NSA Leaks Uncover Legitimate Surveillance Concerns, But Cryptographic Systems are Not One of Them

September 17, 2013 by Bill Conner     1 Comment

This entry is part 1 of 2 in the series The Snowden Papers: Lessons to be Learned

Intelligence Services Disclosures and the Impact on Information Security

The Washington Post and other media outlets have provided extensive coverage of allegations made by Edward Snowden concerning some of the NSA’s surveillance programs. The allegations include:

  1. The NSA has unrestricted direct access into U.S.-based cloud services operated by Microsoft, Google, Apple and others.
  2. The NSA’s Tailored Access Operations subvert the security of endpoint computers and network devices .
  3. Commercial products, including encryption products, contain backdoors that allow access by the NSA .
  4. The NSA has secretly subverted the security of standard encryption algorithms.

Edward Snowden LeaksWhile none of these allegations is new or surprising to those who follow the information security industry, the documents provided by Snowden do contain a level of detail that hasn’t previously been seen by the general public.

The existence of unrestricted direct access to the servers of North American cloud service providers is strongly denied by the companies concerned. They are, however, clear that law enforcement agencies are granted limited access on presentation of a properly executed warrant. It seems likely that the companies provide an air-gapped data room into which U.S. law enforcement agencies have direct access and into which the companies place specific information in accordance with thoroughly scrutinized warrants.

The Tailored Access Operations program researches and exploits the kinds of product vulnerabilities commonly used by the criminal community. It does seem likely that the NSA employs some of the most accomplished hackers in the world.

There are reported instances of backdoors in commercial products.  However, Entrust has been crystal clear on this topic; neither its products nor its services contain backdoors.

Accusations that NSA has “crippled” standard encryption algorithms have dogged the industry since the ‘70s. But, with the obvious exception of the DES key size, no such vulnerabilities have been discovered.

Clearly, the NSA and its counterparts in other advanced countries have extraordinary computing power at their disposal. And they may direct this computing power at their highest-value military targets. Random-number generation based on elliptic curve cryptography (ECC) has been singled out as suspicious because of the NSA’s role in the standard-setting process and because of its potential to impact a broad range of security services. And while elliptic curve cryptography is not yet in widespread use, Entrust’s products support a wide range of curves from a variety of standard-setting organizations.

The information security industry is familiar with innuendo and conspiracy theory — as well as genuine advances in cryptanalytic capability — yet it has managed to protect users of all types of information systems from harm for many decades.  It has done this by continuously advancing the security of its products and systems while minimizing the possibility for misconfiguration. We expect this approach to continue to work for many years to come.

  1. NSA Leaks Uncover Legitimate Surveillance Concerns, But Cryptographic Systems are Not One of Them
  2. The Edward Snowden Story Calls For Understanding of Encryption, Strong Identity
Bill Conner

About

With a career that spans more than 30 years across numerous high-tech industries, Bill Conner is among the most experienced security and infrastructure executives worldwide. As a corporate turn-around and cybersecurity expert, Conner has achieved a number of milestones since he joined Entrust as president and CEO in April 2001, the latest of which was engineering the acquisition of Entrust by private equity firm Thoma Bravo in July 2009. Full Bio: http://www.entrust.com/corporate/management/bill_conner.htm

One thought on “NSA Leaks Uncover Legitimate Surveillance Concerns, But Cryptographic Systems are Not One of Them

  1. Pingback: 2014 – Looking Back, Moving Forward | Entrust, Inc.

Add to the Conversation