Regardless of the NSA, you still need encryption

It seems as though everywhere you turn lately, another story breaks revealing information about PRISM and Edward Snowden. And it just keeps coming. Snowden’s latest disclosure builds on the story that not only has the NSA partnered with cloud service providers to bypass encryption and access data on their international clients, but also that they have ‘cracked much online encryption.’ What does this mean for your security team? Should you quit using encryption?

big_brother.jpg

The short (and long) answer is NO.

Interestingly, Snowden himself commented that strong encryption cannot be decoded by the NSA, and he was quoted by the Guardian during an online chat, "Encryption works. Properly implemented strong crypto systems are one of the few things you can rely on."

While the details are still murky regarding the NSA’s actual technical capabilities, Snowden’s recent revelations indicate the NSA has used a combination of endpoint security weaknesses, direct access granted by service providers, and potentially some mathematics to ‘crack’ the encryption used in SSL – the primary algorithm used for internet communications. But does this mean they can crack all encryption? No – or at least, not yet.

Let’s look at one of the most common forms of encryption, the AES standard. This is a primary encryption algorithm recommended by the National Institute of Standards and Technology (NIST). The AES algorithm, introduced in 2001, is used extensively (including by the government) to encrypt data ‘at rest’ in storage and in backups. Bruce Schneier, a famous cryptographer, has written about AES extensively in the past and has said many times that AES will take a long time to break, quite likely on the order of decades, centuries or even longer. In a recent blog after news of the NSA leak, Schneier wrote:

Honestly, I’m skeptical. Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.

To continue reading this article register now

  
Shop Tech Products at Amazon