Digital Fortress: what Dan Brown got wrong


Having read all of Dan Brown’s other works, I got interested in reading Digital Fortress: A Thriller, especially knowing that its background theme is computers and cryptography. In the other books (Da Vinci Code, Angels & Demons and Deception Point) most of the facts look accurate to me, perhaps because I’m not an expert in any of the fields they touch (art, fossils or the Vatican situation). But I know something more about computers and I have always liked cryptography, so I have been studying it for some time, and having read the book I found some things which don’t really fit.

Some of these things are what we could call “artistic license”, where the author has invented something which doesn’t really exist so that the novel is plausible, but others are factual errors which suggest Dan didn’t really research the subject. And it’s a pity, because he says two ex-NSA cryptographers contributed to the book, and they should know much better what they were talking about. Dan, are you really sure they were ex-NSA members?

Finally, I’m including a list of some errors not related to computers. As the novel is partly set in Seville, a city in southern Spain, and I’m from Spain, I found some gross errors about the city and about the country. I don’t live in Seville, but I have been there on holidays, so I’m sure more errors about the city can be found. Anyway, let’s go with the list.

WARNING: for those who haven’t read the book and intend to, this contains all kinds of spoilers.

“The notion of a rotating cleartext function was first put forth in an obscure, 1987 paper by a Hungarian mathematician, Josef Harne. Because brute-force computers broke codes by examining cleartext for identifiable word patterns, Harne proposed an encryption algorithm that, in addition to encrypting, shifted decrypted cleartext over a time variant. In theory, the perpetual mutation would ensure that the attacking computer would never locate recognisable word patterns and thus never know when it had found the proper key. The concept was somewhat like the idea of colonising Mars—fathomable on an intellectual level, but, at present, well beyond human ability.”

Although the mathematician mentioned didn’t really exist, we could try to believe in the concept of rotating cleartext, but it doesn’t stand up. The idea is an algorithm which produces data that varies over time, so you can’t know whether you got the real data or not. OK, then how does the intended receiver recover the data? He will need something more (assuming this could really work), like the time when it was encrypted and the current time. These are simply more bits in the keyspace to be brute-forced, so you can always find the original content.

“TRANSLTR had just located a sixty-four-character key in a little over ten minutes, almost a million times faster than the two decades it would have taken the NSA’s second-fastest computer.”

The multi-processor computer is able to find a 64-bit key in approximately ten minutes, but runs almost 18 hours trying to find the key for Digital Fortress. What the hell is it doing? If, on average, it spends 10 minutes, we can suppose it has tried at least half the possible keys, so trying all of them would take 20 minutes. So, what has the computer been doing the rest of the time? Testing the keys again and again?

Leave aside the fact that an algorithm designed to work with data ends up executing some of it. This has happened in commercial software: these are called bugs, and they sometimes get into software and become security flaws. But in an NSA-designed algorithm on an NSA computer? No way they would let it slip into the software.

Another strange thing is that they never consider that the encrypted code they downloaded might be junk: random characters which don’t make any sense and can’t be decrypted. This would also exhaust the keyspace without finding a correct key.

“Susan had learned about the Bergofsky Principle early in her career. It was a cornerstone of brute-force technology. It was also Strathmore’s inspiration for building TRANSLTR. The principle clearly stated that if a computer tried enough keys, it was mathematically guaranteed to find the right one. A code’s security was not that its pass-key was unfindable but rather that most people didn’t have the time or equipment to try.”

OK, another invented name. Nobody has ever heard of the Bergofsky Principle outside this book, and for a reason. It says “mathematically guaranteed to find the right one”, but it would only be correct if it said “mathematically guaranteed to test the right one”. That is the concept behind brute force: try all the possible keys, so it’s certain that one of them will be the correct one. The difficult part is knowing whether the one we tested was the correct one.

But let’s talk about the one-time pad, an encryption algorithm “which has been proven, from theoretical first principles, to be unbreakable when properly deployed”. It works because the key length is the same as the length of the data, so a lot of different keys will give results which look plausible. From a message encrypted with this algorithm you can get any original text you want simply by varying the key used. So, when trying to decode one of these messages, TRANSLTR is guaranteed to test the correct key; what is not guaranteed is that it will be able to know it’s the correct one.
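The difference between testing the right key and recognising it, shown as an added example that is not part of the original post: a repeating 16-bit XOR key stands in for a short-key cipher, and the lowercase-plus-space recogniser, the sample message, the keys and the junk bytes are all constructed for the illustration. It also covers the junk-input case raised a few paragraphs earlier.

```python
import itertools

# Constructed toy "language": lowercase letters and space.
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyz ")


def xor(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(candidate: bytes) -> bool:
    """The recogniser a brute-forcer needs to decide that a tested key was right."""
    return all(b in ALLOWED for b in candidate)


def brute_force(ciphertext: bytes, key_len: int) -> list:
    """Test every key of key_len bytes; return (key, plaintext) pairs that pass."""
    hits = []
    for key in itertools.product(range(256), repeat=key_len):
        plain = xor(ciphertext, bytes(key))
        if looks_like_text(plain):
            hits.append((bytes(key), plain))
    return hits


def otp_key_for(ciphertext: bytes, wanted: bytes) -> bytes:
    """One-time pad: derive the key under which ciphertext decrypts to wanted."""
    if len(wanted) != len(ciphertext):
        raise ValueError("pad and message must have the same length")
    return xor(ciphertext, wanted)


# All values below are constructed for this example.
MESSAGE = b"attack at dawn"
SHORT_KEY = bytes.fromhex("5ac3")                      # 16-bit repeating key
PAD = bytes.fromhex("1f9c3be07a55d2486b0ee3914c27")    # pad as long as the message
JUNK = bytes.fromhex("8f130a77e2c45b903d6ea1f80c42")   # not a ciphertext at all

if __name__ == "__main__":
    # Short key: the keyspace is exhausted and exactly one key is recognisable.
    print(brute_force(xor(MESSAGE, SHORT_KEY), 2))
    # Junk input: the keyspace is exhausted and nothing is recognisable.
    print(brute_force(JUNK, 2))
    # One-time pad: the same ciphertext "decrypts" to any text of equal length.
    ct = xor(MESSAGE, PAD)
    for wanted in (MESSAGE, b"retreat at six"):
        key = otp_key_for(ct, wanted)
        print(key.hex(), xor(ct, key))
```

With the short key the redundancy of the plaintext singles out one key; with the pad every 14-character text has a key that produces it, so no recogniser can pick the real one.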

“Susan had created, in effect, a directional beacon disguised as a piece of E-mail. She could send it to the user’s phony address, and the remailing company, performing the duty for which it had been contracted, would forward it to the user’s real address. Once there, the program would record its Internet location and send word back to the NSA. Then the program would disintegrate without a trace. From that day on, as far as the NSA was concerned, anonymous remailers were nothing more than a minor annoyance.”

There’s no way the tracer can work with the current state of e-mail. E-mail is just data, not executable, so the user is the one who has to execute it; it can’t execute itself to find out where it is, and even less make itself disappear. The only way something like this can work is with web bugs: attaching a link to the e-mail which will be visited when the recipient receives the e-mail and opens it. But that needs the cooperation of the recipient, and it can’t delete itself (well, maybe if there’s a bug in the e-mail software used to open it, which is highly doubtful).

“She knew mutation strings were programming sequences that corrupted data in extremely complex ways. They were very common in computer viruses, particularly viruses that altered large blocks of data.”

This really doesn’t make any sense, so I’m considering it simply another case of artistic license. Even Dan himself doesn’t seem to know what he wants to represent with mutation strings, so even less do I.

“After we make the switch,” Strathmore added, “I don’t care how many pass-keys are floating around; the more the merrier.” He motioned for her to continue searching. “But until then, we’re playing beat-the-clock.”

So Strathmore’s intention is to replace the file containing the Digital Fortress code with an altered version with a backdoor, so the NSA can read all messages encrypted with it. But what if someone downloaded it previously? He will be able to get the original version without any backdoor, so the plan completely fails. Even more, he can also get the other version with the backdoor, so he will be able to compare both and find the backdoor in it.

“Now Susan was even more doubtful. Encryption algorithms were just mathematical formulas, recipes for scrambling text into code. Mathematicians and programmers created new algorithms every day. There were hundreds of them on the market—PGP, Diffie-Hellman, ZIP, IDEA, El Gamal. TRANSLTR broke all of their codes every day, no problem. To TRANSLTR all codes looked identical, regardless of which algorithm wrote them.”

When he says “scrambling text into code” I hope he doesn’t mean executable code… But what I don’t like about this paragraph is that he confuses different kinds of algorithms, public-key (El Gamal) and private-key (IDEA), with encryption systems like PGP, which uses the other two in combination to work. PGP is not an algorithm and neither is ZIP: ZIP is a compression system which can optionally encrypt the data, originally with a proprietary protocol and nowadays using AES, a standard for encryption.

““I don’t understand,” she argued. “We’re not talking about reverse-engineering some complex function, we’re talking brute force. PGP, Lucifer, DSA—it doesn’t matter. The algorithm generates a key it thinks is secure, and TRANSLTR keeps guessing until it finds it.””

Susan says TRANSLTR can find the key even if it doesn’t know what algorithm was used. This is impossible, as you need the algorithm to test whether the key works or not.

“Four-bit alpha groupings,” she puzzled. “They’re definitely not part of the programming.”

Sorry, Dan, but a bit is either 0 or 1, so these are not four-bit alpha groupings. These are simply 4-character groups, where each character (if using a standard encoding) uses 8 bits.

“Primes were the fundamental building blocks of all encryption algorithms”

Sorry, but no. There are a lot of encryption algorithms which don’t use prime numbers as their basis, and to keep it simple I’ll repeat my earlier example: the “one-time pad”.

“Public-key encryption was a concept as simple as it was brilliant. […] The only way to unscramble the message was to enter the sender’s “pass-key”—a secret series of characters that functioned much like a PIN number at an automatic teller.”

Sorry, but again: NO! This is not how public-key encryption works. If it were better explained, it would be how private-key encryption works. But Dan, you need to read Wikipedia and not say this kind of thing.

“With a few quick keystrokes, she pulled up a program called ScreenLock. It was a privacy utility. Every terminal in Node 3 was equipped with it. Because the terminals stayed on around the clock, ScreenLock enabled cryptographers to leave their stations and know that nobody would tamper with their files. Susan entered her five-character privacy code, and her screen went black. It would remain that way until she returned and typed the proper sequence.”

Five-character passwords on a computer managed by an NSA member? Not long enough to be credible. The most paranoid of my friends use twenty-character passwords, so I imagine the NSA should use something a bit longer than 5 chars.

Oh, and Greg manages to install a keylogger in all these computers, so I should say the system operator is not very efficient in keeping the systems secure. At least, lock the computer case inside a box so nobody can access it directly.

To finish this list, how did they plan to decipher the Digital Fortress code if they didn’t have the decryption code? OK, you get the passkey but you need the decryption code, which is encrypted with itself. Mmmm, a no-no…

Let’s go on to the errors not related to computers.

“The phone began to ring. Becker guessed five rings was all it would take. It took nineteen.”

I don’t know how it works in the United States, but in Spain a telephone never rings nineteen times. If nobody picks it up, the call is cut after, at most, fifteen rings, so nineteen seems highly improbable.

“Cranberry juice was a popular drink in Spain, but drinking it alone was unheard of.”

I have never heard anyone in Spain ask for cranberry juice. I highly doubt you can find this kind of juice in any bar in Spain, so never mind the possibility of having it mixed with alcohol.

“Becker’s Vespa was no doubt the smallest vehicle ever to tear down the Seville runway. Its top speed, a whining 50 mph, sounded more like a chainsaw than a motorcycle and was unfortunately well below the necessary power to become airborne. In his side mirror, Becker saw the taxi swing out onto the darkened runway about four hundred”

In no airport is it possible to get onto the runway with a motorcycle or a taxi; only authorised vehicles can enter it, so this doesn’t make any sense.

“He’d forgotten: Getting an international connection from Spain was like roulette, all a matter of timing and luck. He’d have to try again in a few minutes.”
“A punctured lung was fatal, maybe not in more medically advanced parts of the world, but in Spain, it was fatal.”

Dan Brown says he spent some time studying in Seville, but I don’t know what he was doing, because almost everything he says about the city is wrong. It’s almost impossible to find punks in Seville, no hospital has people lying on the floor… But these last two sentences really struck me. He makes Spain look like some kind of 19th-century country. I have to say that the Spanish medical system is really efficient: I’ve had four operations, one of them really severe which kept me in hospital for a month, and they worked really well. The Spanish telecommunications system is also good; it’s not difficult to get an international connection, you only have to pick up the phone and call. Maybe this could have happened 50 years ago, but it’s not true anymore.

Apart from all this, I should say I didn’t enjoy this book as much as the other ones by Dan Brown. In the middle of the book it began to get boring, and the ending was really predictable. I also didn’t like the final part where “hackers” are trying to get into the computer and they can see them on a monitor, like black lines attacking the datacenter and walls disappearing… This works well for a Hollywood film, but you don’t need it in a book.

If you like this kind of thriller, from the same author I would recommend (in this order):

1. Angels & Demons, Special Illustrated Edition
2. The Da Vinci Code
3. Deception Point

More info | Wikipedia.
More info | MathFiction.

12 thoughts on “Digital Fortress: what Dan Brown got wrong”

  1. What Dan Brown writes about Seville is really crazy. It is impossible that he was in Seville for a single whole day: the Ayuntamiento is very far from the Plaza de España; the airport is not on the highway to Huelva, it is on the highway to Madrid; the supposed typical Spanish drink, cranberry juice, is not known at all in Spain; the Giralda tower does not have any ladder, it has a slope; the cathedral is very far from having a single exit “to defend from Moorish attacks in the Middle Ages”, because it was built after the Moors were expelled from the city; actually, the Giralda tower is the only remains of the former Moorish mosque. Triana, for the author, is a suburb of prostitution and drug dealing, but the real Triana is a popular part where regular families live… And of course buses in Seville do not run with the doors open as a “cheap air conditioner”, and hospitals in Seville are not derelict places with patients lying on the floor. Regarding the Spanish health system, I have to say, not only can bullet injuries be very efficiently treated (despite the fact that we are far from the big experience of American doctors in bullet injuries), but Spain is also the second country in the world in organ transplantation after the USA (Spain has about eight times less population), with a slight difference: in Spain organ transplantation (and bullet injury treatment) is done in PUBLIC hospitals for ANY Spaniard, poor or rich, but in the USA organ transplantation is only for those who can pay for it. In other words, at this moment there are hundreds of low-income people in the USA who would need an organ transplant but are dying, dreaming of having been born in Seville… There are many more crazy things; the list is too long.
    Definitely I cannot believe a single word written by this author, especially on subjects that I do not know, like those of the Da Vinci Code. You cannot trust him anymore.
    By the way Dan, try to bribe a Spanish policeman, as is done in the novel, and you will know the only part of Seville that you should visit again: the jail.

  2. I have just read the book and it seems a joke. I live in Spain, and the Seville I have visited hundreds of times doesn’t appear in the novel.

  3. My dear Mr. Brown: If idiots could fly, you would be Minister of the Air. It’s amazing how much nonsense you write about Seville without the slightest basis. Regards from a reader who will never, I repeat, never read one of your books.
    P.S. I won’t go into judging your super “Beseler” because it would offend the sensibilities of intelligent people.

  4. Dan Brown and the NSA… he says that only 3% of American people know about the NSA… is it possible? NSA and EFF… I know the NSA, but the EFF? Is it real? And it really has such big power in this age, especially after 11 September! I think now the NSA can work absolutely freely and nobody can tell them not to control any e-mail or phone conversation all over the world, encrypted or not encrypted… Sorry for my English, but this is what I think. Dany from Italy

  5. I’m glad some Spaniards cleared that up for me; I had my doubts as well about the way Seville was portrayed in this book. He described it like some third-world country or something; even I felt insulted by his comments, being tied to Spain only by heritage (I’m from Puerto Rico). Thank you for your comments, friends; I will hold on to my wish to travel to Spain some day. Regards.

  6. Another one for the collection of ‘mistakes’ in Spain:-

    When in the Cathedral, Becker kneels to receive communion and sees the assassin behind him in the goblet just as he is about to be given the wine…..

    Unless I’m very much out of touch, Catholic churches in Spain reserve the wine for the clergy – the people receive only the wafer/bread (and then aren’t allowed to touch it) for fear of dropping/spilling the body and blood of Christ.

    I don’t mind mistakes which are of necessity fiction, but just as some of the glaring inaccuracies of the DVC, it’s little things like this which convince that whatever his strengths as a story-teller, Dan Brown is a lazy researcher.

  7. Believe me, The Da Vinci Code isn’t much better. He basically cites the controversial and largely debunked stuff from Holy Blood, Holy Grail as factual; but beyond that it’s the same old garbage. His creative etymology for the name of Rosslyn Chapel is the same kind of BS you saw in Digital Fortress.

  8. the only explanation i see for the cranberry juice thing is that mr. brown wanted to speak about patxaran (more popular in the basque country… oh yes, basque country, andalusia, who cares huh?) but he was too drunk when the barman told him that it was made of blackthorns (they remotely resemble blueberries). back home go figure “bilberries, blueberries, huckleberries… sod it… cran… be… rries… yeah that’s it”.

    another explanation is that he was unable to even recall where the hell he was studying (?) and chose one country randomly.

  9. Hi,

    Please forgive me as I haven’t read all of the postings on your site and this may have already been mentioned, but I have a question regarding Digital Fortress which I have just read. Why does Strathmore need to put a backdoor into an altered version of the file? If they have the pass key then they can open all encrypted files anyway. Brown doesn’t mention that the pass key could/ could not be changed by the winning bidder…

    Have I missed something?…

    Many thanks.


  10. “After we make the switch,” Strathmore added, “I don’t care how many pass-keys are floating around; the more the merrier.” He motioned for her to continue searching. “But until then, we’re playing beat-the-clock.”

    So Strathmore’s intention is to replace the file with Digital Fortress code with an altered version of it with a backdoor so the NSA can read all messages encrypted with it. But, what if someone downloaded it previously? He will be able to get the original version without any backdoor, so the plan completely fails. Even more, he can get also the other version with the backdoor, so he will be able to compare both and find the backdoor in it.

    It says later that they were going to send out an “update” that would change any previous Digital Fortresses to their new back-door version.

  11. I’d like to point out that the Enigma machine used by the Nazis in WWII is not a twelve-ton beast as Dan wrote, but a device that looks like a regular typewriter.

  12. Umm, if you read the book properly, it said that TRANSLTR had a virus; that’s why it took so long.
    Tankado put a virus into TRANSLTR on purpose! It was never a key in the first place!
