Questions About Crypto Security Follow Latest NSA Revelations

As security experts and cryptographers continue to debate and discuss the implications of the revelations of the NSA’s capabilities against various encryption protocols and systems, some of the larger Internet companies are taking steps to protect their users’ data against the new threat.

Google, which has been in the middle of many of the conversations resulting from the NSA leaks in the last few months, is accelerating an existing program designed to encrypt all of the data moving between its various global data centers. The company, which handles a massive amount of the Internet’s traffic, has been moving in the direction of encrypting most of its user-facing resources for a long time now, including Google search, Gmail and other products. Users can opt to use a secure connection by default on many Google properties now, an option that encrypts their communications with Google’s servers.

However, the company previously hasn’t encrypted the massive amount of traffic that flows among the data centers it has located around the world. Encryption operations can be costly in terms of performance, so for a company with the traffic footprint of Google, it can be difficult to implement encryption on a global basis like that. But the company has been working on the problem for some time, and it has sped up up that plan, the Washington Post reports, in the wake of the flood of leaks this summer about the NSA’s data-gathering capabilities and surveillance operations.

The latest revelation last week, is perhaps the most concerning for a company such as Google that relies on encrypted communications to protect its users’ data. Leaked classified documents published last week show that the agency has had a long-term program in place that focuses on subverting and breaking encryption protocols, such as SSL/TLS, the main protocol used to protect Internet communications. That has led cryptographers and security experts to express concerns about the reliability and integrity of the encryption protocols that secure much of the traffic on the Internet.

“[SSL] uses a fairly strong, modern encryption algorithm. If they’ve cracked it without getting the keys, that’s terrifying,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University.

The decision by Google to accelerate its plans to encrypt the data between its data centers shows that even companies with significant engineering and economic firepower are worried about the implications to their businesses of pervasive surveillance and data collection.

“It’s an arms race,” Eric Grosse, vice president for security engineering at Google, told the Washington Post. “We see these government agencies as among the most skilled players in this game.”

Although the leaked documents are short on details about how the NSA is compromising encrypted data or which protocols are at risk, cryptographers say that one likely scenario is that the agency has found ways to break cryptosystem implementations rather than the protocols themselves. That means using some vulnerability on one end of the system or the other to get the unencrypted data instead of employing some mathematical breakthrough to decrypt the transmission. But it’s also possible that the NSA, which employs thousands of mathematicians and cryptographers, has in fact made a significant advance that gives it the ability to decrypt some portion of protected communications. That is, after all, part of the agency’s mission.

“More likely is that the NSA has some mathematical breakthrough that affects one or more public-key algorithms. There are a lot of mathematical tricks involved in public-key cryptanalysis, and absolutely no theory that provides any limits on how powerful those tricks can be,” cryptographer Bruce Schneier wrote last week. “It’s naive to assume that, in 2013, we have discovered all the mathematical breakthroughs in cryptography that can ever be discovered. There’s a lot more out there, and there will be for centuries.”

Even with that in mind, Schneier said he trusts the math more than the software that implements it. Dan Wallach, an associate professor at Rice University, agreed, writing in an analysis of the revelations that the big problem is likely in the underlying code.

“The challenge is that the computer code, which implements the math, might be subtly broken, because a software developer either made a mistake or deliberately planted one,” he wrote.

Michael Mimoso contributed to this story.

Image from Flickr photos of Joao Trindade

 

Suggested articles

Black Hat and DEF CON Roundup

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.