Encryption still best way to protect data -- despite NSA
Properly implemented encryption very hard to beat, even by experts at U.S. spy agency, security experts say
Computerworld - Though the National Security Agency spends billions of dollars to crack encryption technologies, security experts maintain that properly implemented, encryption is still the best way to maintain online privacy.
The Guardian newspaper and other media outlets this week published stories based on internal internal NSA documents that explain how the spy agency bypasses encryption technologies by using backdoors, brute force attacks, lawful intercepts via court orders and partnerships with tech vendors.
The reports, based on documents leaked to reporters by former NSA-contract employee Edward Snowden, suggest that many encryption algorithms now widely used to protect online communications, banking and medical records and trade secrets have been cracked by the NSA and its British counterpart, the GCHQ.
Steve Weis, chief technology officer at PrivateCore and holder of a Ph.D in cryptography from MIT, said despite the NSA activities, the mathematics of cryptography remains very hard to crack.
He suggested that it's likely that the NSA managed to break through insecure and outdated implementations of some encryption technologies.
For example, the documents suggest that the NSA built a backdoor into an NIST approved encryption standard called Dual EC DRBG, which is used to generate random numbers. Weis noted that the Dual EC DRBG standard has been available for six years and has been rarely used since two Microsoft engineers discovered the NSA backdoor, Weis said.
It remains unclear whether NSA experts have the ability to crack more robust encryption technologies, he said. "So far, I've not seen anything to suggest than an algorithm like AES (Advanced Encryption Standard) has been broken," Weis said.
"When properly implemented, encryption provides essentially unbreakable security," said Dave Anderson, a senior director with Voltage Security, a provider of encryption technology.
"It's the sort of security that would take implausibly powerful supercomputers millions of years to crack. But if it's carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack in a few hours at most," he said an email to Computerworld.
Anderson said the NSA may have been able to take advantage of flaws in key management processes that support the encryption, rather than cracking the cryptography itself, he said. It's possible that the NSA can decrypt financial and shopping accounts, but it can happen only if the cryptography was improperly implemented through faulty, incomplete or invalid key management processes, he said.
Dave Jevans, founder and CTO of Marble Security, a maker of mobile security technology, said some of the concerns raised by the NSA documents are based on a misunderstanding of the facts.
- U.S. commercial drone industry struggles to take off
- Snowden leaks erode trust in Internet companies, government
- NSA phone metadata collection program renewed for 90 days
- NSA isn't evil, says noted civil libertarian
- Franken presses Ford on location data collection practices
- Justices let stand appeals court decision on border searches of laptops
- California lawmakers move to bar state help to NSA
- Appeals court again nixes Google's bid to overturn Street View case
- Older Mac webcams can spy without activating warning light
- Update: Judge rules NSA spy efforts may be unconstitutional
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts