Pssst, Wanna Hear a Secret – On My Mobile?

We all have secrets. We also know that if we share those secrets over our mobile devices, governments can listen in. Now it seems governments and possibly hackers can take control of your phone using the phone’s own management software. I don’t think I’d use my mobile phone to communicate any secrets.

But some clever programmers have come up with a way to use a smartphone (not connected to any networks and without a SIM card) to enable what is likely reasonably secure communication. A group of programmers and makers in Madison, Wisconsin, who are part of a non-profit called Sector67, came up with the tool they call “NSA Away”.

The basic idea is that they use a random number generator to create a one-time pad, encrypt the confidential data, transmit it to the recipient as human-readable ciphertext, and then display it on the recipient’s screen. The interesting part is that the smartphone then uses optical character recognition (OCR) to process the data and decrypt it with its copy of the one-time pad. The message is then displayed on the smartphone’s screen. You can read about it at Hackaday. That article also describes how to create your own setup. I’ll warn you in advance, though: you’ll need to build (from their design) a custom device to generate random numbers and store them on SD cards for the one-time pads.

For me there are two especially interesting things about this project: first, the use of a very large one-time pad, and second, the use of a camera and OCR to make the message readable.

If you are not familiar with one-time pads, they work like this:

  • A data source (called the “key”) is identified or created, and both the sender and recipient of the message have access to copies of it. Truly random numbers work best as they make the encryption impossible to break (if the key is secret, never re-used, and at least as long as the message to be encrypted). However, books were sometimes used successfully as keys, for example in World War II.
  • To send a message the sender selects part of the key that has never been used before (hence the “one-time”) and uses each byte (or bit) to encrypt a byte (or bit) of the message. This is usually done using modular addition.
  • The recipient applies the same mathematics, using the same part of the key and can decode the message.
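
The three steps above as a short Python sketch. This is an added example, not code from NSA Away or from the original post. The alphabet, the `Pad` class, the offset that travels with the ciphertext, and the use of Python's `secrets` module in place of a hardware random source are all assumptions made for illustration.

```python
import secrets
import string

# Assumed alphabet: symbols that are easy to read and OCR (not NSA Away's encoding).
ALPHABET = string.ascii_uppercase + string.digits + " ."
M = len(ALPHABET)  # modulus for the modular addition (38)


class Pad:
    """Sender's copy of the key plus the offset of the first unused symbol."""

    def __init__(self, symbols):
        self.symbols = list(symbols)
        self.offset = 0

    def take(self, n):
        # "One-time": hand out each key symbol once, and fail rather than wrap around.
        if self.offset + n > len(self.symbols):
            raise ValueError("pad exhausted: refusing to reuse key material")
        start = self.offset
        self.offset += n
        return start, self.symbols[start:start + n]


def generate_pad(n):
    # secrets.randbelow is uniform over range(M); it is a CSPRNG standing in
    # for a hardware random source.
    return [secrets.randbelow(M) for _ in range(n)]


def encrypt(pad, message):
    # Characters outside ALPHABET raise ValueError before any key is consumed.
    idx = [ALPHABET.index(c) for c in message]
    start, key = pad.take(len(idx))
    text = "".join(ALPHABET[(i + k) % M] for i, k in zip(idx, key))
    return start, text  # the offset travels with the ciphertext; it is not secret


def decrypt(symbols, start, ciphertext):
    key = symbols[start:start + len(ciphertext)]
    if len(key) != len(ciphertext):
        raise ValueError("ciphertext runs past the end of the pad")
    return "".join(ALPHABET[(ALPHABET.index(c) - k) % M] for c, k in zip(ciphertext, key))


if __name__ == "__main__":
    shared = generate_pad(64)  # constructed sample pad; both parties hold a copy
    sender = Pad(shared)
    start, ct = encrypt(sender, "MEET AT 9.")
    print(start, repr(ct), decrypt(shared, start, ct))
```

The ciphertext stays inside the same printable alphabet, so it can be typed, printed or photographed, and the sender's offset only ever moves forward so no key symbol encrypts two messages.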

Wikipedia has a detailed example. We talk about one-time pads and other encryption methods in Learning Tree Course 468, System and Network Security Introduction. Our Mobile Application and Device Security course is also an excellent resource.

In the case of “NSA Away” the creators say they chose the one-time pad for its simplicity in implementation, but that other algorithms could be used in a future version. That might remove the need for the custom hardware, too.

The idea of a reasonably practical one-time pad implementation using flash storage is interesting. A very large key (tens of gigabytes) can be created and reasonably shared. Of course, the need to share the key is a limitation of the scheme.

The other interesting aspect of this project is the use of OCR in the decryptor. This physically decouples the decryption process from the message transmission. That means that if the decryptor (the smartphone) is kept secure, no outsiders can see the message. The creators note that QR codes could be used as well, but that they are difficult for humans to verify. Some students at the American University of Beirut came up with a similar idea, but using a head-mounted display instead of a smartphone, and using an encryption algorithm other than a one-time pad. I suppose either approach would work with a printed copy of the encrypted message, too. There may be other schemes that do this, but I am unaware of them.

I like the idea. I hope they continue the project. Let us know what you think in the comments below. If you decide to build one of these, let us know how it goes.

To your safe computing,
John McDermott
