Well, what an announcement! But, really?
I don't believe for a moment either the NSA (National Security Agency) nor GCHQ (Government Communications Headquarters) have actually broken or successfully hacked AES or public key encryption that - I hasten to add - underpins the trust and security of
the Internet; securing every online transaction, secure email, secure VPN
(Virtual Private Network) tunnels, WiFi, stock trading, 3G and 4G mobile
phones, online banking... I could go on and on!
Where would this leave eCommerce and international
trading? How could - for example - China trade securely online with a
competitor market of the US, when all the time the US NSA are intercepting
these highly secure and encrypted communications, decrypting them and figuring
out a way to undermine this and all future deals?
International markets would suffer beyond belief, sending
stocks tumbling and all markets into turmoil. They haven't... but why?
School yard Bully
What these reports should explain is, the NSA haven't
broken the mathematics behind the original encryption algorithms but in fact circumvented it by
deliberately introducing weaknesses into the encryption, using secret court
orders, coercion and bullying the IT companies and providers into handing over
encryption keys, installing escrow keys or replacing secure random number
generators for less random generators. These are not direct breaks of the
encryption algorithms but 'back-doors' (or zero-day exploits) deliberately
introduced to reduce the effectiveness and strength of the encryption or, bypass it altogether.
Hiding under their 'national security' umbrella and
playing the 'terrorism' card allows the NSA to easily obtain secret court
orders and force companies into complying with their demands or make their CEO's
face potential prison time and or fines.
The problem here is not so much that giants like
Facebook, Google, Microsoft etc. are complying (whether under duress or not) but
that CA's (Certificate Authorities) may also have been forced to comply.
Bent CA's is a serious concern. CA's are responsible for
issuing TLS/SSL certificates for HTTPS secured websites and web services. You will recognise these sites from the padlock icon in your web browser.
If these organisations have been nobbled by the NSA then every website secured with a TLS/SSL certificate will have a back-door or some other way for the NSA to monitor the the sites traffic or otherwise get around the encryption. Why spend millions (or billions) of dollars and computing time trying to break complex mathematical algorithms - that as yet, to the best of my knowledge are unbreakable - when a bent CA can give direct access to unencrypted data? It's a no-brainer! Is this why Google and other companies have tripped over themselves to offer TLS/SSL protected searches? Are they trying to look like they're protecting their users' privacy when in fact all your search terms are accessible to the NSA anyway? The NSA and GCHQ weren't that concerned that these companies decided to move the HTTPS route, in fact they recommended they did... why? Because they knew the encryption would provide a sense of security for people (especially criminals) and they could bypass the security anyway to retrieve any data passed over the 'secure' protocol?
If these organisations have been nobbled by the NSA then every website secured with a TLS/SSL certificate will have a back-door or some other way for the NSA to monitor the the sites traffic or otherwise get around the encryption. Why spend millions (or billions) of dollars and computing time trying to break complex mathematical algorithms - that as yet, to the best of my knowledge are unbreakable - when a bent CA can give direct access to unencrypted data? It's a no-brainer! Is this why Google and other companies have tripped over themselves to offer TLS/SSL protected searches? Are they trying to look like they're protecting their users' privacy when in fact all your search terms are accessible to the NSA anyway? The NSA and GCHQ weren't that concerned that these companies decided to move the HTTPS route, in fact they recommended they did... why? Because they knew the encryption would provide a sense of security for people (especially criminals) and they could bypass the security anyway to retrieve any data passed over the 'secure' protocol?
TLS/SSL is a hybrid encryption solution - the primary encryption employed by TLS/SSL is public key
encryption (it also employs AES symmetric encryption also but this is discussed in
another post). This relies on the fact that current computer systems cannot factor large semi-prime numbers easily.
A semi-prime is a number resulting from
the multiplication of two prime numbers. So, if I gave you a semi-prime number
of 15 and asked you to find the two primes making up this number,
it's not that hard. This is called factoring. The larger the primes used to
create the semi-prime, the harder it is to
factorize. The largest prime number known today is 243,112,609-1 and when printed, it eats up 4,376 pages!
Simon Pampena - the mathematical genius explains more.
Simon Pampena - the mathematical genius explains more.
Computers are amazing at maths, they can take mere seconds to multiply two large prime numbers together to create an even bigger
number (semi-prime) but reversing this process, that is to take a very large
number (semi-prime) and find the two primes that made this can take a time
greater than the age of the Universe to complete. The larger the key size, the
greater the attack time. The sort of processing power required to factor these
immense semi-primes just doesn't exist today.
Take a look at this short video. It will demonstrate what I'm saying.
Quantum Computing
It's worth mentioning at this point Quantum
Computing.
Quantum Computing (QC) is the next generation of computing.
It's the future! Current computing technology uses binary, a one or a zero.
These bits are used to process instructions sequentially, and can only process
them sequentially. QC operates on Qubits. A Qubit
can be both a one or a zero at the same time. This gives Quantum Computers
immense processing power and when these become more advanced and main-steam, they will blow
public key encryption apart. They'll do this because they will factor massive
numbers far quicker than current systems. Remember public key cryptography
relies on the fact we cannot quickly factor large semi-primes, quantum
computing will fix this problem, meaning we either find even larger prime
numbers to create these public/private key pairs or we look
to another encryption solution for this security problem.
What about AES?
Quantum computers pose no real threat to symmetric
encryption. Unlike public key cryptography (relying on the discrete logarithm problem and complex prime factorisation to secure data), symmetric encryption requires a key
to encrypt and decrypt data. This key (assuming brute force attacks) can only
be broken by trying every possible combination. This will take many try/fail
attempts to find the correct key to decrypt the ciphertext. However, although this encryption won't be broken as easily as asymmetric (public key) encryption, it will be possible to try more combinations of a key in a shorter time period than current systems are able to.
From my understanding, AES-128 can be broken with 264 steps, meaning AES-256 in a quantum world will only actually provide the equivalent of AES-128. We'll need bigger keys!
From my understanding, AES-128 can be broken with 264 steps, meaning AES-256 in a quantum world will only actually provide the equivalent of AES-128. We'll need bigger keys!
So I'm confident the NSA (and GCHQ) have not actually
broken the encryption algorithms used to secure data transfer over the Internet
but introduced dangerous zero-day exploits into the current systems. Some may
say 'so what?', well from a developers point of view, deliberately introducing
zero-day exploits into software is definitely not the brightest thing to do... for anybody! Why would anyone
deliberately introduce a security hole into any software, never mind software
designed explicitly to protect data? I think it smacks of desperation! Plain and simple... desperation!
The US and UK security services are so obsessed with data mining and
harvesting internet communications they are doing whatever they can to achieve
this. Even if it means introducing security flaws into otherwise secure
software.
What does it matter?
Zero-day exploits are dangerous. They are often exploited
by hackers to gain unauthorised access to computers, networks and applications
and such breaches often go undetected for a long time. Deliberately introducing
such exploits into trusted commercial applications not only undermines the
trust put into those companies by their customers, but is an open invite to
hackers to find the 'back-door' and exploit it for their own gains.
In my opinion, the NSA are playing a very dangerous game.
They are dismantling all freedom and privacy on the Internet and putting honest
people's confidentiality and privacy at great risk. So what's the solution?
Open Source
With talk of large corporations bowing down and being
raped of all honestly and integrity by the NSA, can you trust the software
produced by these companies? Can you be sure your private, encrypted data is
confidential? If you're a government, can you be sure the US and its allies
aren't eavesdropping on your conversations?
Don't get me wrong. I completely understand the need for
national security - and I agree with it - but what pisses me off is how this
card is played every time the governments are caught out doing something
illegal. Collating emails, images, videos, phone meta data, instant messages
etc. for analysis (storing it for years), keeping it quiet - but when
busted, some high ranking official as if having Tourette's yells 'terrorism!',
'national security!' There, that'll do
it. That should cover our illegal activity and scare the public into accepting
what we're doing is right!
Well it's not right. Far from it! In the 90's the NSA tried to introduce the Clipper Chip, which was essentially a back-door into all encryption services/devices which whilst allows the data to be encrypted, it would always allow the NSA a way into documents, files or device. This was given the boot by the US government at the time but the NSA didn't roll over and take this. This was the start of a multi-billion dollar hacking and bullying program whereby the NSA effectively introduced flaws into encryption algorithms and used their power to threaten companies into handing over passwords, encryption keys and give them access to their networks and data upon demand. As this progressed and their thirst for more and more data took over them like a vampire craving fresh blood, other programs came online such as Prism. These programs are funded by the US black budget and are classified.
So if all the 'reputable' companies are nobbled and the NSA have keys in all the mainstream commercial software, allowing them to hack into any system they see fit - what do you do?
Open Source is where many people will begin a fight back again this abuse. Open Source software is available to anybody to view and scrutinise and is so much harder for the NSA to implement back-doors in the code base as it will be spotted by developers and questions will be asked.
Much of the commercial software available out there to day (I'm thinking mainly of PGP) is also available as Open Source. The Open Source version of PGP is called OpenPGP. Software such as Privacy Guard is built on the OpenPGP standard and provides a vast array of encryption and security tools.
Personally, I would always recommend, where possible, the use Open Source (or open source based) software when it comes to security, especially in light of the recent revelations from Edward Snowden.
It's not all doom and gloom!
So right now, I would say the the NSA and GCHQ have a long way to go to break the encryption in use today. Breaking is not the same as cracking. Cracking a cryptographic algorithm (DES for example) means the cryptanalyst has found a way to speed up any potential key retrieval. It does not mean they have broken the algorithm itself. Modern algorithms are very secure and standards like AES (the Advanced Encryption Standard) is in use today for a reason - it's yet to be broken!
Well it's not right. Far from it! In the 90's the NSA tried to introduce the Clipper Chip, which was essentially a back-door into all encryption services/devices which whilst allows the data to be encrypted, it would always allow the NSA a way into documents, files or device. This was given the boot by the US government at the time but the NSA didn't roll over and take this. This was the start of a multi-billion dollar hacking and bullying program whereby the NSA effectively introduced flaws into encryption algorithms and used their power to threaten companies into handing over passwords, encryption keys and give them access to their networks and data upon demand. As this progressed and their thirst for more and more data took over them like a vampire craving fresh blood, other programs came online such as Prism. These programs are funded by the US black budget and are classified.
So if all the 'reputable' companies are nobbled and the NSA have keys in all the mainstream commercial software, allowing them to hack into any system they see fit - what do you do?
Open Source is where many people will begin a fight back again this abuse. Open Source software is available to anybody to view and scrutinise and is so much harder for the NSA to implement back-doors in the code base as it will be spotted by developers and questions will be asked.
Much of the commercial software available out there to day (I'm thinking mainly of PGP) is also available as Open Source. The Open Source version of PGP is called OpenPGP. Software such as Privacy Guard is built on the OpenPGP standard and provides a vast array of encryption and security tools.
Personally, I would always recommend, where possible, the use Open Source (or open source based) software when it comes to security, especially in light of the recent revelations from Edward Snowden.
It's not all doom and gloom!
So right now, I would say the the NSA and GCHQ have a long way to go to break the encryption in use today. Breaking is not the same as cracking. Cracking a cryptographic algorithm (DES for example) means the cryptanalyst has found a way to speed up any potential key retrieval. It does not mean they have broken the algorithm itself. Modern algorithms are very secure and standards like AES (the Advanced Encryption Standard) is in use today for a reason - it's yet to be broken!
No comments:
Post a Comment