Report: NSA can break mainstream Internet encryption
The latest Snowden revelation alleges that the NSA has the technology to break the encryption that powers the secure use of the Internet for commerce and personal use. When I first heard this, my initial response was: Duh! Code breaking was what the NSA was founded to do and they have the budget and resources to make it happen somehow. However, like most of the revelations that Snowden has exposed, the devil is indeed in the details. So, should we be concerned?
Before I give my opinion on that question, some background. I believe we live in a very dangerous world, where most of our enemies don’t play nicely in the sandbox. The NSA’s role is to play in this shadowy sandbox, while being constrained by US law. The NSA does this by listening to and deciphering all sorts of electronic signals and they are very good at it. They have a very large budget and are one of the few organizations in the world that can afford to apply large numbers of very powerful computers to find keys by brute force.
There are basically three methods for successful decryption: intelligent guessing, brute-force and back-doors. Intelligent guessing is looking at a person’s profile and figuring that they likely will use information about themselves or their families to create passwords. This can be quite effective since many people use things like their kids’ names, various birth dates, phone numbers, addresses and similar information in their passwords. Alternatively, they’ll use some well-known words like “password” or “1234” or “aaaaaaaa” in their passwords. BTW: This doesn’t require the resources of an NSA to figure out.
Brute-force is the act of trying every possible password against the encryption until the key is found. This can typically only be attempted by organizations like the NSA or some other government entity, since it requires very large numbers of very powerful computers for this to have a chance of working. However, given the rapidly increasing power (and numbers) of computers that can be applied to the problem, existing keys will soon not be secure enough. Currently, the standard key length is 256 bits (Note: every additional “bit” in length doubles the possible keys, so 257 bits would yield 2X the possible keys). It wasn’t that long ago that 64-bit keys were sufficient, though now they can be broken in a very short time with a PC. All this leads us to the remaining method:
Back-doors are special interfaces and/or protocols that allow selected parties to decrypt a message without the appropriate key. Think of it as a master key. With a back-door, the possessor of the master key wouldn’t need to spend the resources or (more importantly) time to break the cypher, they’d simply apply the master key.
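The first two methods described above, as an added example that is not code from the original post: a defender-side check that flags passwords an intelligent-guessing attack would try first, and an estimate of exhaustive-search effort by key length. The profile values and the guess rate of 10^12 per second are assumptions made for illustration.

```python
import math
import re
import string

# The well-known words are the article's own examples; the profile is constructed.
COMMON = {"password", "1234", "aaaaaaaa"}
SAMPLE_PROFILE = {"child's name": "Emma", "birth year": "2009",
                  "phone number": "555-0142"}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def guessable_reasons(password, profile):
    """Return why a profile-based guessing attack would find this password early."""
    reasons = []
    lowered = password.lower()
    digits = re.sub(r"\D", "", password)
    for label, value in profile.items():
        token_digits = re.sub(r"\D", "", value)
        # Match the value as typed, or its digits alone (phone numbers, dates).
        if value.lower() in lowered or (len(token_digits) >= 4
                                        and token_digits in digits):
            reasons.append(f"contains {label}")
    if any(word in lowered for word in COMMON):
        reasons.append("contains well-known word")
    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    return reasons


def search_space_bits(password):
    """log2 of the candidates a brute-force search over the used character
    classes must cover; characters outside CLASSES are not counted."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_years(bits, guesses_per_second):
    """Average exhaustive-search time: half the key space at an assumed rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("Emma2009", "aaaaaaaa", "t7#Lq9!vWz2$"):
        print(pw, guessable_reasons(pw, SAMPLE_PROFILE),
              round(search_space_bits(pw), 1))
    for bits in (64, 65, 256):
        print(bits, "bits:", expected_years(bits, 1e12), "years at 1e12/s")
```

An eight-character lowercase password spans about 37.6 bits of search space, so data protected by it is only as hard to brute-force as that password, whatever the key length of the cipher.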
What has been alleged is that the NSA and its British counterpart the GCHQ have been able to successfully perform brute-force attacks against the standardly used Internet cyphers as well as to work with leading technology vendors to provide back-doors into their secure products. On the brute-force attacks, it’s not clear from the Snowden-provided documents how successful they have been. Specifically, how reliably can the key be found and how long does it take? If it takes vast resources weeks to months to successfully discover a key, then it’s not that successful (yet).
The back-door attacks are more troubling. Presumably, with a master key, messages can be decrypted in something that approaches real-time. The question here is whether the back-door solution requires a dedicated connection into the servers for a company like Google or if they can sniff it and decode in real-time off the Net? As troubling as the former is, the latter is my real concern because that means that others could conceivably figure out how to exploit the back-door. Which leads us to the Snowden revelations in general. In my opinion, Snowden has done irrevocable damage to the US and for that matter the global community by exposing this information. However, it’s also proof that organizations like the NSA, CIA, GCHQ are more porous than they’ve been historically and likely will remain so. This means that any shortcut that they devise will eventually be known by others.
So, back to the initial question: Should we be concerned? For average Americans doing their thing on the Internet, not yet. First of all, we really don’t know enough to know whether NSA or GCHQ (or any other friend or foe government) has the ability to decrypt messages quickly enough or on a wide enough scale to do any real damage. My bigger concern is foreign governments like Russia, which have given criminal organizations free rein to terrorize the Internet. It would be a nightmare for these organizations to have access to NSA-like resources. However, there are no indications that we are there yet.
The best protection continues to be to use complex, difficult-to-guess passwords, properly encrypt sensitive data stored and transmitted on the Net, limit sensitive data on the Net (even if encrypted), don’t use untrusted Wi-Fi networks (like the local cafe Wi-Fi) and perform financial transactions with established, reputable companies and financial institutions.
For more information:
- The Guardian article
- New York Times article - This is a very good overview of the issues and some of the history of the NSA’s attempts to install back doors, including a solution called the Clipper Chip.
September 9th Update: There is more information on this topic, for which I created a new post today.