How 'Agents of S.H.I.E.L.D.' Got Encryption Right – and Wrong

Cracks in the S.H.I.E.L.D.

The show's resident hacker Skye (Chloe Bennet, left) and Agent Coulson (Clark Gregg) in S.H.I.E.L.D. headquarters.

The show's resident hacker Skye (Chloe Bennet, left) and Agent Coulson (Clark Gregg) in S.H.I.E.L.D. headquarters.

In the pilot, S.H.I.E.L.D. agents eventually capture Skye, telling her they traced her by matching the "cryptographic signature" on one of her photos with other photos on a website used by political radicals.

This is possible, but has nothing to do with cryptography. Every digital camera has a unique "fingerprint," or pattern of distortion in each photograph, created by tiny misalignments in the camera's sensors. Law enforcement agencies use these "fingerprints" to match photos to cameras.

MORE: How Digital Photos Reveal Who Took Them

Later in the pilot episode, S.H.I.E.L.D. agents can't crack the encryption on the computers in Skye's van.

Skye boasts that her encryption key is connected to her van's GPS coordinates, so that — in theory — the files can't be decrypted unless the van is parked in the right place.

That sounds cool in theory, but in practice, it doesn't work nearly as well as you  might think.

"A GPS coordinate is a poor choice of key for a few reasons," Kevin O'Brien, a security systems architect for the Waltham, Mass., cloud security company Cloudlock, told Tom's Guide.

GPS coordinates are comprised of two seven-digit numbers. The resulting encryption key would only be 14 digits long — not long enough to withstand a basic password guessing, or brute-force, attack, which is when hackers use a computer program that quickly goes through every possible combination of characters in order to crack a password.

Guessing the encryption key would be even easier if you knew that it was based on GPS coordinates.

"Those digits are most likely going to correlate to a location nearby, since the van needs to be able to reasonably reach its decryption location," O'Brien said. "Given that, it's easy to iterate through all possible combinations of coordinates, and, by brute force, gain access."

But how would S.H.I.E.L.D. agents know to look for GPS coordinates?

"Whatever program was handling the decryption would presumably be monitoring a GPS device of some kind for the right set of coordinates," O'Brien said. "That means that I could pretty readily look for that recurring 'question' on the network or via whatever wire connected the two devices."

Technological flaws aside, using GPS coordinates as an encryption key just seems pointless, O'Brien said.

"Why bother?" he asked. "Assuming that the specific location is known to the driver, it's no more secure than having a password memorized. … Coercion can reveal where the van needs to be as effectively as it can reveal a string of letters and numbers."

O'Brien thinks Skye might be better served using a "one-time pad," which encrypts data using a new random key each time.

"Geolocation might make for a good pad [aka encryption key], if it was also time-bound," O'Brien said. "For example, 'only decrypt the data on the van if it is at exactly the right place, at exactly the right time.'"

"That way, once the van was taken away by the agents, the window of opportunity to use the pad would be lost," O'Brien said. "Highly inconvenient cryptography, but significantly more secure."

 Email jscharr@techmedianetwork.com or follow her @JillScharr. Follow us @TomsGuide, on Facebook and on Google+.

TOPICS

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • John Sheffield
    It was pretty obvious that the van needing to be in another location was just a plot device. They had to get Skye away from the team, so she could be kidnapped, drop the bread crumb about erasing a person's electronic records, and set up the episode climax. I would rather they had gone a different way. Coulson already said they had no information on her, and the episode wouldn't have been as rushed.
    Reply