A Cryptographic Engineer Looks at the Latest NSA Reports
On September 5, the Guardian, the New York Times, and ProPublica reported on NSA’s programs to defeat any and all encryption. There has been a lot of response, in particular a call from Bruce Schneier for engineers to take back the internet. Matthew Green, a cryptographer and research professor at Johns Hopkins University, has a brief overview of what the articles reported.
The gist of it is:
NSA has been doing some very bad things. At a combined cost of $250 million per year, they include:
- Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
- Influencing standards committees to weaken protocols.
- Working with hardware and software vendors to weaken encryption and random number generators.
- Attacking the encryption used by ‘the next generation of 4G phones’.
- Obtaining cleartext access to ‘a major internet peer-to-peer voice and text communications system’ (Skype?).
- Identifying and cracking vulnerable keys.
- Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
- And worst of all (to me): somehow decrypting SSL connections.
All of these programs go by different code names, but the NSA’s decryption program goes by the name ‘Bullrun’ so that’s what I’ll use here.
I said some time ago in a comment in the context of Stuxnet that the world’s most cybervulnerable nation should not be running around being the first and most aggressive to use offensive cyberwarfare against the internet of things. Especially since a family’s experience with a wayward baby monitor has exposed “The Terrifying Search Engine That Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors And Power Plants.”