Regardless of the NSA, you still need encryption

It seems as though everywhere you turn lately, another story breaks revealing information about PRISM and Edward Snowden. And it just keeps coming. Snowden’s latest disclosure builds on the story: not only has the NSA partnered with cloud service providers to bypass encryption and access data on their international clients, but it has also ‘cracked much online encryption.’ What does this mean for your security team? Should you quit using encryption?


The short (and long) answer is NO.

Interestingly, Snowden himself commented that strong encryption cannot be decoded by the NSA; he was quoted by the Guardian during an online chat as saying, "Encryption works. Properly implemented strong crypto systems are one of the few things you can rely on."

While the details are still murky regarding the NSA’s actual technical capabilities, Snowden’s recent revelations indicate the NSA has used a combination of endpoint security weaknesses, direct access granted by service providers, and potentially some mathematics to ‘crack’ the encryption used in SSL – the primary protocol used for internet communications. But does this mean they can crack all encryption? No – or at least, not yet.

Let’s look at one of the most common forms of encryption, the AES standard. This is a primary encryption algorithm recommended by the National Institute of Standards and Technology (NIST). The AES algorithm, introduced in 2001, is used extensively (including by the government) to encrypt data ‘at rest’ in storage and in backups. Bruce Schneier, a famous cryptographer, has written about AES extensively in the past and has said many times that AES will take a long time to break, quite likely on the order of decades, centuries or even longer. In a recent blog after news of the NSA leak, Schneier wrote:
