
Suppose you're constantly being menaced by high profile hackers and agencies that try to intercept messages sent between you and a friend.

The question is: what's the safest way to send messages to him without any malicious user or agency being able to either:

  1. Intercept and decrypt your or your friend's messages.
  2. Interrupt your communication by means of MiTM or DDoS. Do cloud servers hosted in different parts of the world help offload DDoS traffic and make it difficult to shut down the servers? What about multiple proxies without any sensitive info forwarded in the headers, so that your internet provider doesn't know about the server you're contacting in case someone manages to seize internet browsing logs?
  3. Any other attack such as replay attack, Meet-in-the-Middle-Attack and so on that in a nutshell would finally derive message content or lead to impersonation.

Also suppose you're a student and can't afford a powerful laptop to crunch big numbers, so a cryptographically slow algorithm is to be excluded to begin with.

This is the situation we're in:

                              C                     B
                       ----------------     ------------------
         A             |              |     |                |
      -------          |    Server    |'''''|     Friend     |
      | You |''''''''''|              |     |                | 
      -------          ----------------     ------------------
                 |                              |
               |                D                 |
             ---------------------------------------
             |                                     |
             |                                     |
             |      Malicious user or agency       |
             |                                     |
             |                                     |
             ---------------------------------------

A should be able to send anything to B through C without D being able to interact.

Is exchanging the key through RSA and using it as encryption/decryption with say AES128 enough? What about using both RSA and PGP so that after you decrypt with the RSA key you have to decrypt with PGP too? Or is that superfluous?

I've thought about a sort of MAC-then-encrypt-and-encrypt-again scheme: AES128(Message + RSA pub key) + (PGP pub key + nonce) <-> server <-> ((AES128(Message + RSA pub key) + (PGP pub key + nonce)) - nonce) == PGP priv key == RSA priv key | stop

Let's throw a diagram in there once again to understand it better:

Sender

             -------------     ---------------    
             |           |     |             |
             |  Message  |--+--| RSA pub key |
             |           |     |             |
             -------------     ---------------           
                      \          /    
                       \        /
                        \   D  /
                         \    /
                          \  /
                           \/
                      -------------     -----------------     -----------
                      |           |     |               |     |         |
                      |  AES128   |--+--|  PGP pub key  |--+--|  Nonce  |
                      |           |     |               |     |         |
                      -------------     -----------------     -----------

Receiver

                                                                 \    /
                      -------------     -----------------     ----\--/---
                      |           |     |               |     |    \/   |
                      |  AES128   |--+--|  PGP pub key  |--+--|  No/\ce |
                      |           |     |               |     |   /  \  |
                      -------------     -----------------     ---/----\--
                           /       \                /           /      \
                          /         \              +                    
                         /           \            /             
  ---------------     -----------     +   -----------------            
  |             |     |         |      \  |               |
  |  RSA pubkey |--+--| Message |       \ |  PGP priv key | <----- Symmetric
  |             |     |         |        \|               |
  ---------------     -----------         -----------------   
          \
           +
            \
         ----------------
         |              |
         | RSA priv key | <---- Asymmetric. Only the receiver knows this key.
         |              |
         ----------------
                    \
                     \
                 -------------
                 |           |
                 |  Message  |
                 |           |
                 -------------

Would coupling this with (Perfect) Forward Secrecy make it even more secure?

The outcome should be one and only one: unbreakability or very slow breakability (that would take hundreds of years even for a supercomputer) by the malicious user.

If possible, add facts, references, specific expertise or anything else that keeps your answer from being opinion-based.

Alper Turan
  • For reference, note that RSA isn't nearly as slow as you're imagining. Any modern laptop (even one ten or fifteen years old) would be more than capable of RSA-encrypting email. – Harry Johnston Apr 06 '15 at 00:08
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/22803/discussion-on-question-by-gizko-whats-the-safest-way-to-transmit-a-message-to-a). – Rory Alsop Apr 13 '15 at 18:00
  • Short wave radio. One time pads. – Neil McGuigan Apr 13 '15 at 23:39
  • @NeilMcGuigan Short wave radio is really expensive for someone to run and not being portable the government can easily shut down your infrastructure. Then there is the antenna which must be at least half the wavelength it sends. Can you imagine even having a 10km antenna? – Alper Turan Apr 14 '15 at 17:37
  • @gizko I know, I was kidding. – Neil McGuigan Apr 14 '15 at 17:39
  • @NeilMcGuigan No biggie. I can't read emotions in text :) – Alper Turan Apr 14 '15 at 17:46

7 Answers


Do you really believe that you could detect if your computer was manipulated in a way that one could sniff the plain data directly at the computer or that the encryption software was changed in a way to make sniffing easier? Do you really believe that your father could do this too? If you downloaded the encryption software: how do you know it does what it claims and only that? If you wrote the encryption software yourself: did you really fully understand all algorithms involved and did you make sure that your implementation is not only correct but uses a proper and secure RNG etc., does not leak information in timing attacks etc.? Cryptography itself is already hard but it only solves a part of the problem, not the whole problem. Don't forget https://xkcd.com/538/.

Steffen Ullrich
  • Yeah, the infamous [Rubber hose cryptanalysis](http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis) :) Of course I would take precautions against this where possible. I wouldn't *strictly* download the **software**, rather the library whose implementation I've read and understood, other than the experience of developers using it. It's a grey world but not to such an extent that we're living in a matrix where developers are tentacles of the octopus the NSA is. – Alper Turan Apr 05 '15 at 15:19
  • Of course computer manipulation and morphing encryption software with or without a backdoor is to exclude. Let's say I've analysed any suspicious udp/tcp/whatever network activity coming from embedded instructions on my motherboard and ruled or sorted that out by having an expert remove them or change them so to send fake data to NSA network data pipes. – Alper Turan Apr 05 '15 at 15:24
  • If you can really make sure that the system and software are free of implementation or design problems and are not compromised, then I think that using established protocols like TLS, S/MIME, PGP, TOR can actually provide secure communication, as long as all parties truly verify the identities of the communication peer. Of course you can still detect that encrypted communication takes place. But I would strongly advise against inventing some new protocol as long as you cannot demonstrate where the existing protocols fail. And no protocol will protect against DoS directly against the peers. – Steffen Ullrich Apr 05 '15 at 20:00
  • One possible flaw: Use of quantum computers by NSA. An experimental one has been already disclosed to the public, and knowing that military technology (and NSA too for that matter) is 30 years ahead of civilian technology, we can imagine they're already running. – Alper Turan Apr 05 '15 at 22:17
  • If your adversary uses quantum computers, the current technology, including your ideas, does not work. For this you need [post quantum cryptography](http://en.wikipedia.org/wiki/Post-quantum_cryptography). But for now I'm sure it is way easier to attack the computer systems you and your communication peers use directly. – Steffen Ullrich Apr 06 '15 at 05:45
  • Even if you wrote the encryption software, did you also [write the compiler](http://cm.bell-labs.com/who/ken/trust.html)? That article was written in 1984.. – gregmac Apr 06 '15 at 06:55
  • @SteffenUllrich On a second thought I think you're right. – Alper Turan Apr 06 '15 at 13:32
  • @gregmac Are you telling me even something as simple as a compiler shouldn't be trusted? If you have enough knowledge you'll be able to spot any backdoor in a compiler. Or are you telling a faulty compiler implementation can be the cause of breaking by the NSA? – Alper Turan Apr 06 '15 at 13:35
  • @gizko Did you read the paper? *"First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere."* So the question is: can you trust the compiler you're going to use to compile your compiler? See also: [Fully Countering Trusting Trust through Diverse Double-Compiling](http://www.dwheeler.com/trusting-trust/). – Doval Apr 06 '15 at 17:42

Your first problem will be determining what the NSA is capable of. For instance, does your laptop have a keylogger installed? Is the BIOS compromised? Is the hard disk's firmware compromised?

Also, since you want to use an intermediary server, you would have to somehow know that the operator of that server is not being blackmailed with a National Security Letter or similar, or you'd have to find a mechanism that protects you in the face of an untrusted intermediary.

With all of these situations, it would be game over.

Secondly, if you are reasonably sure that the hardware is not compromised, here is what I'd look into:

  • Get a new USB stick from a mass-market retail store (not by mail order), and pay cash for it.
  • Download Tails.
  • Disconnect from the Internet.
  • Install Tails onto the USB stick.
  • Remove the hard disk (that would protect you against bad HD firmware, although not against a bad BIOS in your computer itself).

Of course your father would have to take the same precautions.

Next, define what you want to hide:

  • Do you want to hide the content of your message?
  • Do you want to hide the recipient of your message?
  • Do you want to hide the fact that you communicated at all?

If you merely want to conceal the content of your message, PGP is it. The subject line and the recipient will be in plain text, though. From your question, that is it.

If you want to conceal the recipient of your message, you could use SSH to log into a (known not compromised) third-party computer and leave a message there as a text file. Your father would also use SSH to the same computer to retrieve the message.

If you want to conceal the fact of communication at all, you will need to connect through the TOR network.

The final question is what algorithm to use for encryption. First of all, don't use SHA256. It's not an encryption algorithm at all, but rather a hashing algorithm. If you used it, you'd be amazed how quickly you could transfer even gigabyte-sized files in seconds even over a dial-up line. And you'd be amazed about why your father couldn't retrieve the file you sent. SHA256 generates basically a checksum of a few dozen bytes, and leaves the original message intact.

Your idea of a separate key-exchange with public key encryption, followed by a data transfer phase with symmetric encryption, is very good for direct communication.

For the cipher selection, I'd look to what TLS 1.2 offers. RSA for the public key is good. AES128 for the symmetric encryption is also a good choice.

Of course, since you are using an intermediate (your server C), you will be constrained by whatever that server offers.

Kevin Keane
  • *Next, define what you want to hide* The second option is obligated, but the third would be preferred in that case. SSH uses Diffie-Hellman as its algorithm, so it would be a matter of implementing a new protocol by using its specialized derivatives such as RSA or ElGamal, which have their pros and cons. Although either is negligible. Doh right, SHA256 is bad for this task. The server should be as **dumb** as possible and shouldn't be able to handle the messages other than transmitting them and doing basic routine checking, and it's end-to-end encryption we're talking about. – Alper Turan Apr 05 '15 at 18:08
  • I don't think logging into an SSH server will hide who you're communicating with. NSA could trivially just watch traffic on that server and see who's connecting to it. If you want to hide who you're communicating with (as if NSA wouldn't know who Edward Snowden's son is secretly communicating with,) you'd want something like [Tor](https://www.torproject.org/). – reirab Apr 06 '15 at 04:20
  • @reirab You are correct. I made an implicit assumption that is often not true: that the server has many frequent users. In that case, the NSA could determine that you communicated with one of hundreds or thousands of people, but not with which one. Regardless, though, even without Tor, a trusted VPN can provide enough anonymity to make it infeasible to trace the connection back to you. – Kevin Keane Apr 06 '15 at 05:06
  • How do you know that your Tails download was not tampered with? How do you know that Tails is not a honeypot? – dotancohen Apr 06 '15 at 10:19
  • @KevinKeane How? We can probably safely say that the NSA is already in a position of being able to monitor traffic across large portions of the Internet. Even if you're connecting through a VPN, traffic still has to flow back and forth as you are logged into the system, or transferring the file. The VPN provides confidentiality of the content of the transmission, but not secrecy of the fact that you are communicating with a particular host. For that you need something else; start thinking high-latency routing. – user Apr 06 '15 at 13:11
  • A private VPN would indeed have that problem. A public VPN would only show that one user is connecting to the server, but not which user. Timing analysis could potentially disclose a correlation between you and the server, but that is hard to do even for the NSA. BTW, the Tor network would also be vulnerable to the same timing analysis. – Kevin Keane Apr 06 '15 at 18:47
  • @KevinKeane Not only that, but Tor isn't even safe from MiTM attacks, and [it's known](http://security.stackexchange.com/questions/34804/how-safe-is-tor-from-mitm-snooping-attacks). – Alper Turan Apr 06 '15 at 19:58
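
The question's proposal and Kevin Keane's answer both describe the same shape: a public-key key exchange, then symmetric encryption of the data. As an added example (not code from the question, the answer, or any project), the following Go program, standard library only, shows the minimal sound version of that shape: a fresh AES-128 key per message wrapped with RSA-OAEP, AES-GCM rather than bare AES so that any modification by D is detected, and a message counter bound into the GCM tag so that a replayed envelope is refused. The Envelope, Receiver and counter scheme are this example's own choices, not a standard protocol, and the example deliberately stops short of sender authentication, which the comment in Open points out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Envelope is what relay C forwards; C and D can route it but not read or silently alter it.
type Envelope struct {
	WrappedKey []byte // fresh AES-128 key, encrypted to the recipient with RSA-OAEP
	Nonce      []byte // 96-bit GCM nonce, fresh for every message
	Counter    uint64 // per-sender message number, bound into the GCM tag as AAD
	Ciphertext []byte // AES-128-GCM ciphertext followed by the 16-byte tag
}

// counterAAD encodes the counter as associated data, so a relay cannot re-label
// an old envelope with a new number without breaking the authentication tag.
func counterAAD(counter uint64) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint64(aad, counter)
	return aad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message to pub. Every call draws a new AES-128 key and a
// new nonce, so the symmetric key is never shared across messages.
func Seal(pub *rsa.PublicKey, plaintext []byte, counter uint64) (*Envelope, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, counterAAD(counter))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Counter: counter, Ciphertext: ct}, nil
}

// Receiver holds the RSA private key (only B knows it) and the highest counter
// accepted so far, which is what defeats a replayed envelope.
type Receiver struct {
	priv        *rsa.PrivateKey
	lastCounter uint64
	seenAny     bool
}

func NewReceiver(bits int) (*Receiver, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Receiver{priv: priv}, nil
}

func (r *Receiver) PublicKey() *rsa.PublicKey { return &r.priv.PublicKey }

// Open rejects replays and reordering first, then unwraps the key and lets GCM
// verify the tag before any plaintext is released. It does NOT prove that A sent
// the message: anyone holding B's public key can Seal, so sender authentication
// needs a signature or a pre-shared secret on top of this.
func (r *Receiver) Open(env *Envelope) ([]byte, error) {
	if r.seenAny && env.Counter <= r.lastCounter {
		return nil, errors.New("replay or out-of-order envelope: counter did not increase")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrapped key does not decrypt: wrong recipient or modified")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, counterAAD(env.Counter))
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext, nonce or counter was modified")
	}
	r.lastCounter, r.seenAny = env.Counter, true
	return pt, nil
}
```

Sealing the same plaintext twice yields two unrelated envelopes (new key, new nonce), and the counter, not the nonce, is what lets B refuse the copy D kept.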

One Time Use Pad

Any use of mathematics beyond one time use pads is an opportunity for the "NSA" to break your algorithm. The instant you use a named algorithm, you must accept the possibility that NSA has broken that particular algorithm. Lacking any information regarding what algorithms they have broken, the only "NSA-proof" algorithm is the one time use pad.

And you better trust your random number generators and your key exchange! (Edit: and by that I mean real Random Number Generators. None of those sissy pseudorandom number generators that run on those new fangled "computer" things!)

Cort Ammon
  • And how do you distribute the OTP? One-time pads are useful when you have a secure channel now but won't have one when you want to communicate (e.g. US-Russia, where they can be shipped on weekly diplomatic flights and then used when the missiles are about to fly). But if you want to communicate on an ongoing basis, you have to see the other person on an ongoing basis, in which case there must be some reason you don't just tell him stuff then. – cpast Apr 05 '15 at 21:28
  • Oh yes, but my statement still holds. When you want to proof your communications against an agency which is devoting an estimated $10 billion towards intercepting and cracking encrypted messages, on a budget the size of an average car repair bill, you're going to have to accept some level of old-school elegance, at the expense of slick features like Diffie-Hellman key exchange ;-) In reality, the issue is that, unless you think you know the capabilities of the NSA, you can't really design an algorithm to beat them, just an algorithm you think is hard. – Cort Ammon Apr 05 '15 at 21:52
  • @CortAmmon: What do "your random number generators" have to do with your answer?  An OTP generated by a random number generator isn't worthy of the name "one-time pad". – Scott - Слава Україні Apr 05 '15 at 22:05
  • @CortAmmon Interesting. Never knew this was a thing and had a name. I used to *play* with this sort of encryption when I was a kid at school to prevent teachers understanding that we were talking to each other instead of playing a weird game. Anyway, a detection of possible attacks on the server could theoretically exchange a large local database in advance to be used later. – Alper Turan Apr 05 '15 at 22:09
  • What about [NTRU](http://en.wikipedia.org/wiki/NTRU)? Even if the NSA had quantum computers it seems they wouldn't have a chance against this algorithm. From Wikipedia: *NTRU is a patented and open source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data. It consists of two algorithms: NTRUEncrypt, which is used for encryption, and NTRUSign, which is used for digital signatures. Unlike other popular public-key cryptosystems, it is resistant to attacks using Shor's algorithm and its performance has been shown to be significantly better.* – Alper Turan Apr 05 '15 at 22:09
  • And *Unlike RSA and Elliptic Curve Cryptography, NTRU is not known to be vulnerable to quantum computer based attacks. The National Institute of Standards and Technology wrote in a 2009 survey that "[there] are viable alternatives for both public key encryption and signatures that are not vulnerable to Shor’s Algorithm” and “[of] the various lattice based cryptographic schemes that have been developed, the NTRU family of cryptographic algorithms appears to be the most practical"* – Alper Turan Apr 05 '15 at 22:12
  • @Scott, an OTP generated by a **pseudo**random number generator isn't worthy of the name "one-time pad." I was using random number generator in its strictest sense: a device which generates random numbers. Resistor noise or low-bit of a detuned radio station type of devices. However, when you're paranoid about spooks slipping something in your iced tea at the diner, you even have to think about how much you trust those. – Cort Ammon Apr 05 '15 at 22:24
  • @wcup: NTRU is stronger against quantum computers, but it is still an algorithm designed by men, which may or may not have a flaw. We do not know whether the NSA has cracked it or not, merely that it is an interesting algorithm and hard. (In the end, if facing questions like these in real life, the answer is to develop a threat model that accounts for what you stand to lose if they break it. However, that isn't really written into the problem, so I'm choosing to treat the NSA as a juggernaut of crypto breaking) – Cort Ammon Apr 05 '15 at 22:26
  • @CortAmmon: OK; valid point.  (I personally prefer counting cosmic rays, measuring radioactive decay, or [monitoring the activity of cats](https://www.youtube.com/watch?v=IkKzH3euwf4).)  You might want to [edit] your answer to clarify your meaning. – Scott - Слава Україні Apr 05 '15 at 22:38
  • I can eliminate the possibility they have broken it by producing one never before seen (do not doubt that I can); however, there is the possibility they could break it sight unseen. I think this is remote but not impossible. – Joshua Apr 06 '15 at 02:11
  • @wcup "not known to be vulnerable" != "known to not be vulnerable". In fact, there is a *huge* difference between those two statements. – user Apr 06 '15 at 13:07
  • @Joshua I take you didn't sleep enough :) But sure, a personal closed source *cryptorithm* is as insecure or more insecure than a NSA endorsed one. – Alper Turan Apr 06 '15 at 13:38
  • @MichaelKjörling Right. And I made a mistake believing it to be so. Many crypto algorithms considered safe were broken. As far as encryption goes, symmetric encryption with a longer key should still be *quantum resistant*. **Current** asymmetric cryptos are doomed in that regard. – Alper Turan Apr 06 '15 at 13:39
  • @hizl: Because the discussion is so close to splitting hairs, a personal closed source cryptoalgorithm is as insecure or more insecure than an NSA endorsed one *with a high degree of probability.* You could get lucky, it just happens so infrequently that we like to claim it never happens. Perhaps if you had a PhD in crypto and had broken 5 or 6 algorithms yourself, you might have good luck! – Cort Ammon Apr 06 '15 at 14:50
  • @CortAmmon Or a trusty friend, parent with a PhD in crypto of course. – Alper Turan Apr 06 '15 at 14:56
  • Your risk analysis is completely off the mark. There are known algorithms that the NSA couldn't break in 2012 and is highly unlikely to be able to break now. On the other hand, you've completely bypassed all the risks with the OTP's generation, storage and distribution. I am fully confident in the NSA's ability to infect the OP or the recipient's computer with spyware. – Gilles 'SO- stop being evil' Apr 06 '15 at 22:32
  • @Gilles What source are you drawing your information about the NSA's ability to break things? Does the NSA publish such information quarterly, or are you relying on a particular unofficial document "published" by an individual a while back? As for the ability to infect a computer with spyware, I 100% agree with you. However, from the original poster's question and its format, he was not even concerned with a compromise of the trusted hardware. – Cort Ammon Apr 06 '15 at 23:01
  • @Gilles I do have a question for you, since you brought it up. In this era of massive thumb drives, do you see any particular reason to believe OTP generation, storage, or distribution is any more difficult than key-material generation, storage, or distribution? With large thumb drives becoming commonplace, I don't see much more challenge in moving 64GB of random data than moving 64k of key material. It seems like there's a massive gap between "things that can be memorized" and "things that are hard to pass using jump drives" – Cort Ammon Apr 06 '15 at 23:03
  • I can't write down a 64GB one-time pad. Or store it in a smartcard (which considerably raises the requirements on the attacker compared with a PC). – Gilles 'SO- stop being evil' Apr 06 '15 at 23:42
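
Cort Ammon's answer and the comment thread under it turn on two things a pad must satisfy: the material is truly random and it is used exactly once. As an added illustration that is not the answerer's code, the Go program below implements a minimal one-time pad that tracks consumed material and refuses to wrap around when it runs out, and makes visible the two properties a practitioner has to keep in mind: a reused pad leaks the XOR of the two plaintexts (ReuseLeak), and a pad on its own gives no integrity, so a flipped ciphertext bit decrypts to a flipped plaintext bit without anyone noticing. The pad is drawn from crypto/rand here only so the example runs offline; the Pad type and its offset convention are this example's own.

```go
package main

import (
	"crypto/rand"
	"errors"
)

// Pad is one party's copy of the shared pad. Material is consumed left to
// right and a byte is never used twice; when it runs out, sending stops.
type Pad struct {
	material []byte
	used     int
}

// NewPad draws pad material from the OS CSPRNG so the example runs offline.
// A real pad comes from a hardware entropy source and is delivered in person;
// generating it on the computer you distrust defeats the purpose.
func NewPad(size int) (*Pad, error) {
	m := make([]byte, size)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return &Pad{material: m}, nil
}

// Material returns the raw pad; the peer holds an identical copy received out of band.
func (p *Pad) Material() []byte { return p.material }

// Remaining is how many more plaintext bytes this pad can still protect.
func (p *Pad) Remaining() int { return len(p.material) - p.used }

// XOR combines two equal-length byte slices; it is both the encrypt and the
// decrypt operation of a one-time pad.
func XOR(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Encrypt XORs msg with the next len(msg) unused pad bytes and returns the
// ciphertext plus the offset the peer needs to decrypt. It refuses, rather
// than wrapping around, once the pad is exhausted.
func (p *Pad) Encrypt(msg []byte) (ct []byte, offset int, err error) {
	if len(msg) > p.Remaining() {
		return nil, 0, errors.New("pad exhausted: refusing to reuse key material")
	}
	offset = p.used
	ct = XOR(msg, p.material[offset:offset+len(msg)])
	p.used += len(msg)
	return ct, offset, nil
}

// Decrypt is the peer's side: the same XOR against the same pad bytes. Nothing
// here detects modification: a flipped ciphertext bit comes out as a flipped
// plaintext bit, so a pad alone stops neither tampering nor impersonation; an
// authenticator (e.g. a separate one-time MAC) has to be added for that.
func Decrypt(pad []byte, offset int, ct []byte) ([]byte, error) {
	if offset < 0 || offset+len(ct) > len(pad) {
		return nil, errors.New("ciphertext does not fit within the pad")
	}
	return XOR(ct, pad[offset:offset+len(ct)]), nil
}

// ReuseLeak is what an observer computes when two ciphertexts were made with
// the same pad bytes: c1 XOR c2 = m1 XOR m2, with the pad cancelled out. This
// is the failure mode the "one-time" in the name is about.
func ReuseLeak(c1, c2 []byte) []byte { return XOR(c1, c2) }
```

The offset travels with each message in the clear; it reveals how much pad has been consumed, not any pad byte, and lets the peer detect a message that claims already-used material.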

Get on an airplane and go visit your father. Once you're in a location where it is just the two of you, whisper your secrets into your father's ear. If you insist on the "through a server" part, then write your message on a piece of paper, put it in the server's case, and then have daddy Edwin pull it right back out.

Neither you nor I know what the NSA is capable of. They may compromise not only your software downloads, but everybody's. They may have hardware bugs in your motherboard BIOS, keyboard, router, hard drive, and cell phone. They may have exploits for the items that they have not bugged. They may have cameras, microphones, and other detectors in your house, in your car, and on your person (smart phone).

Oh, and they have near-unlimited budget and access to your past records. They have psychologists and behavioural scientists to profile you. They have influence over mass media and entertainment which influences public opinion and values.

The only winning move is not to play.

dotancohen
  • How can this be an answer when all you provide is a bunch of paranoid assumptions with no basis of proof? – Pavin Joseph Apr 06 '15 at 10:48
  • @Joseph: The tactical abilities of the NSA are extremely well documented. You might want to google for the name "Edward Snowden", note that the OP specifically mentions him. – dotancohen Apr 06 '15 at 11:27
  • I don't see how the airplane helps here. – Paŭlo Ebermann Apr 06 '15 at 11:40
  • @PaŭloEbermann: The airplane is the vehicle to bring Snowden Jr. to Snowden Sr. The implication is that no form of communication, other than direct, is secure. – dotancohen Apr 06 '15 at 11:42
  • Ah, I understood that you want to whisper on an airplane. – Paŭlo Ebermann Apr 06 '15 at 11:43
  • Hoping there aren't mics that can detect frequencies as low as whispering installed on *that* airplane. – Alper Turan Apr 06 '15 at 13:45
  • As @Steffen Ullrich said above: don't forget https://xkcd.com/538/. If the NSA wants to get your info, they have far easier methods to do it than break 4096-bit RSA encryption with quantum computers, install HW bugs into the BIOS, or even try to break well-tested OSI-certified software. – Pavin Joseph Apr 06 '15 at 13:57
  • @Joseph Yeah, that's hard to defend against, but certainly not impossible. The key is to make it impossible for them to know you *are* communicating. [Rubber hose cryptanalysis](http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis) is usually executed after it's detected that two people are communicating with each other. In case your hiding fails, you'd need to have iron nerves to endure the torture and wait till they give up. They're not going to kill the son of a whistleblower residing outside the US and still a possible *troublemaker*. – Alper Turan Apr 06 '15 at 14:11
  • And anyway, if they employ torture against you to steal your secret (whichever it is), most of the time it means you are of value to them and they'd lose the secret with your life if they kill you. That's if they haven't managed to build a mind reader, *and a good one*, because every bit of the key from your thought should be sent without distortion, which cerebral waves are prone to do. – Alper Turan Apr 06 '15 at 14:18

Let me put it this way. Your real problems are physical access and the US Mail. In this hypothetical situation, the NSA is monitoring you. While this can be avoided by sufficient use of cryptography to the extent where this is ineffective, you would have to first communicate with one-time pad encryption or a key for most solutions. There is nothing stopping the NSA from just searching your mail. They could intercept a router and install a wiretap, or install software on a laptop you get. The best way to make the NSA ignore you is by being so boring that there is no point in looking at you. In 2038, the NSA will in all likelihood have enough compute power to crack anything most of us are using today. Use, say, 4096-bit RSA for the keys and 256-bit Serpent to encrypt them; if any algorithm has a statistical attack devised by the NSA against it, it will be AES. Secondly, be boring.

Example: message, key encrypted by 4096-bit RSA, three-layer 256-bit Serpent (preventing man-in-the-middle attack):

  • Encrypt "Hi, Dad. I've got a new girlfriend. Auntie Ruth just divorced Uncle Jake, and Granny Snowden is doing better with her chemo. I hope you can come back to the US soon, my GF wants to meet you. -(Hypothetical son of Edward Snowden)"
  • Travels through unsecured core servers
  • Picked up by NSA
  • Received by Edward Snowden

The NSA will, after decrypting months of messages like that, and using vast amounts of computer power, in all likelihood just ignore you and do something else.

Never underestimate the power of psychology in security. The NSA only will bother at looking at things that seem suspicious.

  • One of the problems with NSA is that it is not looking at everything in real time. They are archiving material to build a case for you if they ever need it. As Stalin famously said "show me a man, I'll show you the transgression". – dotancohen Apr 06 '15 at 16:16

A lot of answers but none very feasible for your average joe, a.k.a Snowden Jr. This answer is written from a present-day scenario. A lot of things can happen or change in a few years, so contemplating on a situation more than 2 decades later is not very worthwhile especially with regard to Information Technology.

Proposed solution

Build/use a computer that has no wireless communication systems, meaning no H/W capable of transmitting or receiving data wirelessly. No Bluetooth, Wi-Fi or other wireless communication capability. Also disable any Ethernet or internet connection capability as well. Never connect this computer to the internet even while installing an OS. The newly installed OS should of course be Open Source and extensively tested just to be sure. Encrypt the entire hard drive using Open Source software like VeraCrypt utilizing Deniable Encryption. Inside your "hidden" OS partition, create your PGP keys. Encrypt the Private Key using the AES-256 symmetric encryption standard. Use a randomly bought new flash drive and mount it onto a secondary device/PC similarly set up and securely erase, re-partition and format it. Always do this step before connecting it to our primary PC where we actually have our PGP keys.

Once we have typed and encrypted our message on the primary PC, connect the "freshly formatted" flash drive and copy our message onto it.

This encrypted message can now be sent via any secure PC (as secure as a normal, internet connected PC could be), connected to the internet using any secure mail service like ProtonMail.

Pavin Joseph
  • How do you expect to acquire the open source OS or VeraCrypt? Can you be sure that the download is not tampered with? Can you be sure that there is no backdoor? Can you be sure that there are no zero-day exploits that the NSA is holding? Can you be sure that the software itself is not a honeypot? – dotancohen Apr 06 '15 at 16:13
  • You can compile VeraCrypt from the source code itself. If you feel up to it, read / modify the code yourself. Same goes for any Open Source *UNIX OS. This way you can be sure no one tampered with the downloads even though both VeraCrypt and most LINUX distributions provide checksums to prove otherwise – Pavin Joseph Apr 06 '15 at 18:39
  • What about your compiler? Also, do you really expect to find an intentional, unknown backdoor [hidden in the source that was designed not to be found](http://underhanded.xcott.com/)? – dotancohen Apr 06 '15 at 18:41
  • Use an open source compiler. But then again, with well maintained, distributed projects with proper auditing, you just have to download it and verify your copy's checksum against the original. Another thing I'd like to point out is that NSA themselves recommend using AES-256 standard and RSA-4096 for TOP-SECRET level documents. They also heavily rely on Open-Source standards – Pavin Joseph Apr 06 '15 at 18:52
  • [Ken Thompson](http://en.wikipedia.org/wiki/Ken_Thompson) does not think [that is enough](http://c2.com/cgi/wiki?TheKenThompsonHack). – dotancohen Apr 06 '15 at 18:54
  • @dotancohen Is there something you can suggest then? – Alper Turan Apr 06 '15 at 19:59
  • 1
    @gizko: Meet the guy face-to-face. I think that even Bruce Schneier declared that there is no safe way to transmit data without a preexisting OTP. – dotancohen Apr 06 '15 at 20:05
  • @dotancohen Yeah, that seems the only way. Other than faking your own and the receiver's identity. – Alper Turan Apr 06 '15 at 20:07
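The comments above turn on one concrete step: checking a downloaded OS image or VeraCrypt source tarball against the checksum list the project publishes. The script below is an added example, not code from the answer or from the VeraCrypt project. It assumes the checksum list is in the plain `sha256sum` format (`<hex digest>  <filename>`, one per line) that most distributions publish; the list and the "downloaded" files are constructed inline so it runs offline. One caveat worth stating: a checksum fetched from the same server as the download only catches transfer corruption. Against someone who controls that server you need the checksum, or better a signature, from an independent channel, which is exactly the gap the comments are arguing about.

```python
"""Verify downloaded files against a published SHA-256 checksum list.

Added example; the checksum list and file contents are constructed, not real
VeraCrypt or distribution artifacts.
"""
from __future__ import annotations

import hashlib
import hmac


def parse_sha256sum(text: str) -> dict[str, str]:
    """Parse `sha256sum`-style output into {filename: hex digest}."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_downloads(checksum_text: str, files: dict[str, bytes]) -> dict[str, str]:
    """Return a status per file: "ok", "mismatch", "unlisted" (downloaded but
    not in the list) or "missing" (listed but not downloaded)."""
    expected = parse_sha256sum(checksum_text)
    results: dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "unlisted"
            continue
        actual = sha256_hex(data)
        # Constant-time compare is not strictly needed for a local check, but
        # it is the habit to keep for any digest comparison.
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"
    for name in expected:
        results.setdefault(name, "missing")
    return results


# Constructed sample inputs standing in for a source tarball and an ISO.
GOOD_TARBALL = b"veracrypt-source-tarball-contents"
TAMPERED_TARBALL = GOOD_TARBALL + b"\x00backdoor"

CHECKSUM_LIST = f"""\
# constructed checksum list in sha256sum format
{sha256_hex(GOOD_TARBALL)}  veracrypt-src.tar.gz
{sha256_hex(b'linux-iso-contents')}  distro.iso
"""

if __name__ == "__main__":
    print(verify_downloads(CHECKSUM_LIST, {"veracrypt-src.tar.gz": GOOD_TARBALL}))
    print(verify_downloads(CHECKSUM_LIST, {"veracrypt-src.tar.gz": TAMPERED_TARBALL}))
```

Run it as-is to see the good tarball pass and the tampered one report `mismatch`; in practice the checksum list would be fetched (or read from a printout carried across the air gap) and `files` would be read from the freshly formatted flash drive before anything is installed on the offline machine.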
-1

As soon as I read the title I was thinking One Time Pad, and I'm glad Cort Ammon posted it :) However, it wasn't to my satisfaction, and my post might be a bit long, so I didn't want to add it in the comments for his in case it got buried.

I also saw that the relevant xkcd comic was posted too :) Randall Munroe sure got some great mileage out of that particular one :)

So what I have for you is a multi-tiered approach based on the setup of the problem that you described.

I think your best bet for communication would be a moon bounce, also known as EME, because the NSA could always unplug you from the internet.

http://en.wikipedia.org/wiki/Earth%E2%80%93Moon%E2%80%93Earth_communication

Now back to the One Time Pad. To make it clear, the reason you want the OTP over another encryption algorithm is because the OTP is a symmetric type of encryption, whereas the standard ones used on the net today (RSA, PGP, etc.) are asymmetric, which means that at their core they utilize a type of math problem that is computationally expensive to do in the backward direction and easy to do in the forward direction (obviously you set it up in your favor).

In my approach for this, you said that it would hypothetically take place in the year 2038, that you don't have very much money, and that you are Edward Snowden's son and want to communicate with your pops. The problem with the OTP, as rightfully pointed out by cpast on Cort Ammon's post, is in the sending of the pad, because you end up having to use an asymmetric encryption to transfer your data, making the OTP void (theoretically). But the twist I have is that both you and Edward Snowden already have the OTP!

The scheme is that you would have your DNA sequenced (should be cheaper by 2038), and about half of that should match Edward Snowden's DNA, which he would also have to get sequenced. Now, picking any random two humans, you should see that 99.5% of their DNA is the same. So of that 0.5% difference you would only have half, so 0.25% from Edward Snowden, and each human has approximately 3.3 billion base pairs, which means 8,250,000 base pairs worth of data that you can use for your One Time Pad.

The problem is that unless Edward Snowden also has access to your mom's DNA, the transmission will be very inefficient, because you will have to keep sending the message redundantly, eating up the 2^22 (4194304) to 2^23 (8388608) bits of data that you have. I don't really know the math on the probability of getting a message understood on the other side when only half of your OTP matches, but maybe you can ask that on the math side of the forum. My guess is that it should be enough to send a few messages, and it could be increased if on Edward Snowden's side he was able to get some algorithms and heavy computers to sift through it to make a readable message.

You should note that sending the same message redundantly isn't a weakness that allows for decrypting the message; however, repeated usage of the same OTP information for multiple messages is a weakness and will allow someone to decrypt your messages.

Now you might wonder how Edward Snowden would know to get his DNA sequenced and get a moon bounce setup and all the other stuff. There are two answers to this. Either you both are Superrational (check Wikipedia for Superrationality), or Edward Snowden will be like most people with internet trying to figure out the solution to a problem and then Google to see if he can find a way to reach his kid in 2038, ultimately reading this post and realizing that he should do all that DNA and radio stuff :)

Unfortunately for the both of you, by posting this the NSA will also be aware and will try to steal DNA samples from you to foil your plans at communication, so you might have to wear a really funny suit and mask all the time to prevent leaving DNA anywhere.

Also of note is that Edward Snowden, in the course of your communication, won't be able to tell if you have been compromised by the NSA, so you won't be able to send "mission critical" information, only casual conversation.

The last way that this might be possible is with some type of yet-to-be-invented, completely wireless and more readily available Quantum Communication Scheme. You can read about the basics of a wired Quantum Communication Scheme here:

http://physicsworld.com/cws/article/news/2014/nov/13/secure-quantum-communications-go-the-distance

You could also become the President and then disband the NSA so you don't have to worry about being spied on, but by that point the paparazzi and agents of foreign governments might be spying on you.

I hope this was helpful :)

Neil
  • I would not count on the NSA not also having a copy of my DNA, even more if I'm Edward Snowden or his son. – Paŭlo Ebermann Apr 06 '15 at 11:43
  • Good concept, but I agree with @PaŭloEbermann that it's trivial for the NSA to get a copy of your DNA. In the real world you wouldn't go around with gloves and face cover. That just attracts too much attention, and it's difficult to socialize with other people, *which is absolutely needed in this sensible situation*. – Alper Turan Apr 06 '15 at 13:44
  • Well, since it's 2038 it could be the new fashion :) – Neil Apr 06 '15 at 22:11
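The answer above rests on one rule: pad bytes are used once, and the same message may be resent but pad bytes may never be reused for a different message. The script below is an added example, not code from the answer; the pad comes from `os.urandom` rather than DNA, and the two messages are constructed sample text. It shows the correct bookkeeping (sender and receiver consume the pad in lockstep and refuse to wrap around), and then the classic two-time pad break: XORing two ciphertexts made with the same pad bytes cancels the pad, leaving `m1 XOR m2`, after which "crib dragging" a guessed fragment of one message reveals the corresponding bytes of the other.

```python
"""One-time pad over bytes, and why reusing pad bytes is fatal.

Added example; the pad is random bytes and the messages are constructed.
"""
from __future__ import annotations

import os


def otp(data: bytes, pad: bytes, offset: int = 0) -> bytes:
    """XOR `data` with pad[offset:offset+len(data)]. Encryption and decryption
    are the same operation. Refuses to run past the end of the pad."""
    if offset < 0 or offset + len(data) > len(pad):
        raise ValueError("pad exhausted: never wrap around or reuse pad bytes")
    return bytes(b ^ p for b, p in zip(data, pad[offset:offset + len(data)]))


class PadUser:
    """Tracks how much of a shared pad has been consumed so each message gets
    fresh pad bytes. Sender and receiver must advance in lockstep; the offset
    travels with the ciphertext so the receiver can resync."""

    def __init__(self, pad: bytes):
        self.pad = pad
        self.used = 0

    def seal(self, msg: bytes) -> tuple[int, bytes]:
        off = self.used
        ct = otp(msg, self.pad, off)
        self.used += len(msg)
        return off, ct

    def open(self, off: int, ct: bytes) -> bytes:
        pt = otp(ct, self.pad, off)
        self.used = max(self.used, off + len(ct))
        return pt


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crib_drag(ct1: bytes, ct2: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Two-time pad attack. ct1 XOR ct2 == m1 XOR m2 because the shared pad
    cancels. Slide a guessed plaintext fragment (the crib) along that XOR;
    wherever the guess is right for one message, the other message's bytes at
    that position fall out. Returns (position, fragment) for printable hits."""
    diff = xor_bytes(ct1, ct2)
    hits = []
    for pos in range(len(diff) - len(crib) + 1):
        frag = xor_bytes(diff[pos:pos + len(crib)], crib)
        if all(32 <= c < 127 for c in frag):
            hits.append((pos, frag))
    return hits


def demo() -> dict[str, object]:
    pad = os.urandom(64)  # constructed stand-in for the shared secret
    m1 = b"meet at the old pier at noon"
    m2 = b"bring the second drive along"

    # Correct use: each message consumes fresh pad bytes.
    alice, bob = PadUser(pad), PadUser(pad)
    off1, c1 = alice.seal(m1)
    off2, c2 = alice.seal(m2)
    roundtrip_ok = bob.open(off1, c1) == m1 and bob.open(off2, c2) == m2

    # Resending the same message with the same pad bytes yields the same
    # ciphertext: an observer learns that it is a repeat, not its content.
    repeat_identical = otp(m1, pad, 0) == otp(m1, pad, 0)

    # Misuse: two different messages under the same pad bytes.
    bad1, bad2 = otp(m1, pad, 0), otp(m2, pad, 0)
    hits = crib_drag(bad1, bad2, b"the old pier")
    pos = m1.index(b"the old pier")
    leaked = dict(hits).get(pos, b"")
    return {"roundtrip_ok": roundtrip_ok, "repeat_identical": repeat_identical,
            "leaked_from_m2": leaked, "leak_correct": leaked == m2[pos:pos + 12]}


if __name__ == "__main__":
    print(demo())
```

The crib "the old pier" is a guess about `m1`; at the right offset it returns `e second dri`, a readable slice of `m2`, which an attacker would then extend word by word. Nothing about the key is recovered, which is why resending identical messages is not the problem: the leak exists only when two *different* plaintexts share pad bytes.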