11.5 C
Saturday, October 21, 2017
Home Tags Encryption

Tag: Encryption

In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not of itself prevent interception, but denies the message content to the interceptor. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, large computational resources and skill are required. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.

Introduced in July, the Surveillance State Repeal Act's provisions now seem more urgent.    
In a post-Snowden era, it's getting hard to tell prudence from paranoia.    
The search giant steps up the pace on an encryption plan to protect information in transit between its data centers. September 6, 2013 5:50 PM PDT A newly revealed Google encryption project is apparently months ahead of schedule. (Credit: Declan...
New measure is a defense tactic against direct taps of fiber optic cables.    
NEWS ANALYSIS: There are still ways enterprises and individuals can keep communications private. But the quick and easy paths have already been compromised by the United States. Thanks to NSA leaker Edward Snowden, we now know that most of the communications pathways you thought were secure can’t be relied on. Most of the secure cloud storage, almost all of the online encryption to Websites, the 4G wireless communications you use and your WiFi encryption have been compromised by the U.S. National Security Agency and probably by the intelligence services of other nations. In some cases, the actual encryption has been cracked, and in other cases the encryption has been circumvented. In a series of reports in the New York Times and other media, Snowden’s leaked secrets have revealed that most of the basic encryption you use, including SSL, has been broken.

If it wants to, the agency can find out just what you bought from Amazon yesterday. But perhaps more important, the NSA can read what you’re storing on the public cloud, they can read your communications with Google when you send Gmail, and they can read your banking transactions. The fact that the National Security Agency can crack this encryption should be no surprise.

After all, the NSA was chartered in the early 1950s specifically for code-breaking. So cracking such encrypted communications is actually what the agency is supposed to be doing.

This is, after all, how the NSA tracks the communications of terrorists in Yemen, or the Taliban in Pakistan. But we didn’t expect that this would eventually give them the capability to read our business and personal messages at home. But Snowden also revealed something that the NSA probably would prefer that you didn’t know. Good encryption still works, and there are types that the NSA still hasn’t cracked, such as PGP. When Phil Zimmermann created Pretty Good Privacy 22 years ago, the government tried to block its implementation. During the Clinton administration, the government even tried to force the adoption of the “Clipper” chip to create a permanent back door into computer systems through an embedded encryption chip with a built-in back door. PGP encryption is still out there, although it’s owned by Symantec these days, and it still works. In fact, the U.S. government is a major user of PGP encryption. But that doesn’t stop the NSA and the agencies of other governments from trying to get their hands on your communications, and most of the time they’re successful.

The reason is that they don’t bother to crack encryption these days.

They just siphon off unencrypted data before it’s encrypted or after it’s decrypted. In addition, the NSA has been able to find and preserve encryption keys, with which decryption stops being an issue. Sometimes these keys are obtained legally, other times they’re retrieved through a back door to a server that holds the keys. But such back doors are limited to servers and encryption keys. ${QSComments.incrementNestedCommentsCounter()} {{if QSComments.checkCommentsDepth()}} {{if _childComments}}
The National Security Agency has found ways to break or work around much of the encryption that guards information on the Internet, according to published reports. The National Security Agency, the U.S. government organization tasked with gathering intelligence from adversaries' communications and protecting domestic communications, has the capability to peer into far more Internet communications than previously thought, according to a report published on Sept. 6 and based on documents leaked by former NSA contractor Edward Snowden. Using a variety of tactics—including coercing vendors to provide access to their products, compromising corporate network infrastructure, or hunting down and exploiting vulnerabilities—the secretive agency can access content that had previously been considered safely protected by encryption, a New York Times article stated. While the leaked memos do not indicate a break in any specific encryption technology, the various strategies, collectively known under the code name "Bullrun," have allowed the NSA to effectively circumvent much of the security protecting communications. Messages that could not be broken have been stored until the agency is able to decrypt them, the memos stated. "For the past decade, NSA has led an aggressive, multi-pronged effort to break widely used Internet encryption technologies," said a 2010 memo distributed among employees of England's Government Communications Headquarters (GCHQ), the British counterpart to the NSA, according to the New York Times. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." The NSA's Bullrun program allows the NSA to effectively target protected information and find ways to either collect the information before it's encrypted or exploit vulnerabilities in the technology used to encrypt the data, including the browser encryption Security Sockets Layer (SSL), virtual private networks used by almost all companies and the security protecting smartphone communications, according to the memos leaked by Snowden. Such revelations will likely hurt U.S. companies abroad, according to recent studies. The attacks are not thought to be a single capability, but a collection of tactics that allow the NSA to cobble together an effective decryption strategy on a case-by-case basis. Many makers of security and networking products, for example, have a way for their support staff to get into a customer's product to update the appliance or device.

While not considered a backdoor, if the NSA is able to get access to that functionality, it could easily be used to access communications, says Chris Wysopal, chief technology officer for Veracode, an application security firm. The document describing Bullrun discusses "implants" in vendor technology, but it is not clear whether the NSA has worked with vendors to access the technology or compromised the technology on its own, he said. "It could be that they are putting an implant in on a network where they can then access things in the clear, or it could be putting an implant somewhere in the supply chain where they can get at keys or other parts of the technology—it's vague," Wysopal said. "If it's at the vendor, then that's pretty scary." The NSA's apparent goal to store mass quantities of encrypted data from the Internet for later decryption is a laudable goal to combat terrorism, but worrisome for the average citizen, Pierluigi Stella, chief technology officer of managed security services provider Network Box USA, said in an email to eWEEK. "The point here isn't whether we should worry about consumers or not; we should consider this from the 'citizens' point of view," he said. "The NSA can and will store everything we send on the internet, not only in clear text but also encrypted. ...

If we are to give away a bit of our freedom, it'd better be for very, very good reason, and in a very well controlled way, to ensure no one can ever abuse this collection of information."
The United States' National Security Agency has collaborated with technology companies and internet service providers to build the typically accepted standards of web security itself, and reportedly has the means to brute force encryption standards it itself had a hand in building.New revelations from the Snowden cables reveal the NSA has cracked most encryption that was considered a safeguard for commerce and banking systems around the world, and the very same encryption that was supposed to protect sensitive data like medical records, as well as email, web searches, online chats, and phone calls - of Americans and others, globally.Beginning in 2000, according to the New York Times, the NSA went about building supercomputers that were capable of breaking complex codes and encryption.

Additionally, the secretive but bloated agency collaborated with US technology companies to build backdoors directly into their products and services.These new revelations fly in the face of strings of denials from US internet companies after the initial Snowden leaks. Microsoft, Facebook, Apple and the gang were all adamant that there were no delibate backdoors built into software or hardware. Whether they were willing collaborators or had their hands forced in the name of "national security" is up in the air.A 2010 GCHQ memo speaking of the NSA's work said: "For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies. Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable”.$250 million a year is reportedly spent on a program which "covertly influences" technology company product designs, the Guardian reports, while the influence and capabilities of the agency against encryption is said to be closely guarded.

Analysts were warned not to ask about, or speculate on, sources or methods.The British spy agency, GCHQ, is itself largely bankrolled by the US taxpayer. It was earlier revealed that other English-language countries Canada, Australia, and New Zealand were allied with the USA's spying efforts - and although there was bluster from other European countries, protecting national business or security secrets was what had them irate.

These latest leaks suggest even those were compromised, despite any international agreements.The Guardian claims a GCHQ team has worked its way into encryptic traffic from top service providers - listed as Hotmail, Google, Yahoo, and Facebook.

The New York Times article is here while the Guardians' is here."Secure" email company Lavabit - which Edward Snowden is suspected of using to transmit information to Guardian journalists - shut itself down in light of the last round of leaks.

Its CEO said if the public knew what he knew about email communications, they may be less likely to use it. Likewise, popular law blog Groklaw decided to pull the plug, citing concerns about being able to properly provide anonymity where anonymity was necessary.The latest revelations - that the United States and its allies are aggressively pursuing all online communications, including those that are encrypted - could be cited as a further reason for activists, the privacy minded, or civil liberties groups to withdraw from the internet, and there is a greater risk self censorship than ever before.
UK and US intelligence agencies have unlocked the technology used to encrypt online services, including email, online banking and medical records. According to The Guardian in partnership with the New York Times and ProPublica, the US National Security Agency (NSA) and the UK’s equivalent GCHQ have been able to hack online encryption relied on by millions of internet users to protect their personal data. The new documents have been leaked to The Guardian by whistleblower Edward Snowden (pictured), who is wanted in the US on espionage charges and has been granted temporary asylum in Russia. The documents state that GCHQ has been working on methods to access encrypted traffic from the big four providers – Hotmail, Google, Yahoo and Facebook. It is reported that the NSA worked with unnamed technology companies and internet service providers to insert "back doors" into their software to allow access to the data before it was encrypted.

The intelligence agency is also said to have used supercomputers to break encryption standards with “brute force”. The documents reveal that the NSA spends $250m (£160m) a year on the programme, which began 10 years ago. Both agencies state that their actions are vital in foreign intelligence gathering and fighting terrorism. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com
Leaked documents say that the NSA has compromised encryption specs. It wasn't always this way.    
"To the engineers: we built the Internet... those of us who love liberty have to fix it."    
Encrypted phone concept a good one, but secrecy and FUD inspire skepticism.    
Is cloud-based storage from Dropbox a secure option for enterprises? And what should enterprises be thinking about in order to securely store data in the cloud anyway? Dropbox is a widely used cloud-based storage platform that is now the target of security researcher scrutiny, as user data privacy is being called into question.

A pair of researchers at the USENIX security conference in August released a white paper in which they describe methods for attacking Dropbox and obtaining user data.

While the merit of the actual research is debatable, it raises questions about what enterprises should be doing to protect the integrity and security of data in the cloud. While Dropbox is aware of the research, it isn't treating it as a security risk that demands immediate attention.

A Dropbox spokesperson noted in an email to eWEEK that Dropbox appreciates the contributions of security researchers and everyone who helps keep Dropbox safe. That said, Dropbox does not currently hold the view that the research presented at the USENIX conference presents a vulnerability in the Dropbox client. "In the case outlined there, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board," the spokesperson said. Although Dropbox is not raising the alarm bells about cloud storage security, others are. Willy Leichter, senior director at CipherCloud, told eWEEK that the problems with the cloud storage security model go beyond the bugs found in Dropbox's authentication method. "Cloud-based file sharing sites bypass most corporate security, but businesses still need to be able to inspect information leaving their networks and prevent loss of sensitive or regulated data to unauthorized outsiders," Leichter said. Steven Sprague, CEO of Wave Systems, told eWEEK that in his view, the fundamental problem is that Dropbox can read all of the files, for all of the customers. "The fact that they are stored encrypted is of no value if the keys are owned by Dropbox," Sprague said.  Geoff Webb, director of Solution Strategy at NetIQ, agrees that ownership of the encryption keys is a key consideration. Webb told eWEEK that one of the big fallacies that users make is assuming that simply because companies like Dropbox encrypt their data, that it's somehow perfectly safe. "So while you may be assured that data you upload to Dropbox is encrypted, you can't be sure of who has access to the keys themselves, and if the keys are compromised, the encrypted data is no longer protected," Webb said. The challenge for Dropbox and indeed for anyone trying to provide a secure online cloud service is that ease of use and security are often antithetical. Matt Richards, vice president of products at open-source cloud storage vendor ownCloud, told eWEEK that it's important to remember that security is relative: The most secure system is one that no one can access. In his opinion, that is the opposite of the Dropbox experience, which is all about ease of use.