Mathematics of terror
 

 

A disturbing trend that is emerging nowadays is the increasing use of encryption, high-frequency encrypted voice/data links, Pretty Good Privacy (PGP), etc. by terrorists and members of organized crime cartels. Notable examples are:

  • Ramsey Yousef, who was behind the bombing of the World Trade Center in the USA in 1993 and of an aircraft belonging to Manila Air in 1995.

  • Leary, who was sentenced to 94 years in prison for setting off fire bombs in the New York (USA) subway system in 1995. Leary had developed his own algorithm for encrypting the files on his computer.

  • The Cali cartel, which is reputed to be using sophisticated encryption to conceal their telephone communications, radios that distort voices, video phones which provide visual authentication of the caller's identity, and instruments for scrambling transmissions from computer modems.

  • The Italian mafia that uses PGP.

Strong encryption is the criminal’s best friend and the policeman’s worst enemy.

If a criminal were to use 512-bit symmetric encryption, how long would it take to decrypt the information using brute force techniques?

Suppose that every atom in the known universe (there are estimated to be 2^300 of them) becomes a computer capable of checking 2^300 keys per second, then it would take 2^162 millennia to search 1% of the key space of a 512-bit key. The universe is believed to have come into existence less than 2^24 years ago. The table below summarizes how long a brute force attack will take for various key sizes:

Key size (in bits)    1% of key space          50% of key space
56                    1 second                 1 minute
57                    2 seconds                2 minutes
58                    4 seconds                4 minutes
64                    4.2 mins                 4.2 hours
72                    17.9 hours               44.8 days
80                    190.9 days               31.4 days
90                    535 years                321 centuries
108                   140,000 millennia        8 million millennia
128                   146 billion millennia    8 trillion millennia
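
The doubling-per-bit scaling behind the table, as an added example that is not part of the original article. The attacker's speed is an assumption calibrated from the table's 56-bit row, and the names `search_seconds`, `humanize` and `min_key_bits` are illustrative; the last function shows how few extra key bits offset a much faster attacker.

```python
from fractions import Fraction

# Assumption: the attacker's speed is calibrated from the 56-bit row of the
# table above (1% of the key space searched in 1 second).
BASE_RATE = Fraction(2**56, 100)      # keys tested per second
YEAR = 31_557_600                     # seconds in a Julian year (365.25 days)
ONE_PERCENT, HALF = Fraction(1, 100), Fraction(1, 2)
UNITS = [("millennia", 1000 * YEAR), ("centuries", 100 * YEAR), ("years", YEAR),
         ("days", 86_400), ("hours", 3_600), ("minutes", 60), ("seconds", 1)]


def search_seconds(bits, fraction, rate=BASE_RATE):
    """Exact seconds needed to test `fraction` of a `bits`-bit key space."""
    return Fraction(2**bits) * Fraction(fraction) / Fraction(rate)


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{float(seconds / size):.3g} {name}"
    return f"{float(seconds):.3g} seconds"


def min_key_bits(target_years, fraction=HALF, rate=BASE_RATE):
    """Smallest key size for which testing `fraction` of the keys takes
    at least `target_years` at the given rate."""
    bits = 1
    while search_seconds(bits, fraction, rate) < target_years * YEAR:
        bits += 1
    return bits


if __name__ == "__main__":
    print(f"{'bits':>4}  {'1% of key space':>20}  {'50% of key space':>20}")
    for bits in (56, 57, 58, 64, 72, 80, 90, 108, 128, 512):
        one = humanize(search_seconds(bits, ONE_PERCENT))
        half = humanize(search_seconds(bits, HALF))
        print(f"{bits:>4}  {one:>20}  {half:>20}")
    # Key size needed to hold out 100 years, before and after the attacker
    # becomes 1000 times faster: the speed-up costs only ten more bits.
    print(min_key_bits(100), min_key_bits(100, rate=BASE_RATE * 1000))
```
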

Let us now consider some of the (in)famous cases of criminals using encryption technologies.

  • Aum Shinri Kyo (Supreme Truth) Case

    On March 20, 1995, the Aum Supreme Truth cult dropped bags of sarin nerve gas in the Tokyo subway, killing 12 people and injuring 6,000 more. Members of the cult had developed many chemical and biological weapons, including Sarin, VX, Mustard gas, Cyanide, botulism, anthrax and Q fever.

    It is believed that preparations were underway to develop nuclear capability. The cult was also believed to be developing a "death ray" that could destroy all life!

    The records of the cult had been stored in encrypted form (using RSA) on computers. The enforcement authorities were able to decrypt the information as the relevant private key was found in a floppy disk seized from the cult’s premises. The encrypted information related to plans of the cult to cause mass deaths in Japan and USA.

  • Bolivian terrorists case

    In 1997, a Bolivian terrorist organization had assassinated four U.S. army personnel. A raid on one of the hideouts of the terrorists yielded information encrypted using symmetric encryption. A 12-hour brute force attack resulted in the decryption of the information and subsequently led to one of the largest drug busts in Bolivian history and the arrest of the terrorists.

  • James Dalton Bell case

    James Bell was arrested and charged with obstructing and impeding the due administration of the internal revenue laws of the USA. He allegedly did this by:

    • collecting the names and home addresses of agents and employees of the Internal Revenue Service (IRS) of the USA in order to intimidate them
    • soliciting people to join in a scheme known as "Assassination Politics". Under this scheme those who killed selected government employees, including tax collectors, would be rewarded;
    • using false Social Security Numbers to hide his assets and avoid taxes;
    • contaminating an area outside IRS premises in many states of the USA with Mercaptan (a stink gas).

    Investigators found on his computer documents relating to a plan to destroy electronic equipment with nickel-plated carbon fiber.

    They also found an invoice for the purchase of the fiber at his residence, and a bundle of the material at the residence of his associate, Robert East. Bell had exchanged PGP-encrypted e-mail messages with some of his associates. As part of his plea bargain, he turned over the passphrase to his private key. This allowed investigators to decrypt messages that he had received.

  • Dutch organized crime

    Dutch organized crime syndicates use PGP and PGPfone to encrypt their communications. They also use palmtop computers installed with Secure Device, a Dutch software product for encrypting data with IDEA. The palmtops hold a database of unmarked police and intelligence vehicles.

    In 1995, the Amsterdam Police captured a PC in possession of one organized crime member. The PC contained an encrypted partition, which they were able to recover only in 1997.

  • The Vilseck case

    An encryption case occurring in Vilseck, West Germany involved theft, fraud, and embezzlement of U.S. defense contractor and U.S. government funds over the three-year period 1986-1988.

    The accused had stored financial records relating to the crimes on a personal computer, the hard disk of which had been password protected.

    The police used hacking software to defeat the password protection, only to find that some of the files listed in the directory had been encrypted. They then found the encryption program on the hard disk and used brute force tools to decrypt the files.

  • Dallas drug ring case

    The Dallas Police Department in the USA encountered encryption in the investigation of a drug ring, which was operating in several states of the USA and dealing in Ecstasy.

    A member of the ring, residing within their jurisdiction, had encrypted his address book. He turned over the password, enabling the police to decrypt the file.

    Meanwhile, however, the accused was out on bond and alerted his associates, so the decrypted information was not as useful as it might have been. The police noted that the Ecstasy dealers were more knowledgeable about computers as compared to other types of drug dealers, most likely because they were younger and better educated.

  • Kevin Poulsen case

    Kevin Poulsen was a skilled hacker who rigged radio contests, burglarized telephone-switching offices, and hacked into the telephone network in order to determine whose phone was being tapped and to install his own phone tapping devices.

    Poulsen had encrypted files documenting everything from the phone tapping he had discovered to the dossiers he had compiled about his enemies. The files had been encrypted several times using the Data Encryption Standard.

    A US Department of Energy supercomputer took several months to find the key, at a cost of crores of rupees. The result yielded nearly ten thousand pages of evidence.

  • Sacramento child pornography case

    The mother of a 15-year old boy filed a complaint against an adult who had sold her son Rs 50,000 worth of hardware and software for Rs 5. The man had also given the boy lewd pictures on floppy disks.

    The man subsequently mailed the boy pornographic material on floppy disks and sent pornographic files over the Internet.

    After three months of investigation, a search warrant was issued against a man in Campbell, California, USA and the adoption process of a 9-year old boy was stopped.

    When the accused was arrested it was found out that he had encrypted a directory on the system using PGP. The police were never able to decrypt the files.

 

 
© 2009 Asian School of Cyber Laws. All rights reserved.