Educational CyberPlayGround ®

Encryption used to transmit
data in ultra-secret form

You're only as secure as your least encrypted hop.

2017 US government: We can jail you indefinitely for not decrypting your data

2016 Moxie Marlinspike helped create the Edward Snowden (9/1/2020 VINDICATED) approved messaging app Signal, and assisted WhatsApp with 1 billion users, deploy end-to-end encryption in the process.

How I Cracked a Keylogger and Ended Up in Someone's Inbox and the comments

2016 Security Researcher Publishes How-To Guide To Crack Android Full Disk Encryption
He published a step-by-step guide on how one can break down the encryption protections on Android devices powered by Qualcomm Snapdragon processors. The source of the exploit is posted on GitHub. Android's disk encryption on devices with Qualcomm chips is based only on your password. However, Android uses your password to create a 2048-bit RSA key (KeyMaster) derived from it instead. Qualcomm specifically runs in the Snapdragon TrustZone to protect critical functions like encryption and biometric scanning, but Beniamini discovered that it's possible to exploit a security flaw and retrieve the keys from TrustZone. Qualcomm runs a small kernel in TrustZone to offer a Trusted Execution Environment known as Qualcomm Secure Execution Environment (QSEE), which allows small apps to run inside of QSEE away from the main Android OS. Beniamini has detailed a way for attackers to exploit an Android kernel security flaw to load their own QSEE app inside this secure environment, thereby exploiting privilege escalation flaw and hijacking of the complete QSEE space, including the keys generated for full disk encryption


Jan. 9, 2003: The Justice Department drafts the Domestic Security Enhancement Act of 2003, aka "Patriot Act II" As Congress debated the USA Patriot Act after the Sept. 11, 2001, terrorist attacks, supporters of strong encryption worried that lawmakers would use the climate of fear and anxiety to slip in a provision targeting encryption. That didn't happen; the Patriot Act didn't address the subject at all. But nearly two years after it took effect, President George W. Bush's Justice Department prepared a successor bill, the Domestic Security Enhancement Act of 2003, that did address encryption—in a major way.
August 2007: Security researchers expose Dual_EC backdoor in NSA-backed encryption protocol. Edward Snowden siad the “NSA became the sole editor” of the standard.
May 4, 2012: FBI pushes legislation to ensure a wiretap-friendly Web
June 6, 2013: The second Snowden document exposes a massive Internet surveillance program. Silicon Valley exploded with outrage in response to the PRISM revelations, which came from former NSA contractor Edward Snowden's trove of documents. A few months later, more Snowden files revealed that the NSA had penetrated the links between data centers owned by Google and Yahoo around the world.
Sept. 5, 2013: Snowden documents expose NSA campaign to break encryption
September 2014: Apple and Google add full-disk encryption to their mobile operating systems
Oct. 10, 2015: Obama administration says it won't seek encryption backdoor legislation Nov. 17, 2015: Congress starts looking at encryption
Dec. 17, 2015: Firewall maker reveals likely backdoor in its code Almost two years after NIST told companies to stop using the Dual_EC random-number generator in their encryption, Juniper Networks announced the discovery of “unauthorized code” in several versions of its ScreenOS software, which ran on its NetScreen firewalls. A few days later, security researchers revealed that the code was based on Dual_EC, the NIST pseudorandom-number generator that the NSA had secretly sabotaged with a backdoor.
Dec. 23, 2015: China says it modeled its new encryption policy on U.S. law
Jan. 4, 2016: The Netherlands becomes the first country to formally reject backdoors
Jan. 21, 2016: U.S. state lawmakers propose bans on unbreakable encryption
Feb. 10, 2016: House lawmaker introduces bill to prevent state encryption bans
Feb. 29, 2016: New York judge denies government's request for iPhone unlocking order
March 31, 2016 security engineers—especially those at One Infinite Loop—began processing an unsettling fact: Someone had given the U.S. government a previously unknown iPhone exploit. According to Reuters, the government didn't own the technique—it had only bought the ability to use it—so it couldn't submit the exploit to the White House-coordinated disclosure review process. Another problem was that the FBI had classified the tool that it designed with the exploit and used on the phone, limiting the government's ability to speak publicly about it.
April 13, 2016: Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) officially introduced their bill requiring companies to provide authorities with encrypted user data in an “intelligible” format or render any assistance necessary to make it readable. Security experts immediately assailed the bill, dubbed the Compliance with Court Orders Act of 2016. University of Pennsylvania professor Matt Blaze said it was worse than the Clipper chip, the NSA backdoor device whose major flaw he famously exposed in the 1990s, leading the Clinton administration to shutter its plans to mandate the chip's use in consumer technology.
April 20, 2016: U.K. law-enforcement official confirms that new spy bill would let cops force companies to decrypt data
“As a result of the Snowden revelations,” Clapper said at a Christian Science Monitor breakfast, “the onset of commercial encryption has accelerated by seven years.” Clapper attributed the finding to an NSA analysis. Snowden, a staunch advocate of strong encryption, responded by tweeting, “Of all the things I've been accused of, this is the one of which I am most proud.”


End-to-End Encryption and the Web
W3C TAG Finding 15 July 2015


Cant is an example of a cryptolect, a characteristic or secret language used only by members of a group, often used to conceal the meaning from those outside the group. Cryptographic Message Syntax Email

National Cryptologic Museum in Laurel, Maryland -- Pictures
The National Cryptologic Museum is the National Security Agency's principal gateway to the public. It shares the Nation's, as well as NSA's, cryptologic legacy and place in world history. Located adjacent to NSA Headquarters, Ft. George G. Meade, Maryland.

Bletchley Park Headquarters of British code-breaking during World War II. Invented in 1918 the Enigma cypher "Britain's best kept secret" -- the place where the German Enigma was finally deciphered in an incredible cooperative super-effort.Detailed tutorials for the mathematically inclined explain how the Enigma cipher machine worked and how the Lorenz code was broken by the British-built Colossus machine. A Bletchley Park photo album presents snapshots of an ordinary-looking, extraordinary place.

Cipher Machines - Hagelin Ciphers
1925 Arvid Gerhard Damm of Sweden was the last of the four cipher machine inventors at the end of WW1 to file for a patent on his rotor based cipher machine. Two investors were K.W. Hagelin and Emanuel Nobel (nephew of Alfred, famous for his dynamite and Prize). Hagelin had his son, Boris, join the firm in 1922 in order to protect his investment.
The first cipher machine produced was the B-21, which had two rotors and two pairs of pinwheels to produce an irregular stepping action for the two rotors. This mechanism will continue to play a key role in all the future mechanical cipher machines from Hagelin's firms and also for the later derivative cipher machine from the Swedish company Transvertex. The B-21 had a light panel like the Enigma machine.
In 1940, Hagelin took his C-38 to the US and sold his design to the US government. This machine was manufactured by the L.C. Smith-Corona Typewriter Company under license from Hagelin's firm.
After WW2, Sweden passed laws classifying cipher machines as munitions which could not be exported. Hagelin moved his company to Zug, Switzerland in 1952. Crypto AG was founded in 1952 by the legendary (Russian born) Swedish cryptographer Boris Hagelin. During World War II, Hagelin sold 140,000 of his machine to the US Army.
What the users of these Hagelin machines did not know was the single greatest coup in the history of military intelligence. In 1957, William Friedman was called out of retirement by the US NSA to make a secret deal with Boris Hagelin, giving the US access into all the secret communications using the Hagelin machines. The US shared this information with England. Later, as the cipher technology advanced from mechanical devices to electronics, the new Hagelin machines installed a back door written by the NSA. Dictators and madmen, such as the Iranian Islamic regime, Saddam Hussein, Moammar Gadhafi, Ferdinand Marcos, Idi Amin, as well as friendly nations and the Vatican all had their most secret communications read instantly by Washington and London. This unfettered access would continue for decades. This open book into the world's secrets would start to unravel in 1983.
The ownership of Crypto AG has been to a company in Liechtenstein, and from there back to a trust company in Munich. Crypto AG has been described as the secret daughter of Siemens but many believe that the real owner is the German government. The German secret service, the Bundesnachrichtendienst (BND), is believed to have established the Siemens' connection.
Several members of Crypto AG's management had worked at Siemens. At one point in time, 99.99 percent of the Crypto AG shares belonged to Eugen Freiberger, the head of the Crypto AG managing board in 1982. Josef Bauer was elected to the managing board in 1970. Bauer, as well as other members of Crypto AG management, stated that his mandate had come from the German company Siemens.


1993 Matt Blaze and The clipper chip Phil Zimmermann and PGP
The clipper chip invented in 1993 is a little-known tale of the battle between US government code makers and private citizen code breakers which placed the privacy rights of US citizens in the balance. In this battle of wits, the code-breakers were victorious, keeping Big Brother government from trampling the privacy rights of all US citizens. The code breakers took advantage of this window of opportunity to release a public domain encryption program called Pretty Good Privacy or PGP, which was quickly adopted world wide. In the battle of wits between the code makers and code breakers, this was a major win for the code breakers and especially the US public.
The first release of this software on the internet, including source code, was made on June 5, 1991. By February of 1993, Zimmermann was the target of a federal criminal investigation for exporting "munitions" without a license. Software encryption was classified as a munition and export outside of the US carried severe penalties.
Zimmermann was never charged, but came up with a creative solution for future releases of software. He published the source code in a book which could be purchased for $60, scanned into a computer as text and then compiled for use as a program. His reasoning was that export of munitions, including encryption software, was illegal but export of a book was protected by the First Amendment.
By the late 1990s, laws restricting export of encryption software were liberalized, PGP and other encryption hardware and software were no longer classified as munitions.

Cracking Code, Encryption Software used to transmit data in ultra-secret form 1998 - 2011






11/11 Full-disc encryption is too good at keeping your computer secure. So good, in fact, that it's got digital CSI teams tearing their hair out.
Computer security engineers, including a member of the US Computer Emergency Response Team, are complaining in a research paper this week that crooked bankers, terrorists and child abusers may be getting away with crimes because it is proving impossible for digital investigators to unlock their encrypted hard drives. As New Scientist related in February, full-disc encryption is a major consumer security leap. It scrambles everything on a drive when you turn off your computer, time out or log out. But the flipside, of course, is consternation for some crime fighters.

7/11/11 When Asked To Disclose Laptop Password, Woman Invokes 5th Amendment
Robert Siegel talks with Declan McCullagh, chief political correspondent for CNET, about a federal case in which Ramona Fricosu, a Colorado woman, is refusing to disclose a laptop password to authorities — arguing it would violate her Fifth Amendment right against self-incrimination. Fricosu is facing several charges related to a mortgage scam. The encrypted laptop was seized from her bedroom during a police raid. McCullagh tells us more about the case — and what legal implications it may have.

Can You Keep A Secret?
3/5/98 Encryption is simple enough. But when millions of people want to ensure privacy on a medium as public as the Internet, things get complicated. By John J. Fried

If you conduct business over the Internet, use the Web to transmit sensitive documents, or like to chat on your favorite cybersites without leaving tracks, you are at the center of a furious battle in Washington.
Maybe not you personally and directly, but your right to have access to encryption software used to transmit data in ultra-secret form.
This may come as a surprise, because for much of the last decade, the clash has centered on Washington's efforts to regulate the export of strong, hard-to-break encryption programs.
Now, however, legislators and law enforcement agencies, most notably the Federal Bureau of Investigation, are clashing with cyberlibertarians and powerful commercial interests over efforts to extend controls on so-called strong encryption to domestic uses.
The worry once was that strong encryption would aid America's enemies abroad. More recently, some members of Congress and the FBI have begun to worry that without domestic fetters on strong encryption, home-grown criminals, too, will have free rein on the Internet.
Cyberlibertarians, meanwhile, fret that new efforts to control encryption will rob Americans of privacy. And major business interests warn that anything less than strong encryption will cripple their efforts to move commerce fully onto the Internet and into the 21st century. Says David Banisar, a lawyer and senior policy analyst for the Electronic Privacy Information Center, a nonpartisan Washington research organization focusing on civil liberties issues concerning electronic communication: ``The FBI is determined that nothing passes they won't accept. Industry and the public is not thrilled with what the FBI wants. It is a fairly intractable problem."
There is no argument over the basics of encryption.
Secret codes are simple to use when only a small group of people depend on them. Before exchanging messages, the users simply exchange solutions to the codes. But when millions want to keep secrets on a medium as public as the Internet, things become more complicated.
What is required then, is an encryption method that guarantees tha only the right person gets the decoding key to a message. Moreover, the process by which the secret communication is carried out has to guarantee that the last decoding key does not decode the sender's next message. Peter may want Paul to read a message with a credit-card number - but not the love letter to Mary.
The solution rests in using public-key encryption.
With that method, the encryption code has two component keys.One, called the public key because it is available to anyone who wants to use it, encrypts the message. For now, such public keys are available because they are part and parcel of late-model Web browsers such as Netscape and Internet Explorer. Eventually, every Net user - whether a corporation or a private person - will have an individualized public key that will be published for all to see. The other, private key, however, remains in the hands of the recipient of the message.
It works this way:
Suppose that you have an Internet browser armed with a strong encryption utility. And suppose that you want to do business on your financial service's Web site, which also has an encryption utility. Once contact is established, the encryption utilities exchange public keys. With the help of private keys at each end, your site and your broker's site encode and decode messages as they flow back and forth. When you log off, all traces of the communication vanish, leaving nothing behind that anyone else can use.
Public-key cryptology is only part of the answer to computer security.
Encryption codes - written in bits or sequences of zeros and ones, the language of computers - have relatively short shelf lives. As recently as last year, at least one message written in a 56-bit key - which could comprise 70 quadrillion (that's 15 zeros after the 70) secret combinations - was solved by computer experts.
As a result, 128-bit encryption - think of the possible combinations as an eight followed by 37 zeros - is gaining favor. And 192-bit and 256-bit codes are on the horizon.
The idea that the 128-bit code and its successors may fall into the wrong hands is what has kept a lot of people in Washington staring at the ceiling in the middle of the night.
For most of the 1990s, the concern was that strong encryption would be used by terrorists, hostile governments, and international drug cartels for encoding data. To stop that from happening, Washington imposed export controls on strong encryption software.
U.S. software developers were allowed to export only if they agreed to give copies of private keys to third parties. Those key holders would be required to make key copies available to government agencies if they obtained judicial permission to have them.
Encryption software vendors grumbled that the key escrow requirements would cut them out of the massive and growing international market for their software, but most found ways to live with them - some by applying for and getting exemptions from the controls.
``The number of export licenses granted on this special case, on that special case" slowly mounted during 1997, so that the export restrictions have come to ``resemble the Massachusetts blue laws that say that there is not much you can do on Sunday unless it is on this list of 400 special cases," says Daniel E. Geer Jr., vice president of Certco LLC, a Cambridge, Mass., company specializing in Net security.
Some firms have set up manufacturing subsidiaries abroad or joined forces with foreign companies that develop and sell encryption programs.
But now, as Congress prepares to deal with several encryption bills and a fistful of variations on some of them, the struggle over encryption has increased substantially.
According to James X. Dempsey, senior staff counsel at the Center for Democracy and Technology, a Washington nonprofit public interest organization that defines itself as protector of cyberspace civil liberties: ``The FBI radically changed the nature of the debate by saying that they not only oppose changes in the export law, but wanted domestic controls on encryption."
In testimony to Congress, FBI Director Louis Freeh put it starkly: Drug dealers, members of organized crime, pedophiles, and a host of other criminals stand ready to take full advantage of strong encryption.
``Unless we have some solution to unbreakable encryption, we will be devastated with respect to our ability to fight crime and terorrism," Freeh said.
Freeh is not alone in believing that key escrow holds the secret to civil safety.
The Senate Judiciary Committee's subcommittee on terrorism, technology and government information has received letters from every major law enforcement agency, arguing against strong encryption.
To many on Capitol Hill, the argument that law enforcement agencies should be able to tap into computer communications just as they can tap into telephone conversations makes sense.
If they don't get that right, U.S. Sen. Dianne Feinstein (D., Calif.) said during the hearings with Freeh, ``it's going to just create enormous problems downstream."
But the notion that law enforcement agencies should have access to encrypted communications appalls civil libertarians, who see in key escrow the potential for unbridled intrusion into the lives of Americans.
The proposal also has rattled the business community.
Leaning heavily on the opinions of many cryptography experts, businesspeople argue that a key-escrow system would make hash of secure Internet communications. The computers of third parties holding keys in escrow, they say, would be subject to successful criminal hacking efforts.
More to the point, the opponents say, there is no guarantee that employees of escrow companies themselves would not steal crucial keys, sell them to criminals, or give them up in response to blackmail threats.
Even if hackers were unable to crack key-escrow accounts, the mere possibility that they could do so would undermine electronic commerce, critics of the plans say. Buyers and sellers who want to renege on Internet transactions could claim that transactions bearing their secret codes were fraudulent, that argument goes.
Some observers in Washington think that the FBI and its allies would be willing to back off on domestic encryption controls if a proposal for establishing a national technology center were to pass.
Under the the provisions of one of the encryption bills moving through Congress, such a center would help law enforcement officials at the federal, state and local levels deal with decryption and other electronic challenges.
``That logic says that we should focus on developing the right tools" to cope with illegal encryption, rather than force encryption ``technology back into the bottle," says a Washington privacy expert who did not want to be identified.
Still, some Washington experts think there is a 50-50 chance that Congress will send encryption-control legislation to President Clinton for his signature this year.
Given that the White House wants to keep a tight grip on the crime issue, which it has wrested from the Republicans, the chances are good that Clinton would sign a bill that would deny criminals a safe harbor in encryption, those observers say.
Other observers, meanwhile, think that no matter what tack Congress and the White House take, the courts are likely to come up with the solution that civil libertarians and businesses are hoping for.
In a suit challenging the validity of the controls on exporting encryption software, a U.S. District Court in California has ruled of speech protected by the First Amendment.
That case is before the Federal Court of Appeals for the Ninth Circuit in California.
In hearing arguments, the appeals-court judges asked questions that seemed to indicate that they were leaning toward accepting the lower court's ruling, said David Banisar, of the Electronic Privacy Information Center.

2009 Mission Impossible: The Code Even the CIA Can't Crack
A sculpture called Kryptos, created by DC artist James Sanborn, commissioned in 1988, when the CIA was constructing a new building behind its original headquarters is 865 characters of seeming gibberish, part of a sculpture called Kryptos punched out of half-inch-thick copper in a courtyard. 20 years after its dedication, the text has yet to be fully deciphered. With Kryptos Sanborn has made his strongest statement about what we don't see and can't know.


4/16/98 Commerce Chief Calls Encryption System Flawed
Source: New York Times Author: Jeri Clausing Issue: Encryption
Yesterday, Secretary of Commerce William M. Daley said in a speech to the high-tech industry that the Clinton Administration's attempts to control encryption technology has failed and are forcing U.S. software makers to "concede ground" to foreign competitors. Secretary Daley's comments are the strongest indication to date that the administration is considering "parting ways" with the FBI and other law enforcement and spy agencies over the issue of data scrambling. "We are headed down a lose-lose path, and we have to get back to win-win," Sec. Daley said.

Internet security systems can be bypassed

1997 Commerce Chief Calls Encryption System Flawed Internet security systems can be bypassed
by Paul Andrews
It sounds like a computer user's worst nightmare: Someone gains access to your personal computer via the Internet and deletes files. Alters money accounts. Destroys information stored on the hard disk. And it all takes just a minute or two. Fred McLain demonstrated how in San Francisco, renewing heated debate over a nagging concern of computer users today: Internet security. Using a Microsoft technology called ActiveX and Microsoft's Internet Explorer Web browser, McLain invaded a remote computer on the World Wide Web and moved files, altered a bank account, called up tax records and wreaked digital havoc on the PC's hard disk using Net-transmitted programs.
McLain's feat became the talk of JavaOne, the conference where he put on the demonstration and where about 10,000 developers who use the software language called Java were in attendance. Other technologies with similar capabilities are on the horizon. The risk comes with the ability to gain access to a Web user's hard drive from a remote computer. Java, which until now has protected against disk access, is being altered to provide just that. Java supporters say they are building in extra security layers to protect against ActiveX-type incursions. But security experts say any disk-access technology poses risks. In any case, McLain said, "I'll be right there to expose" potential risks to computer users "from any technology." So far, the focus is on fast, compact Internet-transmitted programs, called applets, which need access to a computer's hard disk to work. The benefits of using applets are considerable, and many observers believe they are the next big phase of advancement for the Internet. These little applications - hence the term "applets" - can handle everything from text and numbers to games, animations, finances, health advisories and shopping aids.
Hard-disk access is also key to the current big wave of new Web technology, called "push." Advertisers, vendors and company information-systems directors are expected to use push technology to automatically "broadcast" a variety of applications and services over the Web to users who have indicated specific interests and needs. The commercial potential of push is estimated in the billion-dollar range.
For push to work, however, the door to your computer will have to be left open. And that poses risks.
Estep sees a culture clash at the heart of the hacker ethic. Broadly speaking, he sees the people who run computer networks and design their programs as wanting an open environment to enable free exchange of files, programs and information. Corporate managers, however, worry about theft or abuse of proprietary information.
Hackers can be viewed as performing a whistle-blower function for the user public, their defenders say. "Security is always more important to corporations and consumers than to companies selling software," Littman said. "Hackers are doing a service for the public. The industry may not like it, but ultimately it's to their advantage."
Netscape co-founder Marc Andreessen acknowledged as much when his company's market-leading browser was under fire from hackers. "I'm happy hackers are concentrating on trying to break our products," he said. "As a result, we get to improve them."
McLain's demonstration and a similar ActiveX program he posted last fall on the Web called "Internet Exploder" have gotten him in hot water with a leading security certifier on the Web. "Exploder" seized control of a remote PC on the Web and shut the computer down after making sure no programs or data would be damaged. The effort gave McLain the distinction of being the only person to have his license revoked by VeriSign, a Silicon Valley company that authenticates the digital identity of a program's source.
"What Fred's doing is entirely legitimate," said Ben Thorsteinson, like McLain a veteran Seattle bulletin-board system operator. "Sun, IBM (and) Microsoft know Fred, and know that Fred knows what he's talking about."

Title: Daley Calls For Compromise in Encryption Debate 4/16/98
Source: Telecom AM
Issue: Encryption Description: Speaking to an Information Technology Policy Council forum, Secretary William Daley warned that if the sides of encryption debate don't start compromising, the data security industry will move overseas and US policy and products will become obsolete. Sec Daley called for 1) online intellectual property legislation from Congress and 2) the industry to start doing a better job on self-regulation on privacy. A Commerce Department report says that electronic commerce lowers purchasing and marketing costs, increases inventory flexibility, and improves customer service. The report also find many companies waiting for a resolution of the encryption debate before they expand their Internet business.