Skip the navigation

Encryption still best way to protect data -- despite NSA

Properly implemented encryption very hard to beat, even by experts at U.S. spy agency, security experts say

September 6, 2013 05:25 PM ET

Computerworld - Though the National Security Agency spends billions of dollars to crack encryption technologies, security experts maintain that properly implemented, encryption is still the best way to maintain online privacy.

The Guardian newspaper and other media outlets this week published stories based on internal internal NSA documents that explain how the spy agency bypasses encryption technologies by using backdoors, brute force attacks, lawful intercepts via court orders and partnerships with tech vendors.

The reports, based on documents leaked to reporters by former NSA-contract employee Edward Snowden, suggest that many encryption algorithms now widely used to protect online communications, banking and medical records and trade secrets have been cracked by the NSA and its British counterpart, the GCHQ.

Steve Weis, chief technology officer at PrivateCore and holder of a Ph.D in cryptography from MIT, said despite the NSA activities, the mathematics of cryptography remains very hard to crack.

He suggested that it's likely that the NSA managed to break through insecure and outdated implementations of some encryption technologies.

For example, the documents suggest that the NSA built a backdoor into an NIST approved encryption standard called Dual EC DRBG, which is used to generate random numbers. Weis noted that the Dual EC DRBG standard has been available for six years and has been rarely used since two Microsoft engineers discovered the NSA backdoor, Weis said.

It remains unclear whether NSA experts have the ability to crack more robust encryption technologies, he said. "So far, I've not seen anything to suggest than an algorithm like AES (Advanced Encryption Standard) has been broken," Weis said.

"When properly implemented, encryption provides essentially unbreakable security," said Dave Anderson, a senior director with Voltage Security, a provider of encryption technology.

"It's the sort of security that would take implausibly powerful supercomputers millions of years to crack. But if it's carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack in a few hours at most," he said an email to Computerworld.

Anderson said the NSA may have been able to take advantage of flaws in key management processes that support the encryption, rather than cracking the cryptography itself, he said. It's possible that the NSA can decrypt financial and shopping accounts, but it can happen only if the cryptography was improperly implemented through faulty, incomplete or invalid key management processes, he said.

Dave Jevans, founder and CTO of Marble Security, a maker of mobile security technology, said some of the concerns raised by the NSA documents are based on a misunderstanding of the facts.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!