After NSA encryption: News that the NSA can break or bypass a variety of digital encryption tools has researchers second-guessing the strength of Internet security products they previously trusted, and wondering exactly who else, besides the feds, may be listening in.
In the latest revelation about the NSA’s activities, The Guardian, the New York Times, and ProPublica suggest that the organization gained access less by technical savvy than by coercion, strong-arming companies that work with data by “getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.”
Encryption might still work in some form, but the revelation indicates that there are many vulnerabilities that the entire cryptography community has so far missed. Researchers are now fearful of compromised elements in products they would previously have sworn were secure.
For instance, it’s troubling to experts that the NSA has been working with the National Institute of Standards and Technology. NIST sets the public standard and writes the modern cookbook for how cryptography should work, according to Matthew Green, a cryptography professor at Johns Hopkins. Cryptographers rely on NIST to know which “recipes” they can trust. But if, according to new reports, the NSA has worked to set these standards to its advantage, products built along those guidelines could be weaker than the security community previously thought.