American intelligence operatives may be colluding with technology companies and using backdoors and brute force attacks to crack encryption technologies, but encryption is still the best way to protect the privacy of online communications and data, according to security experts.
The mathematics of cryptography remains very hard to break despite the billions of dollars that the National Security Agency and its British counterpart, the Government Communications Headquarters (GCHQ) may pour into their snooping programs.
When properly implemented, encryption provides essentially unbreakable security, according to Dave Anderson, senior director of Voltage Security, a provider of data-centric security software for cloud, mobile devices and big data environments.
It’s likely that the NSA managed to break through insecure and outdated implementations of some encryption technologies, according to Steve Weis, chief technology officer at PrivateCore, a developer of software for secure server data.
Last week, media outlets reported that internal NSA documents leaked by former NSA security contractor Edward Snowden indicate that the NSA and GCHQ had cracked the encryption algorithms used for Internet communications, banking and medical records around the world.
The NSA used covert means to ensure it controlled the setting of international encryption standards, used supercomputers to break encryption and collaborated with technology companies and Internet service providers (ISPs), according to the reports. The document also said the NSA created a backdoor into a National Institute of Standards and Technology (NIST) approved encryption standard called Dual EC DRBG.
Weis said the Dual EC DRBG standard has been available for six years and it has been rarely used since two Microsoft Corp. engineers discovered the NSA backdoor in 2011.
There is no evidence that a more current encryption algorithm such as the Advanced Encryption Standard (AES) has been compromised, Weis said.
Most email, Web searches, Internet chats and phone calls are not automatically encrypted so the NSA or anyone else can scan online traffic and listen in, said Dave Jevans, chief technology officer of Marble Security, developers of mobile security applications.
Worried businesses should consider using open source technologies such as OpenSSL, according to Weis.
OpenSSL code is always visible to developers, so people can audit any changes to it, such as the NSA creating backdoors, he said.