Schneier on Security

Clive Robinson • December 7, 2023 8:39 AM

@ ALL,

As noted in the last paragraph of the Reuters article,

‘Earlier this year French developer David Libeau said users and developers were often unaware of how their apps emitted data to the U.S. tech giants via push notifications, calling them “a privacy nightmare.”‘

Yup not just a nightmare, but for many now a “lifelong” one…

To me, it’s been obvious all of this century so far hence my no personal email, social media, messaging apps and the like, and me saying continuously they are a bad idea.

At the very least for “push” to work some central point has to know exactly where your device is all the time.

In essence this is the case for all end to end mobile communications, that move from node to node in a communications net. You need a “Rendezvous Protocol” to permit leaf nodes such as mobiles to reach each other trying to make these protocols anonymous to “observers” is well neigh impossible.

Whilst similar applies to “pull” you as the holder of the mobile can chose the time and place you “connect” to a central service.

On analysis of “traffic” you will probably find that most of your data based communications do not need to be “Push” in the slightest. Further “Push” is bad for your mental health, especially if it disturbs your sleep and rest patterns that are essential for bodily physical health.

Major US Social Media Corps are well aware of these health issues, but they also know that “Push” becomes like an addictive drug, and you become hooked and drawn in thus exploitable. Which is why almost everything these days “requires” that you sign up for “Push”.

People still wonder why I won’t “sign up” to such nonsense, and some have rather less than implied I’m paranoid or not a team player etc in the past[1].

The point is in most Western Nations you have a right to a private home life and the peace and quiet that should go with it.

It does not matter is it’s Law enforcment, an employer, or corporation or obnoxious/stalker type, it’s recognised that you have a right to a private life that should not be abused.

Push technology is fundamentally an abusive process on it’s own. The fact others want to hitch onto that bandwagon and abuse you even further for their own profit at your expense, should tell you why you should not alow it, no matter how much “think of the children” dressing up they give it, they want it to abuse you or others, treat them like you would someone who abuses children and they might start getting the message.

[1] I’ve also had fun telling micro manager type Bosses that “my phone etc” is “personal thus private” and not for “work, work related, or their conveniance” with the important “and the law agrees with this viewpoint”. So if they want to be in contact outside of paid work hours, then they had better pay for the privilege in a form that I find equitable.

Apparently I’m not a “team player” etc etc to which I have responded “nor am I a doormat” 😉

Clive Robinson • December 7, 2023 2:52 PM

@ yet another bruce,

“It seems like you should be able to construct an obfuscated “push” protocol along the same lines as TOR.”

Push to where…

The problem is a mobile device could be connected to any node in the network so two mobile devices would have no knowledge of where the other is.

The only practical way for them to establish any kind of device to device communications when there is more than just a handfull of devices or nodes is through a central service at a known node. The mobiles say who they are and where they are every so often and the central service updates the information held about the mobiles status in a central database[1].

A similar way would have to be done with TOR which means “state information” has to be,

1, Kept in a database
2, The database is known
3, The database service can be served with legal papers etc.

I’ve spent some years off and on trying to make such a service “fully anonymous” and so far there is always a “thread” lrft hanging that authoritarians can “pull at” one way or another.

Which is why I switched my thinking to the use of an anonymous broadcast service rather than a central database. The problem is now how to get the traffic levels down.

[1] In practice though mobiles “go missing” in the central database for a number of reasons, and to get around this the database is in fact partially distributed to limit the lost device and times of peek or disrupted traffic sudden power loss etc. That is each node maintains a list of the mobiles currently and previously connected to it and how they were disconnected –hand-off, reconect time-out– going back some hours in time, this way location data becomes not just more reliablw but of a lower priority on the network compared to traffic that earns revenue. So if a mobile missing in the central database gets such profit earning priority traffic for it the network tries the last known node in the central database first, then walks the nodes around that node looking for the mobile or refrence to it in those node lists with their hand-off information, untill either the mobile is found or it’s last known location is. When a mobile becomes re-connected to a node after service loss, it sends it’s location as a higher priority. The downside of this is that it chews through the mobile battery looking for a node, which is why those “Faraday-bags” are not such a good idea from a users perspective.

Clive Robinson • December 7, 2023 6:49 PM

@ Stevie,

“If that database is zero-knowledge, the legal papers won’t help them.”

I’m not entirely certain you understand all that a “Rendezvous Protocol”(RP) has to do and why.

It’s intent is to provide information about a first party to a second party so the second party can have communications with the first party in a timely and reliable fashion, for all accesses.

For a RP you therefore have to assume the general case that,

1, Neither party has had direct or indirect contact, so no “Root of Trust”(RT) has been exchanged.

2, All signalling traffic should be uniform to avoid creating distinquisher meta-data.

3, All user devices are continuously transient from network node to network node (mobile phone in a car etc).

4, Network Signalling Traffic has to be minimized, otherwise signal trafic will consume available network bandwidth. At an increasing rate of N for a centralised system and ~N^2 for a mobile to mobile system, where N is the number of mobile devices.

5, All parties need fast access to the information. So the design of a distributed system is constrained and at best forms an optimal tree structure with minimal layers thus minimal access nodes.

6, Assume that the adversary can find and monitor all access nodes even with Tor.

After “first contact” and an exchange of “roots of trust” the constraints could in theory be eased up. But then you introduce a “distinguisher”(2) into the system and that is realy bad for security. Put simply no matter how you try to hide a distinguisher, the chances are there will be a “side channel” you can not stop or mitigate and worse there may be a deliberate “subliminal channel” put in that you have no chance of finding or stopping even with full transparancy[1]. This is in part because you will be unaware of such channels, in part because of timing, in part due to power signiture, in part… and the list goes on as you go up the stack from the physical layer to the point where the mathmatics says “You are so out of luck”.

[1] Have a look at the work that’s now a quater of a century old on “Cryptovirology” by Adam Young, and Moti Yung, which can be seen as a follow on from the works of Shannon and Hartley back pre WWII that founded “Information Theory” in the 1960’s that gave rise to the realisation that “Redundancy” was key to communications, but with it came perfect secrecy, channels within channels and in the 1970’s through to early 1980’s with Gus Simmon’s “Prisoner Problem” that has given us his “Subliminal Channels” which can be seen as the use of perfect secrecy to create a channel within a channel even the NSA et al can not demonstrates exists. As far as I’m aware all mathmatics used to create currently known Public Key systems are vulnarable.

Clive Robinson • December 9, 2023 5:13 AM

@ Gilbert, ALL,

“What this shows is you CANNOT EVER, EVER, EVER trust any third party which is seeing packets or anything pass through them.”

As they old saying has it,

“Trust ye not, lest ye are betrayed”

Which is a shortening of what you find in the King James Bible,

“Trust ye not in a friend, put ye not confidence in a guide: keep the doors of thy mouth from her that lieth in thy bosom.”

Which some say is the prayer of spycraft, conspiracy and other villany.

But “third party”, heed well the words of, Benjamin Franklin,

“Any three may keep a secret if two of them are dead”

Second party betrayal is as common as mud beneath water. Most know of the story of Judas Iscariot and the “Thirty pieces of silver”. In fact the law encorages it with “Turning King’s/States Evidence” and some claim that is all the US Justice system is these days.

So with regards,

“It must be encrypted on the device, and only be decrypted on the end-receiving device at the very end.”

Of “End to End Encryption”(E2EE) whilst a very necessary minimum it is insufficient as a third party can turn a second party against the first party. You need deniability as well, which most encryption will not give you, in fact in most cases it will put the noose around your neck, which is why the UK “Regulation of Investigatory Powers Act 2000″(RIPA 2000) has serious penelties for not handing over encryption keys “upon request”[1]. Which many orher countries have no enacted similar.

Thus you need an encryption system that provides “Deniability against betrayal”.

Conventional “short key” encryption systems do not give this. As a rule of thumb, two blocks of a block cipher, or a little over 25 characters are enough to prove beyond reasonable doubt a second parties claim that they have the decryption key to the encrypted message you sent that the third party already has from the “Over The Air”(OTA) or Network.

Thus you need a system where you can have full communications deniability even though encrypted. The only system that most know of that gives you this is where the key works on a bit by bit basis and the bits are kept fully independent of each other thus the key is at least as long as the plaintext message. Such systems are more generally called “One Time Pads”, and have Claude Shannon’s “Perfect Secrecy” as the “unicity distance” is atleast as long as the key, and thus any and all messages under that key are “Equiprobable”.

Further you can also use Gus Simmons’ “Prisoner Problem” idea to put a low bandwidth “Perfect Secrecy” “covert channel” into a normal “Plaintext message”.

Such a “subliminal channel” has two advantages,

1, You cannot prove the channel exists from just the plaintext.
2, You can not prove the channel exists even with the key due to the equiprobability of perfect secrecy.

So providing you take other “real world” precautions the second party beyrayal gets the third party no “Kings evidence” that a prosecutor can use.

[1] Apparently Tony Blair and David Blunkett, were not prepared to “listen to experts” especially those who pointed out that being sent an encrypted message was in no way indicative that you had the key. Thus RIPA was a “God Send” to set anyone up…

Anyway nearly two decades later one of the two started having misgivings about the UK “Guard Labour” in the forms of “Security Services” and “Law Enforcment” going way way beyond what Parliment had envisioned,

https://www.theguardian.com/world/2013/nov/04/david-blunkett-review-laws-security-services

Judges however have treated this aspect of RIPA with a very long barge pole so far, but at the end of the day they are human and subject to pressure or inducement…

Clive Robinson • December 9, 2023 4:38 PM

@ Winter,

“I don’t believe subliminal channels are that effective.”

They work for two basic reasons,

1, Information requires redundancy to be sent.
2, Any redundancy can be treated as a set of subsets.

Claude Shannon showed both of these properties, a decade or more before “information theory” became a named domain of study in the 1960’s.

He also more famously showed what was required for encryption that had certain important properties. Often called the “One Time Pad” people make claims of it being “unbreakable” which is not actually true. You can break the OTP by a simple exhaustive “Brut Force” search, but you can not tell which of all the messages you get is the correct one, that is they are all “equiprobable”.

Unfortunately many do not understand this, and make one of several basic mistakes, the most oft given is “key re-use”. What is less well known or talked about is that the plaintext messages themselves may not be equiprobable. For instance if we know that the plaintext is actuall “English Clear Text” then most messages can be removed leaving only a small subset that are still at that level equiprobable.

Then we “might” have further semantic distinquishers that we’ve been given as part of a second party beyrayal “might” reduce the subset further[1]. Further a second party betrayal of the key whilst it can not be trusted ordinarily can sometimes be pre-correlated with the later actions of the first party.

If you look at Gus Simmons’ “Prisoner Problem” you will see how the first two points can be used to create a secondary or side channel with “perfect secrecy”.

I’ve previously described how you can use semantic redundancy in the likes of salutations to send just a few bits protected by perfect secrecy in a open English clear text message, and even with the alledged key from a second party betrayal you can not prove the channel exists.

[1] Note the use of “might”, most OTP systems are “bit by bit” stream ciphers. As such they are subject to “bit flipping attacks”. If you have English Clear Text with a numerical or xor based checksum appended then it actually serves no purpose. Because you will always find a pattern of bit flips that will change the message to what ever you wish, and likewise change the checksum to match correctly. So why “might” well sometimes message content correlates with other information outside of the communications channel.

Clive Robinson • December 10, 2023 3:47 AM

@ Winter,

Re : Subliminal channels

“But is this effective?”

You need to Define “effective” otherwise the answer is going to be yes for some and no for others.

For instance the redundancy in a PQ PubKey is very high. This enables you by a search process to generate a PQ result where the most significant bits are set to some value you’ve chosen.

It’s not difficult to see how you could use this to covertly reveal the start point for a search for one of the primes.

Thus with a litle over fourty bits selected a billion year or more search becomes an hour or so…

Put that in an obfuscated way into closed source software and you’ve got yourself a “Golden Key Backdoor”.

We know from the debacle that started back in 2004 over the Dual EC_DRBG that “the NSA effectively backdoored” that such things are highly desirable to some.

https://blog.cryptographyengineering.com/2015/01/14/hopefully-last-post-ill-ever-write-on/