[Cryptography] Questions about crypto that lay people want to understand

[Henry Baker]

On 12/19/2015 11:22 AM, Henry Baker wrote:

> * Ordinary citizens lived thousands of
> years in sophisticated societies and
> never needed clever crypto.  I don't
> recall any crypto in the Bible, and the
> only discussion of crypto in novels
> seems to occur in the context of war
> or high politics -- e.g., Queen Mary
> of Scots.
> 
> Why now?  What is it about modern
> society that seems to require crypto
> for us ordinary citizens?

Here are some of my thoughts on this
question:

Prior to the invention of *radio*, the
use of cryptography was sporadic even
among govts.  I believe that the U.S.
diplomatic corps didn't bother with
cryptography until WWI, for example.

Governments -- especially *navies* --
quickly adopted *long range radios*
in the era before and during WWI.
Indeed, the US govt nationalized the
whole U.S. radio industry in WWI and
seized all of its patents (thank you,
Assistant Secretary of the Navy,
Franklin D. Roosevelt); the Radio
Corporation of America (RCA) was
formed after WWI to re-privatize
these assets.

The problem with long distance radio,
of course, was that it was *long
distance*, and highly *undirectional*.
As a result, these signals could be
heard over significant fractions of
the globe.  It quickly became obvious
that unencrypted radio signals were
too inexpensively eavesdropped upon.

So radio was the impetus for the
rapid adoption of encryption for
govts in the 20th Century.

But for nearly identical reasons,
*radio* once again became the impetus
for the widespread adoption of
encryption with the adoption of
the ubiquitous radio-based cellphone
by ordinary consumers.

Yes, there was a certain amount of
consumer-level encryption of computer
communications prior to the widespread
adoption of cellphones, but it was
limited to "Johnnies who *could*
encrypt" rather than the unwashed
masses.

Most ordinary citizens believed in
the "series of tubes" model of the
Internet, in which all of *their*
communications were narrowly
confined to *secure* tubes -- mostly
telephone lines containing modem
traffic -- and therefore protected
from universal snooping by *warrants*.

The universal consumer adoption of
another *radio* technology -- WiFi --
also heralded the need for encryption
in the form of WEP, and then WPA and
WPA-2, but *only after attacks were
also brought to the consumer level,
and only after massive data thefts
over WiFi from cars parked in company
parking lots.*

Then all hell broke loose with the
revelations of Edward Snowden that
the "series of tubes" of the Internet
was *completely compromised* not only
in the U.S., but almost *everywhere*
around the world.  Not only were
these "tubes" made of incredibly
transparent glass, but *everything*
going through them was subjected to
ubiquitous surveillance.

Of course, many geeks had always
assumed as much, but they were
laughed off as "tinfoil hat" types.
No longer.  When the NYTimes says
on its front page that the NSA was
"collecting it all", the sales of
tinfoil hats (and Guy Fawkes masks) 
exploded.

So *radio*, and "radio-like" networks
in which traffic between points A
and B could be routed via waypoints
located almost anywhere on Earth.
Those bits flowing out of your
computer and cellphone could be
going anywhere on Earth, and those
bits flowing into your computer and
cellphone could have gone via
anywhere on Earth.

Envelopes and sealing wax be damned.
The NSA+friends built a machine
that outperformed the fabulous East
German envelope-steaming machine by
factors of millions and billions.

Of course, transparent tubes are
also transparent to corporations and
criminals (I hope I'm not repeating
myself).  So individual citizens are
under ubiquitous surveillance for
the first time in evolutionary
history.  Humans have not had time
to develop any natural defenses
against this new threat model, so
it will take some time to work out.

The Internet has also been *weaponized*,
complete with (I'm not making this up)
a "cyber command" (USCYBERCOM) run by
an *admiral*.  There is an active war
being waged in "cyberspace" whose
bullets are hitting our computers
and cellphones hundreds and thousands
of times per minute.

One of the major battlegrounds in
this "cyber" war is *your pocket*. 
Govts and criminals are *in your
pocket* right now, trying to
infiltrate your cellphone and steal
its secrets.  Many/most of the
messages headed for the cellphone
in *your pocket* are either outright
missiles which can compromise your
cellphone directly, or are *phishing*
messages, which attempt to get you to
lower your defenses long enough to
allow them to compromise your
cellphone.

Your *only* defense right now is
*encryption*, and it has to be very
strong encryption because the attacks
are coming from nation-states and
well-heeled criminals.

The defensive walls built by encryption
within your cellphone are only a
millionth of an inch thick.  Even the
slightest error in design or manufacture
of these walls will completely compromise
your data.

Apple CEO Tim Cook is absolutely right
when he argues for the strongest
possible encryption of your data.  Your
cellphone is the battleground in a hot
war whose combatants have resources as
big (or bigger) than Apple itself.
We -- the ordinary citizens -- have no
hope without significant help from our
vendors such as Apple.