Recently, it was revealed that the NSA is able to break common encryption protocols used on the internet.  You can read the article here:

http://www.theverge.com/2013/9/5/4698808/most-common-encryption-protocols-are-useless-against-nsa-surveillance

But, to me, it’s not really that much of a revelation.  And taking the article’s claims at face value will cause the user to miss a practical side of security that is often overlooked.

Having been in the technology world for close to 40 years, I read a lot of material related to technology.  Around the late 1980’s when PC’s still dominated the computer networks and the internet was still not opened yet for general public use, there was an article about 40-bit encryption and even 64-bit encryption in the marketplace.  It also mentioned that the academic community was already talking about 128-bit encryption, but that there were signs that the NSA was not going to allow this.

Why would the NSA not allow it?  Because quite frankly, if the NSA is not able to decode it, and the cipher gets into the hands of people with evil intent, it can’t be monitored for abuse and it can be used in many evil ways.  One of NSA’s tasks is to ensure the security of government communications.  This task falls into that realm.  If there is no foreseeable way to break the code, you cannot deny its use to people who would use it against you.  This is one of the reasons why the United States has laws banning export of certain encryption technology.

That’s why I am not surprised that NSA would have the capability to break the encryption we use on the internet. BUT DON’T MAKE THE MISTAKE OF THINKING THIS: The NSA can decode everything I do on the internet now and read it.  It’s easy to come to that conclusion because of the stated ability to break a cipher.  But there is another aspect to breaking a cipher key that is just as important: how long does it take to actually break it.

Did the article mention anything about how long it takes?  Of course not.  That’s the real secret, right?  Even though NSA has the ability to crack the keys, the actual time spent on the effort could be days, weeks, or months of time and involve thousands of CPUs running in concurrence to solve it.  Once the key has been cracked, all the data collected to that point which used the key is now decipherable, but not before then.

In any security system, there are two core aspects to it.  The first is the physical or virtual layers of security intended to stop access to the item being protected, to prevent unintended use.  In this case, that is the data.  The second, is the time required to gain access.  How long is the lock I installed going to stop a criminal from finding the key, and making his own copy to gain access?  In a practical example of a break-in, a thief may be trying to gain access.  If I add an alarm to the front door, even if the thief has figured out the key to get in, how long does he have before he is discovered and arrested by the police responding to the alarm.

Of course, if the thief has found a way to get access to your key chain, the time he needs to spend picking the lock mechanism to get the right combination of tumbler settings is zero.  So if NSA has found a way to get at the cryptographic certificates on a server or network device directly (the virtual world’s keychain), their time figuring out the cipher values also goes to zero.  But I doubt this capability exists, short of a software bug or forcing some sort of malware onto the system to help them into the machine’s pockets.  This latter attack is what modern day virus scanners look for.

So just because the NSA may have the ability to break an encryption key doesn’t automatically make that a bad thing. Quite frankly, it’s important to remember that our everyday activities online draw more interest from commercial business activities than government security interests.  The real concern we have is not with NSA, which is just a tool for acquiring and analyzing the data.

The real issue of privacy goes to motives of the people who keep pressing NSA for information and try to pass laws to circumvent constitutional rights to get it.  That is the real problem.

 

 

 

 

 

 

 

No Comments
Politics and Public Policy, Random Thoughts, Technology.Networking, Technology.Thoughts