Two Ways to Improve Online Privacy


Following the continuing Snowden revelations, it’s fair to say that large swathes of online correspondences may be captured and processed by scanning software. If the communications that are captured are encrypted, then they’re stored and kept until they can be decrypted and read. To increase privacy, we want to make the decryption process as difficult as possible.

Strengthening Encryption

NSAIn theory, anything encrypted with a large number of bits (256, 512, etc.) should be impossible to decrypt without an immense amount of computing power. But there are weaknesses in implementation (from the way plain text is stored and more) that make decryption easier than it should be. I believe encryption should be enhanced by other methods to maximize privacy.

So how can you enhance the encryption? Let’s ignore the usual tenet of encryption “obscurity = insecurity” on the basis that unless you’re a “Person of Interest” you’re just one individual amongst millions or billions. In which case, the trick is to look normal to scanning software while still sending information within the email.

Consider an email containing a few hundred characters of plain text, that you want to keep completely private — maybe it contains new passwords, website urls, a one-time pad, source code, etc. You’ll want to encrypt it with the public key of the receiver as a starting point, so that in theory only he/she can read it using the private key. I say in theory because the Snowden revelations say that RSA, the most commonly used method of Public Key Encryption, has been broken for 1024 bits.

Incomplete Information

After the public key encryption, you’ll have a collection of a few hundred bytes to deliver. If it’s 300 bytes, then it’s 2,400 bits of information. Let’s split those bits into eight different streams. How we do this isn’t important. We might create one stream for each of the bits or create a stream from the eighth bit (0, 8, 16, etc.) with seven others — each offset by one, for 1, 9, 17, etc. Then we group each of the eight bitstreams into its own byte stream that gets emailed to the intended recipient. The eight email messages will likely be stored by “big brothers” with a note that they are encrypted and presumably linked to you and the recipient.

Eight messages received in a row are likely to be perceived as related, if not as one large message, so let’s not make it too easy for them. You could send them at different times, from and to different email addresses, or all of the above. Can the email addresses be tracked back to you? Possibly. But It doesn’t really matter. We’re not trying to defeat meta data links here, just send information that can’t be decrypted in isolation. With each message making up only 1/8th of the whole, no one will never be able to be successfully decrypted by itself.

I said 1/8th, but you could split the message up in a lot of different ways, like 1/16th.

Disguising Encrypted Data

If you have the software to do the processing (and it’s not difficult) then instead of sending a bunch of encrypted bytes (like “05 GE 41 8A 23 0E”) you can use a one-time pad and send the messages as text. A one-time pad consists of 256 unique words like “the”, “and”, “grape”, etc., with each word mapped to a unique value from 0-255.

If you’re really clever, you can have the words look like normal sentences. It wouldn’t fool a human reader but depending on the sophistication of the scanning software, it may not have to. For example, If I sent an email to you saying “here’s my list of 300 favorite Scrabble words” and included the encrypted message, might it fool the scanning software? The trouble is, nobody knows. Instead of words, how about equations (y=x*x, y= 2*x+ 4 dtc)? Or even the “source code” of a program? Some other plausible ways to disguise encrypted data include:

  • Scrabble Words
  • Equations
  • Source Code
  • Accounts figures
  • An Invoice
  • Catalog list
  • Sentences from a book

I’m sure there are many more. All you need is 256 of each for the one-time pad. The receiver converts the items into the byte stream using the one-time pad, rebuilds the original encrypted data and unencrypts it.

One-Time Pads and Virtual Keyboards

One-time pads are the best way to guarantee privacy because every message uses a different encryption scheme. They can also be used through virtual keyboards.

Virtual keyboards are a type of one-time pad that are intended to help defeat keyloggers. To use one, you display a bunch of keys as clickable buttons on your monitor screen. The buttons are clicked and build up the message in memory, bypassing any keylogger that is running on your PC.

Virtual Keyboard

You can take it a bit further re-arranging the position of the keys on the virtual keyboard, so it’s not just arranged as QWERTYUIOP. To do this, you’ll generate a random number and use it as a seed to a pseudo random number generator that you use to generate the position of each of the virtual keys. It’s a bit harder to “type” sentences with a re-arranged keyboard, but it’s also harder to decrypt.

Instead of sending the message as text, you send the coordinates of the key clicks for each letter. Along with coordinates, you’ll need to send the original random number, so the receiver can regenerate the sequence of numbers that defined the positions of the keys. As long as none of the keys overlap, it should be possible to figure out which key was clicked each time. If each key was 40 x 40 pixels in size, then there are 1,600 different positions that could have been clicked that correspond to each letter. However, the clicks are likely to be normally distributed around the center of the button.

A different random number with each message is what makes the virtual keyboard a one-time pad. However, care must be taken with the choice of PRNG (Pseudo Random Number Generator). It has to be one with a very long repeat cycle. A Mersenne Twister, for example, would make a good choice.


One Response to “Two Ways to Improve Online Privacy”

October 09, 2013 at 1:35 pm, J Lawrence Randall said:

The naivete of the writer is rather obvious. Anyone who has been involved with high-level encryption will understand immediately that Mr. Bolton has no understanding of either the methods or the craft.

There is ZERO protection in long keys. Never has been, and never will be. The strength of any high-level cryptographic device or system lies in its ability to produce an output that does not reveal the key.

The “RSA system” discussed by Mr. Bolton are low-level to mid-level PRIVACY systems. They are not worthy for consideration for Tactical, Strategic, or Diplomatic communications.

Mr. Bolton also displays a complete lack of knowledge when he discusses the One Time Pad. Suffice it to say that his “version” is even less secure than RSA.

For those interested in Cryptography, “The Codebreakers” by David Kahn is considered by those of us who are or have been in the industry as “The Bible of Cryptography”. There are two versions: one without the technical details, and one with. I recommend the latter, as one can skip the technical details if one wishes, and David’s writing style is both informative and entertaining.


Post a Comment

Your email address will not be published.