NSA Can Break Internet Encryption Technologies

    September 5, 2013
    Zach Walton
    Comments are off for this post.

The NSA can see pretty much everything you do online as long as it’s not encrypted. That’s at least what a Snowden leak from last month claimed. The news spurred more people and businesses to sign up for more encryption services, but a new leak suggests that their efforts may have been all for naught.

The Guardian, in collaboration with The New York Times and ProPublica, report that the NSA employs a number of programs to break through the encryption software used everyday to protect the privacy of Internet users. These programs range from the use of super computers in decrypting files to outright paying companies to insert vulnerabilities into their own software.

It should be noted before going any further that the NSA sees encryption and those who use it as adversaries to its mission. In one of the documents provided by Snowden, the NSA says that it’s able to use exploits in encryption software to access what “consumers and other adversaries” think is secure data.

Let that sink in it for a moment.

The NSA, an agency that’s charged with protecting the American people, refers to those its sworn to protect as adversaries. If the document had read “consumers and adversaries,” it would have been questionable, but fine. The addition of the “other” confirms a previous leak that revealed the NSA automatically assumes any encrypted data is up to no good.

So, how does the NSA gain access to encrypted data? The most prominent method is the one used by pretty much every other hacker on the planet – brute force alongside new decryption techniques. It appears that the NSA worked alongside their British counterparts at the GCHQ on two programs – Bullrun and Edgehill respectively – to break through the encryption used in major communication systems, including Gmail.

More worrisome, however, are the back room deals negotiated by the NSA to ensure that it doesn’t even have to break through the encryption in the first place. The documents point to a top secret program, which costs $250 million a year, where the NSA works with “US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.” In other words, the NSA pays companies to insert backdoors into their own software. Some of the participants are even encryption companies that knowingly insert exploits into their own software so the NSA can access data sent via their services.

The NSA also has a hand in influencing global encryption standards. The documents state that the agency secretly had its draft of encryption standards accepted by the US National Institute of Standards and Technology. These are the bare minimum security standards that any Internet company worth their salt abides by, and the NSA can just blow right through said standards on account of it writing them.

So, is there anything that the NSA can’t peer into? Well, there are new encryption tools being developed every day. The NSA makes a note of this by saying that it can’t break through every encryption technology just yet. We don’t know what those encryption technologies are, but it’s safe to assume that LavaBit may have been one of them.

Even more worrisome than the NSA having access to encrypted information is the existence of these backdoors in the first place. Any security researcher will tell you that backdoors are an incredibly bad idea that do more harm than good. What happens when malicious hackers find their way into the backdoors intended for government officials? Nothing good, that’s what.

President Obama and defenders of the NSA claim that the agency is needed to protect us from the bad guys. Those bad guys are increasingly turning to cyberwarfare where such back doors are rather convenient for those who would launch cyber attacks that can cause real harm to people who use the Internet for everything from banking to sharing personal information. The NSA may be trying to secure America from foreign threats, but in doing so is making the Internet less secure. That’s a problem and one that needs to be addressed by Obama’s “independent” panel of experts that will examine the NSA’s practices over the coming months.

[Image: The Guardian]
  • Reality

    America is not free and those that believe it is are deluded. Lets looks at what has transpired since 9/11:

    – We have 5% of the world population but 25% of the world’s prisoners.
    – Prison statistics don’t even include those “detained”.
    – No-warrant wire taps.
    – Indefinite detention of citizens without charges.
    – Approval of rendition of prisoners and torture.
    – Stop and frisk without probable cause.
    – Search and seizure without a warrant.
    – No-knock entry,
    – Confiscation and destruction of cameras that film police acting illegally.
    – Police brutality and police shootings that go without investigation.
    – Managed news.
    – The civil-rights destroying “Patriot” Act.
    – FEMA camps.
    – TSA expansion beyond airports.
    – Internet entrapment cases.
    – People going to prison for crimes against fictitious people who do not even exist.
    – Major increase in victim-less crimes in the US.

    We are simply a police state and this is just the beginning. I feel sorry for all the grand-children out there. This is just going to get worse.

    • Jon

      Could we also include on your list the following.

      I recently came across a hero of US airforce who spoke of a programme to defend the soverienty of US airspace called “noble eagle”.

      Post 9/11 the need for such a programme is obvious, I dont deny the right of any nation to defend itself from attack.

      Nope what gets my back up is the talk of “noble eagle” and other national pride talk when the US does not seem to respect foreign sovereinty at all. Note the taking of Bin Laden and also drone attacks over foreign sovereign soil.

      Sure the US should defend itself and may need to fight dirty and many actions may be totally justified post 9/11 but if thats the case can use more transparent language so at least the under-informed US electorate can gain a reasonably clear and unpolished view of what their country gets up to.

      I dont judge the action I just hate the double standards and associated spin – if you have to fight dirty sometimes to defend yourself then have the decency and courage just to say it clear and people will have more respect.

  • http://www.cinnte.ie CCTV installer Cavan

    Very interesting article thanks for sharing…

  • Jon

    If you do not like NSA involvement then perhaps this is a good reason to go for open source products to me. Mozilla seem to have made their position clear. It is of course possible that a sub-group of coders within an open source project might be malleable but its hard to see how volunteers could be coralled with the same ease as a large commercial software provider.

    As far as the technical papers I have on the subject the basic RSA theory is sound as long as the primes used are big enough and as long as quantum computers are not deployed.

    The thing that disturbs me here is not so much whether the intelligence agencies have information on us – most of us flatter ourselves if we think we are remotely interesting to these agencies and the underlying theme is to counter terrorist activities.

    The thing that disturbs me is the potential for some software companies to be given unfair advantages if they co-operate. I would trust security agencies more if I knew that they only ever got involved in security issues and never used commercial intellingence for self gain but frankly I see no reason to trust them this much especially since the NSA apparently saw fit to bug the European parliament – the US would be in absolute outrage if the reverse situation was ever exposed.

    Pity agencies like the NSA cannot be more transparent and gain our trust so that they could do their job and we could get on with our business not worrying about what they might be up to.

  • http://Tdesignonline.com Richard

    Thats why i encrypt my encryptions 3 times!

  • RockyFjord

    I think I’m screwed, for the same reason that I’m in trouble if broke down on the highway: I have not learned the technology. I just operate the email function. I believe the NSA reads my Hotmail messages, because I send something to a General in Russia and five days later I am reading my words in the New York Times, repeated by John Kerry. I have sent things snail mail, but I think that gets copied to NSA as well. I tried sending Snowden a couple books with note. I would gladly pay someone who could get emails sent without NSA
    reading them. I am not a terrorist, and I know no secrets; I just analyze political and military stuff for interested parties. Still, it
    rather defeats the purpose if the NSA snoops on everything. The only way I can think of to communicate privately now, is to deliver paper copy to foreign embassies, to be carried in their diplomatic pouch.
    For me, this involves a 1000 mile trip one way. Guess I need a drop off person in D.C. I could mail to under surreptitious return address. Why all this is necessary, is because the US government is turning into a scary fascist militarist state, or so it seems to me.