NSA Encryption – Comments from Dave Anderson, Voltage Security

Commenting on today’s reports of the NSA’s manipulation of encryption technology (http://nyti.ms/15HK9Wm), Dave Anderson, a senior director with Voltage Security (www.voltage.com), said:

“To quote Snowden himself, ‘Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.’

In the light of this, it seems likely that any possible way that the NSA might have bypassed encryption was almost certainly due to a flaw in the key management processes that support the use of encryption, rather than through the cryptography itself.  So, is it possible that the NSA can decrypt financial and shopping accounts?  Perhaps, but only if the cryptography that was used to protect the sensitive transactions was improperly implemented through faulty, incomplete or invalid key management processes or simple human error.

When properly implemented, encryption provides essentially unbreakable security.  It’s the sort of security that would take implausibly-powerful supercomputers millions of years to crack. But if it’s carelessly implemented, and the key management processes are not sound, this security can be reduced to the level where a hacker with a mid-market PC can crack in a few hours at most.

A more likely way that the NSA is reading internet communications is through exploiting a weakness in key management.  That could be a weakness in the way that keys are generated, or it could be a weakness in the way that keys are stored.   And because many of the steps in the lifecycle of a key often involve a human user, this introduces the potential for human error, making key lifecycle management never as secure as the protection provided by the encryption itself.

General Robert Barrow (USMC) once said that amateurs think about tactics while professionals think about logistics. An appropriate way to update this to the Internet age might be that amateurs talk about encryption while professionals talk about key management.”

Silicon Valley-based Voltage Security (www.voltage.com) is a top encryption technology expert and provider of data-centric security solutions.

Voltage Security

About Voltage Security

Voltage Security®, Inc. is the world leader in data-centric security, delivering secure, scalable, and proven data-centric encryption and key management solutions, enabling our customers to effectively combat new and emerging security threats. Leveraging breakthrough encryption technologies, our powerful data protection solutions allow any company to seamlessly secure all types of sensitive corporate and customer information, wherever it resides, while efficiently meeting regulatory compliance and privacy requirements. For more information, please visit www.voltage.com.

, , ,

No comments yet.

Leave a Reply