When we think about secret codes, images of military intelligence agents in smokey basements decoding the Enigma probably come to mind. However, for as long as there has been the need to transmit information in secret, there’s been a way to do it — however rudimentary.
In this article, I’ll explore how the ancient methods of encryption have evolved, the security of WhatApp’s end-to-end encryption, and the political anxiety working against progression in the field of encryption.
An early example of cryptography comes from Ancient Rome, and was recorded by Suetonius in his biography of Julius Caesar. Secret messages were encrypted by Caesar using an extremely simple system, but a system that would produce messages that his illiterate enemies would disregard, assuming they were in a foreign language.
“If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others.” — Suetonius, Life of Julius Caesar
Despite the fact that the Caesar cipher is crackable by any modern literate person, there have been cases of modern usage in terrorism and the mafia. Building on the simplistic, essentially useless, Caesar cipher, the Vigenère cipher combined a series of Caeser ciphers to create encryptions that are still uncrackable today. Thankfully, we don’t need to rely on pen-and-paper ciphers in the age we live in. Methods of impenetrable (more on that later) encryption have been around for decades.
How secure is today’s encryption? Private keys and SHA-256
When the news of NSA surveillance came out in 2013, the majority of the population understood it to mean that any data we transmit over the internet isn’t totally secure. At the time, that was true. Their computers could brute force the widely-used MS-CHAP authentication protocol in around 23 hours. That’s the equivalent of someone hammering password attempts over and over again until one of them makes a lucky guess, but on the scale of 18 billion keystrokes per second.
Mass media reports may have made the NSA seem omnipotent, but they were really just taking advantage of our trust in what has since been proven to be an inferior kind of encryption. This revelation pushed software developers — especially those building messaging apps like WhatsApp and Facebook Messenger — to implement better security for their users, and led to an increase in the adoption of key pairs and SHA-256.
SHA-256 is a hashing function that turns any input into a 64-character alphanumeric string, like this:
Once data has been hashed, there’s no way to undo the process. If you can turn any amount of data into just 64 characters (256 bytes), how do these characters map together? Put simply, they don’t.
Imagine pasting the entirety of War and Peace into a SHA-256 hashing tool. There are over 3,000,000 characters in the novel, and 64 characters in a hash; each ‘hash character’ would correspond to over 46,000 ‘book characters’. Even 7zip, arguably the best file archiver, can maybe reduce the size of a file by half — no where near 46,000%.
So, what’s the use of SHA-256 if it’s a one-way operation? In applications like WhatsApp, which offers end-to-end encryption, SHA-256 is just one part of the puzzle.
The two other elements involved in end-to-end encryption are a public key and a private key. Each participant has both, and when a new chat session starts the public keys are shared. Public keys allow you to send encrypted messages, and private keys allow you decode received messages. When you send a message, it’s stored briefly on WhatsApp’s server with SHA-256 encryption. Once decoded, it is destroyed. This means that all communication is transient, encrypted, and the only thing that someone could intercept is a 64-character string of nonsense similar to the one I showed earlier.
Just one of WhatsApp’s Curve25519 private keys would take the entire network of supercomputers on the Bitcoin network hundreds of millions of years to crack. Until we see significant developments in the field of quantum computing, cracking 128 bits of encryption is a practical impossibility. All we can hope for is that progress on cracking this encryption is not done in secret, or we could find our seemingly surveillance-proof technology become obsolete overnight.
The cryptography of the future
We already know how unfathomably secure our current best encryption methods are, but what does the future hold?
Tanja Lange, professor of cryptology at Eindhoven University of Technology, confirms that today’s encrypted data is safe with the computational power we have now, but any records today that remain up to the point of quantum computing are at risk of being retroactively cracked: “An attacker can record our secure communications today, and break it with a quantum computer years later. All of today’s secrets will be lost”.
As tech labs around the world work to further our encryption capabilities, political leaders raise objections out of fear of a crime-torn, accountability-free future. Rod Rosenstein, the Deputy Attorney General under Trump, voiced concerns about the power of encryption in a speech at the U.S. Naval Academy.
“Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating […] If companies are permitted to create law-free zones for their customers, citizens should understand the consequences. When police cannot access evidence, crime cannot be solved. Criminals cannot be stopped and punished.”
Is Rosenstein threatened by the notion that 1984‘s dystopian surveillance may remain fiction?
SHA-256 was developed by the NSA and patented in 2004 alongside an open explanation of how the algorithm works. While conspiracy theorists have been buzzing about the possibility of the NSA building a backdoor into SHA-256 and using it to take down Bitcoin, Rosenstein’s concerns would indicate otherwise.
The public should always have a right to protect themselves against new technology by using the same tools themselves. In the hands of the public, SHA-256, key pairs, and other pieces of the cryptographic puzzle are how we protect our personal information in a world where the very organization that developed these secure methods will find brute force workarounds to hack our devices.
In the future, however, it’s possible that we — just like the illiterate enemies of the Roman empire squinting at what looks like gibberish in a foreign language — won’t even be able to recognize encryption when we see it.