What's next for the NSA?
The latest leaked governmental document provided by former NSA contractor Edward Snowden is the so-called "black budget" for the U.S. intelligence community's expenditures. The $52.6 billion budget contains so much sensitive information that the Washington Post, which broke the story, decided not to publish it in its entirety.
The Post's breakdown of the information does tell us, however, that the NSA received $10.3 billion for the 2013 fiscal year.
Of that, 429.1 million goes into research and technology. What are they researching? A summary of the budget penned by James Clapper, the director of national intelligence, also published by the Post, contains plenty of interesting, if vague, insights into the U.S. intelligence community (which comprises 16 agencies, including the NSA, the CIA and the FBI).
For example, the document, entitled "Congressional Budget Justification," states that "we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic."
That could mean better decryption techniques, which is significant because strong encryption is generally considered the best (and possibly only) way to keep your data safe from prying eyes.
But cryptanalysis means a lot more than just decryption. Read on for five good guesses as to what the NSA's "cryptanalytic capabilities" research is all about.
Cracking 1024-bit RSA/DH keys
Most of your online traffic is encrypted through a protocol called SSL, or Secure Sockets Layer. Basically, when you access a website, what's happening is your client (such as a Web browser) is accessing a server, the computer on which the website's data is stored. Through the client-server connection, the server's data comes over the Internet to your screen. This connection is encrypted so that eavesdroppers won't be able to view sensitive information such as credit card info, IP addresses and account details.
SSL is the method by which many websites, including Amazon.com and Facebook, keep their users' data secure. If you think of encryption as a lockbox in which your information is stored, the way to open that box is a complex string of ones and zeroes called a 1024- bit key.
Cybersecurity expert Robert David Graham of Errata Security speculates that the NSA is working on better, faster ways to crack 1024-bit keys for the encryption algorithms known as Rivest-Shamir-Adleman (RSA) and Diffie-Hellman (DH).
"We currently estimate that if the NSA designs their own custom silicon chips, and then spends $1 billion building those chips, that they can crack a 1024 in about one day," Graham told Tom's Guide.
"That means they can't idly monitor the Internet and crack everyone's SSL session, but that they can certainly crack the SSL sessions of high-value targets."
The way to prevent this, Graham says, is for websites to upgrade from 1024-bit keys to 2048-bit RSA or DH keys. Doubling the amount of ones and zeroes in the key greatly increases the difficulty of cracking it.
RSA Laboratories, the research center founded by the inventors of RSA cryptography keys, recommend that all websites upgrade to 2048-bit RSA keys by the end of 2013, and many websites have been complying. However, Graham points out, many parts of the Internet, including the well-known online anonymity software called TOR, or The Onion Router, still use 1024-bit keys.
Worse than the NSA finding ways to easily crack 1024-bit RSA/DH keys is the possibility that RSA's encryption algorithm itself may be irreparably cracked.
Keeping the metaphor of encryption as a lockbox and keys as the keys that open the lock, cracking 1024-bit keys is like searching through an enormous key ring to find the right one, and the so-called "cryptopocalypse" is about finding a way into the lockbox that would make the search for correct keys no longer even necessary.
"There is a small but real chance that both RSA and Diffie-Hellman will soon become unusable," said Thomas Ptacek of Chicago-based Matasano Security, Tom Ritter and Javed Samuels of iSec Partners in New York, and Alex Stamos of Artemis Internet, a security firm in San Francisco, in a presentation at the Black Hat security conference held in Las Vegas in July 2013.
Mathematicians have been working on cracking the RSA and DH algorithms for years. Thanks to several breakthroughs in early 2013, some researchers believe that someone will crack these algorithms in the foreseeable future.
Once that happens, current-generation encryption protocols will essentially be useless.
Could the NSA and other U.S. intelligence community groups be trying to accelerate this "cryptopocalypse" by cracking the RSA and DH algorithms itself? It's very likely. Aside from referring to "groundbreaking cryptanalytic capabilities," the summary of the Fiscal Year 2013 Black Budget refers to "tackling hard problems in quantum computing, biometrics, cyber, weapons of mass destruction, and large complex data sets."
Speaking of quantum computing, intelligence communities around the world have been racing to figure out how to do quantum encryption, a supposedly uncrackable form of encryption based on quantum mechanics.
One of the principles of quantum mechanics is that the act of observation has an impact on what is being observed. For example, before a particle is observed it does not have a fixed location — instead, all that particle has is a set of locations that it is more or less likely to be in. Only when a scientist goes to observe that particle does it resolve into a fixed location.
This means that the very nature of quantum computing makes it virtually impossible for snoops to look at sensitive data undetected.
The most important way that quantum computing differs from classical computing is that, in classical computing, the unit known as a "bit" (as in 1024-bit RSA keys) can only be a zero or a one. In quantum computing, because particles do not have fixed location, a quantum bit can be a zero and a one at the same time. Among the many potential uses for this capability is creating exponentially more complicated encryption keys, thus making quantum encryption theoretically uncrackable.
Quantum cryptography is still in its infancy, and doesn't exist outside of some highly theoretical research labs. But intelligence communities across the world are racing to be the first to successfully implement quantum cryptography in the field. Com Dev, a Canadian satellite company, is working on a fleet of microsatellites intended to serve as the backbone of a global quantum communications relay by sending and receiving streams of photons that contain quantum encryption keys. In June, China also announced plans to launch a quantum satellite into orbit by 2016. You can bet the U.S. has similar plans of its own.
As cars become more and more computerized, they also become more hackable and therefore more vulnerable.
These "connected cars" wirelessly connect to the Internet via Wi-Fi and 3G or 4G cellular modems, meaning they can be hacked and tracked through their GPS connections. Cars equipped with the hands-free program OnStar can even be shut down remotely.
In addition to these long-range communications, many cars also use short-range connections between the car and its key to lock and unlock doors and even start the engine. If a hacker were able to capture the connection between car and key, or even clone that signal, they could lock the car's owners out of their car or steal it themselves.
Most of these carjacking techniques still require the hacker to be very close to the car, however. At security conference DEFCON this August, researchers Chris Valasek and Charlie Miller demonstrated their ability to hack into a Prius and a Ford Escape. From the backseat of the car, they used their laptops to do things as harmless as honk the horn and as malicious as turn off the brakes.
Miller and Valasek needed to open up the Prius' dashboard and plug their laptop into the car's computer. If researchers could find a way to remotely hack into cars, they could take near-total control of a vehicle. That's definitely something the NSA would want to keep an eye on.
Noted encryption expert Bruce Schneier refused to speculate on what the NSA might be researching, saying only that it's best to assume that the NSA is looking into "everything."
"The NSA gets to use anything we [in the academic community] come up with but we don't get to use anything they come up with. Just by this fact they're going to be better, or at least as good, as us," Schneier said.
"They're also spending way more money. Half a billion dollars a year is an enormous amount of money to spend on cryptanalytic research. That might be more than anyone else combined."
Therefore Schneier refused to speculate on what the NSA's "groundbreaking cryptanalytic capabilities" could be.
"They have half a billion dollars," he said. "They're doing everything you could think of and a lot of things you can't."