Privacy

After NSA encryption-cracking revelation, can we trust Internet security?

Sep. 6, 2013 at 4:37 PM ET

epa03439161 An undated handout photo provided by Google on 19 October 2012 shows blue LEDs on a row of servers showing that everything is running smoo...
Google via EPA file
Blue LEDs on a row of servers indicate that everything is running smoothly, at the Google data center in Douglas County, Georgia.

News that the NSA can break or bypass a variety of digital encryption tools has researchers second-guessing the strength of Internet security products they previously trusted, and wondering exactly who else, besides the feds, may be listening in. 

In the latest revelation about the NSA's activities, The Guardian, the New York Times, and ProPublica suggest that the organization gained access, less by technical savvy, but by coercion, strong-arming companies that work with data, by "getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware."

Encryption might still work in some form, but the revelation indicates that there are many vulnerabilities that the entire cryptography community so far missed. Researchers are now fearful of compromised elements in products they would previously have sworn were secure.

For instance, it's troubling to experts that the NSA has been working with the National Institute of Standards and Technology. NIST sets the public standard — writes the modern cookbook for how cryptography should work, according Matthew Green, a cryptography professor at Johns Hopkins. Cryptographers rely on NIST to know which "recipes" they can trust. But if, according to new reports, the NSA is worked to set these standards to their advantage, products built along those guidelines could be weaker than the security community previously thought.

Say we're building a house, Green told NBC News. "We have good boards and pretty good nails but the glue is compromised," he said. "The NSA is giving us bad glue," he said, and it's hard to tell which glue the bad glue is. (Green goes into more detail in a blog post, here.)

Many researchers had guessed that the NSA had some nifty decryption tricks up its sleeve, Green said. So he and his colleagues were surprised to learn one of the agency's key tactics. "Instead of breaking the encryption algorithms, they're going around making everyone's products worse," he told NBC News.

Which raises the question: If the NSA is listening in, who else is, too? Green agrees that it is plausible that other governments or even organized crime rings may be able to take advantage of the back doors the NSA has left in. Joan Feigenbaum, professor of computer science at Yale University wrote in an email to NBC News that it is "plausible" that other entities beyond the NSA are listening in, but without more information about "exactly what's going on," it is hard to know who or how. 

Based on the information available so far, the flaws are hard to catch because it's hard to tell what techniques the NSA using — "We don't know if the NSA can crack specific algorithms, or if they're only going after vulnerabilities in software."

One way to find out? More whistle-blowing, Bruce Schneier, a vocal privacy researcher argues. InGuardian post on Thursday, he declares: "We need to know how exactly how the NSA and other agencies are subverting routers, switches, the Internet backbone, encryption technologies and cloud systems." Schneier calls on engineers and designers like Edward Snowden who have been tapped for help by the NSA to go public, and speak out. 

Feigenbaum is convinced that "our information and communication environment has been compromised," and agrees with Schneier: Increased transparency from members of the cryptography community itself will be key to finding and fixing flaws. 

For their part, big companies like Google and most recently Facebook have attempted to come clean(er) about their requests from the government. Facebook, the most recent one to do so, has indicated that it had fielded up to 12,000 requests from the U.S. government, "including both criminal and national security requests," in the first six months of 2013. 

As for specialists in the field, the people who promote the idea that Internet security is, in fact, secure, the outlook is grim. There's going to be a lot less trust in the security industry — especially in the short term, Green said.

Nidhi Subbaraman writes about technology and science. You can follow her on Facebook, Twitter and Google+

TOP