s
s
Sections
Sections
Subscribe

In a hearing set for March 22, a federal court will hear Apple’s initial arguments against the FBI’s demand that the company write software to sneak around a password and allow the government access to encrypted data inside an iPhone owned by the San Bernardino agency where deceased terrorist Syed Rizwan Farook was employed. Farook and his wife, Tashfeen Malik, killed 14 people and injured 22 in a shooting rampage on Dec. 2.

A House Judiciary Committee of 39 representatives, including two Republicans and four Democrats from California, meets on March 1 for a hearing on encryption, and invited Apple to attend.

Business leaders including Google CEO Sundar Pichai, Twitter CEO Jack Dorsey and editorial writers of the Wall Street Journal, Washington Post and The New York Times all sided with Apple CEO Tim Cook in his Feb. 16 stand for privacy and against the FBI’s efforts on encrypted iPhone data. Apple lawyers on Feb. 25 filed documents arguing that the government doesn’t have authority to force the company to help the FBI, and the demand places undue burden on Apple.

The battle pits encryption, which protects everyone’s privacy, against needs of law enforcement.

“Law enforcement is upset because terrorist 1 encrypts a message, sends it to terrorist 2,” said Sonoma State University encryption scholar George Ledin, Ph.D. “The FBI intercepts but cannot decrypt. The FBI protests against strong encryption because they cannot decrypt it themselves. Whenever they claim that they need back doors, it’s very misguided. It will make the job of the enemy easier. Hackers will find it. You have vulnerability that will be exploited. Why would they do that?”

Before tackling encrypted data inside Farook’s phone, the FBI has to get inside. The FBI worked with San Bernardino County to reset the password to Farook’s iCloud account where his phone data automatically backed up; the reset may have impeded subsequent backups. The FBI obtained from Apple backup data from the iCloud up to October 2015. Phone access, as the FBI demands of Apple, might have been unnecessary if auto-backups had continued.

“If we are going to protect privacy and make sure we are not penetrated, not just ordinary users but everybody up to the president of the United States,” Ledin said, then potent encryption must be employed with no backdoor decryption available to the FBI or hackers.

Encryption technology can keep a smartphone-guided life private, Ledin said, and shield bank and investment accounts from hackers who might steal every dime. But encryption is not yet smooth, easy or automatic.

“It requires dedication and resources. People will simply say, forget it until it is easy-to-use and automatic,” Ledin said. “Who cares if I send you an email: ‘On your way home, pick up a dozen eggs.’ You need to encrypt that?”

Some industries demand encryption. With “commercial paper, banks, warrants, there is a complicated infrastructure where liability is legally understood,” he said. “A dozen eggs is not important, but transferring $1,000 into an account is. Those systems use strong encryption.”

The potential market for encryption technology is enormous, Ledin said, especially in financial transactions; that industry is barely developed. “There will be lots of bumps,” he said. “The curious thing about smartphones,” is that their technology, driven by billions of users worldwide, has leaped forward, including encryption.

Primes, elliptic curves

“We have strong encryption at Apple and others. It is relatively easy to implement a strong system — symmetric and asymmetric. You could encrypt in such a way that nobody could decrypt — the one-time pad.”

The one-time pad uses modular or “wrap-around” addition such as is used in a 12-hour clock, which starts a new count after every 12 hours. Plain text is paired with a random secret key, originally written on a paper pad. Gilbert Vernam obtained a U.S. patent in 1919 on encryption based on this principle — the Vernam-cipher.Encryption described by Vernam can be attained using alphabet letters with “26-squared-factorial possible arrays,” Ledin said, a number with some 1,600 digits. “It’s fantastic. The best supercomputers today would take years to deal with that even though it is an encryption method invented” years ago.

In symmetric encryption, the secret keys to lock and unlock a message are the same, or one can readily be transformed to the other, and are held by two communicating parties. Symmetric encryption requires an initial secure channel to provide parties the secret keys. In asymmetric or public-key encryption, keys to encrypt and decrypt differ. Only the intended recipient has the decryption key; many people might have the public encryption key.

In the early years of personal computers, much cryptography drew on RSA technology, a prime-number-based system where a public encryption key is used with a secret decryption key. “RSA was the natural and simple way to implement public encryption,” Ledin said.

RSA was produced in 1977 by MIT computer scientists Ron Rivest (R) and Adi Shamir (S), and mathematician Leonard Adleman (A). The Apple 1 was released in 1976 by founders Steve Jobs and Steve Wozniak. RSA cryptography relies on a math quirk that students encounter in school: it’s easier to multiply secret prime numbers, especially big ones, than to factor the result into its primes. This fact — that it takes far longer to do the math in one direction than the opposite way — is called a “trapdoor.”

When computing power was slow compared to today’s standards, RSA encryption worked well. If prime numbers were large, say 100 digits, it would take years to coax out primes used as encryption keys. RSA keys could be lengthened to 1,000 digits to gain security. “It’s more secure,” Ledin said, “but much more difficult to use, more than slow, essentially futile” as it gobbles computing power. Supercomputers plow through quadrillions of factoring algorithms in seconds in a “brute force” attack; problems that required years of computing can be solved much faster.

For the past decade, some cryptography relied on elliptic-curve cryptography (ECC), drawn from Weierstrass functions: Y2 = X3 + ax + b. An elliptic curve is not always an ellipse, but more likely a torus, like an inflated inner tube. The curve has an intriguing quirk: the graph is symmetrical, and a non-vertical line drawn through any two points on the graph intersects the rest of the curve at exactly one more point.

An elliptic curve called a “prime curve” forms the foundation of cryptography trapdoors that allow keys smaller than RSA keys. Compact keys provide encryption on smartphones that are tough to crack even with supercomputers. “Elliptic curve was a godsend,” Ledin said, requiring keys a tenth the size or smaller.

RSA lost the smartcard bank market because its keys were so big that they bogged down the transactions, he said.

“ECC is a flexible term,” said Ledin, who teaches cryptography, passwords and authentication in Rohnert Park classes on computer security. ECC includes many curves, mathematically similar, based on discrete logarithms — a form of addition. It’s an exciting math frontier.

“The moment somebody discovers an algorithm for solving a discrete-log problem,” he said, cryptography based on that collapses.

Ledin attends an annual conference of the International Association for Cryptographic Research in Santa Barbara. “Most people who are anybody in the crypto world are there,” he said. “I am almost afraid to go anymore. There’s a big auditorium. If somebody were to detonate something,” an attack could “wipe out 99 percent of the crypto talent. Last year there was no security whatsoever.”

In 2008, Ledin co-authored a paper with Whitfield Diffie, a scholar with Stanford Center for International Security and Cooperation and a pioneer of public-key cryptography, on an encryption algorithm for wireless networks using a substitution box, which makes the relationship between message and encrypted code hard to understand. “The S-box is a 16-by-16 grid”or matrix, Ledin said. Unscrambling it is nearly impossible. “You could recruit all the computers in the world,” he said. Diffie worked with Sun Microsystems, acquired by Oracle in 2010 for $7.4 billion; Sun helped create Unix operating system.

The association’s RSA Conference Cryptographers’ Track runs Feb. 29 to March 4 in San Francisco, with topics such as e-commerce, cryptocurrency, ECC and quantum cryptography. The program committee includes cryptographers from Microsoft Research, Hewlett-Packard and Bell Labs Alcatel-Lucent.

Computers use transistor switches on integrated circuits. Supercomputers at Lawrence Livermore National Laboratory are rated by petaflops. A petaflop is a quadrillion calculations per second. As physics limits speed developments on silicon processors, supercomputers use parallel calculations on thousands of processors in “brute-force” assaults on encryption.

D-Wave, a Canadian firm, makes a quantum computer studied by Google, universities and government labs. Quantum computers use “qubits” of niobium metal magnetically shielded and cooled to near absolute zero: negative 459.67 degrees Fahrenheit. Superconducting qubits achieve +1 and -1 states and a third “superposition,” D-Wave said, looped into a programmable device. The third state allows quantum computers to calculate instantly what regular computers need years to do. Current cryptography would fail under such a potent attack.

Quantum computing is at least decades away. “I would like to come back 100 years from now and check things out,” Ledin said.