Encryption under the light of PRISM revelations

Posted by on Oct 9, 2013


Image from http://www.infosecurity-magazine.com

Image from http://www.infosecurity-magazine.com

With the incredible growth in technology these days, the Internet is now used for a number of important functions such as shopping, managing our bank accounts, paying bills and socializing. While the Internet makes our lives easy and comfortable, there are a lot of security risks that come with it. The exposure of so much personal information like credit card details, social security numbers, or bank account information on the Internet makes us extremely vulnerable to cyber attacks. Most of us rely on a very simple and straightforward security control called “encryption” to maintain the integrity and confidentiality of our data across the Internet. Encryption is a method of securing your data or message by scrambling it into a form that can be only read by someone who has the appropriate key to unscramble it. This is an age-old technique often used to prevent unauthorized users from reading your data. But is this a fool-proof method of data protection under the light of PRISM revelations? It seems that the NSA has several ways to crack this extremely popular and widely-used security control.

The biggest and best-funded spy agency, the  NSA, spends billions of dollars every year to circumvent most of the encryption or digital scrambling technologies used for protection of sensitive data like trade secrets, medical records, secured email messages, Internet chats and even phone calls. “For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

NSA primarily collects information by monitoring network or communication channels. They have sophisticated tools and technologies to automatically monitor and analyze network traffic. NSA has been successful in cracking majority of the encryption codes on the Web, by using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age. They can easily invade poorly-implemented and outdated encryption technologies, and sadly there’s a lot of bad cryptography out there.

Image from http://downtrend.com

Image from http://downtrend.com


As per the recent reports, the NSA has been defeating many encryption standards by working closely with security vendors to understand and exploit security vulnerabilities in their products. Basically, the  NSA asks these companies to deliberately make changes to their products in undetectable ways like leaking encryption keys, making random number generator less random, adding a common exponent to a public-key exchange protocol, and so on. Many well-known and high profile companies, like Microsoft, share information regarding vulnerabilities in its software with the US government before releasing security updates in public. So, if you are using any of the Microsoft software products like Windows, Office or Skype, it is possible for the NSA to compromise your system and penetrate into encrypted communications with very little effort.

Here is an interesting story about information sharing by Skype (which is considered the most secure medium of communication) with the US government.

Image from http://www.inflexwetrust.com

Image from http://www.inflexwetrust.com

“Skype, the Internet-based calling service, began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials, according to people briefed on the program who asked not to be named to avoid trouble with the intelligence agencies. One of the documents about the PRISM made public by Mr. Snowden says Skype joined Prism on Feb. 6, 2011”.

The obvious question that comes to our mind is how can we keep our data safe from the prying eyes of the NSA? As per Edward Snowden “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” By the term “end point security “ he means the security of the computers on the either end of the communication. The security of the end point systems is more critical compared to the security of message in transit.

Security technologist Bruce Schneier, recommends the following steps to secure your data despite NSA encryption cracking:

1) Hide in the network: Implement hidden services such as Tor to anonymize yourself.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t Use a computer that has never been connected to Internet before for encrypting and decrypting personal files or documents.

4) Be suspicious of commercial encryption software, especially from large vendors. Most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.


True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and password remain secured. SpiderOak encrypts the files in your computer before uploading them to the server. As a result you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belongs to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see, are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using derivation/strengthening algorithm PBKDF2 (using sha256), with a minimum of 16384 rounds, and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.form.

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.



Leave a Reply