So you have a killer idea for a tech novel. And your character (or villain) needs to protect a file on their computer. Or maybe your character (or villain) needs to break into a file on someone else’s computer? All the recent press might make you think encryption makes the user invulnerable. This is a myth.
First, let’s talk about what encryption really is. When you encrypt data, you use an algorithm to make that data difficult to read without the key. If you like metaphors, you can think of encryption as the act of putting a physical document in a safe. The document is difficult to retrieve unless you have the key or combination.
There are two main use cases for encryption: securing communications, and securing files. It’s important to understand the difference for your scenarios to be plausible. The little lock that appears in your browser window when you’re shopping at Amazon is an example of securing communications. The lock icon tells you that when you send your credit card number to Amazon, anyone who might be listening in won’t get to go on a shopping spree. Securing communications is the act of encrypting data in-transit.
Securing files is often referred to as encrypting data at-rest. Let’s say you’re a treasure hunter, and you’ve figured out where the ship full of gold coins sank. The map to your payday would be a good thing to encrypt.
The most important thing to remember is that encryption is not bulletproof. Encryption does not guarantee the privacy of data against determined adversaries. This is especially true if your character has attracted the attention of law enforcement.
How can you break the encryption of data in-transit? It’s not that hard, if you have a target in mind.
As an example, let’s say you have a private investigator named Alice who is tracking a serial killer named Bob. Bob does a lot of shopping online, and Alice naturally wants to know what he’s buying. She only had five minutes with his computer when she broke into his apartment, but she was able to install a new root certificate and change his web browser settings so that all of Bob’s traffic now goes through her proxy. The change is invisible to Bob.
The new root certificate means that Alice can trick Bob’s web browser into thinking her server is amazon.com. The next time Bob places an order, Alice pretends her server is amazon.com, decrypts Bob’s traffic, then re-encrypts it and passes the order along to Amazon. Alice knows exactly what Bob ordered (12 feet of nylon rope), and Bob has no idea because his order arrives with no problems. This is called a Man-in-the-Middle attack, and it’s a common problem in encryption. Wikipedia has a pretty good explanation, if you’re curious about the details.
To return to our intrepid Alice, let’s switch the example around. Let’s say Alice is a human rights lawyer in China, and Bob works for a government agency eager to know about her clients. Alice is smart and encrypts all her client files, but this isn’t necessarily going to protect her. Bob has researched Alice and knows she uses a program called SunshinePGP to protect her files. He asks his agency software testers if they know of any vulnerabilities in SunshinePGP. Luckily, they do. SunshinePGP creates temporary files that are not encrypted, and then fails to delete them. Bob arrests Alice, examines her computer, and is able to grab clear text copies of her client files.
These are just two examples, but they highlight the general reasons why encryption is not bulletproof. Encryption is implemented in software, software is written by humans, and humans make mistakes. The other consistent weak point is key management. The first time you establish an encrypted channel with anyone is a vulnerable time, because you have to verify that the key is correct. If an attacker is able to interrupt that process, as in our example with Alice the private investigator, then they can eavesdrop on the connection.
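If you want to see the "first contact" problem from Alice-the-proxy and the key-management paragraph above in a few lines of code, here is an added example (mine, not part of the original post, and not from any real browser or shop). It mimics the trust-on-first-use list that SSH keeps in its known_hosts file: the first key a peer offers is remembered, later keys are compared against it, and an out-of-band check is the only thing that catches a proxy that was already in place on day one. The "keys" and the host name shop.example are constructed placeholders, not real key material.

```python
import hashlib

# Constructed sample "public keys": any bytes will do for a fingerprint demo.
# Real keys would be DER or PEM blobs; these are placeholders, not key material.
REAL_SHOP_KEY = b"constructed-public-key-of-the-real-shop"
PROXY_KEY = b"constructed-public-key-of-alices-proxy"


def fingerprint(public_key: bytes) -> str:
    """A short, comparable identity for a key: SHA-256 of the key bytes."""
    return hashlib.sha256(public_key).hexdigest()


class KeyPinStore:
    """Trust-on-first-use pin store, in the spirit of SSH's known_hosts.

    The first contact records whatever key was offered; every later
    contact is compared against it.  A mismatch means the peer changed
    its key or someone is sitting in the middle of the connection.
    """

    def __init__(self):
        self.pins = {}  # peer name -> fingerprint seen at first contact

    def check(self, peer: str, offered_key: bytes) -> str:
        fp = fingerprint(offered_key)
        known = self.pins.get(peer)
        if known is None:
            self.pins[peer] = fp
            return "first-contact"  # nothing to compare against yet
        return "match" if known == fp else "MISMATCH"

    def verify_out_of_band(self, peer: str, trusted_fp: str) -> bool:
        """Close the first-contact gap: compare the pinned fingerprint with
        one obtained over a channel the attacker does not control (printed
        on paper, read over the phone, published by the vendor)."""
        return self.pins.get(peer) == trusted_fp


def clean_first_contact():
    """Bob's browser meets the real shop first; Alice's proxy shows up later."""
    store = KeyPinStore()
    first = store.check("shop.example", REAL_SHOP_KEY)
    later = store.check("shop.example", PROXY_KEY)
    return first, later  # ('first-contact', 'MISMATCH')


def poisoned_first_contact():
    """Alice's proxy is already in place at first contact, so the wrong key
    gets pinned and every later visit 'matches'.  Only the out-of-band
    check against the real shop's fingerprint exposes it."""
    store = KeyPinStore()
    first = store.check("shop.example", PROXY_KEY)
    later = store.check("shop.example", PROXY_KEY)
    verified = store.verify_out_of_band("shop.example", fingerprint(REAL_SHOP_KEY))
    return first, later, verified  # ('first-contact', 'match', False)


if __name__ == "__main__":
    print(clean_first_contact())
    print(poisoned_first_contact())
```

The second scenario is the one that matters for your plot: pinning only helps if the first contact was honest, which is why real systems either ship the trusted fingerprints ahead of time (the root certificates in a browser) or ask the user to confirm one through a separate channel.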
Additionally, keys are just files stored on a computer. They must be protected well, or encryption is of limited use. Typically, keys are protected by putting them in a hard to read location such as a thumb drive, or by requiring a passphrase to use the key, or sometimes both of these things. Even with these precautions, keys can be vulnerable.
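Here is what "requiring a passphrase to use the key" looks like in practice, as an added example that is not from the original post or any particular product. The passphrase is stretched into a key-encryption key with PBKDF2 (so each guess costs real CPU time), the secret key is wrapped with it, and an integrity tag refuses both wrong passphrases and tampered files. One assumption to flag: Python's standard library has no AES, so the wrapping step uses HMAC-SHA256 in counter mode as a stand-in for a real authenticated cipher such as AES-GCM; the structure (salt, nonce, wrapped key, tag) is the same as a real key file.

```python
import hashlib
import hmac
import os

# Assumption: a PBKDF2-HMAC-SHA256 iteration count high enough that each
# passphrase guess is slow; real tools pick this for the hardware they target.
PBKDF2_ITERATIONS = 200_000


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real cipher:
    block i is HMAC(kek, nonce || i).  Never reuse a nonce under one KEK."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect_key(secret_key: bytes, passphrase: str) -> dict:
    """Wrap a secret key so the file on disk is useless without the passphrase.

    Encrypt-then-MAC: wrapped = key XOR keystream, tag = HMAC over nonce + wrapped.
    A fresh random salt and nonce are generated for every wrap."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    stream = _keystream(kek, nonce, len(secret_key))
    wrapped = bytes(a ^ b for a, b in zip(secret_key, stream))
    tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}


def unlock_key(blob: dict, passphrase: str):
    """Return the secret key, or None if the passphrase is wrong or the file
    was tampered with.  The tag is checked (in constant time) before any
    unwrapping happens, so a bad passphrase never yields garbage key bytes."""
    kek = derive_kek(passphrase, blob["salt"])
    expected = hmac.new(kek, blob["nonce"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(kek, blob["nonce"], len(blob["wrapped"]))
    return bytes(a ^ b for a, b in zip(blob["wrapped"], stream))


if __name__ == "__main__":
    key = os.urandom(32)
    blob = protect_key(key, "correct horse battery staple")
    print("round trip ok:", unlock_key(blob, "correct horse battery staple") == key)
    print("wrong passphrase:", unlock_key(blob, "password123"))
```

Two things for a plausible story: the file on disk contains the salt and the wrapped key but never the passphrase, so the only ways in are guessing the passphrase (slow by design) or, as the next section describes, catching the passphrase or the unwrapped key while it is in memory.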
Another way for Bob the government agent to break into Alice’s files is to use a memory scraper. Memory scraping is a technique used to pull sensitive information from memory. Any data processed by the computer ends up in memory for a short period of time, and this includes decryption keys and passphrases. If Bob can trick Alice into installing malicious software on her computer, he can use that software to spy on her decryption keys and passphrases.
And that’s how snooping can win over encryption.