Log in ....Tribune


Dot.ComLatest in ITFree DownloadsOn hardware

Monday, January 14, 2002
Lead Article

An age-old art with many modern twists


Prashant Bakshi

CRYPTOGRAPHY — the art of secret writing — is nearly as old as the art of writing itself, and goes back at least 4,000 years in history. From the handwritten ‘Caesar Cipher’ used by Julius Caesar, to the contemporary ‘PGP’ (Pretty Good Privacy), a freely available cryptographic system on the Internet — the fascinating evolution of this art (some call it science) has transformed it into a key technology of the information age. As far as information security goes, cryptography is of great significance to conduct electronic business, viz. electronic banking, secure communications and online transactions. However, the same technology is also being exploited by criminal and terrorist groups to clandestinely communicate and carry out their operations. This has been the crux of the crypto-debate in the USA and some other Western nations. On one side is the government, expressing its predicament in deciphering high-end encryption used by criminals and terrorists. Opposing them are the activists, who regard restrictions imposed on encryption as an infringement of their right to communicate securely in an information society.

Encryption has undoubtedly emerged as one of the key dual-use technologies, with critical military and commercial applications. The evolution of this ancient art, fraught with controversy, can be clearly understood only by undertaking a brief journey into its contentious past. One would then observe its transition from the exclusive custody of the military and intelligence community to the public domain. While evidence indicates that the earliest form of cryptography was used in Egypt, the Arabs in the 7th century were the first to write down the methods of cryptanalysis (the art of cracking cryptographic codes). Interestingly, in India the Kamasutra places secret writing as 45th in a list of arts women ought to know. Gradually, as technology improved, handwritten forms of cryptography were rendered obsolete, and by World War II, electro-mechanical devices replaced handwritten forms of cryptography. During the war some incredible feats in cryptography were accomplished. Noteworthy among them, were the invention of the revolutionary German communication system called ‘Enigma’ and the consequent espionage and cryptanalysis that led to the breaking of the Enigma code by British Intelligence. Intercepts of Enigma (code named ‘Ultra’), apparently contributed towards Germany’s setback during the war. Historians also express that US may have averted the attack on Pearl Harbour, had they been able to decipher the Japanese coded messages. They however, cracked the Japanese code later, which gave them a distinct advantage in the Battle of Midway.

 


After World War II, the American need for a full-fledged cryptographic agency led to the formation of NSA (National Security Agency). Excluding a few resourceful hobbyists, cryptography was then confined to the military and intelligence community. It was only in the mid-’70s, that the proliferation of computers (especially in the financial sector) necessitated a publicly available cryptographic system. In 1974, the National Bureau of Standards (now the NIST - National Institute of Standards and Technology) asked for proposals for a standard cryptographic algorithm, and IBM responded with the ‘Lucifer’ system, which was evaluated with the help of the NSA and eventually adapted as DES (Data Encryption Standard) in 1976. It is alleged that the NSA installed a trapdoor in DES, or weakened the algorithm from 128 bits in Lucifer to 56 bits in DES. Nonetheless, it became the most widely accepted and publicly available cryptosystem.

Symmetric or secret key cryptography (for instance DES) has an inherent limitation, in that, a single key is used by both the sender and the receiver of the message, whereby security can be compromised by the interception of the key during the transmission process. To overcome this drawback, the concept of Public Key Cryptography (or asymmetric cryptography) was first introduced by Whitfield Diffe and Martin Hellman in 1976. Here, two keys are brought into use — the public and private key. The message is encrypted with the public and decrypted using the private key. The public key, as the name suggests, is available in a directory or public listing while the private key is stored confidentially in the owners’ possession. In 1977, a team of scientists — Ron Rivest, Adi Shamir and Leonard Adelman created RSA — the first public key cryptographic system (named after its creators). America’s worst fears came true, when Phil Zimmerman, a computer scientist, used RSA to create PGP - a public domain version of RSA (an exceptionally strong encryption program offering 128 bits) and made it available in downloadable form on the Internet. With PGP accessible online, a strong encryption program - once forbidden for public use, was suddenly within reach and that too, with a mere click of the mouse (for the latest version of PGP, one can visit www.pgpi.org).

Ever since, the number of Websites offering free cryptography and steganography tools has grown at a frantic pace. Steganography - a form of cryptography (which literally means hidden writing) is fast gaining popularity between terrorist and criminal groups, where images and even sound files are distributed over the Internet with hidden documents and messages. Such abuse of encryption methodologies, is in fact, well documented by American researchers and one of the pioneering efforts was made by Dorothy Denning and William Baugh in a report titled ‘Encryption and Evolving Technologies as Tools of Organised Crime and Terrorism’, published in 1997 by the National Strategy Information Centre’s US Working Group on Organised Crime. The report had interestingly, highlighted the case of Ramsey Yousef, alleged member of the Al Qaeda network, responsible for bombing the World Trade Center in 1993 and a Manila airliner in 1995. When detained at Manila, the FBI discovered several encrypted files on his laptop, revealing information on further plans of blowing up 11 US-owned commercial airliners in the Far East. The report also included the notorious Aum Shinri Kyo cult responsible for the 1995 Sarin nerve gas attack in a Tokyo subway. The cult had apparently stored their records in databases, encrypted with RSA. The encrypted files held evidence that was crucial to the investigation, including plans of deploying weapons of mass destruction in Japan and the USA. Even in the Indian scenario, there have been reports indicative of similar patterns employed by terrorist groups. For instance, militants of the Laskar-e-Taiba group were found to have used a cyber café in North Delhi during the Red Fort attack carried out on the Republic Day last year. The Delhi police were astounded to find pornographic pictures stored on the computers and only later realised that the pictures actually contained hidden messages.

Unable to curb the flow of such technologies on the Internet, sophisticated surveillance and monitoring systems like ‘Echelon’ and ‘Carnivore’ came into existence. While Echelon is a global surveillance system where the US, UK, Canada, Australia and New Zealand collectively operate an extensive network of stations that regularly intercepts e-mail, fax, telex and telephone communications around the world, Carnivore, is an electronic wire-tapping tool used by the FBI for specifically monitoring Internet traffic and is installed at the gateway of the ISP (Internet Service Provider). In recent times, Carnivore has generated considerable controversy as it is suspected of monitoring e-mail and online conversations of ordinary citizens too.

However, September 11 has raised immense doubts on the credibility of such monitoring technologies. The fact that the US intelligence agencies were blissfully unaware of the attacks whose planning began more than a year back reiterates this viewpoint. Even though the thrust on surveillance technologies would continue unabated, one can expect even more stringent legislation and controls on encryption technology. Whether the extremely strong lobby of civil liberty activists allows such legislation to get through, remains to be seen. The scars of the ‘Clipper Chip’ controversy are after all only a decade old and not completely forgotten. Brainchild of the NSA the chip (with Skipjack algorithm) was designed to be built-in cell phones in a manner that the government could monitor all cell phone conversations. The public outcry, with privacy activists at the forefront never allowed the initiative to see the light of day. Post WTC, however, the scenario has changed radically and the government might seem justified in passing the Anti-terrorist Act - even if deemed as highly intrusive and draconian by privacy activists. Moreover, citizens too, fresh with images of the twin towers crumbling down, would be willing to put their privacy at stake for the sake of their security. Finally, even the most stringent legislation, backed with highly sophisticated technology may not provide a completely foolproof solution against non-state actors exploiting technology for their nefarious motives. The simple fact is that the cutting edge of technology works both ways, and that’s why the cliché - ‘technology is a double-edged sword’ becomes most relevant in the information age.

Encryption: The process of concealing data, so that it is inaccessible to unauthorised people. It involves the use of algorithms (or keys).

Cryptography: The making of a cryptographic system or an encryption program.

Cryptanalysis / Codebreaking: The breaking of a cryptographic system.

Cryptology: Science that studies both cryptography as well as cryptanalysis.

Symmetric Cryptography (or Secret Key Cryptography): A system where both sender and receiver use the same key

Asymmetric Cryptography (or Public Key Cryptography): Separate keys (private and public keys) are used for encryption and decryption

DES (Data Encryption standard): The first publicly available cryptographic system (symmetric cryptography), adapted by the US federal government in 1976. Subsequently stronger forms, viz. triple DES and AES have evolved.

RSA: The first public key cryptographic system, (named after its creators) developed by Ron Rivest, Adi Shamir and Leonard Adelman in 1977, and the most widely used public key crypto-system today.

PGP (Pretty Good Privacy): A public domain version of RSA available as freeware on the Internet. Developed by Phil Zimmerman in 1991

Steganography: Literally means ‘hidden writing’. While cryptography hides the message, this form of writing hides the use of cryptography itself. Present day use involves digital images and sound files, with hidden messages transmitted on the Internet.

Echelon: Global surveillance system where the US, UK, Canada, Australia and New Zealand collectively operate an extensive network of stations that regularly intercepts e-mail, fax, telex and telephone communications around the world.

Carnivore: Electronic wire-tapping tool used by the FBI for monitoring Internet traffic. It is installed at the gateway of the ISP (Internet Service Provider).

Home
Top