In a zombie-like state, feeling stressed and deprived of sleep, she had been staring at the same five lines of code for 20 minutes, but there was more at stake than the competition. Her work could one day protect Americans from criminals, the NSA or the FBI.
Sarah Shibley is a senior computer science major at Cal State Long Beach. For nearly a year she has been juggling work, school and a software project, but her effort has not been without reward.
Shibley received honorable mention at last month’s CSULB Student Research Competition for her work on a computer program named Lemon, which she claims will provide “absolute security” for those looking to store or share encrypted files on the cloud.
Shibley thought of the name Lemon as a reference to the ancient technique of writing secret messages in lemon juice that could only be revealed by heating the paper.
In a post-Edward Snowden society, the debate over privacy and national security is the loudest it has been in years, and the recent Apple vs. FBI controversy has brought it all to a climax.
Businesses are concerned with the integrity of their products and services, while law enforcement and the government look to use every available resource to protect Americans.
Each has a mass of supporters backing their agenda.
Shibley and projects like Lemon are key components in the debate. As millennials secure more influence in society as consumers, voters and innovators, so do their values and creations.
“I think the government’s just gonna keep reaching out, trying to get more, which isn’t a terrible thing in some situations,” Shibley said. “It is nice to have them keeping us safe, but for some of it you don’t really want the government having their hands in everything that you do.”
The Project
Categories ranging from creative arts to mathematical sciences are featured in the annual CSULB Student Research Competition. Students present the work they produced with the guidance of their faculty mentor.
Professor Mehrdad Aliasgari was Shibley’s mentor. He has a doctorate in computer science and engineering and is CSULB’s cryptography and information security expert.
Aliasgari thought of the concept for Lemon a few years ago and approached Shibley last year to work on the project because of her enthusiasm, despite her inexperience with the subject.
“At the time I knew nothing about security, and I had never used some of the tools and languages I needed to work with,” Shibley recalled. “After one of our first meetings when he explained the overview and end goal of our project, I remember being totally overwhelmed and asking myself, ‘Where do we even start?’”
Aliasgari remembered the joy of first learning about encryption, and bringing the same to students is his passion as an educator. He described Shibley as “an excellent person, very intelligent and hardworking.”
“It is OK that you don’t know it,” Aliasgari said. “I didn’t know it when I was young. Motivated students like Sarah, they say, ‘Well there has to be a way. I keep working on it till I can crack it,’ and that characteristic, to me, is pretty much all you need to succeed.”
To keep the project on track Shibley and Aliasgari would meet weekly. One other student contributed briefly before leaving the country.
As the competition neared, the work became more intense. In the three days leading up to the presentation Shibley slept for a total of five hours, guzzled coffee and struggled to focus.
“The couple days before the competition are kind of a blur,” Shibley said.
Shibley described her honorable mention, the equivalent of third place, as “a very surprising and rewarding moment.” Though Lemon needs more work before it is ready to be released, finishing the competition was a relief for her.
“Afterwards, I had a whole slew of things I wanted to do to celebrate it being over, but I was so tired that when I got home I just fell asleep for the rest of the day,” Shibley said.
Lemon
When it comes to fostering uncertainty while delivering convenience, “the Cloud” is in a category of its own. Lemon was created with the goal of replacing that uncertainty of privacy with confidence while maintaining the beloved convenience of storing and sharing everything in one place.
“Some people feel kind of uncomfortable with the government being able to have full access to everything that they store on the cloud, but there aren’t really a lot of other resources that we can use because everyone wants to use Google’s stuff,” Shibley explained.
Cloud storage providers encrypt users’ files, but the provider still has control of the key and the file. This means that the government or a criminal could access the file with the provider’s keys. Lemon solves this dilemma by allowing users to securely store and share files through Google Drive or Dropbox by encrypting them before they leave the user’s computer, according to Shibley.
Lemon also stores all of the pieces to the puzzle in different places. The public key, used to encrypt the file, is stored on Lemon’s server, the file is stored in the cloud, and the private key to unlock the file is only on the user’s computer.
Other methods require users to give away their private key when sharing a file, increasing the likelihood that the key becomes compromised. Since the public key only encrypts the file, a sender can retrieve the recipient’s public key from Lemon’s server, encrypt the file and then only the recipient’s private key can unlock the file.
If law enforcement seized the encrypted file or a criminal intercepted it, it would be nearly impossible to crack. The data would be completely useless.
“It is computationally infeasible because the algorithms that we use, they’re the ones that are the most tested and accepted by the international security community. So they are pretty much uncrackable,” Shibley said.
There are so many possible key combinations that even the nearly 14 billion years the universe has existed would not be enough time for the world’s strongest supercomputer to come close to guessing the correct key, according to Shibley.
Apple vs. FBI
In ancient Egypt around 1900 B.C., a scribe wrote the earliest recorded encrypted message using non-standard hieroglyphics. Over a millennium later scribes were using encryption to transcribe the book of Jeremiah from the Old Testament, according to the SANS Institute, an organization that specializes in information security.
The practice of hiding messages from prying eyes predates modern civilization, but today it is thriving more than ever. Encryption has advanced exponentially since those first hieroglyphics with some form of encryption touching the lives of countless Americans daily.
When the courts ordered Apple to assist the FBI in cracking an iPhone, Apple and those in favor of complete encryption condemned the move as dangerous, despite the iPhone in question being a key piece of evidence in the San Bernardino terrorist attacks.
“I think it would be really neat if Apple could hold off and not let the FBI have a back door because that’s pretty sketchy … and once there’s a backdoor it means that anyone could hack it,” Shibley said. “It wouldn’t just be the government that could gain access to it. It could be anyone that could find their way in.”
The FBI has insisted that it wants Apple to hold onto the program used to unlock the phone, and that this is an instance of cracking a single phone, not all of them.
Assistant professor Christine Scott-Hayward, who has a doctorate in law and society, is CSULB’s Fourth Amendment law expert. She says that the outcome of the Apple vs. FBI controversy is unclear.
“There is a dispute as to whether the statute that the FBI is relying on, the All Writs Act, can be used to require Apple to take affirmative steps to help the FBI,” Scott-Hayward said in an email. “One of the factors to be considered is the burden on Apple, which it argues is high.”
In a similar New York case where the U.S. government ordered Apple to unlock an iPhone as part of a drug investigation, Magistrate Judge James Orenstein ruled in favor of Apple on Feb. 29. In the San Bernardino case, the iPhone is running newer software and the burden on Apple is greater. Under the logic of the decision in New York, the FBI should lose, according to Scott-Hayward.
With threats from Tim Cook, the CEO of Apple, to take the case all the way to the Supreme Court and the U.S. government already appealing the New York decision, these cases could have sweeping implications for the security community and software like Lemon that provide unbreakable encryption.
Aliasgari believes this complicated issue must be considered from three aspects. There are the implications on Apple’s business, the powers the law grants the government, and the technical details of breaking into an iPhone. There may also be more going on behind the scenes.
“Maybe this is a time that CIA, NSA and FBI are trying to prepare the society to accept their behavior and so that is why they are bringing it out … it is PR for both sides of them and they are both pursuing their own agenda,” Aliasgari said. “Maybe what they are hoping to get out of this is that eventually people will say, ‘Hey, you know what? I give up my privacy. We don’t need to have that,’ or maybe people will say, ‘No, I want to keep it.’”
Shibley will hold onto her privacy and believes others will begin to do the same. She predicts that more people will practice encrypting information locally with programs like Lemon to take the power over information from the hands of the corporations that store it.