association for Cryptologic Research. In the BlackBerry encryption system, the sending and receiving handsets each generate a private key, known only by the handset and the BlackBerry server. The system, like all good encryption services, is built to ensure that keys remain private.
"Encryption moves the protection of the confidentiality and authenticity of data to the protection of the confidentiality and authenticity of secret keys," says Mr Preneel, likening the system to home security. By putting locks on the doors, we create a secure system that prevents entry. But we also put the entire security in the hands of the key. Anybody with the key, or a copy of it, can enter the home as they please.
What RIM could do, experts agree, is create a system that deliberately leaks these keys to a third party, such as law enforcement agencies. It could even include the key in publicly transmitted information sent by the handset, hidden in a way that only authorised parties could find. More drastic would be to write a vulnerability into the system itself - although such a vulnerability is likely to be quickly discovered by the security community, particularly in a device as popular as the BlackBerry.
"While it is technically possible to create a system in which one master key allows you to decrypt all conversations," Mr Preneel says, "I am not aware of any company that has fielded such a system." Bruce Schneier, an international authority on cryptography, said there were a number of ways a company like RIM could give third parties the ability to read encrypted data. "A back door can be put into any encryption algorithm," Mr Schneier says. "Here's one simple way to do it: when you generate a key, you use a random number generator to make the key.
"What you do is, you do that process really badly so they are not really random numbers - really, there is only 1,000 possible numbers. You can give those thousand numbers to whoever you want ? This notion of RIM saying 'there is no way of doing this' is obviously not true." In the US, Mr Schneier says, the reach of security services - and their collusion with the communications industry - is best exemplified by the 2007 revelation that the American National Security Agency (NSA) had gained full and unsupervised access to many of the country's largest telecoms networks.
Controversy followed but there has been no significant roll-back of the programme. It has reached a point where "we don't follow law any more when it comes to eavesdropping", says Mr Schneier, who now serves as the chief security technology officer of the telecoms company BT. Businesses and individuals looking to communicate without government oversight should forget the notion that data can be secure and simply "hope that the people eavesdropping are doing it with vaguely good intentions", he says.
"Or, don't send truly sensitive information electronically." email@example.com
Published: August 7, 2010 04:00 AM