Secure communication is when two entities are communicating and do not want a third party to listen in. For this to be the case, the entities need to communicate in a way that is unsusceptible to

eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...

interception In ball-playing competitive team sports, an interception or pick is a move by a player involving a pass of the ball—whether by foot or hand, depending on the rules of the sport—in which the ball is intended for a player of the same team ...

. Secure communication includes means by which people can share information with varying degrees of certainty that third parties cannot intercept what is said. Other than spoken face-to-face communication with no possible eavesdropper, it is probably safe to say that no communication is guaranteed to be secure in this sense, although practical obstacles such as legislation, resources, technical issues (interception and

encryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can dec ...

), and the sheer volume of communication serve to limit surveillance. With many communications taking place over long distance and mediated by technology, and increasing awareness of the importance of interception issues, technology and its compromise are at the heart of this debate. For this reason, this article focuses on communications mediated or intercepted by technology. Also see '' Trusted Computing'', an approach under present development that achieves security in general at the potential cost of compelling obligatory trust in corporate and government bodies.

History

In 1898,

Nikola Tesla Nikola Tesla ( ; ,"Tesla"
'' radio controlled boat in

Madison Square Garden Madison Square Garden, colloquially known as The Garden or by its initials MSG, is a multi-purpose indoor arena in New York City. It is located in Midtown Manhattan between Seventh and Eighth avenues from 31st to 33rd Street, above Pennsyl ...

that allowed secure communication between

transmitter In electronics and telecommunications, a radio transmitter or just transmitter is an electronic device which produces radio waves with an antenna. The transmitter itself generates a radio frequency alternating current, which is applied to ...

and receiver. One of the most famous systems of secure communication was the

Green Hornet The Green Hornet is a superhero created in 1936 by George W. Trendle and Fran Striker, with input from radio director James Jewell. Since his 1930s radio debut, the character has appeared in numerous serialized dramas in a wide variety of me ...

. During WWII, Winston Churchill had to discuss vital matters with Franklin D. Roosevelt. In the beginning, the calls were made using a voice scrambler, as this was thought to be secure. When this was found to be untrue, engineers started to work on a whole new system, which resulted in the Green Hornet or

SIGSALY SIGSALY (also known as the X System, Project X, Ciphony I, and the Green Hornet) was a secure speech system used in World War II for the highest-level Allied communications. It pioneered a number of digital communications concepts, including the ...

. With the Green Hornet, any unauthorized party listening in would just hear

white noise In signal processing, white noise is a random signal having equal intensity at different frequencies, giving it a constant power spectral density. The term is used, with this or similar meanings, in many scientific and technical disciplines, ...

, but the conversation would remain clear to authorized parties. As secrecy was paramount, the location of the Green Hornet was only known by the people who built it and Winston Churchill. To maintain secrecy, the Green Hornet was kept in a closet labeled 'Broom Cupboard.'' The Green Hornet used a

one-time pad In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is not smaller than the message being sent. In this technique, a plaintext is paired with a r ...

. SIGSALY was also never broken.

Nature and limits of security

Types of security

Security can be broadly categorized under the following headings, with examples: * Hiding the content or nature of a communication ** Code – a rule to convert a piece of information (for example, a letter, word, phrase, or gesture) into another form or representation (one sign into another sign), not necessarily of the same type. In communications and information processing, encoding is the process by which information from a source is converted into symbols to be communicated. Decoding is the reverse process, converting these code symbols back into information understandable by a receiver. One reason for coding is to enable communication in places where ordinary spoken or written language is difficult or impossible. For example, semaphore, where the configuration of flags held by a signaler or the arms of a semaphore tower encodes parts of the message, typically individual letters and numbers. Another person standing a great distance away can interpret the flags and reproduce the words sent. **

Obfuscation Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language. The obfuscation might be either unintentional or intentional (although intent u ...

Encryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can dec ...

Steganography Steganography ( ) is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, ...

** Identity Based * Hiding the parties to a communication – preventing identification, promoting anonymity ** " Crowds" and similar anonymous group structures – it is difficult to identify who said what when it comes from a "crowd" ** Anonymous communication devices – unregistered cellphones,

Internet cafe The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a ''internetworking, network of networks'' that consists ...

s ** Anonymous proxies ** Hard-to-trace

routing Routing is the process of selecting a path for traffic in a network or between or across multiple networks. Broadly, routing is performed in many types of networks, including circuit-switched networks, such as the public switched telephone netw ...

methods – through unauthorized third-party systems, or relays * Hiding the fact that a communication takes place ** "Security by obscurity" – similar to needle in a haystack ** Random traffic – creating random data flow to make the presence of genuine communication harder to detect and

traffic analysis Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication, it can be performed even when the messages are encrypted. In general, the greater the number of messages observed ...

less reliable Each of the three types of security is important, and depending on the circumstances, any of these may be critical. For example, if a communication is not readily identifiable, then it is unlikely to attract attention for identification of parties, and the mere fact a communication has taken place (regardless of content) is often enough by itself to establish an evidential link in legal prosecutions. It is also important with computers, to be sure where the security is applied, and what is covered.

Borderline cases

A further category, which touches upon secure communication, is software intended to take advantage of security openings at the end-points. This software category includes trojan horses, keyloggers and other

spyware Spyware (a portmanteau for spying software) is software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their privac ...

. These types of activity are usually addressed with everyday mainstream security methods, such as antivirus software, firewalls, programs that identify or neutralize

adware Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the ...

and

, and web filtering programs such as

Proxomitron Proxomitron, the Universal Web Filter, is a filtering web proxy written by Scott R. Lemmon. This program was originally designed to run under Windows 95. All future development of the program was ceased in 2003 just one year before its author' ...

and

Privoxy Privoxy is a free non-caching web proxy with filtering capabilities for enhancing privacy, manipulating cookies and modifying web page data and HTTP headers before the page is rendered by the browser. Privoxy is a "privacy enhancing proxy", fi ...

which check all web pages being read and identify and remove common nuisances contained. As a rule they fall under

computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...

rather than secure communications.

Tools used to obtain security

Encryption

is a method in which data is rendered hard to read by an unauthorized party. Since encryption methods are created to be extremely hard to break, many communication methods either use deliberately weaker encryption than possible, or have backdoors inserted to permit rapid decryption. In some cases government authorities have required backdoors be installed in secret. Many methods of encryption are also subject to "

man in the middle In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM ...

" attack whereby a third party who can 'see' the establishment of the secure communication is made privy to the encryption method, this would apply for example to the interception of computer use at an ISP. Provided it is correctly programmed, sufficiently powerful, and the keys not intercepted, encryption would usually be considered secure. The article on key size examines the key requirements for certain degrees of encryption security. Encryption can be implemented in a way that requires the use of encryption, i.e. if encrypted communication is impossible then no traffic is sent, or opportunistically. Opportunistic encryption is a lower security method to generally increase the percentage of generic traffic which is encrypted. This is analogous to beginning every conversation with "Do you speak

Navajo The Navajo (; British English: Navaho; nv, Diné or ') are a Native Americans in the United States, Native American people of the Southwestern United States. With more than 399,494 enrolled tribal members , the Navajo Nation is the largest fe ...

?" If the response is affirmative, then the conversation proceeds in Navajo, otherwise it uses the common language of the two speakers. This method does not generally provide

authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicat ...

or anonymity but it does protect the content of the conversation from

. An Information-theoretic security technique known as physical layer encryption ensures that a wireless communication link is provably secure with communications and coding techniques.

Steganography

("hidden writing") is the means by which data can be hidden within other more innocuous data. Thus a watermark proving ownership embedded in the data of a picture, in such a way it is hard to find or remove unless you know how to find it. Or, for communication, the hiding of important data (such as a telephone number) in apparently innocuous data (an MP3 music file). An advantage of steganography is

plausible deniability Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to deny knowledge of or responsibility for any damnable actions committed by members of their organizational hierarchy. They may ...

, that is, unless one can prove the data is there (which is usually not easy), it is deniable that the file contains any.

Identity based networks

Unwanted or malicious behavior is possible on the web since the internet is inherently anonymous. True identity based networks replace the ability to remain anonymous and are inherently more trustworthy since the identity of the sender and recipient are known. (The telephone system is an example of an identity based network.)

Anonymized networks

Recently, anonymous networking has been used to secure communications. In principle, a large number of users running the same system, can have communications routed between them in such a way that it is very hard to detect what the complete message is, which user sent it, and where it is ultimately coming from or going to. Examples are Crowds, Tor, I2P, Mixminion, various anonymous P2P networks, and others.

Anonymous communication devices

In theory, an unknown device would not be noticed, since so many other devices are in use. This is not altogether the case in reality, due to the presence of systems such as

Carnivore A carnivore , or meat-eater (Latin, ''caro'', genitive ''carnis'', meaning meat or "flesh" and ''vorare'' meaning "to devour"), is an animal or plant whose food and energy requirements derive from animal tissues (mainly muscle, fat and other ...

and

Echelon ECHELON, originally a secret government code name, is a surveillance program ( signals intelligence/SIGINT collection and analysis network) operated by the five signatory states to the UKUSA Security Agreement:Given the 5 dialects that ...

, which can monitor communications over entire networks, and the fact that the far end may be monitored as before. Examples include

payphone A payphone (alternative spelling: pay phone) is typically a coin-operated public telephone, often located in a telephone booth or in high-traffic outdoor areas, with prepayment by inserting money (usually coins) or by billing a credit or deb ...

, etc.

Methods used to "break" security

Bugging

The placing covertly of monitoring and/or transmission devices either within the communication device, or in the premises concerned.

Computers (general)

Any security obtained from a computer is limited by the many ways it can be compromised – by hacking, keystroke logging, backdoors, or even in extreme cases by monitoring the tiny electrical signals given off by keyboard or monitors to reconstruct what is typed or seen ( TEMPEST, which is quite complex).

Laser audio surveillance

Sounds, including speech, inside rooms can be sensed by bouncing a

laser A laser is a device that emits light through a process of optical amplification based on the stimulated emission of electromagnetic radiation. The word "laser" is an acronym for "light amplification by stimulated emission of radiation". The firs ...

beam off a window of the room where a conversation is held, and detecting and decoding the vibrations in the glass caused by the sound waves.

Systems offering partial security

Cellphones

Cellphones can easily be obtained, but are also easily traced and "tapped". There is no (or only limited) encryption, the phones are traceable – often even when switched off – since the phone and SIM card broadcast their International Mobile Subscriber Identity ( IMSI). It is possible for a cellphone company to turn on some cellphones when the user is unaware and use the microphone to listen in on you, and according to James Atkinson, a counter-surveillance specialist cited in the same source, "Security-conscious corporate executives routinely remove the batteries from their cell phones" since many phones' software can be used "as-is", or modified, to enable transmission without user awareness and the user can be located within a small distance using signal

triangulation In trigonometry and geometry, triangulation is the process of determining the location of a point by forming triangles to the point from known points. Applications In surveying Specifically in surveying, triangulation involves only angle ...

and now using built in GPS features for newer models. Transceivers may also be defeated by jamming or Faraday cage. Some cellphones (

Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple trees are cultivated worldwide and are the most widely grown species in the genus '' Malus''. The tree originated in Central Asia, where its wild ances ...

's iPhone,

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

Android Android may refer to: Science and technology * Android (robot), a humanoid robot or synthetic organism designed to imitate a human * Android (operating system), Google's mobile operating system ** Bugdroid, a Google mascot sometimes referred to ...

) track and store users' position information, so that movements for months or years can be determined by examining the phone. US Government also has access to cellphone surveillance technologies, mostly applied for law enforcement.

Landlines

Analogue landlines are not encrypted, it lends itself to being easily tapped. Such tapping requires physical access to the line which can be easily obtained from a number of places, e.g. the phone location, distribution points, cabinets and the exchange itself. Tapping a landline in this way can enable an attacker to make calls which appear to originate from the tapped line.

Anonymous Internet

Using a third party system of any kind (payphone, Internet cafe) is often quite secure, however if that system is used to access known locations (a known email account or 3rd party) then it may be tapped at the far end, or noted, and this will remove any security benefit obtained. Some countries also impose mandatory registration of Internet cafe users. Anonymous proxies are another common type of protection, which allow one to access the net via a third party (often in a different country) and make tracing difficult. Note that there is seldom any guarantee that the

plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of com ...

is not tappable, nor that the proxy does not keep its own records of users or entire dialogs. As a result, anonymous proxies are a generally useful tool but may not be as secure as other systems whose security can be better assured. Their most common use is to prevent a record of the originating IP, or address, being left on the target site's own records. Typical anonymous proxies are found at both regular websites such as Anonymizer.com and spynot.com, and on proxy sites which maintain up to date lists of large numbers of temporary proxies in operation. A recent development on this theme arises when wireless Internet connections ("

Wi-Fi Wi-Fi () is a family of wireless network protocols, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio w ...

") are left in their unsecured state. The effect of this is that any person in range of the base unit can piggyback the connection – that is, use it without the owner being aware. Since many connections are left open in this manner, situations where piggybacking might arise (willful or unaware) have successfully led to a defense in some cases, since it makes it difficult to prove the owner of the connection was the downloader, or had knowledge of the use to which unknown others might be putting their connection. An example of this was the Tammie Marson case, where neighbours and anyone else might have been the culprit in the sharing of copyright files. Conversely, in other cases, people deliberately seek out businesses and households with unsecured connections, for illicit and anonymous Internet usage, or simply to obtain free bandwidth.'Extortionist' turns Wi-Fi thief to cover tracks
The Register

Programs offering more security

* Secure instant messaging – Some instant messaging clients use

end-to-end encryption End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, malicious actors, and eve ...

with forward secrecy to secure all instant messages to other users of the same software. Some instant messaging clients also offer end-to-end encrypted file transfer support and group messaging. *

VoIP Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Interne ...

– Some VoIP clients implement ZRTP and SRTP encryption for calls. *

Secure email Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication. Email is prone to the disclosure of information. Most email ...

– some email networks are designed to provide encrypted and/or anonymous communication. They authenticate and encrypt on the users own computer, to prevent transmission of plain text, and mask the sender and recipient. Mixminion and I2P-Bote provide a higher level of anonymity by using a network of anonymizing intermediaries, similar to how Tor works, but at a higher latency. * IRC and web chat – Some IRC clients and systems use client-to-server encryption such as

SSL SSL may refer to: Entertainment * RoboCup Small Size League, robotics football competition * ''Sesame Street Live'', a touring version of the children's television show * StarCraft II StarLeague, a Korean league in the video game Natural language ...

TLS TLS may refer to: Computing * Transport Layer Security, a cryptographic protocol for secure computer network communication * Thread level speculation, an optimisation on multiprocessor CPUs * Thread-local storage, a mechanism for allocating vari ...

. This is not standardized.

Government attacks on encrypted communications

EncroChat

Has been shut down.

Sky Global / Sky ECC

Taken down by law enforcement.

Phantom Secure

Taken down by law enforcement.

Recommendation for future developments

* Use distributed computing to avoid attacks on servers. * Use open source software. Bugs can be corrected and the software can be improved. * Avoid complex operating systems and micro-kernels. Start from scratch. * Use open source hardware including open source CPU. Bugs can be corrected and the hardware can be improved. * Avoid exploitable complex technologies on the secure side. Example:

DMA DMA may refer to: Arts * ''DMA'' (magazine), a defunct dance music magazine * Dallas Museum of Art, an art museum in Texas, US * Danish Music Awards, an award show held in Denmark * BT Digital Music Awards, an annual event in the UK * Doctor of M ...

, USB,

Bluetooth Bluetooth is a short-range wireless technology standard that is used for exchanging data between fixed and mobile devices over short distances and building personal area networks (PANs). In the most widely used mode, transmission power is limit ...

JTAG JTAG (named after the Joint Test Action Group which codified it) is an industry standard for verifying designs and testing printed circuit boards after manufacture. JTAG implements standards for on-chip instrumentation in electronic design autom ...

, Cellular networks,

Ethernet Ethernet () is a family of wired computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN) and wide area networks (WAN). It was commercially introduced in 1980 and first standardized in ...

etc... * If complex technologies are absolutely needed, they must run on a separate system / CPU and be started as compromised all the time. * Bridge Secure and insecure areas with basic technologies and implement it with caution. Example :

RS-232 In telecommunications, RS-232 or Recommended Standard 232 is a standard originally introduced in 1960 for serial communication transmission of data. It formally defines signals connecting between a ''DTE'' ('' data terminal equipment'') suc ...

RS-485 RS-485, also known as TIA-485(-A) or EIA-485, is a standard defining the electrical characteristics of drivers and receivers for use in serial communications systems. Electrical signaling is balanced, and multipoint systems are supported. The s ...

I²C I2C (Inter-Integrated Circuit, ), alternatively known as I2C or IIC, is a synchronous, multi-controller/multi-target (master/slave), packet switched, single-ended, serial communication bus invented in 1982 by Philips Semiconductors. It is w ...

, Custom bridges, etc... * Use heavy shielding on secure processing area. * Use spread spectrum technology on CPU clocking and on switching power supplies. * Include true random number generator to your system. * Include some amount random processing and random communication between random peers with random amount of data to improve the security against side channel attacks,

timing attacks In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and ...

and network mapping. * Be aware of supply chain attacks.

References

External links

* {{DEFAULTSORT:Secure Communication Secret broadcasting Internet privacy Espionage techniques