Almost three decades late, the themes in George Orwell’s “1984” seemed to finally roll around this year amid disclosures that the National Security Agency can penetrate encryption, read email and listen to phone calls.
The revelations scare many individuals with nothing in particular to hide. But for enterprises with trade secrets, they pose a more urgent problem: Even if you trust the U.S. government, who is to say that foreign governments — or your competitors — haven’t mastered the same hacks.
Fortunately, reality is not quite as dire: Leading cryptographers say it is still possible to protect your data — if you do it in-house.
News agencies led by The Guardian, Washington Post, The New York Times and ProPublica have been publishing accounts all summer of NSA efforts to read electronic communication. Citing leaked documents, these organizations first reported that the NSA had ordered telephone companies to share records of everyone’s calls. Subsequent reports covered agency efforts to force email providers and social media websites to give the government access to users’ messages, and that it had penetrated the codes used to protect Internet data.
“The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents,” The New York Times reported earlier this month.
The agency can reportedly get around codes used in Secure Sockets Layer and, by extension, secure hypertext transfer protocol, virtual private networks and the protections that shield 4G smartphones. But not every code is vulnerable.
Security in mathematics
“You need more than supercomputers to be able to decrypt international standard-encryption algorithms,” said Geoff Webb, director of solution strategy at security consultancy NetIQ.
The best algorithms are designed like math problems that would take millions of years for even the smartest computer to solve. What’s more likely is that the NSA has begged, demanded or stolen the keys to encryption programs that major vendors have generated with these algorithms, said Bruce Schneier, a Harvard University cryptographer.
“Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system,” he wrote in the wake of the latest disclosures. “I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are and where the NSA spends the bulk of its efforts.”
Where the NSA doesn’t have keys, some accounts suggest, it has convinced code makers and agencies who set security standards to create slight flaws in the way algorithms are applied — flaws the NSA can later exploit.
But if experts believe that no one can actually break codes made by the correctly applied algorithms, then it’s still possible to successfully encrypt data. It does raise a question, however, about whether organizations should trust communications companies to encrypt on their behalf.
Following this logic, organizations that need to send sensitive email should encrypt it before hitting send, store it in the cloud or put it on a server accessible through VPN. Webb said it’s not hard to encrypt data in-house, and many organizations have become too reliant on third parties to protect their vital secretes.
“There are plenty of tools that allow you to encrypt data before you send it,” Webb said. “I think it’s unlikely in the extreme that the NSA has access to that.”
Many software makers offer propriety solutions for in-house encryption. Webb said he prefers software that uses open-source algorithms, which may sound counterintuitive, but public algorithms are tested in a way that private ones are not.
“A whole planet full of mathematicians has hammered on them,” he said.Tags: IT Security,Technology