It’s no secret the intelligence agencies of the world spend a great amount of time trying to break the many different codes and encryption types available today. The NSA has its fair share of success stories in this area. But, as the Edward Snowden leak showed, there are still some encryption standards the NSA can’t crack.
Encryption is a way of taking plain data and turning it into a secret code. Once encrypted, the only way to read the data is with the right secret key or password. Encryption is the most effective way to secure your data, and because of this, it is used by businesses and people around the world.
The National Security Agency, or NSA, is one of the world’s best spy agencies. Unlike some other agencies though, the NSA has a conflict of interest when it comes to encryption.
This is because in addition to breaking different encryption standards, the NSA is also tasked to provide the U.S. National Institute of Standards and Technology, NIST, with guidelines in trusted technology for use in cost-effective systems for protecting sensitive computer data.
Sort of an ironic twist, isn’t it? The NSA is charged with breaking secret codes to protect American interests around the world and it also responsible for recommending encryption methods for use by U.S. agencies and citizens.
Taking the irony to another level, one encryption method recommended by NIST, the Advanced Encrypt Standard (AES) appears to still be in the “too tough to crack” category. An NSA document reveals the agency is looking for ways to break the very standard it recommends because AES remains “widely used and difficult to attack”.
Unfortunately, the Snowden leak shows the NSA is having quite a bit of success breaking encryption standards. Take, for example, Skype. This popular voice and video program is used by millions of people, and Skype’s own webpage boasts “all Skype-to-Skype voice, video, file transfers, and instant messages are encrypted. However, one document from Snowden showed the NSA began collecting intelligence from Skype in 2011.
That same year, 2011, Microsoft enabled Skype and vowed not to provide any governments with access to customer data or encryption keys. But, as the Snowden leak showed, NSA was successfully collecting from Skype well before Microsoft’s acquisition of Skype. Skype isn’t the only victim of NSA’s code crackers though.
Another successful NSA venture deals with Virtual Private Networks, or VPNs. VPNs are used around the world by companies and individuals to create a secret connection between two points on the Internet. In theory, all traffic passing through that connection is encrypted, and thus, secure. Like Skype though, this is not the case.
Der Spiegel, a German news magazine, claims to have seen a document showing the NSA’s ability to process 1,000 requests an hour to decrypt VPNs, back in 2009! By the end of 2011, NSA expected to have the ability to simultaneously monitor 20,000 “secure” VPN connections an hour. As Spiegel put it, the security of a VPN may indeed only be virtual.
There is good news for privacy and security advocates. The Snowden leak also showed the areas where the NSA is still struggling to crack encryption codes. A NSA presentation shows the NSA has “major” problems decrypting messages sent through popular, heavily encrypted email services like Zoho or the Tor network.
Tor, which is an open source software, allows users to browse the Internet through a network of over 6,000 linked volunteer computers. Tor, or The Onion Router, automatically encrypts data in such a way as to ensure no single computer has all of a user’s information. This has proven very difficult for the NSA to crack.
Two other software suites, Truecrypt and Off-The Record (OTR) also appear to pose issues for the NSA. Truecrypt, which is used to encrypt files on computers, stopped working on their software in May 2013, fueling speculation they were pressured to stop. OTR, a protocol for encrypting instant messages, also presents the NSA with a challenge.
Both these programs, like Tor, are open source. This means anyone can view, modify, share, and use the software. Because these types of programs can be modified by anyone at anytime, it is much for difficult for attackers to insert spying software without someone noticing.
Use a combination of similar standards, and the challenge for the NSA is described as “catastrophic”. Using two or more programs together results in what the Snowden leak described as a “near-total loss/lack of insight to target communications, presence”.
Although the Snowden documents reveal some chilling information about the success the NSA has with cracking encryption, there are still some methods that elude the U.S. spy agency. Privacy and security advocates alike can be assured, at least a little, that there are still some ways to communicate securely.
The NSA, along with the other great spy agencies of the world, won’t rest though, and to some extent we shouldn’t want them to. After all, part of these agencies’ charter is to protect it’s nation’s citizens and interests. This is the gray line and the conflict of interest. The spy agencies must contend with their quests to intercept and decode communications of their enemies, while ensuring the privacy and security of their own citizens. Let us hope they continue to perform this juggling act admirably.
If you have any information, insights, or questions, don’t forget to leave a comment. Thanks!