#cryptography | Explore Tumblr Posts and Blogs

pizza-and-ramen · 2 years

Text

Tumblr is Tracking Shared Links

It looks like Tumblr @staff have finally implemented tracking garbage into shared links in the Tumblr mobile app. It took them years and years, but Tumblr is finally making an attempt to track shared links you click or links you share with friends.

When you share a post and choose to “copy” a link to your clipboard, you can see that they use their (new?) url shortener, at.tumblr.com. The shortened URL appears to contain: your blog name; either the ID of the destination post, or the short string associated with the post; and an alphanumeric string. Eg:

https://at.tumblr.com/pizza-and-ramen/im-fucking-dying-this-is-hilarious/uqndb20nkyob

The shortened URL redirects you to the destination link, but with 2 URL parameters: _branch_referrer and _branch_match_id. Both are associated with a third-party analytics tool, branch.io. Eg:

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious?_branch_referrer=H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D&_branch_match_id=1104914739086906151

_branch_referrer appears to be another shortened at.tumblr.com URL, except it’s been gzipped, base64 encoded, then URL encoded. Eg:

H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D

URL decode to:

H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86+eK3w8ByqcWsU7jHnql0u99xd0v/AuVQAAAA==

base64 decode to (in hex for legibility):

1F8B0800 00000000 000315C4 C10D8020 0C00C089 4A1FC68F DB545069 A4805082 32BD9A5C CEABE6BA 20921A6D B286626C 12CC3C06 01450785 648BC802 7BB327C7 03DCF3AF 9E2B7C3C 072A9C5A C53B8C79 EA974BBD F71774BF F02E5500 0000

and unzipped with gunzip:

https://at.tumblr.com/pizza-and-ramen/im-fucking-dying-this-is-hilarious/xlz53wqdowww

which directs to the post with the same _branch_referrer but a new _branch_match_id:

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious?_branch_match_id=1104899685865808870&_branch_referrer=H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D

_branch_match_id, according to this stackoverflow answer, is an identifier unique to you, used to track users. It could be based on browser fingerprinting, as branch.io’s branch_match_id is.

Anyway, there’s not a terribly easy way to avoid this tracking from the Tumblr mobile app, but if you get a link that has the id, not the string, you can modify it to the format of blog.tumblr.com/ID, like so before sending it to a friend:

https://at.tumblr.com/pizza-and-ramen/118684413624/uqndb20nkyob

https://pizza-and-ramen.tumblr.com/118684413624

Alternately, you could paste the link in your browser, allow it to redirect, then remove everything past the ? at the end, eg:

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious?_branch_referrer=H4sIAAAAAAAAAxXEwQ2AIAwAwIlKH8aP21RQaaSAUIIyvZpczqvmuiCSGm2yhmJsEsw8BgFFB4Vki8gCe7MnxwPc86%2BeK3w8ByqcWsU7jHnql0u99xd0v%2FAuVQAAAA%3D%3D&_branch_match_id=1104914739086906151

https://pizza-and-ramen.tumblr.com/post/118684413624/im-fucking-dying-this-is-hilarious

Anyway, this has been my privacy rant of the day. Thanks for reading, and let me know if you know more about this than I do!

#tumblr #privacy #tracking #web development #psa #cryptography #tumblr meta #mine

28K notes · View notes

andmaybegayer · 6 months

Note

can you actually talk about bitwarden / password managers, or direct me to a post about them? Idk my (completely uneducated) instinct says that trusting one application with all your passwords is about as bad as having the same password for everything, but clearly that isn’t the case.

So it is true that online password managers present a big juicy target, and if you have very stringent security requirements you'd be better off with an offline password manager that is not exposed to attack.

However, for most people the alternative is "reusing the same password/closely related password patterns for everything", the risk that one random site gets compromised is much higher than the risk that a highly security focussed password provider gets compromised.

Which is not to say it can't happen, LastPass gets hacked alarmingly often, but most online password managers do their due diligence. I am more willing to stash my passwords with 1Password or Bitwarden or Dashlane than I am to go through the rigamarole of self-managing an array of unique passwords across multiple devices.

Bitwarden and other password managers try to store only an encrypted copy of your password vault, and they take steps to ensure you never ever send them your decryption key. When you want a password, you ask them for your vault, you decrypt it with your key, and now you have a local decrypted copy without ever sending your key to anyone. If you make changes, you make them locally and send back an encrypted updated vault.

As a result, someone who hacks Bitwarden should in the absolute worst case get a pile of encrypted vaults, but without each individuals' decryption key those vaults are useless. They'd still have to go around decrypting each vault one by one. Combining a good encryption algorithm, robust salting, and a decent key, you can easily get a vault to "taking the full lifetime of the universe" levels on security against modern cryptographic attacks.

Now there can be issues with this. Auto-fill can be attacked if you go onto a malicious website, poorly coded managers can leak information or accidentally include logging of passwords when they shouldn't, and obviously you don't know that 1Password isn't backdoored by the CIA/Mossad/Vatican. If these are concerns then you shouldn't trust online password managers, and you should use something where you remain in control of your vault and only ever manually handle your password.

Bitwarden is open source and fairly regularly audited, so you can be somewhat assured that they're not compromised. If you are worried about that, you can use something like KeePassXC/GNU Pass/Himitsu/ (which all hand you the vault file and it's your job to keep track of it and keep it safe) or use clever cryptographic methods (like instead of storing a password you use a secret key to encrypt and hash a reproducible code and use that as your password, e.g. my netflix password could be hash(crypt("netflixkalium", MySecretKey)), I know a few people who use that method.

Now with any luck because Apple is pushing for passkeys (which is just a nice name for a family of cryptographic verification systems that includes FIDO2/Webauthn) we can slowly move away from the nightmare that is passwords altogether with some kind of user friendly public key based verification, but it'll be a few years before that takes off. Seriously the real issue with a password is that with normal implementations every time you want to use it you have to send your ultra secret password over the internet to the verifying party.

#computer stuff #ask #anonymous #cryptography #password managers

237 notes · View notes

yearningwitherrors · 10 days

Text

So, I am away from computer for four days for a really cool event and I come back and in the mean time they maybe found a polynomial quantum attack against Learning With Errors, a lattice problem? (https://eprint.iacr.org/2024/555) If this paper is correct then this is some serious breaking news shit, because lattices are like the main candidate for quantum-secure public key cryptography. (there are others but they are much less practical and for other types there have also been attacks) I mean, this paper seems to attack just a particular setting, is very impractical and does not work for schemes that are actually proposed, but an existing impractical attack often signals the way for more practical attacks. So, if it is not a false alarm, this is pretty big. It could signal the attackability of lattice schemes and undermine the trust in them. And it takes a long time to move to a new standard. Oh well. I guess we have to wait for experts to check the paper for mistakes before we can say anything.

#cryptography #lattices #postquantum

71 notes · View notes

blubberquark · 10 months

Text

Why Not Write Cryptography

I learned Python in high school in 2003. This was unusual at the time. We were part of a pilot project, testing new teaching materials. The official syllabus still expected us to use PASCAL. In order to satisfy the requirements, we had to learn PASCAL too, after Python. I don't know if PASCAL is still standard.

Some of the early Python programming lessons focused on cryptography. We didn't really learn anything about cryptography itself then, it was all just toy problems to demonstrate basic programming concepts like loops and recursion. Beginners can easily implement some old, outdated ciphers like Caesar, Vigenère, arbitrary 26-letter substitutions, transpositions, and so on.

The Vigenère cipher will be important. It goes like this: First, in order to work with letters, we assign numbers from 0 to 25 to the 26 letters of the alphabet, so A is 0, B is 1, C is 2 and so on. In the programs we wrote, we had to strip out all punctuation and spaces, write everything in uppercase and use the standard transliteration rules for Ä, Ö, Ü, and ß. That's just the encoding part. Now comes the encryption part. For every letter in the plain text, we add the next letter from the key, modulo 26, round robin style. The key is repeated after we get tot he end. Encrypting "HELLOWORLD" with the key "ABC" yields ["H"+"A", "E"+"B", "L"+"C", "L"+"A", "O"+"B", "W"+"C", "O"+"A", "R"+"B", "L"+"C", "D"+"A"], or "HFNLPYOLND". If this short example didn't click for you, you can look it up on Wikipedia and blame me for explaining it badly.

Then our teacher left in the middle of the school year, and a different one took over. He was unfamiliar with encryption algorithms. He took us through some of the exercises about breaking the Caesar cipher with statistics. Then he proclaimed, based on some back-of-the-envelope calculations, that a Vigenère cipher with a long enough key, with the length unknown to the attacker, is "basically uncrackable". You can't brute-force a 20-letter key, and there are no significant statistical patterns.

I told him this wasn't true. If you re-use a Vigenère key, it's like re-using a one time pad key. At the time I just had read the first chapters of Bruce Schneier's "Applied Cryptography", and some pop history books about cold war spy stuff. I knew about the problem with re-using a one-time pad. A one time pad is the same as if your Vigenère key is as long as the message, so there is no way to make any inferences from one letter of the encrypted message to another letter of the plain text. This is mathematically proven to be completely uncrackable, as long as you use the key only one time, hence the name. Re-use of one-time pads actually happened during the cold war. Spy agencies communicated through number stations and one-time pads, but at some point, the Soviets either killed some of their cryptographers in a purge, or they messed up their book-keeping, and they re-used some of their keys. The Americans could decrypt the messages.

Here is how: If you have message $A$ and message $B$, and you re-use the key $K$, then an attacker can take the encrypted messages $A+K$ and $B+K$, and subtract them. That creates $(A+K) - (B+K) = A - B + K - K = A - B$. If you re-use a one-time pad, the attacker can just filter the key out and calculate the difference between two plaintexts.

My teacher didn't know that. He had done a quick back-of-the-envelope calculation about the time it would take to brute-force a 20 letter key, and the likelihood of accidentally arriving at something that would resemble the distribution of letters in the German language. In his mind, a 20 letter key or longer was impossible to crack. At the time, I wouldn't have known how to calculate that probability.

When I challenged his assertion that it would be "uncrackable", he created two messages that were written in German, and pasted them into the program we had been using in class, with a randomly generated key of undisclosed length. He gave me the encrypted output.

Instead of brute-forcing keys, I decided to apply what I knew about re-using one time pads. I wrote a program that takes some of the most common German words, and added them to sections of $(A-B)$. If a word was equal to a section of $B$, then this would generate a section of $A$. Then I used a large spellchecking dictionary to see if the section of $A$ generated by guessing a section of $B$ contained any valid German words. If yes, it would print the guessed word in $B$, the section of $A$, and the corresponding section of the key. There was only a little bit of key material that was common to multiple results, but that was enough to establish how long they key was. From there, I modified my program so that I could interactively try to guess words and it would decrypt the rest of the text based on my guess. The messages were two articles from the local newspaper.

When I showed the decrypted messages to my teacher the next week, got annoyed, and accused me of cheating. Had I installed a keylogger on his machine? Had I rigged his encryption program to leak key material? Had I exploited the old Python random number generator that isn't really random enough for cryptography (but good enough for games and simulations)?

Then I explained my approach. My teacher insisted that this solution didn't count, because it relied on guessing words. It would never have worked on random numeric data. I was just lucky that the messages were written in a language I speak. I could have cheated by using a search engine to find the newspaper articles on the web.

Now the lesson you should take away from this is not that I am smart and teachers are sore losers.

Lesson one: Everybody can build an encryption scheme or security system that he himself can't defeat. That doesn't mean others can't defeat it. You can also create an secret alphabet to protect your teenage diary from your kid sister. It's not practical to use that as an encryption scheme for banking. Something that works for your diary will in all likelihood be inappropriate for online banking, never mind state secrets. You never know if a teenage diary won't be stolen by a determined thief who thinks it holds the secret to a Bitcoin wallet passphrase, or if someone is re-using his banking password in your online game.

Lesson two: When you build a security system, you often accidentally design around an "intended attack". If you build a lock to be especially pick-proof, a burglar can still kick in the door, or break a window. Or maybe a new variation of the old "slide a piece of paper under the door and push the key through" trick works. Non-security experts are especially susceptible to this. Experts in one domain are often blind to attacks/exploits that make use of a different domain. It's like the physicist who saw a magic show and thought it must be powerful magnets at work, when it was actually invisible ropes.

Lesson three: Sometimes a real world problem is a great toy problem, but the easy and didactic toy solution is a really bad real world solution. Encryption was a fun way to teach programming, not a good way to teach encryption. There are many problems like that, like 3D rendering, Chess AI, and neural networks, where the real-world solution is not just more sophisticated than the toy solution, but a completely different architecture with completely different data structures. My own interactive codebreaking program did not work like modern approaches works either.

Lesson four: Don't roll your own cryptography. Don't even implement a known encryption algorithm. Use a cryptography library. Chances are you are not Bruce Schneier or Dan J Bernstein. It's harder than you thought. Unless you are doing a toy programming project to teach programming, it's not a good idea. If you don't take this advice to heart, a teenager with something to prove, somebody much less knowledgeable but with more time on his hands, might cause you trouble.

#programming #cryptography #learn programming #teaching programming

346 notes · View notes

renegade-hierophant · 5 days

Text

Branch Runes

Cipher:

left branches of the tree stand for the row

right branches of the tree stand for the column

#runes #runic #futhark #younger futhark #norse #norse paganism #heathen #heathenry #cryptography #calligraphy

39 notes · View notes

theoutcastrogue · 2 months

Text

"In December 2013, a curator and archaeologist purchased an antique silk dress with an unusual feature: a hidden pocket that held two sheets of paper with mysterious coded text written on them. People have been trying to crack the code ever since, and someone finally succeeded: University of Manitoba data analyst Wayne Chan. He discovered that the text is actually coded telegraph messages describing the weather used by the US Army and (later) the weather bureau. Chan outlined all the details of his decryption in a paper published in the journal Cryptologia. [...]

When Rivers-Cofield turned the dress inside-out, she found a small hidden pocket. Many women's dresses of the era had pockets, but this one would only be accessible by hiking up the overskirt. She puzzled over why anyone would make a pocket so inaccessible and thought it might have been used to smuggle messages. Hidden inside, she found two sheets of wadded-up translucent paper measuring about 7.5 inches by 11 inches. The text on each sheet consisted of 12 lines of recognizable common English words—except they made no sense. "Bismark omit leafage buck bank"? "Paul Ramify loamy event false new event"? [...]

With the invention of the telegraph, "For the first time in history, observations from distant locations could be rapidly disseminated, collated, and analyzed to provide a synopsis of the state of weather across an entire nation," Chan wrote in his paper. But it was expensive to send telegrams since companies charged by the word, so codes were developed to condense as much information into as few words as possible.

The challenge was figuring out which code book had been used since, otherwise, it would be nearly impossible to decode the message. Chan perused some 170 telegraphic code books, finally coming across a section about signals used by the US Army Signal Corps that were similar to the pages found in the antique silk dress. Eventually, he realized that the words were codes used by weather stations in the US and Canada to condense telegraph messages about meteorological observations. He relied on old maps to narrow the date to May 27, 1888."

Mysteries remain: who was the owner of the silk dress (a telegraph operator?), and why would she keep these papers in a hidden pocket?

#cryptography #practice #telegraphic code #words of the trade

64 notes · View notes

slack-wise · 11 months

Photo

Ferdinand Kriwet. Rundscheibe IX (1962)

#Ferdinand Kriwet #artists #typography #cryptography

152 notes · View notes

notwerewolf · 7 months

Note

CGACTAGCCATCCCTCTGGCTCTTAGATAGCCGGATACAGTGATTTTGAAAGGTTTGTGGGGTACAGCTATGACTTGCTTAGCTGCGTGTGAGGGAAGGAACTTTTGCGTGTTAGTATGTTGACCCGTGTACTACGCATGCGGGTAGATTATGTAGGTTGAGAGATGCAGGAGAAGTTCTCGACCTTCCCGTGGGAGGTGAACCTATTCACTATTGGAGCATTCCGTTCGAGCATGGCAGTAAGTACGCCTTCTCCATTCTGGTAACCTTCATCCCTATCAGAGCTTGGAGCCAATGATCAGGGTTATTCCCTTGGGACAGACTTCCTACTCACAGTCGGTCACATTGGGCTACTCCATGGGTCTTCGGCTTGACCCGGTCTGTTGGGCCGCGATTGCGTGAGTTTCGGCCCCGCGCTGCGCTGTATAGTCGATTCTCATCCGGCCCTCACATCTGGAAACCCCAACTTATTTAGATAACATCATTAGCCGAAGTTGCTGGGCATGTCCACCGTGGAGTCCTCCCCGGGCGTCCCTCCTTCAAATGACGATAAGCACCGGCAAGCACCATTGATCAACGCAAGGATCGGTGATGTTAACAAAGATTCGGCACATTACTCTTGTTGGTGTGGAATCGCTTAACTACGCGGCGAAGCCTTATGGCAAAACCGATGGGGAATGATTCGGGTAGCGCTAAAAGTCCATAGCACGTACATCCCAACCTGGCGTGCGTACAGTTTGACGACCGCTTCACGCTAAGGTGCTGGCCACGTGCTAAATTAATGCGGCTGCACTGCTCTAAGGACAATTACGGAGTGGGCGGCCTGGCGGGAGCACTACCCCATCGACGCGTACTCGAATACTGTATATTGCTCTCACATGAACAAATTAGTAGAGTGCCGCTTTCAGCCCCCCTGTCGTCGGCGACGTCTGTAAAATGGCGTTGATGTGGATCGACTCTATAGAGGCATCTACTGATGCGTAGGGAGATCCGGAATGTA

i wish that this was a new ARG cryptography strat for creating messages using only amino acid abbreviations. do better

#get on it #cryptography #dna sequencing #metraposting

87 notes · View notes

mechanismslorearchive · 4 months

Text

Cryptography Enthusiasts Requested

As promised, a post about... something. Secret codes!

Several of the blog posts begin with "TRANSMISSION// [something here] // AURORA." The middle section is different in each of these-- one is text in Chinese, another one is Morse Code, and one is what Travis identified as shorthand for elements of the periodic table. I believe all of them probably have some kind of code, but I do not know enough about cryptography to begin with most of them.

Which is where we could use a hand! If anyone has any insight or ideas on any of these (as transcribed below), and would be willing to help us decode them, that would be fantastic!

From January 13, 2013:

TRANSMISSION // 032::3834K::00003 // AURORA

From February 11, 2013:

TRANSMISSION // 0002/02/00002012 // AURORA之動得？違言語？何意味？待・之押that should fix it.

Google Translate says the text here is Chinese (Traditional) and reads, "Can it move? Breaking the rules? What does it mean? Wait and pledge". However, Google translate is obviously not the greatest source, so confirmation or correction would be welcome.

From March 12, 2013:

TRANSMISSION // 052::9JU324::00005 // AURORA

From April 13, 2013:

TRANSMISSION//AURORA//RANDOMGIBBERISHFILTERMALFUNCTION07 RESTARTY/N?

This one seems pretty straightforward, but I'm including it in case others have additional insights.

From May 6 2013:

TRANSMISSION//AURORA//890::E6::FREQ–GK10//–./../…-/.//..-/…//–/—/-././-.–//SEND

The morse code here translates to "give us money".

From June 17 2013:

TRANSMISSION // UUDD::LRLR::BARTN // AURORA

From September 25 2013:

TRANSMISSION // AqPArT::GCaLeV::LiScSaCa // AURORA

Travis translated the elements here as: AqPArT: Aq: aqueous solution is a solution in which the solvent is water, Phosphorous, Argon, Titanium

GCaLeV: Gallium, Calcium, Lanthanum, Vanadium

LiScSaCa: Lithium, Scandium, Samarium, Calcium

For reasons I lack the chemistry knowledge to understand, he took these as numbers, or dates, and translated it as such: X/31205723/3216220.

So that what we've got so far! Thoughts?

#mod miralines #travis if you wanna chime in on those elements please do #the mechanisms #the mechs #cryptography

53 notes · View notes

worlds-smallest-epsilon · 3 months

Text

Gmail how fucking dare you try to suggest “cryptocurrencies” when I started typing out “cryptography”

#math #cryptography

32 notes · View notes

shinelikethunder · 2 years

Text

polar exploration nerds 🤝 cryptography nerds 🤝 people who got their entire shit fucked up by The Terror (2018): COOL SHIT ALERT

a bunch of gibberish classified ads from the early 1850s were finally decrypted using an old maritime signal code, and were confirmed to be updates to & from the would-be rescuers of the Franklin Expedition, placed in The Times presumably on the assumption that the crew would be able to find a copy no matter where in the world the ships ended up

#collinson expedition #franklin expedition #the terror #elonka dunin #cryptography #marryat signal code #history #arctic exploration #encrypted newspaper ads

554 notes · View notes

felixcloud6288 · 8 months

Text

Second-most audacious thing I did in my academic career happened in a cryptography exam. One question gave us a message to encrypt, the method we had to use, and some of the numbers that would be used. We were allowed to choose the remaining values for the encryption algorithm. We had to choose values that would be appropriate and show the process needed to calculate the encryption and decryption keys and show the encryption and decryption process.

The encryption method used exponents and modulo in the encryption and decryption process and instead of actually doing any math on it, I realized I could exploit Fermat's (pronounced fair-ma) little theorem (which the professor had taught earlier that semester) using the numbers the professor gave to make the encryption key equal to 1. As a result, I was able to skip the entire process of showing the encryption process, determining the decryption key, and decrypting the message, because the encryption key I made literally didn't change the message at all.

When I got the exam back, the professor made it very clear how annoyed he was with my answer but gave me full points because I did technically demonstrate how the algorithm works. I'm glad too cause that question was 20% of the exam grade.

He even called me out for my shenanigans when he went over the exam later and modified the question for future semesters to stop others from using my exploit.

#original post #university life #cryptography #exam #mathematics

63 notes · View notes

its-leethee · 5 months

Text

What kind of magic does the Jailer use, and what is her connection to the Key of Aaravos?

I have thought for a while that perhaps the Jailer is neither a primal nor a dark magic user, and that she utilized the Key of Aaravos to serve an important role in his imprisonment. Now, there isn't a lot of overt evidence for my hypothesis here; this is a ramble of pure speculation. I'm going to do my best to present the dialogue and canon-consistent logic to support my thoughts. Here goes:

The prevailing opinion in Xadia is that "human magic" is akin to trickery and sleight of hand. When confronted with Callum's claim of being a primal mage in 5x07, Nyx dismisses his boast reflexively: “I’ve seen ‘human magic.’ Fake ropes, false doors, birds and rabbits stuffed into clothing.” To her, it's common knowledge that humans can't use real primal magic, and her derisive attitude shows she doesn't have much respect for human magic either. As for dark magic, Nyx doesn't even mention it at all; as Lujanne said in 2x01, "we do not call that practice magic. It's an atrocity."

But human magic has one more specialty: creating and solving puzzles. The mechanical devices and riddles guarding the secrets in Kpp'ar's labyrinthine house and the rock-stone puzzle hiding the staircase to Viren's dungeon are story-significant examples of the types of innovations created by human magic. In 1x03, Ezran solves the rock-stone puzzle to reveal the staircase hiding Viren's dungeon. Callum answers the riddle posed by Rex Igneous in 4x08, "having knowledge isn't knowing knowledge…. He has a map!"

So neither a primal mage nor a dark mage would resort to puzzles and riddles, the gimmicks used by magic-less humans. So let's now consider the Jailer.

During the post-season four Discord Q&A, Aaron Ehasz states that the Jailer is a "mastermind of prisons and puzzles."

In episode 5x05, Archmage Akiyu tells the story of how she met the Jailer and introduces her as "a human mage." Akiyu goes on to explain:

"The archdragons had given the Jailer a daunting task, to design a magical prison that could hold a Startouch Elf. She needed my powers to craft the prison itself." (emphasis mine).

It stands to reason that a competent dark mage, with the notoreity to catch the attention of the archdragons, could bring that kind of power into her grasp on her own. So why would the Jailer seek out the powers of primal archmage, unless she couldn't wield that power herself? Furthermore, knowing the prejudice that the archdragons hold against dark magic--all of humanity was driven out of Xadia for refusing to forswear its use--I don't believe the archdragons would ever condone cooperating with a dark mage, even to quell an existential crisis like a demi-god bent on world destruction.

Akiyu tells us one more intriguing thing that the Jailer said:

"'The puzzle is the real prison,' she told me with a proud smile," (again, emphasis mine)

There's another word besides "magic" that we can use to describe the practice of creating and solving puzzles: cryptography; the art and science of creating and breaking codes and ciphers. The terms code and cipher are often used interchangeably, but their meanings are technically different. Basically, a code uses arbitrary substitutions while a cipher uses an algorithm.

Now, if you wish to solve a puzzle, you're going to need all the pieces - and if you wish to solve a cipher or code, you're going to need a key.

More than one use has been hinted at for the Key of Aaravos. We've heard Rayla refer to it several times as a toy and a game piece (1x04, 2x07). In the book two novelization, Callum notices that the Key left marks on the ground that appeared to point toward Xadia (we get a glimpse of those lines in early episode 2x07). In 4x07, we get suspiciously up-close framing of the Key when Callum asks, "is there no primal gem for star magic?"

And a few months back, one of the TDP creators shared on Twitter about a season 6 scene that was eventually cut. In the scene, Callum holds the Key up to a symbol on a wall and says, "I'm gleaming the cube!" (if anyone remembers this twitter convo and can provide me a link to this, I would be so grateful)

This is the Key feature we're all most familiar with: its glow. When exposed to a source of magic, the corresponding primal magic symbol on the Key lights up. This is why I think one of the potential functions of the Key of Aaravos is as a cryptographic key. If it were held up to a magic-infused symbol, the glow effect would reveal the primal magic source - and in this way it could be used to decode a secret message.

In cryptography, a key is the series of words, symbols or phrases that contain all of the basic information you need to decode or understand a specific coded message. Both the sender and receiver of the coded message need to know the key in order to create the coded message or decode it into plaintext - to lock or unlock the meaning behind a cipher or code.

I can't speculate on the exact nature of the secrets that she encrypted with it, but the Key can literally shed light on the solution! It was a toy that was repurposed by a the Jailer, magicless human mage and mastermind of ciphers and codes, to protect the secrets of Aaravos and his prison.

Exactly what secrets it will be used to reveal remains part of the Mystery.

if you're interested in learning more about cryptography, this page has links to a lot of my favorite resources

Recommended reading for more Key of Aaravos and the Jailer theories:

the post that initially enabled my crazy train of thoughts, thank you @beautifulterriblequeen

super rad analysis of the Jailer's unique character design by @kradogsrats, who also authored one of my favorite alternative hypothesis for the real function of the Key of Aaravos

an amazing thorough and detailed Key analysis, by @raayllum and another very interesting conversation about the Key here

Special thanks to @raayllum for answering my random Akiyu and Jailer questions, and to @self-spaghettification for giving me the push I needed to bring this essay together!