The latest scare stemming from new Edward Snowden documents and The Guardian, The New York Times and ProPublica indicate that the National Security Agency has cracked common Internet encryption codes, RSA included, that protects all data online including emails, banking transactions, medical records and so on. That doesn't seem to be the case… for now.
Instead, the documents indicate that the agency is hacking into tech company servers to steal encryption keys. They also indicate that the agency has coerced tech companies local and abroad into leaving backdoors (entry points) in their software and hardware. This latter fact should be the focus of concern given that companies like Microsoft, Google and Yahoo claim to put our privacy first.
"Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system," writes security expert Bruce Schneier via Wired. "It’s very probable that the NSA has newer techniques that remain undiscovered in academia. Even so, such techniques are unlikely to result in a practical attack that can break actual encrypted plaintext."
Schneier points out that the native way to break an encryption key is to brute-force the key. However the upper practical limit on brute force is somewhere under 80 bits, and currently encryption algorithms have 128-bit keys at a minimum. Thus the NSA's supposed "cracking plan" will need to "reduce the effective key length by at least 48 bits in order to be practical".
"More likely is that the NSA has some mathematical breakthrough that affects one or more public-key algorithms," he writes. "There are a lot of mathematical tricks involved in public-key cryptanalysis, and absolutely no theory that provides any limits on how powerful those tricks can be."
As Schneier points out, most of the Internet is phasing out 1024-bit RSA keys for 2048-bit keys (the smallest is 128-bit). That means brute force might yield a decrypted message "once every million years". He suggests that the Internet jump right into 3072-bit keys and use key lengths above 500 bits.
The latest scare stems from 50,000 leaked documents provided by Snowden. The NSA's highly classified encryption cracking program is called Bullrun, and has supposedly foiled top encryption methods Secure Sockets Layer (SSL), Virtual Private Networks (VPN), and encryption used on 4G smartphones. This program, until now, was only known by top NSA officials and counterpart agencies in Britain, Canada, Australia and New Zealand.
The documents also show that the NSA is still having issues with strong, non-commercial encryption systems such as Pretty Good Privacy, or PGP. They also claim that the agency has actually deployed custom-built computers designed to break encryption. Schneier theorizes these could be quantum computers capable of performing the heavy calculations, but highly unlikely.
"For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies," said a 2010 memo. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."
An intelligence budget document written by the director of national intelligence, James R. Clapper Jr., even states that the agency is "investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic."
The NSA has reportedly specialized in code breaking since its creation in 1952, and has used this expertise to frequently influence policies, specifications and standards for commercial public key technologies. The agency supposedly spends $250 million a year on this influential "Sigint Enabling Project" that actively engages with local and foreign IT industries to steer technology in its favor.
In the 1990s, the NSA tried to insert a government back door into all encryption called the Clipper Chip, but failed. “And they went and did it anyway, without telling anyone,” said Paul Kocher, a leading cryptographer who helped design the SSL protocol.
The latest news regarding the NSA defeating SSL, VPN and 4G encryption is unsettling at best. The reports indicate that the agency may have essentially slithered in through the years rather than attacking encryption by sheer brute force. Evidence suggesting that the NSA has pushed tech companies into providing back doors is even more unsettling and perhaps a little unsurprising. The big fear, it seems, is that these government-enforced back doors will eventually be discovered by hackers wanting more than just a little peepshow.
Alex Stamos, chief technology officer of the online security company Artemis, said last month that RSA and classic Diffie-Hellman encryption schemes, which are used to protect banking, ecommerce, email and even OS updates, will not be usable in four to five years. Breaking these two methods, he said, would be a "total failure of trust on the Internet".
- 10 Pros and Cons of Jailbreaking Your iPhone or iPad
- How HTTPS Safeguards Your Browsing
- Email Encryption: Worth the Trouble?