One Time Pad (again).

I did a video 7 years ago: Uncrackable Pen & Paper Cryptography

It had several comments, many of which seemed to think there were ways of "cracking" it. There are not. Having got a comment recently, I did another video, OTP.

Wikipedia explains its quite well. It explains your cannot crack it if :-

• The key must be at least as long as the plaintext.
• The key must be truly random.
• The key must never be reused in whole or in part.
• The key must be kept completely secret by the communicating parties.

Even so, people still comment, and a friend of mine just posted...

"Rev, set a challenge on your blog first to decode message without a key wins a firebrick dragon?"

"I would have thought brittle[sic] force decode first 4 chars and wait till it looks like a word."

I really thought I had explained it, but clearly not.

The short version is YOU CANNOT CRACK IT!

In my second video I tried to explain this by dumbing down the message to just 0 or 1, with two possible keys, 0 or 1, giving a possible encrypted message 0 or 1.

Now, imagine you intercept my message and it is a 1

You can BRUTE FORCE try every possible key:

• Key 0 means message was 1
• Key 1 means message was 0

So what was the message? You don't know. You have no way to tell.

You don't know because every possible message, no matter how meaningful or meaningless is possible with a key, with equal probability of being the actual message.

The "I would have thought brute force decode first 4 chars" misses the point - you can brute force to make every possible first 4 letters, with no clue which of those is correct or even more likely.

And just to be clear, even if you know the first 3 letters are ANX (Ref Enigma) that does not help you because the key for those letters has no impact on the next letters (unlike Enigma).

So let me try and say it again, YOU CANNOT CRACK IT! I suggest reading the Wikipedia article.

Right to private communications

The European Convention on Human Rights protects the right to respect for private life, the home and correspondence. This includes protecting the privacy of messages, phone calls, and emails.

But UK and EU governments are trying to break that right in various ways.

So some thoughts.

1. Encrypted communication is a thing, it exists, it cannot be banned, it is just maths. I have done a nice video on how to make an uncrackable entirely manual encryption (one time pad) here.
2. Criminals can use encryption. My video is an extreme example, but in practice the tools to do this electronically in many effective ways exist and can be used by criminals, and MPs.
3. There are even ways to use encryption in a way that is mathematically impossible to prove you are doing - steganography - where there is no way to tell your encrypted messages apart from random noise in say an image or video.

What this means is that even slightly savvy criminals are safe. The tools all exist and are easy to use. The only issue is if non criminals like you and me can expect that right to privacy.

The Investigatory Powers Act (on which I commented, and was a witness at parliament) did, and does, try to crack encryption as a legal process, maybe, the wording is not ideal. Apple's news on this is one of the key examples. Not the first and not the last, and not something that actually tackles criminals using encryption, it will just make normal people way less safe. Remember criminals can use encryption!

One of the challenges for most normal people is how to use encryption. Most people do not care, or know, why they should even. But there are many ways. The old school ways are using PGP email, which is complex but that is no longer the case. There are many apps and ways to communicate securely, and the obvious ones are things like iMessage (for now). Apple designed it to be secure. But also WhatsApp and Signal.

The problem is that any organisation operating any messaging system that is secure is subject to secret orders from governments to impose back doors.

There are even calls for scanning content for illegal material, which only works if a service has access to the content. This has so many problems, apart from breaking basic human rights. And, I remind you that the "bad people" with "illegal content" can always encrypt what they do anyway, and even secretly if they want to. They actually have an incentive to take the extra steps that normal innocent people do not. The only problem is removing privacy for normal people.

So now to come to the main point of this blog...

Delta Chat

This is an app that works with email, it connects to your provider's email server (not all providers work, but many do, using IMAP and SMTP), and allows a more traditional style messaging app that makes encrypted communications simple.

It is clever, well done.

What is extra clever is this is just an email client. It is not a service that is subject to either Investigatory Power Act or Online Safety Act. Indeed, the latter explicitly excludes email, a term OFCOM consider everyone understands (really!).

But it makes secure encrypted chat a thing anyone can do, easily, in a way that legally there is very little that can get in the way.

So worth considering.

Muddled?

I have been advised this is all a little muddled, and I agree.

• IPA issues with Apple in the middle of OSA coming in to force
• OSA not applying to email, but OSA is not directly an encryption thing, probably.
• EU trying to do content scanning which means service providers having access to content.

I agree, it is muddled, and I bet that is intentional for some, but this is to try and say there is a way to chat, encrypted, with no scanning content, and no age checks, all in one, and easy to use.

How do we explain: Maths does not work like that?

Once again...

Theresa May is asking for back doors in encryption (here).

"These companies have some of the best brains in the world. They must focus their brightest and best on meeting these fundamental social responsibilities."

I don't know how many times we have to try and explain that mathematics does not work like that. You cannot make a way to decrypt something only when there is a valid warrant issued by a judge. Maths does not understand judges or law. The only way it could work is if someone, somewhere, on accepting the warrant as valid, uses some back door that has been built-in to allow access.

Even just that one person, as if it would be only one person, could, on a whim, for their own amusement (or because criminals are paying them enough to move to a new country) decide to do the thing they would do if presented with a valid warrant. That person has means to hack in to encrypted communications - they have to have in order to enact the warrant, so the encryption is inherently flawed to allow that.

The system only works if there are flaws and back-doors, and no matter how you try, these will be exploited by criminals. Simple as that.

So my thought is how the hell do we explain this to politicians.

They are using "passive-aggressive flattery". They are saying we are smart and so surely we can work it out.

Well the same applies to the politicians, surely. They are smart. Surely we have some of the best brains in politics and law making. Surely they can just "make a law" which somehow only applies to "terrorists" and bans them using encryption and is a workable law that they will abide by. This leaves the rest of us the protection that strong encryption affords, but allows the government to see the communications of terrorists. Simples!

Surely they can make a law that would do that? They just need to get the best brains in law making together to focus on making such a law. How hard can it be?

I am no law maker, but surely this must be possible. And I will refuse to accept the comments from anyone being so negative as to suggest that "that is not how law works". They are just not trying hard enough.

Just make an effective and workable law that bans all terrorists from using encrypted communications. How hard is that? Do it!

Go on then? You have a civic responsibility to make such a law, get on and do it already?

Amber Rudd - you do not need to understand encryption

Amber Rudd has made it clear that she feels she does not need to understand encryption. See BBC article here.

Really this is not actually an issue on encryption at all. You do not need to understand it, no.

That said, the principles are not hard to understand, and Amber Rudd could take the time to understand those principles. I am sure there are many trusted advisers who will be happy to explain them. It would help understand the sneering and patronising responses if she understood why her suggestions and comments are so comically stupid.

But let us try to put this in terms a politician should be able to understand.

There is an activity which is common in modern society. We'll try and understand how any activity could be considered for legislation, whether encryption or not.

That activity is conducted by bad actors. In this instance the bad actors are terrorists and extremists, one of the statistically lowest threats we face in modern society, but an issue which is disproportionately important to politicians for some reason.

That activity is conducted by good actors. Indeed, it is used by a lot of people every day. It is hard to find anyone that does not absolutely rely on this activity every day, either directly or indirectly. Everyone with a bank account relies on this activity.

Now, because the activity is conducted by bad actors, it seems that something must be done. It is worth bearing in mind that this is not always the case, and indeed, given that the bad actors in this case, terrorists, represent less of a danger than slipping on a banana skin, the idea of not doing anything is not completely stupid.

So what can be done about this activity. Can it be banned? Can it be restricted? Can it be changed? Can it be controlled? Well, this is where understanding the activity may help, but let us assume it can be controlled in some way for a moment.

The next question, assuming some legislation can be made that will somehow restrict or control the activity, what are the consequences of doing so?

There are two main issues.

1. Will the restrictions impact the bad actors at all?
2. Will the restrictions impact the good actors at all?

---

In this case, we can look at the activity being encryption and we look at these points.

Will the restrictions impact the bad actors at all?

MATHS EXISTS! No matter what law you make it is possible for the bad actors to make use of encryption. It is impossible to un-invent mathematics and encryption.

So, we know the answer to point 1 - will this impact the bad actors? Well, not really - they can move on to other apps, other tools, their own apps. They do not even need to do anything difficult or complex. Even if what they do is illegal, they can still do it. There are even ways of hiding what they are doing so you cannot tell so cannot convict them of breaking those laws. See the video at the end of this post for how to encrypt with pen and paper and dice. Maths cannot be un-invented, sorry.

[update: some useful comments on this below] I agree that it is not quite so simple. I cannot say that terrorists will simply use other apps. I can say that open source communities and privacy activists make good quality apps and not some dodgy "home grown" broken crypto, and they are even working on ways to make those apps invisible to police states and oppressive governments, so the apps to use will exist. It seems odd that terrorists would not make use of them. The issue here is that catching one terrorist by such a measure is not worth it - indeed, if you could guarantee to catch every terrorist ever it still would not be worth it - they still are so few and harm so few - we need evidence based laws and policies and it amazes me terrorists are even on the radar ahead of bee stings.

Will the restrictions impact the good actors at all?

UNDERMINING ENCRYPTION CREATES WEAKNESSES THAT CRIMINALS WILL EXPLOIT!

This has been seen over and over again, and the industry is in a constant battle against criminals. A lot of criminals that cost millions of pounds every day one way or another, and exploit companies, and normal people. Unlike terrorism, this is a big issue impacting a lot of people. The battle is now at the stage that the best defence against criminals is end to end encryption which means that even the intermediate companies cannot see the communication. This is because attacks on the data via those intermediate companies is a real threat where criminals can get in (technically or social engineering, etc). So people rely on this level of security, all the time, every day, for their banking, their medical records, everything.

So, now we know, any attempt to restrict encryption will impact the good actors. They will not be motivated to use other apps or do encryption themselves - why would they, as Amber Rudd says, normal people do not care if their WhatsApp chat is encrypted end to end or not (until they are victim of a crime, obviously). Only the bad actors will in fact be motivated to use alternatives.

So, you do not need to understand encryption really.

You just need to know that this activity is used for a minor threat (terrorism) and that any attempt to control it will not impact that threat but will impact all of the good uses of the activity.

Now you can make a choice of how to address the issue.

This is no different to seeing that terrorists use white vans, so banning them!

This is no different to seeing that terrorists use an underground map, so banning them!

This is no different to seeing that terrorists use ball point pens, so banning them!

It is a simple exercise to understand the options and consequences of those options and making the best decision for the country as a whole.

Home secretary embarrasses herself, again

Today it seems that Amber Rudd, Home Secretary, has once again embarrassed herself by showing her total lack of knowledge of the Internet, encryption, and even logic.

Even if we accepted her arguments that encryption helps terrorists (as do white vans, the M4, and even sandwiches), the step of making secure communications systems weaker does not make logical sense.

If one makes WhatsApp, and similar apps, less secure for "real people" - does that stop terrorists using encryption? Well, no, obviously. Apart from using other common apps (only one app needs to actually do "end to end encryption" to be "useful") they can make there own - maths exists and so does encryption. Heck, you can buy books on it! Apparently terrorists groups already have apps for this - will Amber Rudd go and talk to ISIS and ask for back doors in their apps?

So the logic of actually making these commonly used apps less secure for everyone in order to help catch terrorists just makes no sense.

We then have the condescending and dangerous idea that "real people" do not need secure communications. "Real people" have every reason to keep communications private for lots of (legal) reasons. Oddly, MPs are reported as using WhatsApp simply because it is so secure. One can only conclude that MPs are not "real people" - something many have suspected for some time.

Either she is batshit insane, or stupid (in my personal opinion) or there is a motive to spy on everyone, not just terrorists and criminal. I am not actually sure which applies here. I hope people see how illogical these ideas are and treat them with the contempt they deserve. You do not have to understand encryption to realise this.

Why do we put up with such an embarrassing public figure?

And, to remind people, encryption can be done using pen and paper and dice... No apps needed!