Skyfall, the newest James Bond movie has — and this is hardly a spoiler — some pseudo-computer gibberish in it. For instance: when somebody is trying to decrypt a file that you encrypted, somehow you get a signal (that you can track).
That doesn’t mesh with any encryption algorithm that I’ve heard of (or any cursory Googling), but after the movie I was thinking: so far as Hollywood’s bizarre understanding of computers goes, that’s maybe actually reasonable.
Let’s assume some basic cryptography stuff: you have a file encrypted with some kind of password. Like all password-encoded files, if a malicious party gets a copy of the encrypted file, it’s possible to decrypt it with some amount of brute force. So the bad guys manage to get our encrypted file but they don’t know the password, so they have a computer try “aaaaaa”, “aaaaab”… and so on. It might take them minutes, weeks, maybe even centuries, but eventually the computer will find the password that decrypts the file.
Ok, but that doesn’t let us know when they’ve decrypted the file. How can we change the process so that we hear from the malicious party even if they’re brute forcing the password on the other side of the planet.
One time pads are a great crypto tool, a message XOR’ed1 with a one time pad (OTP) is unbreakably encoded without the original OTP (you can just trust me on this). All we need is a server that generates one time pads and before we encrypt the file, we XOR it with a one time pad and include a URL to get the OTP.
Now, whenever someone decrypts the file, instead of getting:
Secret document: The codes are 98239289 230-23...
You would decrypt the document and get:
XOR this file with http://euri.ca/otp.php?u2387ewf3isudf73d2 79b2z9sDd8d46aGI5a9184100b9Jcc88961de5e5fa203d...
A well behaved client (i.e. someone on our team), will know the password, decrypt, download OTP, XOR and destroy the OTP3. This adds a step or two to the process, but that’s all handled in software so we’re just talking about a few more lines of code.
So we now have an encryption algorithm that phones home as part of the decryption process. Tracking the source of the download is left up to the reader4. Anyone who gets a hold of the encrypted file, needs to brute force the decryption AND ping our server.
Hopefully I haven’t made any untenable assumptions (for one: even if the URL of the OTP server is known, there are too many OTPs to cache them all5). Actually, this process immediately suggests a variation where you expire documents regularly and if there’s been an indication of data theft.
So BAM! It’s actually kinda sorta possible. What am I missing?
- A one time pad a basically a long page of random noise that you and the person receiving the message both have. To encode a message, I add the letter from the OTP; to decode, you subtract it. So let’s say we both have the OTP “sdugfa….” and I want to send you the message “bond”:
- I’d add the first letters: B is the second letter, S is the 19th, so B+S=2+19=21=U
- N+U=14+21=35, that’s too big so 35-26=9=I
To decode, you would subtract the letters from the OTP. The computer is actually going to do this rolling over at the bit level and is called XOR-ing (so it’s mod 2 rather than mod 26).
One time pads are great in that they are unbreakable, their weakness is that we have to share a file that’s bigger than the message and we both have to have the same one (whereas you can encrypt in all sorts of ways, including ways where the password to encrypt is not the same as the one to decrypt. ↩
- Naturally, I wrote a reference implementation of the one time pad server, it’s in PHP since that happens to be installed on this machine, but the code is so straightforward, it’s trivial to translate. https://gist.github.com/4044024 ↩
- there’s of course the chance that they’d leak the OTP, but they also have the decrypted message — they might as well leak that ↩
- Although in the case in the movie, you’d probably just disable the OTP ↩
- back of the envelope calculation, 10Kb OTPs with 10 character codes made up of lowercase+uppercase+numbers=(26+26+10)^10 > 840000000000000000, so … ok, I can stop there, nobody is going to cache them ↩