NSA has compromised most encryption
Posted by Charles II on September 5, 2013
Crossposted from DK
I remember when I was thought silly for saying this. James Ball, Julian Borger, and Glenn Greenwald, The Guardian:
US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden.
The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.
Among other things, the program is designed to “insert vulnerabilities into commercial encryption systems”.
Independent security experts have long suspected that the NSA has been introducing weaknesses into security standards, a fact confirmed for the first time by another secret document. It shows the agency worked covertly to get its own version of a draft security standard issued by the US National Institute of Standards and Technology approved for worldwide use in 2006.
Documents show that Edgehill’s initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.
Another program, codenamed Cheesy Name, was aimed at singling out encryption keys, known as ‘certificates’, that might be vulnerable to being cracked by GCHQ supercomputers.
This was a view echoed in a recent paper by Stephanie Pell, a former prosecutor at the US Department of Justice and non-resident fellow at the Center for Internet and Security at Stanford Law School.
“[An] encrypted communications system with a lawful interception back door is far more likely to result in the catastrophic loss of communications confidentiality than a system that never has access to the unencrypted communications of its users,” she states.
And if you want the details, they are here.
So, even if users of e-mail do have a reasonable expectation of privacy, they don’t. Because NSA says so.
This is bad for legitimate business and people trying to resist despotism abroad, because as Stephanie Pell says, deliberately broken software is more susceptible to being broken by other methods.