14 comments

[ 2.3 ms ] story [ 41.4 ms ] thread
This person's lack of cryptography knowledge is pretty pathetic - but if even committed terrorists still think security by obscurity is the way to go, what chance do we have with the general public?
The articles mentioned that they knew about AES, PGP, etc but did not trust it because "non-believers" used/developed these protocols.

Instead, they developed their own encoding mechanism in the hopes that it would evade detection or decryption by possible backdoors in existing algorithms.

In many cases, security by obscurity is a viable tactic, especially in combination with other tactics.

It was more than just security-by-obscurity; these guys refused to use an existing package that would solve their issues... the "mujahaddin secrets" package (ostensibly jihadist in origin) that did implement AES cyphers.

Guess what, if you're so purist you can't trust experts in your own field because they use "contaminated knowledge", then you better be a true genius, or you're not going to be very effective.

It sure is convenient that the people who have such bad judgement that they want to plant bombs on airliners also have such bad judgement that they roll their own crypto.

And I don't think it's a coincidence. It really boils down to them not being able to figure out which people (especially, which "authorities") to trust.

For whatever it's worth to you, most of the pre-DES-era encryption techniques betray themselves to basic statistical analysis. It's hard to hide that you're using puzzle book crypto, even if it produces what appears at first glance to be binary gibberish.

Like I said, there is a security-by-obscurity game to be played with this stuff: tamper with a known algorithm (even if you don't trust it, it's not like you can tell the difference between AES and TEA just by looking at ciphertexts).

And that's assuming the traffic is being subjected to the statistical analysis required for detection.

Timing also plays a big role. Many times a piece of intelligence is only useful for a duration of x.

Narus boxes are not magic, they can only do so much ;).

I wrote this comment only to make it clear that the stats required to figure out if something is "really" encrypted are trivial. They take significantly less than a second for a Ruby program to perform. You'd just always run them.

Sorry I wasn't more explicit (or if you already realized that).

A Caesar cypher, specifically.

Wow.

The fact that there's really nothing in between "Jesus-era" crypto and the 1970s that actually protects anything makes this article a bit hyperbolic. If he had used "Napoleonic" cryptography, or even WWII crypto, he'd have been no better off.

By modern standards, his data was simply "not" encrypted. That's not very interesting. An interesting story would have been, this guy didn't believe AES was safe, so he took a generic block cipher design and customized it, and that got broken. Of course, that would never in a million years happen; had he simply taken DES and added a few rounds to it, nobody ever would have broken his cryptography.

"There were two kinds of codes in cryptography, codes that stopped your little brother from reading your message and codes that stopped major governments from reading your message, and this was the first kind of code..."

(from HPMOR: http://www.fanfiction.net/s/5782108/62/Harry_Potter_and_the_...)

That quote is derived from one that originally appeared in "Applied Cryptography" by Bruce Schneier:

"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files."

Awesome, thanks! I haven't read enough Schneier to have picked up on that (really just Secrets and Lies).
I think there's a much more important angle to this story than "lol the guy doesn't know crypto basics". The angle you're looking for is "White, Jewish kaffirs can't make anything as pure and effective as our Muslim bretheren".

I did a quick search on "islam cryptography" and came up with this:

Cryptography in Islamic Civilization http://en.islamstory.com/cryptography-islamic-civilization.h...

There's a series of howlers in this allegedly academic text:

"For transposition to be effective and secure, letters rather than words need to be rearranged, this effectively scrambles the message and produces an "Anagram". Transposition could be done for example by writing the order of letters in a word backwards, so that word becomes drow. It is more effective to rearrange the letters in whole sentences or the whole message rather than single words.

If transposition was not limited to words or a certain order the number of different possibilities for rearranging a thirty five letter message rises to 50,000,000,000,000,000,000,000,000,000,000 different distinct rearrangements making the task of working out the correct rearrangement impossible even if all the people on earth were to check a single rearrangement every minute."

...notice the careful attention paid to frequency distribution analysis, which the author later claims is another output of Islamic civilisation. Additionally, if you preserve word boundaries cryptanalysis can include word length, which makes breaking the cipher all the more easier.

"Substitution is the other method by the meaning of a message may be concealed...Working with the plain English alphabet, allowing the algorithm to be any arrangement of the different letter, it is possible to generate more 400,000,000,000,000,000,000,000,000 different distinct rearrangements of letters and so the same number of different ciphers, thus producing a high level of security, baring in mind that the recipient need only to keep the key safe."

Besides mis-spelling bearing, how, exactly, were you planning on distributing the key again? Is the distribution channel more secure than your allegedly secure cipher? What happens when you re-use the key? For the love of God...you'd have thought they didn't bother reading "Cryptanalysis" by Helen Gaines, if they even wanted to pretend to make an effective cipher.

No evidence for this, but I bet you the BA plotter was drinking the koolaid a bit too much and thought too highly of the 1400s.