Properly implemented encryption very hard to beat, even by experts at U.S. spy agency, security experts say
By Jaikumar Vijayan, Computerworld
September 06, 2013 06:06 PM ET
Computerworld – Though the National Security Agency spends billions of dollars to crack encryption technologies, security experts maintain that properly implemented, encryption is still the best way to maintain online privacy.
The Guardian newspaper and other media outlets this week published stories based on internal internal NSA documents that explain how the spy agency bypasses encryption technologies by using backdoors, brute force attacks, lawful intercepts via court orders and partnerships with tech vendors.
The reports, based on documents leaked to reporters by former NSA-contract employee Edward Snowden, suggest that many encryption algorithms now widely used to protect online communications, banking and medical records and trade secrets have been cracked by the NSA and its British counterpart, the GCHQ.
Steve Weis, chief technology officer at PrivateCore and holder of a Ph.D in cryptography from MIT, said despite the NSA activities, the mathematics of cryptography remains very hard to crack.
He suggested that it’s likely that the NSA managed to break through insecure and outdated implementations of some encryption technologies.
For example, the documents suggest that the NSA built a backdoor into an NIST approved encryption standard called Dual EC DRBG, which is used to generate random numbers. Weis noted that the Dual EC DRBG standard has been available for six years and has been rarely used since two Microsoft engineers discovered the NSA backdoor, Weis said.
It remains unclear whether NSA experts have the ability to crack more robust encryption technologies, he said. “So far, I’ve not seen anything to suggest than an algorithm like AES (Advanced Encryption Standard) has been broken,” Weis said.
“When properly implemented, encryption provides essentially unbreakable security,” said Dave Anderson, a senior director with Voltage Security, a provider of encryption technology.
“It’s the sort of security that would take implausibly powerful supercomputers millions of years to crack. But if it’s carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack in a few hours at most,” he said an email to Computerworld.
Anderson said the NSA may have been able to take advantage of flaws in key management processes that support the encryption, rather than cracking the cryptography itself, he said. It’s possible that the NSA can decrypt financial and shopping accounts, but it can happen only if the cryptography was improperly implemented through faulty, incomplete or invalid key management processes, he said.
Dave Jevans, founder and CTO of Marble Security, a maker of mobile security technology, said some of the concerns raised by the NSA documents are based on a misunderstanding of the facts.
Most email, web searches, Internet chats and phone calls are not automatically encrypted, so the NSA or anyone else can merely scan onine traffic to access them, he said.
The main vulnerability to encrypted traffic is key management, Jevans said. Encryption keys are long, randomly generated passwords that can encrypt and decrypt Internet traffic. “Stealing the key is like stealing a password,” he said.
The NSA’s enormous financial resources and manpower allow it to effectively go after encryption keys and key management systems rather than break the math behind encrypted code, he said. “It’s about a billion times more effective,” Jevans noted.
Despite the recent revelations, encryption remains the best way to protect online data, Weis contends.
Concerned enterprises should consider using open source technologies like Open SSL — whose code is always visible to developers — rather than commercial software, which is more vulnerable to NSA backdoors, he said. “The code is there for people to audit and you can see the changes. At least you have some assurance that there is no intentional vulnerability” built into the software, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar’s RSS feed . His email address is firstname.lastname@example.org.
Read more about security in Computerworld’s Security Topic Center.