The NSA is making headlines once again thanks to new revelations from fugitive whistleblower Edward Snowden. Snowden claims that efforts to encrypt communications are incapable of preventing access by the NSA, but at least one security expert maintains that this claim is probably exaggerated, and that you may play a significant role in allowing the NSA to “break” your encryption.
According to a report from UPI.com, “The [NSA], at a cost of more than $250 million in the current year's budget, employs custom-built, superfast computers to break codes with "brute force," uses covert measures to ensure NSA control over setting international encryption standards and, in the most closely guarded secret, collaborates with technology companies and Internet service providers in the process, said the documents published by The New York Times, the non-profit news organization ProPublica and a British newspaper, The Guardian.”
Is it possible? Yes. There is no such thing as absolutely impenetrable encryption. Given enough processing power, and time, the NSA can just try every possible combination in existence until it hits the right one—a brute force attack. An encryption algorithm based on a 256-bit key, however, has 1x10 to the 77th power possibilities. That’s a 10 with 77 zeros after it.
When you’re brute forcing, you could get lucky and hit it on the first try, or it could take you 1x10 to the 77th power attempts. I have no idea what you even call a number with almost 80 zeros, but suffice it to say its astronomically huge. I don’t care how powerful your computers are, it will take a long time to try out that many possible key combinations to find the right one.
Anderson suggests that the NSA ability to bypass encryption is almost certainly a function of flawed implementation and/or poor encryption key management. “So, is it possible that the NSA can decrypt financial and shopping accounts? Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error.”
When properly implemented, encryption provides essentially unbreakable security. It’s the sort of security that would take implausibly-powerful supercomputers millions of years to crack. But if it’s carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack in a few hours at most.
Regardless, the issue underscores a massive problem with data security. Encryption is generally touted as the Holy Grail magic solution for all things data security, and many organizations and individuals just turn on whatever encryption is the easiest or most convenient and expect communications and data to be invulnerable. It’s an unrealistic expectation.
You can have the best, most formidable lock in the world securing the front door to your home, but if you hide the key under the welcome mat, it won’t stop an intruder. If the NSA is cracking all of the encryption on the Internet, there’s a pretty good chance that a weakness in key management is making it possible—maybe even easy. It might be a weakness in how the keys are being generated, or how they’re stored. The key management lifecycle typically relies in part on human intervention, which brings an element of human error into the equation as well.
Anderson summed up with, “General Robert Barrow (USMC) once said that amateurs think about tactics while professionals think about logistics. An appropriate way to update this to the Internet age might be that amateurs talk about encryption while professionals talk about key management.”