

BA jihadist relied on Jesus-era encryption - mukyu
http://www.theregister.co.uk/2011/03/22/ba_jihadist_trial_sentencing/

======
tptacek
The fact that there's really nothing in between "Jesus-era" crypto and the
1970s that actually protects anything makes this article a bit hyperbolic. If
he had used "Napoleonic" cryptography, or even WWII crypto, he'd have been no
better off.

By modern standards, his data was simply "not" encrypted. That's not very
interesting. An interesting story would have been, this guy didn't believe AES
was safe, so he took a generic block cipher design and customized it, and
_that_ got broken. Of course, that would never in a million years happen; had
he simply taken DES and added a few rounds to it, nobody ever would have
broken his cryptography.

------
asymptotic
I think there's a much more important angle to this story than "lol the guy
doesn't know crypto basics". The angle you're looking for is "White, Jewish
kaffirs can't make anything as pure and effective as our Muslim bretheren".

I did a quick search on "islam cryptography" and came up with this:

Cryptography in Islamic Civilization [http://en.islamstory.com/cryptography-
islamic-civilization.h...](http://en.islamstory.com/cryptography-islamic-
civilization.html)

There's a series of howlers in this allegedly academic text:

"For transposition to be effective and secure, letters rather than words need
to be rearranged, this effectively scrambles the message and produces an
"Anagram". Transposition could be done for example by writing the order of
letters in a word backwards, so that word becomes drow. It is more effective
to rearrange the letters in whole sentences or the whole message rather than
single words.

If transposition was not limited to words or a certain order the number of
different possibilities for rearranging a thirty five letter message rises to
50,000,000,000,000,000,000,000,000,000,000 different distinct rearrangements
making the task of working out the correct rearrangement impossible even if
all the people on earth were to check a single rearrangement every minute."

...notice the careful attention paid to frequency distribution analysis, which
the author later claims is another output of Islamic civilisation.
Additionally, if you preserve word boundaries cryptanalysis can include word
length, which makes breaking the cipher all the more easier.

"Substitution is the other method by the meaning of a message may be
concealed...Working with the plain English alphabet, allowing the algorithm to
be any arrangement of the different letter, it is possible to generate more
400,000,000,000,000,000,000,000,000 different distinct rearrangements of
letters and so the same number of different ciphers, thus producing a high
level of security, baring in mind that the recipient need only to keep the key
safe."

Besides mis-spelling bearing, how, exactly, were you planning on distributing
the key again? Is the distribution channel more secure than your allegedly
secure cipher? What happens when you re-use the key? For the love of
God...you'd have thought they didn't bother reading "Cryptanalysis" by Helen
Gaines, if they even wanted to pretend to make an effective cipher.

No evidence for this, but I bet you the BA plotter was drinking the koolaid a
bit too much and thought too highly of the 1400s.

------
graceyang
This person's lack of cryptography knowledge is pretty pathetic - but if even
committed terrorists still think security by obscurity is the way to go, what
chance do we have with the general public?

~~~
runjake
The articles mentioned that they knew about AES, PGP, etc but did not trust it
because "non-believers" used/developed these protocols.

Instead, they developed their own encoding mechanism in the hopes that it
would evade detection or decryption by possible backdoors in existing
algorithms.

In many cases, security by obscurity is a viable tactic, especially in
combination with other tactics.

~~~
tptacek
For whatever it's worth to you, most of the pre-DES-era encryption techniques
betray themselves to basic statistical analysis. It's hard to hide that you're
using puzzle book crypto, even if it produces what appears at first glance to
be binary gibberish.

Like I said, there is a security-by-obscurity game to be played with this
stuff: tamper with a known algorithm (even if you don't trust it, it's not
like you can tell the difference between AES and TEA just by looking at
ciphertexts).

~~~
runjake
And that's assuming the traffic is being subjected to the statistical analysis
required for detection.

Timing also plays a big role. Many times a piece of intelligence is only
useful for a duration of x.

Narus boxes are not magic, they can only do so much ;).

~~~
tptacek
I wrote this comment only to make it clear that the stats required to figure
out if something is "really" encrypted are trivial. They take significantly
less than a second for a Ruby program to perform. You'd just always run them.

Sorry I wasn't more explicit (or if you already realized that).

------
jgershen
"There were two kinds of codes in cryptography, codes that stopped your little
brother from reading your message and codes that stopped major governments
from reading your message, and this was the first kind of code..."

(from HPMOR:
[http://www.fanfiction.net/s/5782108/62/Harry_Potter_and_the_...](http://www.fanfiction.net/s/5782108/62/Harry_Potter_and_the_Methods_of_Rationality))

~~~
jazzyb
That quote is derived from one that originally appeared in "Applied
Cryptography" by Bruce Schneier:

"There are two kinds of cryptography in this world: cryptography that will
stop your kid sister from reading your files, and cryptography that will stop
major governments from reading your files."

~~~
jgershen
Awesome, thanks! I haven't read enough Schneier to have picked up on that
(really just Secrets and Lies).

------
billybob
A Caesar cypher, specifically.

Wow.

------
pavel_lishin
I wonder what this idiot's actual job was.

