With all the stories about the NSA spying on the communications of people all over the world, we may have an exaggerated sense of the NSA’s code-breaking capabilities. Matthew Green, the cryptography researcher at Johns Hopkins University who was temporarily censored, explains that there are three ways to get past encryption.
There’s almost too much here for a short blog post, so I’m going to start with a few general thoughts. Readers of this blog should know that there are basically three ways to break a cryptographic system. In no particular order, they are:
- Attack the cryptography. This is difficult and unlikely to work against the standard algorithms we use (though there are exceptions like RC4.) However there are many complex protocols in cryptography, and sometimes they are vulnerable.
- Go after the implementation. Cryptography is almost always implemented in software — and software is a disaster. Hardware isn’t that much better. Unfortunately active software exploits only work if you have a target in mind. If your goal is mass surveillance, you need to build insecurity in from the start. That means working with vendors to add backdoors.
- Access the human side. Why hack someone’s computer if you can get them to give you the key?
Bruce Schneier, who has seen the documents, says that ‘math is good‘, but that ‘code has been subverted‘. He also says that the NSA is ‘cheating‘. Which, assuming we can trust these documents, is a huge sigh of relief. But it also means we’re seeing a lot of (2) and (3) here.
So to sum up, one way is to do the math, which is the hardest. The next hardest is to exploit weaknesses in the software. And the third is to basically cheat, by demanding that the manufacturers of the software and hardware give you the encryption keys. So what NSA has done is not be clever but to basically cheat, using the power of the government to get what it wants. Good encryption can still defeat them and so they are determined to avoid people gaining access to such things.
ProPublica reports that the National Institute of Science and Technology (NIST), that is supposed to set standards for all manner of things, has lowered its own encryption standards. It refuses to comment on whether it did so at the request of the NSA though Green suspects that that is the reason. So not only does the NSA cheat, it makes other parts of the government, that are supposedly working in the public interest and who should be actually raising standards, accomplices in its cheating.