Secure Communications
Definitions, Terminology, Technical Introduction
The fields of cryptography and cybersecurity are awash with arcane and highly technical language. In the following section, I will attempt to demystify some essential concepts and place them in the context of tools like SecureDrop.
Cryptography is the process of rendering a message unreadable to all but the intended audience. In its original, readable form, a message is called plaintext. The means of encryption, or rendering it unreadable, is called a cipher. A cipher takes plaintext and combines it with a piece of secret information, called a key, to produce the encrypted message, or ciphertext. The proper key is required to decrypt the ciphertext back into the original plaintext. A cryptosystem is the ensemble of tools and processes needed to send and receive encrypted messages.
Cryptanalysis is code breaking. Whether by statistical analysis or exhaustive guessing, cryptanalysis is any means of turning ciphertext into plaintext without possession of the key. When an adversary intercepts a message, they may try to break the code through cryptanalysis to learn its contents.
The grounding axiom of cryptographic theory is Kerckhoff’s Principle, named after a nineteenth-century Dutch cryptologist. It states: A cryptosystem should remain secure even if everything about that system besides the key is public knowledge. The information theorist Claude Shannon later rephrased this principle more succinctly, stating that one should assume “the enemy knows the system.”1 This means that even if an adversary captures one of your encryption machines, or if your algorithm is open-source software, the adversary should not be able to decrypt your messages unless they have also intercepted your key. In short, the security of a cryptosystem should be based on the secrecy of the key alone.
Key exchange is the process by which the parties of encrypted communications share the keys to encrypt and decrypt the messages they will later send. This is traditionally the trickiest element of secure communication, especially in large organizations like the military. The strength of the cryptosystem is immaterial, of course, if the key is stolen while it is being exchanged between parties. Since a secure channel seems to be needed for the transmission of the key itself, the ideal means of secure key exchange once seemed like an infinite regress problem.
The modern era of cryptography began with a novel approach to the problem of key exchange devised by Whitfield Diffie and Martin Hellman.2 Previous encryption systems had all been symmetric, meaning that the same key was used to both encrypt and decrypt messages. Diffie and Hellman’s solution was for each party to have a private key that is kept totally secret, and for both parties to use their private keys in a sort of handshake to establish a secure channel. Models like this are called asymmetric or public key cryptosystems.
A year after the arrival of Diffie-Hellman, a team of MIT researchers developed the RSA algorithm, an alternative, proprietary, public-key cryptosystem that became widely used for both encrypting and authenticating messages. With RSA, each user has a widely available public key and a completely secret private key. The public key is used any time someone wants to encrypt a message to a specific person, while that person’s private key is the only thing that can decrypt messages intended for them. A freely distributed implementation of RSA called PGP was developed in the early 1990s and directly resulted in relaxed legal restrictions surrounding the use of encryption by average citizens. Much of the cryptography in SecureDrop and other secure communication systems relies at some level on PGP or related, free software encryption tools like GPG.
The MIT key server is a directory for posting PGP keys, and its records are used in this study as a proxy for the rate of adoption of encryption tools in different newsrooms. When someone creates PGP/GPG keys, they send the public key to one of these servers so that it can be found and used when someone wants to send them an encrypted message. All the major public key directories share data so that each key can be found and confirmed in multiple places.
Yet cryptography is just one element of cybersecurity. Systems can be compromised by many other means besides breaking codes or stealing keys. A computer’s security measures can be circumvented if it receives malicious code, grants access to an unauthorized user, or elevates user privileges so that someone can execute commands beyond their intended limits. There is a vast and thriving market for novel ways of exploiting software, called zero day vulnerabilities because they are not yet public knowledge. Once a vulnerability has been revealed, and presumably also patched shortly thereafter, the vulnerability is dated upward. The logic behind this system is that even a ten-day vulnerability will still affect a targeted system if it has not received security updates in a month.
Experts assess the risks and vulnerabilities of a particular system through processes called threat modeling, security auditing, and penetration testing. A threat model assesses the nature and likelihood of risks. A penetration test is an attempt to identify vulnerabilities by subjecting the system to realistic attacks. And a security audit is a comprehensive, professional assessment of the risks, weaknesses, and needed improvements for a particular system, often combining both penetration tests and threat models.
Hackers are typically classified as white hat, gray hat, or black hat according to their ethical stance. The popular, broadly alarmist sense of the word “hacker” generally refers to the black hats, who are motivated to exploit technological systems for amusement, personal gain, or sheer malice. White hats use many of the same tools and techniques as black hats, but they do so for the sake of identifying and correcting vulnerabilities. Gray hats either believe that black- and white-hat tactics are appropriate in different contexts, or they simply reject this strict moral binary.
SecureDrop is free and open-source software, meaning that every line of its source code is freely available to read, modify, and share. In order to emphasize that the “free” in this term refers not to cost but to freedom, some advocates prefer the term libre software. Along with SecureDrop, all of the leading secure communication tools like PGP/GPG and Tor are maintained as free/libre/open-source projects. From a security perspective, following Kerckhoff and Shannon, open code is considered a basic condition for trusting any cryptosystem. When the code is closed to the public, there is no way to know if it is well implemented, let alone if it contains a secret backdoor. Open code, on the other hand, can be assessed for vulnerabilities and improved upon by anyone participating in the project.