Encryption still best way to protect data -- despite NSA
Properly implemented encryption very hard to beat, even by experts at U.S. spy agency, security experts say
Computerworld - Though the National Security Agency spends billions of dollars to crack encryption technologies, security experts maintain that properly implemented, encryption is still the best way to maintain online privacy.
The Guardian newspaper and other media outlets this week published stories based on internal internal NSA documents that explain how the spy agency bypasses encryption technologies by using backdoors, brute force attacks, lawful intercepts via court orders and partnerships with tech vendors.
The reports, based on documents leaked to reporters by former NSA-contract employee Edward Snowden, suggest that many encryption algorithms now widely used to protect online communications, banking and medical records and trade secrets have been cracked by the NSA and its British counterpart, the GCHQ.
Steve Weis, chief technology officer at PrivateCore and holder of a Ph.D in cryptography from MIT, said despite the NSA activities, the mathematics of cryptography remains very hard to crack.
He suggested that it's likely that the NSA managed to break through insecure and outdated implementations of some encryption technologies.
For example, the documents suggest that the NSA built a backdoor into an NIST approved encryption standard called Dual EC DRBG, which is used to generate random numbers. Weis noted that the Dual EC DRBG standard has been available for six years and has been rarely used since two Microsoft engineers discovered the NSA backdoor, Weis said.
It remains unclear whether NSA experts have the ability to crack more robust encryption technologies, he said. "So far, I've not seen anything to suggest than an algorithm like AES (Advanced Encryption Standard) has been broken," Weis said.
"When properly implemented, encryption provides essentially unbreakable security," said Dave Anderson, a senior director with Voltage Security, a provider of encryption technology.
"It's the sort of security that would take implausibly powerful supercomputers millions of years to crack. But if it's carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack in a few hours at most," he said an email to Computerworld.
Anderson said the NSA may have been able to take advantage of flaws in key management processes that support the encryption, rather than cracking the cryptography itself, he said. It's possible that the NSA can decrypt financial and shopping accounts, but it can happen only if the cryptography was improperly implemented through faulty, incomplete or invalid key management processes, he said.
Dave Jevans, founder and CTO of Marble Security, a maker of mobile security technology, said some of the concerns raised by the NSA documents are based on a misunderstanding of the facts.
- NSA defends collecting data from U.S. residents not suspected of terrorist activities
- Groups fear bill would allow free flow of data between private sector and NSA
- Google's move into home automation means even less privacy
- Bill to require warrant for email searches gains ground in House
- Coming soon to a fridge near you -- targeted ads
- Snowden leaks prompt tech firms to tout privacy, transparency policies
- License reader lawsuit can be heard, appeals court rules
- Is EU's 'right to be forgotten' really the 'right to edit the truth'?
- Tails 1.0: A bootable Linux distro that protects your privacy
- Privacy jitters derail controversial K-12 big data initiative
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!