Having read all the other Dan Brown’s works I got interested in reading Digital Fortress : A Thriller, especially knowing that it’s background theme is computers and cryptography. In the other books (DaVinci Code, Angels & Demons and Deception Point) most of the facts look to me like they are accurate, perhaps because I’m not an expert in any of the fields they touch (neither art, fossils or the Vatican situation). But I know something more about computers and I have always liked cryptography, so I have been studying it for some time, and having read the book I found some things which don’t really fit.
Some of these things are what we could call “artistic licenses”, where the author has invented something which doesn’t really exist so the novel is plausible, but others are factual errors which look like Dan didn’t get really documented about it. And it’s a pity, because he says two ex-NSA cryptographers contributed to the book and they should know much better what they were talking about. Dan, are you really sure they were ex-NSA members?
Finally, I’m getting a list of some errors not related to computers. As the novel is partly ambiented in Seville, a Spanish southern city, and I’m from Spain I found some gross errors about the city and about the country. I don’t live in Seville, but I have been there on holidays, so I’m sure more errors about the city can be found. Anyways, let’s go with the list.
WARNING: for those who haven’t read the book and have the intention of doing it, this contains all kind of spoilers.
“The notion of a rotating cleartext function was first put forth in an obscure, 1987 paper by a Hungarian mathematician, Josef Harne. Because brute-force computers broke codes by examining cleartext for identifiable word patterns, Harne proposed an encryption algorithm that, in addition to encrypting, shifted decrypted cleartext over a time variant. In theory, the perpetual mutation would ensure that the attacking computer would never locate recognisable word patterns and thus never know when it had found the proper key. The concept was somewhat like the idea of colonising Mars—fathomable on an intellectual level, but, at present, well beyond human ability.”
Although the mentioned mathematician didn’t really exist we could try to believe in the concept of rotating-cleartext but this doesn’t stand. So, an algorithm which produces data that variates over the time so you can’t know whether you got the real data or not. OK, then how does the intended receiver know the data? He will need something more (taking in consideration that this could really work), like the time when it was encrypted and the current time. These will be simply more bits in the keyspace to be brute-forced, so you can always find the original content.
“TRANSLTR had just located a sixty-four-character key in a little over ten minutes, almost a million times faster than the two decades it would have taken the NSA’s second-fastest computer.”
The multi-processor computer is able to find a 64-bit key in approximately ten minutes, but runs almost 18 hours trying to find the key for Digital Fortress. What the hell is it doing? If, in average, it spends 10 minutes we can suppose it has tried at least half the possible keys, so to try all of them it will spend 20 minutes. So, what has the computer been doing the rest of the time? Testing the keys again and again?
Leave apart the fact that an algorithm designed to work with data ends up executing some of it. It has happened sometimes in commercial software, these are called bugs and they sometimes get into software and become security flaws, but in a NSA designed algorithm in a NSA computer? No way they would let it slip into the software.
Another strange thing is they never take into consideration that the encrypted code they download might be junk, random characters which don’t make any sense and that can’t be decrypted. This would also exhaust the keyspace and not be able to find a correct key.
“Susan had learned about the Bergofsky Principle early in her career. It was a cornerstone of brute-force technology. It was also Strathmore’s inspiration for building TRANSLTR. The principle clearly stated that if a computer tried enough keys, it was mathematically guaranteed to find the right one. A code’s security was not that its pass-key was unfindable but rather that most people didn’t have the time or equipment to try.”
OK, another invented name. Nobody has ever heard about Bergofsky Principle outside this book and for a reason. It says “mathematically guaranteed to find the right one”, but it would be only correct if it said “mathematically guaranteed to test the right one”. That is the concept behind brute-force: try all the possible keys, so it’s sure one of them will be the correct one. The difficult part is how to know if the one we tested was the correct one.
But, let’s talk about One-time pad, an encryption algorithm “which has been proven, from theoretical first principles, to be unbreakable when properly deployed”. It works because the key-length is the same as the length of the data, so a lot of different keys will give results which might look like plausible. From a message encrypted with this algorithm you can find the original text you want simply by variating the key used. So, when trying to decode one of this messages TRANSLATR is guaranteed to test the correct key, what is not guaranteed is to be able to know it’s the correct one.
“Susan had created, in effect, a directional beacon disguised as a piece of E-mail. She could send it to the user’s phony address, and the remailing company, performing the duty for which it had been contracted, would forward it to the user’s real address. Once there, the program would record its Internet location and send word back to the NSA. Then the program would disintegrate without a trace. From that day on, as far as the NSA was concerned, anonymous remailers were nothing more than a minor annoyance.”
There’s no way the tracer can work with the current state of e-mail. E-mail is just data, not executable, so the user is the one who has to execute it, it can’t execute itself to know where it is and even less make itself disappear. The only way something like this can work is with web bugs, attaching a link to the email which will be visited when the recipient receives the email and opens it, but it needs the cooperation of the recipient and can’t delete itself (well, maybe if there’s a bug in the e-mail software used to open it, highly doubtable)
“She knew mutation strings were programming sequences that corrupted data in extremely complex ways. They were very common in computer viruses, particularly viruses that altered large blocks of data.”
This really doesn’t make any sense, so I’m considering it simply another artistic license. Even Dan himself doesn’t seem to know what he wants to represent with mutation strings, so even less do I.
“After we make the switch,” Strathmore added, “I don’t care how many pass-keys are floating around; the more the merrier.” He motioned for her to continue searching. “But until then, we’re playing beat-the-clock.”
So Strathmore’s intention is to replace the file with Digital Fortress code with an altered version of it with a backdoor so the NSA can read all messages encrypted with it. But, what if someone downloaded it previously? He will be able to get the original version without any backdoor, so the plan completely fails. Even more, he can get also the other version with the backdoor, so he will be able to compare both and find the backdoor in it.
“Now Susan was even more doubtful. Encryption algorithms were just mathematical formulas, recipes for scrambling text into code. Mathematicians and programmers created new algorithms every day. There were hundreds of them on the market—PGP, Diffie-Hellman, ZIP, IDEA, El Gamal. TRANSLTR broke all of their codes every day, no problem. To TRANSLTR all codes looked identical, regardless of which algorithm wrote them.”
When he says scrambling text into code I hope he’s not meaning executable code… But, what I don’t like about this paragraph is that he confuses different kinds of algorithms: public-key (El Gamal) and private-key (IDEA), with encryption systems, like PGP which uses the other two in combination to work. PGP is not an algorithm and neither is ZIP, this is a compression system, which can, optionally, encrypt the data, originally with a propietary protocol and nowadays using AES, an standard for encryption.
““I don’t understand,” she argued. “We’re not talking about reverse-engineering some complex function, we’re talking brute force. PGP, Lucifer, DSA—it doesn’t matter. The algorithm generates a key it thinks is secure, and TRANSLTR keeps guessing until it finds it.””
Susan says the TRANSLATR can find the key even if it doesn’t know what algorithm was used. This is impossible, as you need the algorithm to test whether the key works or not.
“Four-bit alpha groupings,” she puzzled. “They’re definitely not part of the programming.”
PFEE SESN RETM MFHA IRWE OOIG MEEN NRMA
ENET SHAS DCNS IIAA IEER BRNK FBLE LODI
Sorry, Dan, but a bit is either 0 or 1, so these are not four-bit alpha groupings. These are simply 4-character groups, where each character (if using standard codification) uses 8 bits.
“Primes were the fundamental building blocks of all encryption algorithms”
Sorry, but no. There are a lot of encryption algorithms which don’t use prime numbers as its basis, and to put it easy I’ll repeat myself in the example: “one-time pad”.
“Public-key encryption was a concept as simple as it was brilliant. [...] The only way to unscramble the message was to enter the sender’s “pass-key”—a secret series of characters that functioned much like a PIN number at an automatic teller.”
Sorry, but again: NO!. this is not how public-key encryption works. If it was better explained it would be how private-key encryption works. But Dan, you need to read the Wikipedia and not say this kind of things.
“With a few quick keystrokes, she pulled up a program called ScreenLock. It was a privacy utility. Every terminal in Node 3 was equipped with it. Because the terminals stayed on around the clock, ScreenLock enabled cryptographers to leave their stations and know that nobody would tamper with their files. Susan entered her five-character privacy code, and her screen went black. It would remain that way until she returned and typed the proper sequence.”
Five character passwords in a computer managed by a NSA member? Not long enough to be credible. The most paranoid of my friends use twenty characters passwords, so I imagine NSA should use something a bit longer than 5 chars.
Oh, and Greg manages to install a keylogger in all these computers, so I should say the system operator is not very efficient in keeping the systems secure. At least, lock the computer case inside a box so nobody can access it directly.
To finish this list, how did they plan to decipher the Digital Fortress code if they didn’t have the decryption code? OK, you get the passkey but you need the decryption code, which is encrypted with itself. Mmmm, a no-no…
Let’s get with the errors not related to computers.
“The phone began to ring. Becker guessed five rings was all it would take. It took nineteen.”
I don’t know how it works in United Stated, but in Spain a telephone never rings nineteen times. If nobody picks it up it cuts the call in, at most, fifteen calls, so nineteen seems highly improbable.
“Cranberry juice was a popular drink in Spain, but drinking it alone was unheard of.”
I never heard anyone in Spain asking for cranberry juice. I highly doubt you can find this kind of juice in any bar in Spain, so let alone the possibility of having it mixed with alcohol.
“Becker’s Vespa was no doubt the smallest vehicle ever to tear down the Seville runway. Its top speed, a whining 50 mph, sounded more like a chainsaw than a motorcycle and was unfortunately well below the necessary power to become airborne. In his side mirror, Becker saw the taxi swing out onto the darkened runway about four hundred”
In no airport is it possible to get into the runway with a motorcycle or a taxi, only authorised vehicles can enter it, so this doesn’t make any sense.
“He’d forgotten: Getting an international connection from Spain was like roulette, all a matter of timing and luck. He’d have to try again in a few minutes.”
“A punctured lung was fatal, maybe not in more medically advanced parts of the world, but in Spain, it was fatal.”
Dan Brown says he was some time studying in Seville, but I don’t know what he was doing, because almost everything he says about the city is wrong. It’s almost impossible to find punks in Seville, no hospital has people lying on the floor,… But these two last sentences really struck me. He makes Spain look like some kind of 19th century country. I have to say that spanish medical system is really efficient, I’ve got four operations, one of them really severe which had me one month in hospital, and they did work really good. Also spanish telecommunications system is good, it’s not difficult to get an international conference, only pick up the phone and call. Maybe this could happen like 50 years ago, but it’s not true anymore.
Apart from all this, I should say I didn’t enjoy this book as much as the other one’s from Dan Brown. In the middle of the book it began to get boring and the final was really previsible. I also didn’t like the final part where “hackers” are trying to enter into the computer and they can see them in a monitor, like black lines attacking the datacenter and walls disappearing… This works good for a Hollywood film, but you don’t need it in a book.
If you like this kind of thrillers, from the same author I would recommend (in these order):