Has NSA broken the crypto?

With the continuous flow of revelations by Snowden, there is not one day without somebody asking me if crypto is dead.  Indeed, if you read some simplifying headlines, it looks like the Internet is completely unsecure.


Last Friday, Bruce Schneier published an excellent paper in the guardian : “NSA surveillance: a guide to staying secure.”  For two weeks, he has analyzed documents provided by Snowden.   From this analysis, he drives some conclusions and provides some recommendations.  In view of the security profile of Bruce, we may trust the outcome.  I recommend the readers to read the article.

My personal highlights from this article.

  • The documents did not present any outstanding mathematical breakthrough.   Thus, algorithms such as AES are still secure.
  • To “crack” encrypted communications, NSA uses the same tools than hackers but at a level of sophistication far higher.   They have a lot of money.  The tricks used:
    • Look for used weak algorithms
    • Look for weak passwords with dictionary attacks
    • Powerful brute force attacks
  • The two most important means are:
    • Implementing back doors and weakening commercial implementations (poor random generator, poor factors in Elliptic Curve Cryptosystems (ECC), leaking keys…).   The same is true for hardware.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.

    • Compromising the computer that will encrypt or decrypt.  If you have access to the data before it is secured, then you do not care about the strength of the encryption.

These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

His recommendations are common sense.   The most interesting one is to avoid using ECC as NSA seems to influence the choice of weak curves and constants in the curve.


His final statement

Trust the math.

is OK, but I would add “Do not trust the implementation.”  Always remember law 4: Trust No One.

Leave a Reply

Your email address will not be published. Required fields are marked *