One positive outcome of the NSA story is that everyday people are now talking about the importance of encryption. Perhaps nothing emphasized the need for this discussion more than the revelation that the NSA broke into the communication links between data centers belonging to Yahoo and Google. How did it access the data? It was unencrypted.
It’s great that we’re having a national discussion about encryption and holding tech companies’ feet to the fire when they fail to properly encrypt their data. But Eric Murray, a security architect at Zettaset, says there are still some common misunderstandings about encryption held not only by average joes but by professionals who work in the field. Zettaset is a software company providing security for “distributed systems” like Hadoop, where clusters of networked computers interact to achieve common goals. Because there are so many connections in these systems, encrypting them is a unique challenge. So far Zettaset offers encryption of the data when it is “at-rest,” or sitting on a hard drive, but it is working on offering encryption for data-in-transit as well.
Working on these problems has given Murray a unique perspective on some of the challenges and weaknesses of modern encryption. I caught up with him on the phone to talk about some of the most common misconceptions about encryption.
1. Encrypted = Secure
Encryption is a necessary part of any security strategy, but it isn’t the only part. Even when using the 256-bit Advanced Encryption Standard, which has never been cracked by a brute force attack, foreign or domestic hackers can find and manipulate other security weaknesses to access your private information.
“Key management is the biggest problem,” Murray says, referring to the encryption keys used to unlock data. “(Some companies) store the key on the hard drive along with the data that’s encrypted.” In that scenario, if the hard drive is stolen, or if the NSA is granted FISA approval to seize the hard drive, it won’t matter if the data is encrypted.
Murray adds, “Sometimes there are things that implement encryption that don’t use authentication,” meaning that the method used to identify which individuals have authorized access to the data is not sufficiently robust.
Another factor is how the data is structured. Murray describes a scenario where you have a database of patients and infectious diseases. One encrypted value denotes “Yes, this patient has tuberculosis,” and the other denotes “No.” An unauthorized observer can’t tell which value means “yes” and which means “no.” But depending on how the data is structured, and because most people do not have tuberculosis, an observer can correctly infer which patients have the disease simply by counting how often each of the two encrypted values appears.
As Murray puts it, “Encrypted doesn’t mean secure.”
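The tuberculosis scenario can be reproduced in a few lines. This is an added illustration, not code from Zettaset or the article: a toy stream cipher (SHA-256 keystream, constructed here and not a production algorithm) encrypts a fixed-width “Yes”/“No” column once with a single reused nonce (deterministic, so equal plaintexts produce equal ciphertexts) and once with a fresh random nonce per record. The observer function never sees the key; it only counts ciphertexts. The patient indices and record count are constructed sample data.

```python
import hashlib
import secrets
from collections import Counter

# Toy stream cipher, constructed for this example (not a production cipher):
# keystream block i = SHA-256(key || nonce || i); output = nonce || (plaintext XOR keystream).
NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def build_records(n: int, positive_indices: set) -> list:
    # Constructed sample: fixed-width "Yes"/"No " so only frequency, not length, differs.
    return [b"Yes" if i in positive_indices else b"No " for i in range(n)]

def encrypt_records(key: bytes, values: list, randomized: bool) -> list:
    # Deterministic mode reuses one nonce for every record (the weak design);
    # randomized mode draws a fresh nonce per record, so equal plaintexts no longer collide.
    fixed_nonce = bytes(NONCE_LEN)
    return [encrypt(key, v, secrets.token_bytes(NONCE_LEN) if randomized else fixed_nonce)
            for v in values]

def suspected_positives(ciphertexts: list) -> set:
    """What an observer who never sees the key can conclude: group records by ciphertext.
    If the column splits into exactly two groups, the small minority is the rare answer."""
    counts = Counter(ciphertexts)
    if len(counts) != 2:
        return set()  # no two-way split to exploit (randomized: every record is distinct)
    rare = counts.most_common()[-1][0]
    return {i for i, c in enumerate(ciphertexts) if c == rare}

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    positives = {3, 17, 42, 58, 91}
    records = build_records(100, positives)
    print(suspected_positives(encrypt_records(key, records, randomized=False)) == positives)  # True
    print(suspected_positives(encrypt_records(key, records, randomized=True)))               # set()
```

With the reused nonce the observer recovers every positive patient without touching the key; with per-record nonces every ciphertext is distinct and the count reveals nothing, which is the property a real randomized mode (a fresh IV or nonce per record) provides.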
2. It’s safer to take your data to other countries
Last week, a report came out saying 25 percent of UK and Canadian businesses are moving their data outside the United States thanks to the NSA. This shows that the NSA revelations, in addition to having an impact on our national psyche, are having a real impact on US businesses.
But Murray says before companies make huge operational changes they should have a good understanding of the data and privacy laws in the United States and in the country where they plan to move the data. For example, the attack on Google’s and Yahoo’s data centers took place not in the US but overseas. Having “bulk access” to data is illegal in the United States, according to the Washington Post. But outside the US, “the NSA is allowed to presume that anyone using a foreign data link is a foreigner.”
UK businesses may be as badly off, or worse, keeping their data at home. In addition to the NSA’s close ties to its British counterpart, the GCHQ, “The UK has more draconian laws,” says Murray, citing explicit legislation that requires companies to hand over encryption keys to law enforcement. In the US, however, no such law exists. In fact, the Eleventh Circuit Court of Appeals found that in some cases the Fifth Amendment can provide protection against forced decryption by law enforcement.
“I can understand if you can move your data to some country you know has really good laws and the company is willing to stand up to the government,” Murray says. “(Otherwise) it’s probably not operationally appropriate for a lot of people.”
(For a deep dive into the laws governing encryption across different countries, check out this Crypto Law database.)
3. There’s nothing we can do to fight the NSA
With the agency’s backdoors and its cushy relationships with tech and security companies, there’s a tendency to think that no matter what we do on the encryption front, the NSA will find a way around it. But while I agree this is as much a political issue as it is a technological one, the argument that “more crypto is not the answer” is unnecessarily defeatist.
We hear whispers of NSA quantum computers that can break any encryption, but most experts agree the NSA is no closer to building a practical quantum computer than anybody else, a development that could take decades.
“The best way to fight is to beat the NSA with technological means,” Murray says. “Cryptography in the open world is equal to the NSA.”
[Illustration by Brad Jonas for Pando]