Episode: 1390
Title: HPR1390: 02 - Encryption Basics
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1390/hpr1390.mp3
Transcribed: 2025-10-18 00:41:55
---
This is Ahuka, welcoming you to Hacker Public Radio and another in our ongoing series on security and privacy. And what I want to do today is I want to talk about some of the basics of encryption. You know, it's important that we get a handle on some of this. And I think it's nice to understand how we got to where we are with all of this. In my last program, I said that if you do it properly, you can in fact communicate securely and privately and not have it cracked by anyone. But let's start developing some of these ideas.

Now we know that the issue of securely sending information without having it read by others has been with us for a long time. One of the earliest examples of this that we know about is Herodotus, who in the fifth century BC was writing about a war between Persia and the Greeks. And in his writings, he mentions a couple of things. One of them was writing a message on a writing tablet and then adding a wax layer on top to hide it. Now writing tablets normally had a wax layer, so that was perfectly reasonable and the message got through. Another one was shaving the head of a messenger, writing something there, waiting until the hair grew back and then sending the messenger on his way. And then when he got where he was going, he'd shave his head again and there would be the message. One hopes they used indelible ink.

Now these are examples really of what properly should be called steganography, which comes from the Greek steganos, which means covered, and graphe, which means writing. So steganography is hiding a message in such a way that the observer does not know there is a message at all.
Later examples: microdots, where you could copy something onto a piece of film so small you could put it into the period of a sentence. In the digital age, we do steganography with things like JPEG images, where you can take the code for the JPEG image and embed a message inside of it that people wouldn't know about. The problem is that once the observer knows about it, it's very easy to defeat the secrecy and grab the message. In World War II, intelligence agencies learned all about microdots and how to find them. Now if you hold a page at a certain angle, the film would cause the light to glint off of it in a way that a normal printing wouldn't. And once you know where to look, there's no secrecy at all.

What you want is a way to stop someone from reading your message, even if they physically have it in their possession. And that is what we mean by encryption, from the Greek kryptos, which means hidden. It even uses a cipher to turn your message from the one that is read by anyone to a message that should ideally be unreadable to anyone who doesn't know how to decrypt the message.

This is also very old. We have an early example that Julius Caesar wrote about in his Gallic Wars, and on that account it's referred to as a Caesar cipher. So this cipher moved each letter of the alphabet a fixed number of spaces. So if you moved everything one letter, for instance, HAL becomes IBM. A lot of people commented on that after the movie 2001 came out. If you've ever seen ROT13, that's a very common Caesar cipher. In that case, ROT is for rotation, so you're rotating everything 13 spaces. So a letter A becomes a letter N, a letter B becomes a letter O, and so on. Now of course this kind of cipher is very easy to decrypt, because you really only need to test a handful of variations once you know what the method is.
To make a more secure system of encryption, people next moved to a more random and less systematic method, creating what we call substitution ciphers. Here there is no pattern for how the letters are substituted for each other. Now in the United States I often see these in newspapers as brain teasers or puzzles. They're generally not that hard. In fact, the Arab scholar Al-Kindi showed the way in the 9th century by demonstrating that language is in fact subject to statistical analysis. In English, for example, the most common letter is E. The second most common letter is T, and so on. The top of this list for English would be E, T, A, O, I, N, S, H, R, D, L, U. So if you had a text that was encrypted using a substitution cipher, your basic technique is to start saying, well, what's the most common letter in the text? You know, assume it's an E and see where you go. If it's not an E, try a T, blah, blah, blah, and so it's usually not that hard. As I say, they print these in newspapers and they expect people to figure it out.

So the next step was taken by an Italian named Bellaso and then later rediscovered by a Frenchman, Vigenère. Vigenère now gets all the credit, so it's called the Vigenère square. Sic transit gloria mundi, poor Bellaso. Now this uses a key word or phrase to essentially change the substitution cipher for each letter, which initially was very hard to break. So you would write your phrase, you know, so let's say your phrase was Monty Python, and you'd write that across the top of the square, and that's probably not 26 letters. So you'd just repeat it until you'd filled out all 26 letters, and same thing down the side, and then you take each letter and look at its position there and then go down to the right row and pick that out. So it's more complicated. But Charles Babbage, and yes, that's the same Charles Babbage of creating the difference engine, showed that even this could be defeated by statistical analysis.
And you know, when you dig into the history of this, statistical analysis is a very good way of defeating a lot of these things. But a fellow named Joseph Mauborgne showed that you could make a completely secure cipher using something called a one-time pad. Now, in a one-time pad, every sheet has a completely random key used to create a Vigenère square. You make two copies, one for encoding and a duplicate for decoding. Done properly, there is no known way to defeat this type of encryption. But there are problems. First, you have to create all of these pads and ship them to all of the people who need to communicate with you. Second, if even one of these pads is ever intercepted in any way, you no longer have any security. Third, it is very laborious, particularly if you need to send a lot of messages. For these reasons, no nation has ever adopted one-time pads for the bulk of its security needs.

Now the next step involves mechanical systems of encryption. Now the very first ones were just a simple pair of disks with different diameters. You could rotate one disk to line up the letter A with a different letter on the second disk and then begin encrypting. Another example known to old-timers in the US is something called the Captain Midnight Secret Decoder Ring. But if you think about it, this is really just a simple Caesar cipher, although doing it with this mechanical help is certainly more efficient than doing it with pencil and paper.

But just after World War II, a German inventor named Arthur Scherbius took this basic idea and solved a lot of the problems to create the Enigma machine. This, instead of just one disk, had six different disks and something that would rotate the settings after each letter was encrypted. So it got really very, very complicated, and in fact it was so complicated that the Germans were convinced that it was completely secure and completely unbreakable. Turns out they were wrong.
In fact it was Polish cryptanalysts who figured out how to crack the encryption. And they did this because they had the best of all possible motivations. In the 1930s they were looking across the border and saying, all right, these guys are going to invade us. We need to get ready. There's something about necessity being the mother of invention. So the Polish cryptanalysts did in fact crack the Enigma code and they did pass their results on to Britain and France. And Britain, once World War II had started, created a fairly mammoth operation at Bletchley Park that decrypted these messages all the way through the war.

Now there was, you could certainly say there was some sloppiness in the German implementation. But even if they had gotten rid of the sloppiness, the messages still could have been decrypted, though with somewhat more difficulty. Because essentially a mechanical system like the Enigma machine has a built-in flaw. No mechanical system can be truly random. And if it isn't random, there will be a crack in the wall that a skillful cryptanalyst can exploit. The Poles and then the British realized that the key lay in mathematics. And so recruited a large number of mathematicians to work on the cryptanalysis of these messages.

Now the Enigma machine was the source of the main cipher used by the Nazis. But there was an even more secure encryption called the Lorenz cipher. And that was the one that was used by Hitler to communicate with his top generals. And that was even hairier. In order to decrypt those kinds of messages, the British created what was essentially the first modern computer. They beat ENIAC by several years. If you take a look at a lot of your histories of computing, they'll say that ENIAC was the first computer. No, it was Colossus. One of the things we discover here is that the British government had some very, very talented people who were never allowed to publicize what they did.
And so a lot of the breakthroughs in both encrypting and decrypting were first invented by the British, but they don't get any credit for it. That's one of those interesting things.

So with Colossus, you had the beginning of computerized decryption. And then it was only a short step to computerized encryption. And several people started looking at that. And this is when the NSA and the United States started trying to actively stop the research. A number of researchers just found themselves stymied at every opportunity. They couldn't get the funding, they started having legal problems, what have you. Right after the aftermath of World War II, the US was the dominant country in both computers and cryptanalysis. Now this is, again, it's an important point. If the NSA could simply throw computing power at any encryption and break it, they would never have behaved the way they did and still do to this day. It is the very fact that they cannot do so that leads them to weaken the standards and oppose the research.

By the 1950s, 1960s, rather, it was clear that computers could create encryption schemes that could not be broken so long as the users did not make a mistake. But the big problem was distributing the keys. That's the same problem, if you recall, that we had with the one-time pads, which is also a totally secure method, except for that one flaw. The key used to create the cipher is essential. And if I want to send you an encoded and enciphered message, I want to correct that coding. Codes and ciphers are two entirely different things. A code is not an attempt to hide anything; a cipher is. Think about Morse code. You're not trying to hide the message, you're just using an encoding scheme. So if I want to send you an enciphered and encrypted message, you have to know what the key is before you can decrypt it. Well, if I send you the key through the mail or email or text message or whatever, anyone can intercept that.
So the key is essential, and getting it to the people who need it without anyone else getting it is a big problem. Now as it happens, Whitfield Diffie and Martin Hellman, working with a fellow named Ralph Merkle, created what a lot of people call Diffie-Hellman (Hellman himself has said it should be called Diffie-Hellman-Merkle, because there were three of them working on it), a key exchange algorithm that showed it was possible to securely exchange keys even through a public medium. And Diffie later had the insight that the key could be asymmetric, meaning that the key used to encrypt the message could be different from the key used to decrypt the message. Now this would enable Alice to encrypt the message and send it to Bob using Bob's public encrypting key, and Bob could then decrypt it using his private decrypting key, which only he knows.

As a little sideline here: if you start taking a look at anything involving crypto and secure messages, it's always Alice and Bob. And occasionally someone named Eve who was trying to get in there and intercept the message and do dastardly things.

So Whitfield Diffie had the idea that this was theoretically possible. But he couldn't quite figure out how to do it, and it was actually a team at MIT that found a mathematical function to do this. This team was Ronald Rivest, Adi Shamir, and Leonard Adleman. And by their initials, this became known as RSA encryption, and it is still basically the standard in use today. The way it works, without going into extremely deep mathematics, is by using a one-way function, which is a mathematical function that can operate on a number, but when you get the result, there is no way to go back and see what the initial number is. So using a public key with a one-way function, Alice can post this key on a public site, print it in the newspaper, put it on handbills and tack it up all over town, or whatever the heck she wants to do, and anyone can use it to encrypt a message to Alice.
But the key will never decrypt the message; only her private key can decrypt. So these two keys are generated together as a key pair, and basically it's based on taking two very large prime numbers, a dash of randomness and some interesting mathematics. If you really want to dig into the mathematics of this, I've put a link in the show notes to the Wikipedia page for RSA algorithm, and that'll give you a starting point, and go dive down the rabbit hole. I don't plan to do that. Maybe Charles will. He's better at math than I am, I suspect.

So the key to modern encryption is that it is an example of applied mathematics. Every message you write can be encoded using ASCII. Again, see the distinction between a code and a cipher? ASCII is a code, so every message can be encoded using ASCII or some other encoding scheme into a series of binary digits, zeros and ones. So that means that any message is equivalent to a number, and any number can be operated on using mathematics. And using mathematics we can determine just how secure it is, and that is why we can have confidence that encryption can be made secure even from government decryption. They may threaten you with jail if you don't reveal the key in civilized countries, or threaten you and your family with torture in a totalitarian dictatorship. But they cannot break the encryption if you don't help them at some point.

Again, the bottom line that everyone needs to understand is that if you use this properly, it cannot be decrypted using brute force in any reasonable time. Now when I say brute force, I mean just trying one thing after another. You can do that with computers, but even computers take a finite amount of time to do this stuff. So you can mathematically show that an encryption scheme using a key strong enough, you could set it up that every computer known in the entire world working together would take a billion years working day and night to crack the cipher.
I'm going to suggest that's secure enough for our purposes. You know, frankly, if I can just keep the government from looking at my stuff for a hundred years, I mean, by that point I'll be dead and I won't care. And the NSA knows this; that's why they've tried very hard to stop this technology getting out. One of the first people to take RSA encryption and put it in a form that people could practically use it was a guy named Phil Zimmermann, author of PGP, and they indicted him for exporting munitions because his code actually escaped from the U.S. As it turns out, he was never successfully prosecuted. And to this day, the NSA rarely tries to brute force any encrypted data because it's hopeless. What they try to do is get the keys, often by legal compulsion, or find a way to weaken the keys as they did with the elliptical curve cipher.

So we now have an understanding of the basics and now we can move on in future episodes. We'll start applying some of what we know and maybe talk about some other security topics. But for now, this is Ahuka reminding everyone, please do not forget to support free software. Bye.

You have been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever consider recording a podcast, then visit our website to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club. HPR is funded by the Binary Revolution at binrev.com. All binrev projects are proudly sponsored by Lunarpages. From shared hosting to custom private clouds, go to Lunarpages.com for all your hosting needs. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.