Tuesday, November 11, 2014

[Updated] Hide-a-KeyText encryption, using web page text as symmetric key

[Update 17 November 2014]
A small standalone Java program is now available on http://www.unchartedcharters.com. It is free. The source code is available on the site as an exported Netbeans 8.x project zip.
The algorithm is based on a Beale cipher, where the "standard text" or key is text pulled from a web page specified by the user. We then simply add the Unicode codepoints of the standard text and the message. No wrapping or "mod". More fun is provided by a combobox with several scripts (Unicode blocks) that can be used to shift the message text. Currently, this includes Braille and other goodies. It only shifts up in v. 1 of the program, so an apology to our Japanese, Chinese and other friends is appropriate.
Oh, and no app.
[End of Update]

Millions of homes all over the world have a small container with a house key somewhere near the house. Despite this, burglars almost always have to break windows or doors to get in.
Millions of cars on the roads of the U.S. have small magnetic boxes with a spare car key attached to them, yet car thieves don't take the time to inspect all the nooks and crannies of a vehicle they want to steal.

Imagine any user could encrypt text emails by simply adding a web address to a new field in a "Settings" dialog.

You can do this if the encryption key is like a Hide-a-Key, somewhere nearby but really f***ing hard to find.

The web address would go to a page used as the encryption key. Whatever text is on that page is applied to the email text to encrypt it, like in the one-time pad approach, except that you could use all of the web's "texts".

The recipient, of course, would need to know the URL and enter it into his or her email client.

Since you use our hide-a-key approach only to exchange emails with your grandma, you call granny on the phone and tell her to set the url for all emails coming from you. That call is a one time affair. When you want to switch to a new URL, you tell granny in one of your fancy encrypted emails to use http://let'sbesosecurethatcybercriminalswillweeporstarttodohonestworkforonce.ogr or whatever address suits your needs.

Sure, you have to beg the developers of Outlook, Thunderbird and WhatNotMail to add a new "Senders & URLs" dialog to their email clients. Or get the ten year old nephew to program a plug-in.

So, the next time granny sends you the tracking number for an expensive Christmas gift, it is between you and granny.

Implementation hints:
  1. You can use any web text, provided it is long enough. For example, Mark Twain's Tom Sawyer on Project Gutenberg would be nice. For a short email, why not try the mission statement page of the NSA?
  2. A one-time pad works best if the data of the pad are random. A nice start for experiments would be the many public PGP keys out at the various key repositories. Though you should have the email client grab a bunch of keys and mix them up.
  3. As Westerners, we are so used to having alphabets of no more than 50 or so characters. You can get more mileage out of a small alphabet by using the work of our friends at Unicode.org. Simply move the Latin-1 [we feel like showing off a bit, sorry] up into a different segment, make it fake Japanese by adding the appropriate integer values. Okay, that might require an additional setting the first time you email granny and she'd need to set this in her client, too. Alternatively, you could add this as an instruction to the receiving client, like in a signature footer, because messing with the "alphabet" is not the main security feature.
  4. Yes, the metadata. The whole world knows you love granny, making metadata unimportant. We are still thinking about that, though.
  5. You are too lazy to program something that implements this dastardly simple privacy measure? Guess what -- so are we, although we might just go ahead and give it a try.
  6. Sure, when you need to get in touch with a complete stranger, use PGP.

Disclaimer: As usual, this is between you and granny, although we are aware that granny is a cultural artifact. If you implement this, give us some credit to make sure you also have someone to blame if it doesn't work as expected.

One more thing:
You do not have to use text. Images might even be better -- want some cat photos?

One more one more thing:
If cat pictures are not your thing, there is always a choice, see out Staganography post.

No comments:

Post a Comment