Skip to main content

NSA Hasn't Cracked Basic Internet Encryption (Yet)

The latest scare stemming from new Edward Snowden documents and The Guardian, The New York Times and ProPublica indicate that the National Security Agency has cracked common Internet encryption codes, RSA included, that protects all data online including emails, banking transactions, medical records and so on. That doesn't seem to be the case… for now.

Instead, the documents indicate that the agency is hacking into tech company servers to steal encryption keys. They also indicate that the agency has coerced tech companies local and abroad into leaving backdoors (entry points) in their software and hardware. This latter fact should be the focus of concern given that companies like Microsoft, Google and Yahoo claim to put our privacy first.

MORE: Inside the Black Budget: 5 Things NSA May Be Working On

"Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system," writes security expert Bruce Schneier via Wired. "It’s very probable that the NSA has newer techniques that remain undiscovered in academia. Even so, such techniques are unlikely to result in a practical attack that can break actual encrypted plaintext."

Schneier points out that the native way to break an encryption key is to brute-force the key. However the upper practical limit on brute force is somewhere under 80 bits, and currently encryption algorithms have 128-bit keys at a minimum. Thus the NSA's supposed "cracking plan" will need to "reduce the effective key length by at least 48 bits in order to be practical".

"More likely is that the NSA has some mathematical breakthrough that affects one or more public-key algorithms," he writes. "There are a lot of mathematical tricks involved in public-key cryptanalysis, and absolutely no theory that provides any limits on how powerful those tricks can be."

As Schneier points out, most of the Internet is phasing out 1024-bit RSA keys for 2048-bit keys (the smallest is 128-bit). That means brute force might yield a decrypted message "once every million years". He suggests that the Internet jump right into 3072-bit keys and use key lengths above 500 bits.

The latest scare stems from 50,000 leaked documents provided by Snowden. The NSA's highly classified encryption cracking program is called Bullrun, and has supposedly foiled top encryption methods Secure Sockets Layer (SSL), Virtual Private Networks (VPN), and encryption used on 4G smartphones. This program, until now, was only known by top NSA officials and counterpart agencies in Britain, Canada, Australia and New Zealand.

The documents also show that the NSA is still having issues with strong, non-commercial encryption systems such as Pretty Good Privacy, or PGP. They also claim that the agency has actually deployed custom-built computers designed to break encryption. Schneier theorizes these could be quantum computers capable of performing the heavy calculations, but highly unlikely.

"For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies," said a 2010 memo. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."

An intelligence budget document written by the director of national intelligence, James R. Clapper Jr., even states that the agency is "investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic."

The NSA has reportedly specialized in code breaking since its creation in 1952, and has used this expertise to frequently influence policies, specifications and standards for commercial public key technologies. The agency supposedly spends $250 million a year on this influential "Sigint Enabling Project" that actively engages with local and foreign IT industries to steer technology in its favor.

In the 1990s, the NSA tried to insert a government back door into all encryption called the Clipper Chip, but failed. “And they went and did it anyway, without telling anyone,” said Paul Kocher, a leading cryptographer who helped design the SSL protocol.

The latest news regarding the NSA defeating SSL, VPN and 4G encryption is unsettling at best. The reports indicate that the agency may have essentially slithered in through the years rather than attacking encryption by sheer brute force. Evidence suggesting that the NSA has pushed tech companies into providing back doors is even more unsettling and perhaps a little unsurprising. The big fear, it seems, is that these government-enforced back doors will eventually be discovered by hackers wanting more than just a little peepshow.   

Alex Stamos, chief technology officer of the online security company Artemis, said last month that RSA and classic Diffie-Hellman encryption schemes, which are used to protect banking, ecommerce, email and even OS updates, will not be usable in four to five years. Breaking these two methods, he said, would be a "total failure of trust on the Internet".

Follow us @tomsguide, on Facebook and on Google+.

  • thor220
    The logic for introducing backdoors into security algorithms is about as sound as buying a poodle to protect your house. NSA: "Hey we decided to protect your security by breaking security algorithms you use and spying on you." eh, what a double whammy. Well you know what they say: those who would give up a little essential liberty to gain temporary security deserve neither and lose both.
    Reply
  • Madison. although Nancy`s comment is astonishing... on wednesday I got themselves a Mini Cooper since getting a cheque for $5290 this-last/month an would you believe $10,000 last-month. this is definitely my favourite job I have ever had.
    I started this 9-months ago and immediately got me more than $72.. per hour.
    this contact form w­ww.wℴ­rk25.ℂ­ℴm
    Reply
  • COLGeek
    One again, that this is even possible should not come as any great surprise.

    What math can put together, math can take apart.

    Time (and fast computers) along with a thorough understanding of the encryption algorithms themselves can always defeat the standards widely in use.
    Reply
  • ubercake
    Lies. All lies. They want you to think they know nothing. Just keep doing what you're doing...
    Reply
  • xanxaz
    Decrypt my porn! Lost the key
    Reply
  • pjmelect
    Although the NSA has legitimate reasons to intercept internet communications, I suspect that the major use of this technology will be to do industrial espionage. The Americans do not have a very good track record in this area in the past.
    Reply
  • Usersname
    @ pjmelect...

    It's reputed that Eddison got most of his patents by owning the telephone lines and exchanges. Too many instances of people who applied for a patent later discovering that Eddison had got there just days or hours before their applications.
    Reply
  • crypto_cracker
    RSA is not as secure as the world and NSA thinks. Over 2 1/2 years ago I solved the issue with RSA keeping me out of something I needed into. RSA has a HUGE flaw at it's code and I am very surprised that the rest of the world has not seen this yet. As another commenter said "Math put it together, and math can take it apart" For any size key pair, I can solve the first half with 1 math operation. The second half I rely on shear computing power and common sense. RSA is not and has not been secure since GPU computing has came about.

    -T
    Reply