This will be my last rant about public key encryption and internet security in this thread. I'll do my best to make it understandable. (And apologies to those who do not care for such techno-babble).
You are indeed correct that a proxy is worthless if an interested party already knows the identity of a specific individual and wishes to carry out electronic surveillance. Barring having physical access to that individual's computer, their best bet for network traffic analysis is by "sniffing" all traffic on the link from the individual's computer to their ISP. The question now becomes "what will they be able to analyze?"
If you communicate over the internet in an insecure and unprotected fashion, then every TCP segment (i.e. all chunks of data transmitted when surfing the net) that your computer sends and receives contains
- the source IP address
- the destination IP address
- a sequence number (used for reconstituting data in the correct order and in case packets are lost/arrive out of order)
- more bookkeeping information superfluous to this discussion
- the actual application data (e.g. a chunk of HTML web page etc) you are interested in viewing/sending
Using the sequence numbers, a snooping observer can readily reconstruct all information that you are indeed sending and receiving. If you are under surveillance and viewing kiddie-porn you can expect the FBI to come crashing through your front door.
If, however, you are communicating over an encrypted connection then the snooping observer will no longer have raw application data to reconstruct. Without your private key, they will have to rely on brute-force number field sieving or elliptic curve factoring to decrypt the application data contained within each TCP packet.
If you are using a weak form of encryption, then the snooping observer will (with a little time and computing power) be able to decrypt and reconstruct the application data. Again, expect a visit from the FBI.
If you have used much stronger forms of encryption, then it becomes computationally infeasible for anyone to decrypt the application data.
I guess this begs the question - how infeasible is infeasible? Trying to decrypt data on a home PC may be computationally infeasible, but is it really infeasible for the boffins at the NSA with their distributed grids of supercomputers? The answer depends on the algorithm you use to encrypt your data, and the strength of the key used.
PGP (Pretty Good Privacy) is a freely available program implementing public key cryptography. It's been around for a while now, and provides a swath of encryption algorithms (ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160, TIGER etc.). RSA is one of the more noted and secure algorithms. It is one of the algorithms that most banks, governments and the military currently use to encrypt data when electronically communicating. It is a very simple algorithm that at the same time is computationally infeasible to break:
1. select two very large prime numbers, p, q, such that p does not equal q.
2. compute n = pq
3. compute z = (p-1)(q-1)
4. compute e such that e and z are coprime
5. compute d such that ed-1 is exactly divisible by z
Now some message fragment m is encrypted to a value c using e and n; c is decrypted using d and n:
c = m^e mod n
m = c^d mod n
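The five steps and the two formulas above, carried through in code. This is an added example, not part of the original post: key sizes are deliberately tiny (64-bit modulus by default) so it runs instantly and is in no way secure, the helper names are my own, and `pow(e, -1, z)` for the modular inverse needs Python 3.8 or newer.

```python
import math
import random

def is_probable_prime(n, rounds=20):           # Miller-Rabin; enough for demo primes
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                       # composite witness found
    return True

def random_prime(bits, rng):
    while True:                                # odd candidate with the top bit set
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=64, seed=None):            # steps 1-5; returns ((n, e), (n, d), z)
    rng = random.Random(seed)
    p = random_prime(bits // 2, rng)           # step 1: two distinct primes
    q = random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    n = p * q                                  # step 2
    z = (p - 1) * (q - 1)                      # step 3
    e = 65537                                  # step 4: e coprime with z
    while math.gcd(e, z) != 1:
        e += 2
    d = pow(e, -1, z)                          # step 5: ed - 1 divisible by z
    return (n, e), (n, d), z

def encrypt(m, pub):
    n, e = pub
    if not 0 <= m < n:                         # a fragment must be smaller than n
        raise ValueError("message fragment must be smaller than the modulus")
    return pow(m, e, n)                        # c = m^e mod n

def decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)                        # m = c^d mod n
```

The `encrypt` check matters in practice: a fragment m that is not smaller than n is reduced mod n on encryption and cannot be recovered, which is why real systems pad and split data before applying the formula.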
The infeasibility of breaking a message encrypted using the RSA algorithm fundamentally depends on the size of p and q. If n = pq is less than 256 bits (i.e. n < 2^256), a message can be broken in a few hours on a modern PC; if n is less than 512 bits, a message can be broken by a few hundred supercomputers in a distributed computing network; if n is 1024 bits or more it is currently unbreakable using the currently available technology in the world (it would take ~7000000 times as long as 512 bits); if n is 4096 bits or more, then all the world's current and future computational power combined will be insufficient to break the encryption before the Sun burns out.
Consider the fact that most banks use RSA-1024 bit encryption for financial transactions, the US government uses RSA-2048 bit encryption for highly sensitive communications, and freely available PGP programs offer RSA-4096 bit encryption for your home PC.
There is also another form of technology that I am currently involved in called circuit-based low-latency anonymous communication services, or second-generation onion routing. In this computing paradigm all network communication is coordinated over a distributed network sharing perfect forward secrecy, integrity checking, and location-hidden services. This means that all communication is distributed over the network so that no single point can link a packet to its destination. No computer in such a network sees more than one router ahead; neither a compromised server nor a snooping observer can perform traffic analysis in order to determine the source, destination or payload of a TCP packet.
One final point. It may seem surprising that with this technology publicly and freely available, there are any successful internet child pornography investigations. In some respects it is surprising. But I'm relieved that some paedophiles and crooks tend not to be technically savvy about this technology. I'm also relieved that others tend to be compulsive enough to send just one more picture to that undercover FBI agent.