Security News

A Few Thoughts on Cryptographic Engineering: On the NSA

If you haven’t read the NYT or Guardian stories, you probably should. The TL;DR is that the NSA has been doing some very bad things. At a combined cost of $250 million per year, they include:

  • Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
  • Influencing standards committees to weaken protocols.
  • Working with hardware and software vendors to weaken encryption and random number generators.
  • Attacking the encryption used by ‘the next generation of 4G phones’.
  • Obtaining cleartext access to ‘a major internet peer-to-peer voice and text communications system’ (Skype?)
  • Identifying and cracking vulnerable keys.
  • Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
  • And worst of all (to me): somehow decrypting SSL connections.

All of these programs go by different code names, but the NSA’s decryption program goes by the name ‘Bullrun’, so that’s what I’ll mostly use here.