Today I came across a very good article by Matthew Green, a professor at Johns Hopkins. Christopher Soghoian of the ACLU called this the one article to read and I absolutely agree.
It was just revealed by ProPublica, The Guardian, and The New York Times that the NSA has been ‘defeating’ encryption measures. For a techspeak layman that means the NSA is peeking through windows on the Internet that were thought to be drawn and locked. Mainstream media have overwhelmingly reported this as “breaking” cryptography. But this description is seriously misleading, since it is close to mathematically impossible to ‘break’ cryptography in the sense they mean (cracking the cryptography itself using pure brute force).
Instead, a better description is that the NSA is ‘cheating’ via backdoors and other methods to tilt the odds of cracking encryption in their favor. Professor Green accurately qualifies what ‘breaking’ cryptography means:
“Readers of this blog should know that there are basically three ways to break a cryptographic system. In no particular order, they are:
1. Attack the cryptography. This is difficult and unlikely to work against the standard algorithms we use (though there are exceptions like RC4.) However there are many complex protocols in cryptography, and sometimes they are vulnerable.
2. Go after the implementation. Cryptography is almost always implemented in software — and software is a disaster. Hardware isn’t that much better. Unfortunately active software exploits only work if you have a target in mind. If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors.
3. Access the human side. Why hack someone’s computer if you can get them to give you the key?

Bruce Schneier, who has seen the documents, says that ‘math is good’, but that ‘code has been subverted’. He also says that the NSA is ‘cheating’. Which, assuming we can trust these documents, is a huge sigh of relief. But it also means we’re seeing a lot of (2) and (3) here.”
So, it has more to do with the NSA working with providers to sabotage the encryption. Locked windows that one can unscrew from the outside, or a backdoor to the inside, if you will. Professor Green goes on to describe some of the ways that the NSA could be “cheating” the system:
- Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
- Influencing standards committees to weaken protocols.
- Working with hardware and software vendors to weaken encryption and random number generators.
- Attacking the encryption used by ‘the next generation of 4G phones’.
- Obtaining cleartext access to ‘a major internet peer-to-peer voice and text communications system’ (Skype?)
- Identifying and cracking vulnerable keys.
- Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
- And worst of all (to me): somehow decrypting SSL connections.
These revelations are already leading to an air of distrust in the security industry, as Professor Green predicted. Consider that today Google began accelerating its encryption of data traveling between its data centers.
Fortunately, companies like Google have identified that the NSA’s measures undermine their brand’s credibility abroad and run against the underpinnings of the Internet. It will be important over the next several days to look at which other players in the tech industry can become unanticipated allies to digital civil liberties activists.