Secure communication


Secure communication is when two entities are communicating and do not want a third party to listen in. For this to be the case, the entities need to communicate in a way that is unsusceptible to eavesdropping or interception. Secure communication includes means by which people can share information with varying degrees of certainty that third parties cannot intercept what is said. Other than spoken face-to-face communication with no possible eavesdropper, it is probable that no communication is guaranteed to be secure in this sense, although practical obstacles such as legislation, resources, technical issues, and the sheer volume of communication serve to limit surveillance.
With many communications taking place over long distance and mediated by technology, and increasing awareness of the importance of interception issues, technology and its compromise are at the heart of this debate. For this reason, this article focuses on communications mediated or intercepted by technology.
Also see Trusted Computing, an approach under present development that achieves security in general at the potential cost of compelling obligatory trust in corporate and government bodies.

History

In 1898, Nikola Tesla demonstrated a radio controlled boat in Madison Square Garden that allowed secure communication between transmitter and receiver.
One of the most famous systems of secure communication was the Green Hornet. During WWII, Winston Churchill had to discuss vital matters with Franklin D. Roosevelt. In the beginning, the calls were made using a voice scrambler, as this was thought to be secure. When this was found to be untrue, engineers started to work on a whole new system, which resulted in the Green Hornet or SIGSALY. With the Green Hornet, any unauthorized party listening in would just hear white noise, but the conversation would remain clear to authorized parties. As secrecy was paramount, the location of the Green Hornet was only known by the people who built it and Winston Churchill. To maintain secrecy, the Green Hornet was kept in a closet labeled 'Broom Cupboard.'' The Green Hornet used a one-time pad. SIGSALY was also never broken.

Nature and limits of security

Types of security

Security can be broadly categorized under the following headings, with examples:
  • Hiding the content or nature of a communication
  • * Code – a rule to convert a piece of information into another form or representation, not necessarily of the same type. In communications and information processing, encoding is the process by which information from a source is converted into symbols to be communicated. Decoding is the reverse process, converting these code symbols back into information understandable by a receiver. One reason for coding is to enable communication in places where ordinary spoken or written language is difficult or impossible. For example, semaphore, where the configuration of flags held by a signaler or the arms of a semaphore tower encodes parts of the message, typically individual letters and numbers. Another person standing a great distance away can interpret the flags and reproduce the words sent.
  • * Obfuscation
  • * Encryption
  • * Steganography
  • * Identity Based
  • Hiding the parties to a communication – preventing identification, promoting anonymity
  • * "Crowds" and similar anonymous group structures – it is difficult to identify who said what when it comes from a "crowd"
  • * Anonymous communication devices – unregistered cellphones, Internet cafes
  • * Anonymous proxies
  • * Hard-to-trace routing methods – through unauthorized third-party systems, or relays
  • Hiding the fact that a communication takes place
  • * "Security by obscurity" – similar to needle in a haystack
  • * Random traffic – creating random data flow to make the presence of genuine communication harder to detect and traffic analysis less reliable
Each of the three types of security is important, and depending on the circumstances, any of these may be critical. For example, if a communication is not readily identifiable, then it is unlikely to attract attention for identification of parties, and the mere fact a communication has taken place is often enough by itself to establish an evidential link in legal prosecutions. It is also important with computers, to be sure where the security is applied, and what is covered.

Borderline cases

A further category, which touches upon secure communication, is software intended to take advantage of security openings at the end-points. This software category includes trojan horses, keyloggers and other spyware.
These types of activity are usually addressed with everyday mainstream security methods, such as antivirus software, firewalls, programs that identify or neutralize adware and spyware, and web filtering programs such as Proxomitron and Privoxy which check all web pages being read and identify and remove common nuisances contained. As a rule they fall under computer security rather than secure communications.

Tools used to obtain security

Encryption

is a method in which data is rendered hard to read by an unauthorized party. Since encryption methods are created to be extremely hard to break, many communication methods either use deliberately weaker encryption than possible, or have backdoors inserted to permit rapid decryption. In some cases government authorities have required backdoors be installed in secret. Many methods of encryption are also subject to "man in the middle" attack whereby a third party who can 'see' the establishment of the secure communication is made privy to the encryption method, this would apply for example to the interception of computer use at an ISP. Provided it is correctly programmed, sufficiently powerful, and the keys not intercepted, encryption would usually be considered secure. The article on key size examines the key requirements for certain degrees of encryption security.
Encryption can be implemented in a way that requires the use of encryption, i.e. if encrypted communication is impossible then no traffic is sent, or opportunistically. Opportunistic encryption is a lower security method to generally increase the percentage of generic traffic which is encrypted. This is analogous to beginning every conversation with "Do you speak Navajo?" If the response is affirmative, then the conversation proceeds in Navajo, otherwise it uses the common language of the two speakers. This method does not generally provide authentication or anonymity but it does protect the content of the conversation from eavesdropping.
An Information-theoretic security technique known as physical layer encryption ensures that a wireless communication link is provably secure with communications and coding techniques.

Steganography

is the means by which data can be hidden within other more innocuous data. Thus a watermark proving ownership embedded in the data of a picture, in such a way it is hard to find or remove unless you know how to find it. Or, for communication, the hiding of important data in apparently innocuous data. An advantage of steganography is plausible deniability, that is, unless one can prove the data is there, it is deniable that the file contains any.

Identity-based networks

Unwanted or malicious activities are possible on the web since the internet is effectively anonymous. True identity-based networks replace the ability to remain anonymous and are inherently more trustworthy since the identity of the sender and recipient are known.

Anonymized networks

Recently, anonymous networking has been used to secure communications. In principle, a large number of users running the same system, can have communications routed between them in such a way that it is very difficult to detect what the complete message is, which user sent it, and where it is ultimately coming from or going to. Examples are Crowds, Tor, I2P, Mixminion, various anonymous P2P networks, and others.

Anonymous communication devices

Typically, an unknown device would not be noticed, since so many other devices are in use. This is not assured in reality, due to the presence of systems such as Carnivore and unzak, which can monitor communications over entire networks, and the fact that the far end may be monitored as before. Examples include payphones, Internet cafe, etc.

Methods used to "break" security

Bugging

The placing covertly of monitoring and/or transmission devices either within the communication device, or in the premises concerned.

Computers (general)

Any security obtained from a computer is limited by the many ways it can be compromised – by hacking, keystroke logging, backdoors, or even in extreme cases by monitoring the tiny electrical signals given off by keyboard or monitors to reconstruct what is typed or seen.

Laser audio surveillance

Sounds, including speech, inside rooms can be sensed by bouncing a laser beam off a window of the room where a conversation is held, and detecting and decoding the vibrations in the glass caused by the sound waves.

Systems offering partial security

Cellphones

Cellphones can easily be obtained, but are also easily traced and "tapped". There is no encryption, the phones are traceable – often even when switched off – since the phone and SIM card broadcast their International Mobile Subscriber Identity. It is possible for a cellphone company to turn on some cellphones when the user is unaware and use the microphone to listen in on you, and according to James Atkinson, a counter-surveillance specialist cited in the same source, "Security-conscious corporate executives routinely remove the batteries from their cell phones" since many phones' software can be used "as-is", or modified, to enable transmission without user awareness and the user can be located within a small distance using signal triangulation and now using built in GPS features for newer models. Transceivers may also be defeated by jamming or Faraday cage.
Some cellphones track and store users' position information, so that movements for months or years can be determined by examining the phone.
The U.S. Government also has access to cellphone surveillance technologies, mostly applied for law enforcement.