Secure communication

Last updated April 13, 2024

Secure communication is when two entities are communicating and do not want a third party to listen in. For this to be the case, the entities need to communicate in a way that is unsusceptible to eavesdropping or interception.^[1]^[2] Secure communication includes means by which people can share information with varying degrees of certainty that third parties cannot intercept what is said. Other than spoken face-to-face communication with no possible eavesdropper, it is probable that no communication is guaranteed to be secure in this sense, although practical obstacles such as legislation, resources, technical issues (interception and encryption), and the sheer volume of communication serve to limit surveillance.

With many communications taking place over long distance and mediated by technology, and increasing awareness of the importance of interception issues, technology and its compromise are at the heart of this debate. For this reason, this article focuses on communications mediated or intercepted by technology.

Also see Trusted Computing , an approach under present development that achieves security in general at the potential cost of compelling obligatory trust in corporate and government bodies.

History

In 1898, Nikola Tesla demonstrated a radio controlled boat in Madison Square Garden that allowed secure communication between transmitter and receiver.^[3]

One of the most famous systems of secure communication was the Green Hornet. During WWII, Winston Churchill had to discuss vital matters with Franklin D. Roosevelt. In the beginning, the calls were made using a voice scrambler, as this was thought to be secure. When this was found to be untrue, engineers started to work on a whole new system, which resulted in the Green Hornet or SIGSALY. With the Green Hornet, any unauthorized party listening in would just hear white noise, but the conversation would remain clear to authorized parties. As secrecy was paramount, the location of the Green Hornet was only known by the people who built it and Winston Churchill. To maintain secrecy, the Green Hornet was kept in a closet labeled 'Broom Cupboard.'' The Green Hornet used a one-time pad. SIGSALY was also never broken.^[4]

Nature and limits of security

Types of security

Security can be broadly categorized under the following headings, with examples:

Hiding the content or nature of a communication
- Code – a rule to convert a piece of information (for example, a letter, word, phrase, or gesture) into another form or representation (one sign into another sign), not necessarily of the same type. In communications and information processing, encoding is the process by which information from a source is converted into symbols to be communicated. Decoding is the reverse process, converting these code symbols back into information understandable by a receiver. One reason for coding is to enable communication in places where ordinary spoken or written language is difficult or impossible. For example, semaphore, where the configuration of flags held by a signaler or the arms of a semaphore tower encodes parts of the message, typically individual letters and numbers. Another person standing a great distance away can interpret the flags and reproduce the words sent.
- Obfuscation
- Encryption
- Steganography
- Identity Based
Hiding the parties to a communication – preventing identification, promoting anonymity
- "Crowds" and similar anonymous group structures – it is difficult to identify who said what when it comes from a "crowd"
- Anonymous communication devices – unregistered cellphones, Internet cafes
- Anonymous proxies
- Hard-to-trace routing methods – through unauthorized third-party systems, or relays
Hiding the fact that a communication takes place
- "Security by obscurity" – similar to needle in a haystack
- Random traffic – creating random data flow to make the presence of genuine communication harder to detect and traffic analysis less reliable

Each of the three types of security is important, and depending on the circumstances, any of these may be critical. For example, if a communication is not readily identifiable, then it is unlikely to attract attention for identification of parties, and the mere fact a communication has taken place (regardless of content) is often enough by itself to establish an evidential link in legal prosecutions. It is also important with computers, to be sure where the security is applied, and what is covered.

Borderline cases

A further category, which touches upon secure communication, is software intended to take advantage of security openings at the end-points. This software category includes trojan horses, keyloggers and other spyware.

These types of activity are usually addressed with everyday mainstream security methods, such as antivirus software, firewalls, programs that identify or neutralize adware and spyware, and web filtering programs such as Proxomitron and Privoxy which check all web pages being read and identify and remove common nuisances contained. As a rule they fall under computer security rather than secure communications.

Tools used to obtain security

Encryption

Encryption is a method in which data is rendered hard to read by an unauthorized party. Since encryption methods are created to be extremely hard to break, many communication methods either use deliberately weaker encryption than possible, or have backdoors inserted to permit rapid decryption. In some cases government authorities have required backdoors be installed in secret. Many methods of encryption are also subject to "man in the middle" attack whereby a third party who can 'see' the establishment of the secure communication is made privy to the encryption method, this would apply for example to the interception of computer use at an ISP. Provided it is correctly programmed, sufficiently powerful, and the keys not intercepted, encryption would usually be considered secure. The article on key size examines the key requirements for certain degrees of encryption security.

Encryption can be implemented in a way that requires the use of encryption, i.e. if encrypted communication is impossible then no traffic is sent, or opportunistically. Opportunistic encryption is a lower security method to generally increase the percentage of generic traffic which is encrypted. This is analogous to beginning every conversation with "Do you speak Navajo?" If the response is affirmative, then the conversation proceeds in Navajo, otherwise it uses the common language of the two speakers. This method does not generally provide authentication or anonymity but it does protect the content of the conversation from eavesdropping.

An Information-theoretic security technique known as physical layer encryption ensures that a wireless communication link is provably secure with communications and coding techniques.

Steganography

Steganography ("hidden writing") is the means by which data can be hidden within other more innocuous data. Thus a watermark proving ownership embedded in the data of a picture, in such a way it is hard to find or remove unless you know how to find it. Or, for communication, the hiding of important data (such as a telephone number) in apparently innocuous data (an MP3 music file). An advantage of steganography is plausible deniability, that is, unless one can prove the data is there (which is usually not easy), it is deniable that the file contains any.

Identity-based networks

Unwanted or malicious activities are possible on the web since the internet is effectively anonymous. True identity-based networks replace the ability to remain anonymous and are inherently more trustworthy since the identity of the sender and recipient are known. (The telephone system is an example of an identity-based network.)

Anonymized networks

Recently, anonymous networking has been used to secure communications. In principle, a large number of users running the same system, can have communications routed between them in such a way that it is very difficult to detect what the complete message is, which user sent it, and where it is ultimately coming from or going to. Examples are Crowds, Tor, I2P, Mixminion, various anonymous P2P networks, and others.

Anonymous communication devices

Typically, an unknown device would not be noticed, since so many other devices are in use. This is not assured in reality, due to the presence of systems such as Carnivore and unzak, which can monitor communications over entire networks, and the fact that the far end may be monitored as before. Examples include payphones, Internet cafe, etc.

Methods used to "break" security

Bugging

The placing covertly of monitoring and/or transmission devices either within the communication device, or in the premises concerned.

Computers (general)

Any security obtained from a computer is limited by the many ways it can be compromised – by hacking, keystroke logging, backdoors, or even in extreme cases by monitoring the tiny electrical signals given off by keyboard or monitors to reconstruct what is typed or seen (TEMPEST, which is complex).

Laser audio surveillance

Sounds, including speech, inside rooms can be sensed by bouncing a laser beam off a window of the room where a conversation is held, and detecting and decoding the vibrations in the glass caused by the sound waves.^[5]

Systems offering partial security

Cellphones

Cellphones can easily be obtained, but are also easily traced and "tapped". There is no (or only limited) encryption, the phones are traceable – often even when switched off^{[ citation needed ]} – since the phone and SIM card broadcast their International Mobile Subscriber Identity (IMSI). It is possible for a cellphone company to turn on some cellphones when the user is unaware and use the microphone to listen in on you, and according to James Atkinson, a counter-surveillance specialist cited in the same source, "Security-conscious corporate executives routinely remove the batteries from their cell phones" since many phones' software can be used "as-is", or modified, to enable transmission without user awareness and the user can be located within a small distance using signal triangulation and now using built in GPS features for newer models. Transceivers may also be defeated by jamming or Faraday cage.

Some cellphones (Apple's iPhone, Google's Android) track and store users' position information, so that movements for months or years can be determined by examining the phone.^[6]

The U.S. Government also has access to cellphone surveillance technologies, mostly applied for law enforcement.^[7]

Landlines

Analogue landlines are not encrypted, it lends itself to being easily tapped. Such tapping requires physical access to the line which can be easily obtained from a number of places, e.g. the phone location, distribution points, cabinets and the exchange itself. Tapping a landline in this way can enable an attacker to make calls which appear to originate from the tapped line.

Anonymous Internet

Using a third party system of any kind (payphone, Internet cafe) is often secure, however if that system is used to access known locations (a known email account or 3rd party) then it may be tapped at the far end, or noted, and this will remove any security benefit obtained. Some countries also impose mandatory registration of Internet cafe users.

Anonymous proxies are another common type of protection, which allow one to access the net via a third party (often in a different country) and make tracing difficult. Note that there is seldom any guarantee that the plaintext is not tappable, nor that the proxy does not keep its own records of users or entire dialogs. As a result, anonymous proxies are a generally useful tool but may not be as secure as other systems whose security can be better assured. Their most common use is to prevent a record of the originating IP, or address, being left on the target site's own records. Typical anonymous proxies are found at both regular websites such as Anonymizer.com and spynot.com, and on proxy sites which maintain up to date lists of large numbers of temporary proxies in operation.

A recent development on this theme arises when wireless Internet connections ("Wi-Fi") are left in their unsecured state. The effect of this is that any person in range of the base unit can piggyback the connection – that is, use it without the owner being aware. Since many connections are left open in this manner, situations where piggybacking might arise (willful or unaware) have successfully led to a defense in some cases, since it makes it difficult to prove the owner of the connection was the downloader, or had knowledge of the use to which unknown others might be putting their connection. An example of this was the Tammie Marson case, where neighbours and anyone else might have been the culprit in the sharing of copyright files.^[8] Conversely, in other cases, people deliberately seek out businesses and households with unsecured connections, for illicit and anonymous Internet usage, or simply to obtain free bandwidth.^[9]

Programs offering more security

Secure instant messaging – Some instant messaging clients use end-to-end encryption with forward secrecy to secure all instant messages to other users of the same software. Some instant messaging clients also offer end-to-end encrypted file transfer support and group messaging.
VoIP – Some VoIP clients implement ZRTP and SRTP encryption for calls.
Secure email – some email networks are designed to provide encrypted and/or anonymous communication. They authenticate and encrypt on the users own computer, to prevent transmission of plain text, and mask the sender and recipient. Mixminion and I2P-Bote provide a higher level of anonymity by using a network of anonymizing intermediaries, similar to how Tor works, but at a higher latency.
IRC and web chat – Some IRC clients and systems use client-to-server encryption such as SSL/TLS. This is not standardized.

Criminal use

Several secure communications networks, which were predominantly used by criminals, have been shut down by law enforcement agencies, including: EncroChat, Sky Global / Sky ECC, and Phantom Secure.

Related Research Articles

In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications. SIP is used in Internet telephony, in private IP telephone systems, as well as mobile phone calling over LTE (VoLTE).

Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. The word steganography comes from Greek steganographia, which combines the words steganós, meaning "covered or concealed", and -graphia meaning "writing".

<span class="mw-page-title-main">Instant messaging</span> Form of communication over the internet

Instant messaging (IM) technology is a type of online chat allowing immediate transmission of messages over the Internet or another computer network. Messages are typically transmitted between two or more parties, when each user inputs text and triggers a transmission to the recipient(s), who are all connected on a common network. It differs from email in that conversations over instant messaging happen in real-time. Most modern IM applications use push technology and also add other features such as emojis, file transfer, chatbots, voice over IP, or video chat capabilities.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.

In cryptography and computer security, a man-in-the-middle (MITM) attack, or in-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to the layers of an onion. The encrypted data is transmitted through a series of network nodes called "onion routers," each of which "peels" away a single layer, revealing the data's next destination. When the final layer is decrypted, the message arrives at its destination. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. While onion routing provides a high level of security and anonymity, there are methods to break the anonymity of this technique, such as timing analysis.

An anonymous P2P communication system is a peer-to-peer distributed application in which the nodes, which are used to share resources, or participants are anonymous or pseudonymous. Anonymity of participants is usually achieved by special routing overlay networks that hide the physical location of each node from other participants.

Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted. In general, the greater the number of messages observed, the greater information be inferred. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is also a concern in computer security.

Information leakage happens whenever a system that is designed to be closed to an eavesdropper reveals some information to unauthorized parties nonetheless. In other words: Information leakage occurs when secret information correlates with, or can be correlated with, observable information. For example, when designing an encrypted instant messaging network, a network engineer without the capacity to crack encryption codes could see when messages are transmitted, even if he could not read them.

End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

A session border controller (SBC) is a network element deployed to protect SIP based voice over Internet Protocol (VoIP) networks.

In computer networks, a reverse proxy is an application that sits in front of back-end servers and forwards client requests to those servers instead of having the client directly talking to the servers. Reverse proxies have a number of uses, and help increase scalability, performance, resilience, and security; resources returned to the client appear as if they originated from the web server itself. Using a reverse proxy also has a number of risks.

Email privacy is a broad topic dealing with issues of unauthorized access to, and inspection of, electronic mail, or unauthorized tracking when a user reads an email. This unauthorized access can happen while an email is in transit, as well as when it is stored on email servers or on a user's computer, or when the user reads the message. In countries with a constitutional guarantee of the secrecy of correspondence, whether email can be equated with letters—therefore having legal protection from all forms of eavesdropping—is disputed because of the very nature of email.

An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information of the user by hiding the client computer's identifying information such as IP addresses. Anonymous proxy is the opposite of transparent proxy, which sends user information in the connection request header.

Network eavesdropping, also known as eavesdropping attack, sniffing attack, or snooping attack, is a method that retrieves user information through the internet. This attack happens on electronic devices like computers and smartphones. This network attack typically happens under the usage of unsecured networks, such as public wifi connections or shared electronic devices. Eavesdropping attacks through the network is considered one of the most urgent threats in industries that rely on collecting and storing data. Internet users use eavesdropping via the Internet to improve information security.

Human rightsandencryption are often viewed as interlinked. Encryption can be a technology that helps implement basic human rights. In the digital age, the freedom of speech has become more controversial; however, from a human rights perspective, there is a growing awareness that encryption is essential for a free, open, and trustworthy Internet.

References

↑ D. P. Agrawal and Q-A. Zeng, Introduction to Wireless and Mobile Systems (2nd Edition, published by Thomson, April 2005) ISBN 978-0-534-49303-5
↑ J.K. and K. Ross, Computer Networking (2nd Ed, Addison Wesley, 2003) ISBN 978-0-321-17644-8
↑ The schematics are illustrated in U.S. patent 613,809 and describes "rotating coherers".
↑ Bauer, Craig (2017), The Early History of Voice Encryption, Boston Studies in the Philosophy and History of Science, vol. 324, Cham: Springer International Publishing, pp. 159–187, doi:10.1007/978-3-319-53280-6_7, ISBN 978-3-319-53278-3 , retrieved 2021-10-23
↑ "High-tech bugging techniques, and a costly fix". Popular Science. August 1987.
↑ Wall Street Journal: How concerned are you that the iPhone tracks and stores your location?
↑ Pell, Stephanie K., and Christopher Soghoian. 2014. "Your secret stingray's no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy." Harv. JL & Tech 28(1).
↑ Open Wi-Fi proves no defence in child porn case, The Register
↑ 'Extortionist' turns Wi-Fi thief to cover tracks, The Register

External links

Media related to Secure communication at Wikimedia Commons

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] D. P. Agrawal and Q-A. Zeng, Introduction to Wireless and Mobile Systems (2nd Edition, published by Thomson, April 2005) ISBN 978-0-534-49303-5

[2] J.K. and K. Ross, Computer Networking (2nd Ed, Addison Wesley, 2003) ISBN 978-0-321-17644-8

[3] The schematics are illustrated in U.S. patent 613,809 and describes "rotating coherers".

[4] Bauer, Craig (2017), The Early History of Voice Encryption, Boston Studies in the Philosophy and History of Science, vol. 324, Cham: Springer International Publishing, pp. 159–187, doi:10.1007/978-3-319-53280-6_7, ISBN 978-3-319-53278-3 , retrieved 2021-10-23

[5] "High-tech bugging techniques, and a costly fix". Popular Science. August 1987.

[6] Wall Street Journal: How concerned are you that the iPhone tracks and stores your location?

[7] Pell, Stephanie K., and Christopher Soghoian. 2014. "Your secret stingray's no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy." Harv. JL & Tech 28(1).

[8] Open Wi-Fi proves no defence in child porn case, The Register

[9] 'Extortionist' turns Wi-Fi thief to cover tracks, The Register

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]