Yesterday, there was news that The Guardian had shared 50,000 pages of NSA documents released by Edward Snowden with the New York Times, some of which showed that the NSA are able to foil basic safeguards of privacy on the web.

We asked our client, Voltage Security, for their opinion on this as they are encryption specialists. Senior director, Dave Anderson, had this to say:

“To quote Snowden himself, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

In the light of this, it seems likely that any possible way that the NSA might have bypassed encryption was almost certainly due to a flaw in the key management processes that support the use of encryption, rather than through the cryptography itself.  So, is it possible that the NSA can decrypt financial and shopping accounts?  Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error.

When properly implemented, encryption provides essentially unbreakable security.  It’s the sort of security that would take implausibly-powerful supercomputers millions of years to crack. But if it’s carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack in a few hours at most.

A more likely way that the NSA is reading internet communications is through exploiting a weakness in key management.  That could be a weakness in the way that keys are generated, or it could be a weakness in the way that keys are stored.   And because many of the steps in the lifecycle of a key often involve a human user, this introduces the potential for human error, making key lifecycle management never as secure as the protection provided by the encryption itself.

General Robert Barrow (USMC) once said that amateurs think about tactics while professionals think about logistics. An appropriate way to update this to the Internet age might be that amateurs talk about encryption while professionals talk about key management. “

Advertisements