Shouldn’t commercial encryption systems be easily crackable by Governments?

I am the furthest thing from an expert in cryptography. But, from what I have seen on TV and read, admittedly things made for laymen, one of the things that makes a code cracker's life easier is knowing some or part of an encrypted message; it can help crack the system. One of the reasons Ultra defeated Enigma was that the Germans often sent reports in standard form, whose format the code breakers knew, and thus they were able to use the known bits to find the keys.

In the case of a lot of commercial applications, like WhatsApp, Telegram and VPNs, the Government controls and can access the infrastructure that the messages travel on. They also control the licensing of SIMs etc.

Surely, if they want to break WhatsApp they can do it. Buy 5000 mobile phones and set up 5000 SIMs. Download WhatsApp and Telegram.
Send known messages from these phones and tap them. See what the messages get scrambled into and use those to analyse and find the key.

What you’re talking about is called a plaintext attack. It can be effective, although I can’t say for sure whether it will be effective enough to crack modern encryption. The technology has advanced considerably since the 1940s.

The problem is that even if successful, they will only be able to find the key for their own WhatsApp or Telegram account. Which they already have the contents of. It will not in any way give them access to some kind of master key, because there is no master key. Each sender has their own private key.

Why would anyone want to use an encryption code that is easily crackable by anybody? Makes no sense. The government is made up of people and people are the weak link because people are flawed and have their own agendas.

If they are easily crackable by governments, they are easily crackable by anyone–as the government is very poor at keeping secrets. For example:

In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they’ve been dumping these secrets on the internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time have put sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of thousands of computers worldwide this month.

After the WannaCry outbreak, the Shadow Brokers threatened to release more NSA secrets every month, giving cybercriminals and other governments worldwide even more exploits and hacking tools.

Modern ciphers are designed to be resistant against both known-plaintext attacks and chosen-plaintext attacks, a more powerful form where the adversary can select arbitrary messages to be encrypted.

I’m not very well versed in the maths and algorithms underpinning it all, but this StackExchange discussion is a good primer. As far as I could understand it, it boils down to the key space of modern ciphers being so large that attempting to brute force the key is prohibitively expensive.

Not only expensive but time consuming. If it takes years to crack a code then most likely the information is either obsolete or common knowledge by the time it's cracked.

This is why sites have started asking us to use caps and alphanumerics (<%=×]) in our passwords. Base 256 is a lot harder to crack than base ~36.

A big difference is that the Enigma code was shared by all forces, and changed very rarely, as that would require an update to everyone using it.

A commercial encryption system is only valid for a single user, and will often update the encryption for every session.

Sure, but adding a single character is much more effective than varying the case and alphanumerics, because the extra character varies the exponent, not the base, unlike adding characters to the usable set.

So you get something like 36^8 options for all the cap/alphanumeric options, but 26^9 for simply adding a single character. (my discrete & combinatorial math is too rusty to actually figure out the actual numbers)

xkcd: Password Strength

That’s why all my passwords are “correct horse battery staple”; I’m cryptographically invulnerable.
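The two posts above argue about base versus exponent without working the numbers, and the xkcd reply brings in word-list passphrases. As an added example (not part of the original thread), here is a small Python script that computes the search space, entropy and worst-case exhaustion time for a password policy, so the 36^8 vs 26^9 comparison and the four-word passphrase can be checked directly. The guess rate of 10 billion per second is an assumption for illustration, not a figure from the thread.

```python
import math

# Assumed guess rate for the timing estimate: 10 billion guesses per second,
# in the range of a large GPU rig against a fast unsalted hash. This is an
# illustrative assumption, not a measured figure.
GUESSES_PER_SECOND = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits, assuming every symbol is chosen uniformly and independently."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case years to enumerate the whole space at `rate` guesses per second."""
    return search_space(alphabet_size, length) / rate / SECONDS_PER_YEAR


def gain(old_alphabet: int, old_length: int, new_alphabet: int, new_length: int) -> float:
    """Factor by which the search space grows when moving from one policy to another.

    Adding one character multiplies the space by the alphabet size (it changes the
    exponent); enlarging the alphabet multiplies it by (new/old) ** length (it
    changes the base). This makes the claim in the thread checkable.
    """
    return search_space(new_alphabet, new_length) / search_space(old_alphabet, old_length)


def summarise(label: str, alphabet_size: int, length: int) -> str:
    return (f"{label:<28} space={search_space(alphabet_size, length):.3e} "
            f"entropy={entropy_bits(alphabet_size, length):5.1f} bits "
            f"exhaust={years_to_exhaust(alphabet_size, length):.2e} years")


if __name__ == "__main__":
    # Policies discussed in the thread, plus the xkcd passphrase drawn from a
    # 2048-word list (2048 ** 4 == 2 ** 44).
    for label, n, k in [
        ("26 lowercase, 8 chars", 26, 8),
        ("36 alphanumeric, 8 chars", 36, 8),
        ("26 lowercase, 9 chars", 26, 9),
        ("95 printable ASCII, 8", 95, 8),
        ("95 printable ASCII, 12", 95, 12),
        ("4 words from 2048 list", 2048, 4),
    ]:
        print(summarise(label, n, k))
    print(f"gain from widening 26 -> 36 at 8 chars: x{gain(26, 8, 36, 8):.1f}")
    print(f"gain from adding one lowercase char:    x{gain(26, 8, 26, 9):.1f}")
```

Widening the alphabet from 26 to 36 at eight characters buys a factor of about 13.5; adding a ninth lowercase character buys a factor of 26, so the "exponent beats base" intuition holds at these sizes. The timing column only describes a brute-force search of a uniformly random password, which is the most optimistic case for the defender; dictionary attacks against human-chosen passwords need far fewer guesses.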

This has mostly been covered, but let me spell it out in more detail:
Getting a bunch of phones and the app is equivalent to getting a couple of Enigma machines, but unlike WWII Germany, WhatsApp isn’t depending on the protocols involved being a secret.

Figuring out the keys involved for those phones won’t help you decrypt conversations between other phones. I’m not going to sit down and read the whole Signal Protocol definition to get the details, but the keys for a specific conversation are definitely unique to the phones involved, and possibly to the conversation. You use some public key encryption to exchange a new secret key.

The Germans regularly changed the key they were using, but since everyone used the same key across the forces, there was enough time between key changes (Wikipedia says they changed daily) for the British to break that key and get some useful information.

It was still hard, and that was for a system that encrypted one letter at a time. Encrypting blocks at a time instead of single letters is only one of many big evolutions in cryptography since then that make a plaintext attack less feasible, and as has been pointed out, you need to know some of your target’s plaintext, which your approach misses.

Cracking an average person’s account is probably pretty easy for the CIA.

Breaking an encryption system is something else entirely. A country which could do this would have a huge intelligence advantage. It would be like having the first nuke, intelligence-wise.

Is it? I mean, if the “average person’s” password is password, sure.

But if they put any work into the password at all, it’s gonna be pretty hard to crack it.

It should be pointed out that actually there were some serious flaws in the Enigma that made it crackable. Primarily the fact that a letter could not be encrypted as itself. Soviet systems* based on the same basic premise were considered uncrackable for decades after WW2. Although some post-war systems based on the same premise were very hackable, as the NSA had a cozy relationship with the manufacturers and ensured flaws were introduced that meant they could crack them.

  • not the “Venona” system, which should have been completely uncrackable to this day as it used one-time pads, but during WW2 resources were so scarce the Soviets started duplicating their one-time pads.

I wasn’t actually thinking of brute forcing the password but rather tricking the person into installing surveillance tools (malware) and getting the password that way. Ransomware infections are very common and that’s with the poor toolset available to the bad guys. The NSA have the best tools and can use legit certificates, etc to fool their prey.

It’s not that hard, with modern encryption systems, to implement something that would take trillions of times longer than the lifetime of the Universe to crack. Work on a thousand devices at once? Congratulations, now it’ll only take billions of times longer than the age of the Universe.

Fair enough, I was thinking that you meant somehow or other breaking the encryption of a particular account rather than fooling the user.

But, that’s a good point, the best password in the world isn’t going to help you if you have a keylogger on your system.

Or your interrogator has $5.

No, password requirements have nothing to do with breaking encrypted communications.

The strength of your password is only tangentially related to whether or not the encryption can be broken. If the CIA has the phone on which you were using Telegram and your password is simple (or, depending on things, even if it’s not), then they can get into your phone and read your messages.

As long as your phone is physically secure, your Telegram messages can’t be cracked from the transmitted data, even if your password is “12345”, because the Telegram encryption key is not based on your password.

‘Find the key’ is a hard problem.

For context: I create an encryption key pair and I can give you one of the keys - you can now use that key to encrypt data, and you can compare the input and output to your heart’s content. What you can’t do is undo the encryption - the process doesn’t work backwards (well, it sort of does, but if and only if you have the other key in the pair - the one I didn’t give to you)

That is to say, you can watch the exact process of encryption being done, and that still won’t allow you to generalise a method for undoing it.
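Two posts in this thread make the same point from different sides: the one above (you can watch the public half of the process as much as you like and still not reverse it) and the earlier one explaining that each conversation negotiates its own fresh secret with public-key cryptography, so the keys recovered from your own 5000 phones tell you nothing about anyone else's. As an added example that is not part of the thread and not the Signal Protocol handshake itself, here is a plain Diffie-Hellman exchange in Python over the 2048-bit MODP group from RFC 3526 (group 14, transcribed below), with SHA-256 standing in for a real key-derivation function. The party names and the `session_key` helper are assumptions for illustration.

```python
import hashlib
import secrets

# Public, standard group parameters (RFC 3526 group 14, generator 2). Nothing here
# is secret: the eavesdropper is assumed to know P, G and every public value sent.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def keypair() -> tuple[int, int]:
    """Fresh ephemeral key pair: a random private exponent and its public value G**priv mod P."""
    priv = secrets.randbits(256)
    pub = pow(G, priv, P)
    return priv, pub


def session_key(my_priv: int, peer_pub: int) -> bytes:
    """Derive a session key from my private exponent and the peer's public value.

    Both sides compute the same value: (G**b)**a == (G**a)**b mod P. SHA-256 is used
    here as a stand-in for a proper KDF (Signal uses HKDF); this is an assumption.
    """
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def eavesdropper_attempt(chosen_exponent: int, pub_a: int, pub_b: int) -> tuple[bytes, bytes]:
    """What an observer who knows P, G, pub_a and pub_b can compute with an exponent of their choosing.

    They can encrypt to either party and compare input with output all day, exactly as the
    post above describes, but every key they derive involves their own exponent, not a*b.
    """
    return session_key(chosen_exponent, pub_a), session_key(chosen_exponent, pub_b)


def demo() -> dict:
    """Run two Alice<->Bob sessions and one attacker-owned phone; report what matches what."""
    a_priv, a_pub = keypair()          # Alice's phone, session 1
    b_priv, b_pub = keypair()          # Bob's phone, session 1
    e_priv, e_pub = keypair()          # the government's own phone, fully known to it

    k_alice = session_key(a_priv, b_pub)
    k_bob = session_key(b_priv, a_pub)

    # The attacker legitimately talks to Alice with its own phone and learns that key.
    k_attacker_alice = session_key(e_priv, a_pub)
    k_alice_attacker = session_key(a_priv, e_pub)

    # Watching the public values and choosing exponents yields nothing about k_alice.
    guess_a, guess_b = eavesdropper_attempt(e_priv, a_pub, b_pub)

    # A new session between the same two phones negotiates a brand-new key.
    a2_priv, a2_pub = keypair()
    b2_priv, b2_pub = keypair()
    k_session2 = session_key(a2_priv, b2_pub)

    return {
        "alice_and_bob_agree": k_alice == k_bob,
        "attacker_knows_its_own_chat": k_attacker_alice == k_alice_attacker,
        "attacker_key_matches_alice_bob": k_attacker_alice == k_alice,
        "chosen_exponent_recovers_key": k_alice in (guess_a, guess_b),
        "second_session_reuses_key": k_session2 == k_alice,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<34} {value}")
```

The only way from `a_pub` and `b_pub` to the shared value is solving the discrete logarithm in this group, which is what the "prohibitively expensive" posts above refer to; nothing about owning more phones, or about choosing the messages sent through them, shortens that computation.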