Wednesday, March 1, 2017

Tech Briefing: Encryption for Personal Use

Brief History
Encryption has been around in one form or another since almost 2,000 BC. Around 100 BC, Julius Caesar first used encryption so that the messages to his generals could not be read by outside eyes. He is credited with inventing the Caesar Cipher wheel, pictured below. Using the wheel in this example, every “N” becomes an “A” in the message and so forth. Another message would inform the recipient which letters to line up on the cipher wheel to decode the encrypted message.


Since the invention of Information Technology, encryption has grown from ciphers to become a much more complicated, and important, part of our daily lives. There are many reasons you may want or need to keep your web traffic from prying eyes, such as entering confidential information and having private conversations.

VPNs
One of the most basic forms of encryption that you’re probably familiar with is the Virtual Private Network, or VPN. There are a variety of different VPNs for different purposes, such as:
  • Corporate VPNs that encrypt an entire network’s traffic
  • VPNs to connect to corporate servers away from the office (e.g., the UA VPN)
  • VPN routers that automatically reroute and encrypt users’ network traffic
  • Web or application-based VPNs for personal use




Among the many VPN protocols, IPSec is considered the most secure. In fact, our friend Edward Snowden (or enemy and national traitor, depending on your point of view) has stated that the US Government has yet to crack IPSec, although they have in fact cracked other VPN encryption protocols. Below are a few free IPSec VPN options for personal use:

HTTPS: HTTP + TLS/SSL
HTTPS is a protocol for encrypted and secure communication with websites over the internet. It means that the HTTP website is protected with Transport Layer Security or Secure Sockets Layer. In other words, the website is verified by a certificate authority to ensure that transmitted data is both encrypted for privacy purposes and not tampered with in transmission. The following is what an HTTPS protected website will have at the beginning of its address:


You should never enter credit card or any personal information on a website that does not have an address that begins like the one pictured above. Today, not only online stores but most websites, like Facebook, YouTube, and millions more, are HTTPS protected. Note that although HTTPS encrypts data between client and server, which provides privacy, prevents tampering with data, and guards against “Man-in-the-Middle” attacks from hackers pretending to be someone they are not, this form of encryption is NOT as secure as End-to-End Encryption.

End-to-End Encryption – Who Can We Trust?

End-to-End Encryption means only the communicating end users can view messages or content. Not even Internet Service Providers or companies*** providing the encryption or messaging service can view messages, or hand them over to authorities. If communications are server-based, it is very unlikely that messages sent by them are E2E Encrypted.

Here are some examples that have encryption technologies in place, but only WhatsApp has End-To-End Encryption (with some caveats):
  • WhatsApp: The company claims that it does not store messages on its servers, which means it can’t hand over messages if approached by law enforcement officials.
  • iMessage: Apple’s iMessages are end-to-end encrypted, which means they can only be read on users’ phones and the company can’t read them. But if you back up your messages in iCloud, then Apple can read them and could be forced to hand them over to authorities if provided with an appropriate warrant.
  • Telegram: Telegram messages can be totally private if you want them to be. The company offers end-to-end encryption if users turn on the app’s “secret chat” feature and thus can’t read those user messages. Regular messages are stored on Telegram’s servers. The app benefited immensely from Brazil’s temporary WhatsApp ban. Telegram claims that it added 5.7 million new users on the day WhatsApp was blocked.
  • Signal: Owned by Open Whisper Systems, Signal is also end-to-end encrypted. The company explicitly states on its website that it “does not have access to the contents of any messages sent by Signal users.”
  • Line: Line offers end-to-end encryption, but only if both the sender and recipient of a message turn on a feature called “Letter Sealing.” This will encrypt your messages so the company can’t read them, but regular messages without the feature are not end-to-end encrypted and Line may have to hand them over if required by Japanese law.
  • Cyber Dust: Cyber Dust messages are encrypted end-to-end and the company claims they never even touch company servers. They’re also deleted from user phones as soon as they’re read (a la Snapchat). That means the company cannot hand over messages to authorities, even if a formal warrant was provided. “Once it’s gone it’s [gone],” CEO Ryan Ozonian told Re/code.

These Companies Can Read Your Messages

  • Facebook (Messenger and Instagram): Both Facebook Messenger and Facebook-owned Instagram encrypt messages only when they are en route between a user’s device and company servers where they are stored. This means Facebook might have to hand over private messages if required by law.
  • Google: Messages sent via Google Hangouts are also encrypted en route and even on the company’s servers, but Google can still read them if needed. Encrypting the messages while on Google servers is intended to keep others from jacking in and reading them, but Google itself has the encryption key. This means Google might have to hand over private messages if required by law.
  • Snapchat: Like Google, Snapchat messages are encrypted while at rest on Snapchat’s servers (though the company has the encryption key if needed). Snaps are deleted from the servers as soon as they’re opened by the intended recipients, and Snapchat claims these delivered messages “typically cannot be retrieved from Snapchat’s servers by anyone, for any reason.” But unopened Snaps are kept on the servers for 30 days before being deleted. That means Snapchat might have to hand over unopened, private messages if required by law.
  • Twitter: Direct messages on Twitter are not end-to-end encrypted. The company might have to hand over private messages if required by law.
  • Skype: Microsoft-owned Skype does not offer end-to-end encryption for instant messages. They are stored on Skype’s servers for a “limited time,” which means Skype might have to hand over private messages if required by law.

While E2E is regarded as more secure than most forms of encryption, it is not without its challenges. Most E2E protocols include some form of authentication at the endpoint to keep messages secure from “Man in the Middle” attacks, in which a third party can intercept or alter messages. Verification by certificate authorities, similar to how HTTPS is verified, is one security option. Another is to use cryptographic hashes, which will be explained shortly.

*** Also, it should be noted that some services that claim to provide E2E Encryption may in fact allow messages to be viewed by the service provider. Thanks again to our friend Snowden, we know that Microsoft has handed the NSA Skype messages that were “officially” E2E Encrypted. Apple, on the other hand, won a landmark case last year for refusing to hand over a user’s (albeit a terrorist’s) E2E Encrypted messages to the US Government.

Hashes
Hashing was mentioned in the explanation of E2E Encryption, although its use is not limited to this function. Hashing is a special form of one-directional encryption that takes data of any length and converts it into a fixed-length data message or “digest”. Because a data string of any length must not produce the same hash value as any other data string, hashing algorithms are extremely complex and sophisticated. Unlike true encryption, hash functions are only one way: hashed data cannot be transformed/decrypted back to its original state.

Hashing has specific uses in cryptography for:
  • Checksums to detect corrupted data
  • Digital fingerprints
  • Randomization functions
  • Password storage
  • Ciphers
Example Hash function: http://www.fileformat.info/tool/hash.htm
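
The hash properties and uses listed in this section (fixed-length digests, checksums and fingerprints, password storage), as an added example that is not part of the original post. It uses SHA-256 and PBKDF2 from Python's standard `hashlib`; the function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac
import os


def digest(data: bytes) -> str:
    """SHA-256 digest in hex: always 64 characters, whatever the input length."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bits that differ between the SHA-256 digests of a and b."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def verify_checksum(data: bytes, expected_hex: str) -> bool:
    """Checksum / fingerprint use: True only if data still matches the published digest."""
    return hmac.compare_digest(digest(data), expected_hex.strip().lower())


def hash_password(password: str, salt=None, iterations: int = 600_000):
    """Password storage: a random salt plus a deliberately slow derivation (PBKDF2).
    A bare fast hash would give equal passwords equal digests and make guessing cheap."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, derived


def check_password(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Re-derive from the candidate password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # All inputs below are constructed sample data.
    print(len(digest(b"")), len(digest(b"x" * 1_000_000)))       # same digest length
    print(differing_bits(b"attack at dawn", b"attack at dusk"))  # small change, many bits flip
    published = digest(b"constructed file contents")
    print(verify_checksum(b"constructed file contents", published))
    print(verify_checksum(b"constructed file c0ntents", published))
    record = hash_password("correct horse battery staple")
    print(check_password("correct horse battery staple", *record))
    print(check_password("wrong guess", *record))
```
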

TOR

TOR, short for The Onion Router, is perhaps the best tool to provide true anonymity on the internet. TOR is a web browser that encrypts data at the application layer, then relays it through over 7,000 locations in a virtual circuit to completely hide users’ IP addresses and physical locations. A typical VPN might reroute web traffic a few times, but TOR does so thousands of times to conceal users’ web traffic. That’s exactly why it’s called The Onion Router: each relay encrypts and decrypts only the previous relay’s data to essentially provide 7,000 “layers” of protection, like how an onion has layers.


You’ve probably heard of “the Darknet” or “the Deep Web,” which is essentially a collection of websites, including illegal goods marketplaces SilkRoad and Agora, that can only be accessed via TOR. TOR is often confused with the Darknet itself, but really TOR is the primary tool used to access the Darknet. Trying to reach Darknet websites like these from any other browser, like Chrome and Safari, is impossible. Darknet websites such as these, which connect buyers and sellers of illegal drugs, pornography, assault weapons, stolen identities, and much more, are only accessible via TOR to ensure that all activity is hidden within TOR’s layers from the eyes of the outside world and law enforcement.

3 comments:

  1. While the topic is very interesting, I feel a little more research could've been done. A couple sections, like claiming MD5 is at all secure, or the E2E encryptions leave a bit to be desired.

  2. When you say Snapchat is not end-to-end encrypted and is indeed hackable, in what way? Is it that accounts can be hacked or can these so-called "disappearing" photos actually be recovered? I would be interested in that for sure. Topic is very important nonetheless and informative for those who aren't aware of secure online/chatting platforms.

  3. With the Silk Road being shut down, are there other Black Market sites that take advantage of TOR nodes? Additionally, malicious nodes do exist within the network with some nodes being administered by the NSA, is there a way consumers can use a different sort of onion router to avoid losing their anonymity?
