To paraphrase the 1991 video game Zero Wing, “all your [bytes] are belong to us.” Even if you think you’ve encrypted your data like a good Internet citizen should, you’re pwned. At least that’s what the NSA can claim if this report of documents leaked by Edward Snowden is true.
This is an extremely shocking and significant revelation. It is certainly the most troubling claim to come out of the Edward Snowden-NSA controversy since it hit the news two months ago. I want to be skeptical of this news because, mathematically speaking, and given how open the process for developing most of the encryption standards was, I don’t see how it can be true. Math doesn’t lie. And yet, the leaked documents allegedly suggest that the NSA is, in fact, able to decipher most encrypted information exchanged online. I’m anxious for more details on how they do this. For now, I’m simply surprised and dismayed.
The article suggests that one way the NSA has gotten to this point is that it has planted moles in security companies that implement encryption technology. In other words, the encryption algorithms themselves, like AES and RSA, remain mathematically sound, but their implementations by software development firms are not. Specifically, it is alleged that companies that write encryption software and provide it to security tool and appliance makers employ people supplied by the NSA who have introduced holes in the algorithms. These holes are security “back doors” that enable the NSA to determine the content of an exchange even though they don’t have the encryption key.
Wow. I’m impressed at this level of deception. It would be laudable in its stealthiness if it didn’t pose such a threat to you and me. It promotes the worst of our fears: that you really can trust no one online.
Sometimes news comes out that makes you question the entirety of what you’re doing. In my case, having taught our undergraduate and graduate encryption courses in Computer Science for seven years now, and having repeatedly talked up how uncrackable AES is as a way to keep data private, there is a big part of me that wonders how I’ll be able to keep those courses relevant. Those courses describe all the various algorithms Computer Scientists and Mathematicians have developed to obfuscate sensitive data. Old algorithms, like DES, were cracked long ago simply by throwing more computing power at the problem. AES, with its much larger key size and more complicated mathematics, wasn’t supposed to be broken until quantum computing became a reality, if, indeed, it ever does.
Has the NSA compromised AES by exploiting a heretofore unknown mathematical weakness, or did it simply game the development process so that all AES implementations contain planned design flaws that make them vulnerable? Hopefully we’ll learn the answer to that question in the next few weeks.
And yet, if we do learn the details of how the NSA has pulled off this trick on the world’s citizens, then what?