My assumptions on encryption and where we stand today

Late last week a few more of Edward Snowden’s documents were released to the public. They show that the NSA (US) and GHCQ (UK)are able to unlock encryption used to protect emails, banking and medical records. They also show that the NSA spends huge amounts of money every year to pay tech companies and get them to insert weaknesses into products. To read the whole story check The Guardian’s website here. Unfortunately we do not know which companies are part of this program. Shortly after this news hit an article from Bruce Schneier called “NSA surveillance: A guide to staying secure” stated the following:
“For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn’t part of today’s story – it was in process well before I showed up – but everything I read confirms what the Guardian is reporting. At this point, I feel I can provide some advice for keeping secure against such an adversary.” I reached out to Mr. Schneier with a few questions and assumptions which I am about to tell you but got a rather lame reply unfortunately indicating he had not taken the time or effort to really read my email.

In his article he gives a few pieces of advice on how to remain secure:
1. Hide the network, use TOR.
2. Encrypt communications, use TLS and IPsec.
3. Assume that while your computer can be compromised, it probably isn’t.
4. Be suspicious of commercial encryption software, especially from large vendors.
5. Try to use public domain encryption (open source).
I narrowed things down, for the full list go to the article using the link above.
He also states he uses GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit and a few other things.

While I do not agree with the use of TOR for multiple reasons like outdated 1024bit encryption which can certainly be broken by the NSA, GCHQ and other government agencies and contractors (I’ll talk about all the other negative sides of TOR in another article) and the statement to encrypt communications doesn’t really help, as we don’t know which encryption is safe to use anymore, point 4 is what worries me. “Be suspicious of commercial encryption software, especially from large vendors.”

Based on all this information I made some assumptions. They may be wrong but until I can find someone that can either prove or disprove them (Mr. Schneier unfortunately wouldn’t) I’ll just throw them out here to at least get you to start asking some questions.

Assumption 1 – Mr. Schneier has read the documents and knows enough to know that everything that was reported is confirmed. He also lists the encryption he uses personally. My assumption therefor is, he would not use encryption he knows to be compromised so therefor PGP, OTR, TrueCrypt etc must be safe to use. Of course PGP comes in different forms, it’s a standard that is used by many vendors and we do not know which vendors are safe to use. But the encryption itself appears to be intact. The same goes for OTR and TrueCrypt is an actual product so that appears to be safe too. The biggest PGP vendor, Norton, is something I would stay away from in light of these new revelations.

Assumption 2 – Apple is a large vendor. While they do not specialize and focus on encryption software, encryption is an important part of OS X with FileVault and Disk Utility’s ability to encrypt folders, partitions or entire drives. We already know Apple joined PRISM late 2012, could they be in bed with the NSA providing backdoors in FileVault and their implementation of AES encryption as well? Unfortunately we don’t know, and may never know. For me it’s a big enough “what if” to seriously reconsider using OS X’s encryption as my biggest line of defense. The alternatives out there are not easy and/or pretty though.

As Edward Snowden and Bruce Schneier mention, encryption can be trusted. It’s not the math that’s compromised, it’s the implementation. Whether companies have been paid off to build in weaknesses or backdoors or encryption keys have been compromised by breaking in, the math is sound. The only real way to know if the implementation is properly done is to use open source products that have been thoroughly checked by engineers and other experts that can verify “yes, this software has no backdoors”.

GPGTools for Mac offers encryption for files and email, is open source and used by many. I trust it until I am lead to believe otherwise. Adium supports OTR encryption and is open source as well, this too I trust. TrueCrypt is open source and also used by many, if this had a backdoor in it logic dictates it would have been discovered by now so this appears to be trustworthy too. The reason I have not written about TrueCrypt yet is because it’s not as easy to use as OS X’s built-in tools but just in case my assumtions about Apple are correct (I hope they are not) I will be writing about TrueCrypt soon.

So all is not lost. We just have to be a bit more picky on which tools we trust to encrypt our private data. The tools mentioned above are a good place to start. While I still recommend FileVault and Disk Utility encryption to protect your data from burglars, hackers and other snoopers, we have to accept the possibility that it may not protect you from the government and all of it’s powerhungry agencies (NSA, FBI, TSA etc.). Using OS X’s built-in tools in combination with TrueCrypt to protect hard drives and using Adium with OTR and GPGTools for communications should get you a long way though. Other ways to fight back are signing the petition to stop NSA spying (US Link) (International Link), call your elected representative and of course if you are an engineer with the right skills you can help by building and deploying better and more usable cryptosystems.