Authors: Boston T. Party, Kenneth W. Royce
Special Agent Douglas Bleth walks west on Penn past the red-roofed newsstand and enters the building. He is to brief the Director at 9AM, who had been phoned by the Wyoming Secretary of State to look into the odd and possibly alarming sudden influx of new residents. A plainclothes guard at the desk checks his badge and plastic smart card ID as Bleth signs in. The guard nods and presses a hidden button under the desk. One of the elevator doors swishes open. Again, just like Brazil.
Bleth steps inside and presses "7." The FBI top brass "sultans of the 7th floor" commanded sweeping views of Penn Avenue. But of course.
After a brief wait, Bleth is shown into the Director's office.
"So, who's behind all this?" asks the Director without preamble. Such pleasantries as "Good morning" were usually a waste of his time.
Bleth says, "We have yet to learn the personalities of their C³I." C³I stands for Command, Control, Communication, Intelligence. "Analysis of new residents' email traffic shows that their instructions likely came from encrypted messages forwarded in bulk by foreign emailers. 'Remailers' they're called."
The Director parries, "If these Wyoming people are receiving encrypted foreign email, then how do you know this isn't a foreign operation?"
Bleth has already considered this. "Technically, we don't, but what would any foreign country have to gain by any of this? It seems like a domestic operation, probably from the right-wing element given the conservative nature of Wyoming."
"Good point," the Director says, nods—satisfied. "What are these nine thousand people up to?"
"We think that they are part of, or somehow connected to, the Free State Project. You know, that group which "
The Director harumphs. "Yes, I've heard of them. Just another libertarian pipe dream, like colonizing space on personal rocket ships. It's a last gasp effort of people who just can't get along in society. Desperate kooks."
"I agree, sir, it is farfetched, but the FSP makes no secret of desiring to take over a state through the electoral process, even though their membership officially chose New Hampshire back in 2003. The new residents of Wyoming already have five counties. That's nearly a fourth of the state. And it's all been legal as far as we can tell."
"Right as far as we can tell," says the Director. He is silent for a moment and then asks, "How are these people in communication?"
"Through PGP encryption, but with a twist. Let's say that you want to send a group message to a thousand people, but encrypted. Not only is the message identical, the encryption is identical, or else you would have to encrypt it a thousand different ways — one way for each recipient according to their unique public key half. For large group comm, this is far too cumbersome. So, public key encryption is not the answer unless everyone had the secret key, allowing the sender to encrypt the message with the public key. Although this could be done, it's needless extra work."
"Why is that?" asks the Director.
"Because of the way PGP operates, secret keys are not added to third party keyrings — only public keys are. Secret keys are added to the secret key ring only during a key pair's generation by the creator. I don't think PGP will allow an outside secret key to be added to the ring, and even if it can be done I'd bet it's really tricky. Too tricky for most users. The other way to do it would be to send out a file secring.pgp containing this group secret key and have the users substitute it for their own PGP secret keyring file when decrypting group email. Either way, it's a lot of extra work."
"And the 'needless' part?"
"PGP users who want to encrypt something solely for themselves don't have to use the RSA public key algorithm since they're not sending it to anybody else. As the sender and the recipients are all of the same group, it's like they're the same person for the purposes of this encrypted message. Therefore, single key, or symmetric, encryption is what you'd use. Meaning, the passphrase both encrypts and decrypts the message.
"As far as the algorithms go, asymmetric encryption is no stronger than symmetric. All asymmetric encryption does is allow two people to exchange encrypted messages without having first shared a passphrase. If a secure channel exists for communicating a common passphrase, then there is no problem using symmetric encryption. The key bit lengths are not equal, however. A 128-bit symmetric IDEA key is about the same as a 1024-bit asymmetric RSA key."
The Director looks lost. "What exactly are 'bits'?" The Director, a former federal judge, is notoriously ignorant of technical matters. Science, mathematics, computers: all of it is beyond him.
Bleth groans inwardly. "A binary digit, b-, -it. Computers are just a collection of switches and can only read ON/OFF, 1 or 0. Humans use a base 10 numeric system, and computers use base 2. Although any of our numbers can be translated in base 2-bits, it takes many more bits to do so."
Bleth pauses to see if the Director is following him.
"I understand. Go on."
"Given equal encryption strength, an asymmetric key is longer than a symmetric key because asymmetric algorithms are not as efficient."
"I'm with you. Continue."
"So, for these thousand people to individually decrypt your email, they must all know the common passphrase, right? But here's the problem, how do you secretly tell all of them in advance what the passphrase is? You need a secure prior channel to them. What the NSA believes is that each of the Wyoming people were, before they moved, initially contacted through their own key pair and told of the group passphrases to be used in the future. While it would be sweaty work, you'd only have to do it once. After everyone was on board with the passphrases, encrypted group emailings would be easy."
The Director is looking off into space, thinking. "Any success decrypting those emails?"
"None, sir. The NSA is working on them now."
"But hasn't the RSA algorithm been broken before?"
"Yes and no."
"What do you mean?"
"RSA is considered a very strong algorithm; it has no glaring weaknesses. Same for IDEA, Blowfish, Twofish, MARS, RIJNDAEL, and many others. A cryptological attack on such is actually an attack on the key itself, and a short key will compromise an impregnable algorithm. In symmetric encryption the key length decides the number of possible permutations, or 'keyspace.' However, in asymmetric encryption like RSA, key length determines the size of the product of two huge parent prime numbers. The two encryptions are attacked differently. Symmetric by dictionary brute force, and asymmetric by factoring.
"The alleged cracking of RSA was merely a successful factoring attack on a 425-bit key, which is about like a 50-bit DES symmetric key. 'Fisher Price encryption,' one analyst called it. Nobody serious about their privacy uses anything less than a 1024-bit RSA key, if not 4096 or more. Nevertheless, it took six months and 1,600 PCs to break that 425-bit key in a distributed Internet attack. The combined effort equaled about 5,000 computer years, or what the techs call MIPS."
"Goodness. What if the key is longer?"
"If a key is at least 128-bit symmetric, or 1024-bit asymmetric, it is considered unbreakable by brute force."
"Come on! 'Unbreakable?' The NSA has 26 acres of computers!"
"Yes, sir, unbreakable. And the NSA could have 26 million acres of computers. A 128-bit IDEA key has 2¹²⁸ permutations, which is 3.4 times 10 to the 38th power. That's an ungodly number; the keyspace is astronomical. Every bit is like a fork in the road, and every single one of them must be guessed correctly. The trouble is, you have to make up to 3.4×10³⁸ guesses before you're told if you guessed them correctly. It's like a giant labyrinth, except that you're never told which turns were wrong. Every attempt is a failure but one, and there are no shortcuts. All the computers on the planet working in tandem couldn't crack it in a million years."
"Really? That sounds like wild hyperbole, Bleth."
Patiently, Bleth explains, "The Japanese have an array of computers in Osaka used to track and simulate global environmental conditions. The array is huge; the size of four tennis courts. Their Earth Simulator is capable of 35 trillion instructions per second, and is as powerful as the twelve next fastest computers combined. It could have cracked that 50-bit DES key in a max time of just 75 minutes. A 60-bit key would need 53 days. A 70-bit key about 64,000 years. A 128-bit key would take them up to 2×10¹⁹ years to crack. That's 2 followed by 19 zeroes, which is a billion times longer than the age of the universe."
The magnitude of the problem is beginning to sink in. The Director is now fairly aghast. "A billion years longer than the age of the universe?"
"No, sir, a billion times longer than the universe's 20 billion years."
"Jesus. But computers are getting faster every day; isn't it just a matter of time before they bridge the gap?"
"Except for older encrypted files, no sir. In fact, it's just the opposite. Faster computers help encryption far more than decryption."
"What? How can that be?"
"Because it's easier to generate a key than it is to crack it, increases in computational horsepower help encryption far more than decryption. Adding just one more bit to a key doubles the number of permutations, and thus computer time. A 256-bit key isn't merely twice as tough as a 128-bit key, it's as many times tougher than the 128-bit key is on its own."
The Director brightens with understanding. "Because it's 2 to the 256th power? It's like two 128-bit keys multiplied against each other."
He's beginning to get it, thinks Bleth. "Yes, sir! So, no matter how fast our computers become, it's an effortless thing for encryption technology to stay ahead by increasing key bit length. Not even just stay ahead, but increase the gap. Think of it this way: for every penny decryption gains, encryption gains a billion dollars. Forever. Ever since PCs became powerful enough to run Phil Zimmermann's PGP that's been a foregone conclusion. It was Game Over the moment the game began."
"Shit! It's that bad?"
"Actually, sir, it's far, far worse, especially with factoring attacks on asymmetric encryption. It is a million million quadrillion times more difficult to factor a product than to generate one. That's 10 to the 27th power. So, for every penny that decryption gains due to computational increases in processing power, asymmetric encryption gains a stack of $100 bills about 1,074 light years in length. Or, 33,941,566 round trips to the sun."
"A stack? Not laid end-to-end?" the Director asks, facetiously.
Bleth smiles thinly. "Yes, sir. Right now, there is encryption software which supports huge key lengths, like 4096 and bigger. A 4096-bit key couldn't be broken if every atom in the universe were used to construct a giant computer and it chewed on it for 20 billion years. That's why the NSA fought so long and hard to prevent civilian encryption software from becoming ubiquitous. 'Every day the dike doesn't break is a victory' is how one NSA official put it back in 1992. When that proved unstoppable, they then tried to force 56-bit DES as the standard because they could break DES. When that didn't work, they tried to implement key-escrow¹ under Clipper. Director Freeh was a tireless supporter of it, as you may recall."
"Yes, but Clipper went nowhere and the civilian encryption cat is out of the bag. What is the NSA doing about it?"
"Short of some miraculous mathematical advance in factoring² to crack RSA keys, or the construction of a quantum computer in the next five years, there is little they can do about it."
"So, I take it the NSA is . . . less than hopeful in our case?"
"They say that several things will likely make decryption impossible. One, they have no plaintext to work from; two, the message lengths are short, under 500 bytes; three, the symmetric key length is a robust 128-bits; and four, we may be seeing a regular change in keys."
"What do you mean by a 'regular change in keys'?" The Director braces himself for yet another avalanche of new information.
"NSA believes that these new Wyoming residents were given several different passphrases in advance, which have so far been used only once. The email subjects contain prefixes such as 'Adam' and 'Brian,' which likely signify which key was used. These keys are, in effect, 'single session' keys which makes them virtually impossible to crack, especially without any plaintext. Since 'Edward' is so far the highest letter name used, NSA hopes that a short stack of only five different keys — 'A' through 'E' — were provided and that the email receivers will at some point begin to reuse the earlier keys. Remember, these people are neither trained agents nor computer experts. They're just average folks so their comm network cannot be overly complex. I think the NSA is right, that they'll start reusing old keys for simplicity's sake. Their superiors are not likely to repeat the trouble of individually PGPing each of their new residents with new key passphrases.
"So, when they begin to reuse old keys the cumulative message length per key will increase, which will slightly ease decryption efforts. Even if the NSA does crack one of the keys, the messages encrypted with the remaining keys will remain unsolved."
The Director interrupts with a question. "What if the original stack of keys was not a short stack? What if the stack is twenty-six passphrases high from A to Z and we never see anything past 'J'?"